Preface



These are the proceedings of the First International Conference on Computational
Logic (CL 2000) which was held at Imperial College in London from 24th
to 28th July, 2000. The theme of the conference covered all aspects of the theory, 
implementation, and application of computational logic, where computational 
logic is to be understood broadly as the use of logic in computer science. The 
conference was collocated with the following events: 

— 6th International Conference on Rules and Objects in Databases (DOOD 2000)

— 10th International Workshop on Logic-based Program Synthesis and Transformation (LOPSTR 2000)

— 10th International Conference on Inductive Logic Programming (ILP 2000).

CL 2000 consisted of seven streams:

— Program Development (LOPSTR 2000) 

— Logic Programming: Theory and Extensions 

— Constraints 

— Automated Deduction: Putting Theory into Practice 

— Knowledge Representation and Non-monotonic Reasoning 

— Database Systems (DOOD 2000) 

— Logic Programming: Implementations and Applications. 

The LOPSTR 2000 workshop constituted the program development stream and 
the DOOD 2000 conference constituted the database systems stream. Each 
stream had its own chair and program committee, which autonomously selected 
the papers in the area of the stream. Overall, 176 papers were submitted, of 
which 86 were selected to be presented at the conference and appear in these 
proceedings. The acceptance rate was uniform across the streams. In addition, 
LOPSTR 2000 accepted about 15 extended abstracts to be presented at the 
conference in the program development stream. (These do not appear in these 
proceedings.) CL 2000 also had eight invited speakers, 12 tutorial speakers, and 
seven workshops held in-line with the conference. 

ILP 2000 was held as a separate conference with its own proceedings, but 
shared invited speakers and tutorial speakers with CL 2000. 

The unusual structure of CL 2000 relied for its success on the cooperation 
of various subcommunities inside computational logic. We would like to warmly 
thank members of the automated deduction, constraints, database, knowledge 
representation, logic programming, and program development communities who 
contributed so much to the technical program. In particular, we would like to 
thank everyone who submitted a paper, the members of the stream program 
committees, the other reviewers, the invited speakers, the tutorial speakers, the
workshop organisers, and those who submitted papers to the workshops. Thanks 
to Vladimiro Sassone for allowing us to use his excellent software for electronic 
submission and reviewing of papers. We would also like to thank the members 
of the Executive Committee of the Association of Logic Programming for their 
support throughout the preparations for the conference. 
Abstract. The development of computational logic since the introduction of
Frege’s modern logic in 1879 is presented in some detail. The rapid growth of 
the field and its proliferation into a wide variety of subfields is noted and is 
attributed to a proliferation of subject matter rather than to a proliferation of 
logic itself. Logic is stable and universal, and is identified with classical first 
order logic. Other logics are here considered to be first order theories, 
syntactically sugared in notationally convenient forms. From this point of 
view higher order logic is essentially first order set theory. The paper ends by 
presenting several challenging problems which the computational logic 
community now faces and whose solution will shape the future of the field. 



1 Introduction 

Although logic and computing are each very old subjects, going back very much 
more than a mere hundred years, it is only during the past century that they have 
merged and become essentially one subject. As the logician Quine wrote in 1960,
"The basic notions of proof theory converge with those of machine computing. ... 
The utterly pure theory of mathematical proof and the utterly technological theory 
of machine computation are thus at bottom one, and the basic insights of each are 
henceforth insights of the other" ([1], p. 41). 

The aptly-named subject of computational logic - no pun intended - subsumes a 
wide variety of interests and research activities. All have something to do with 
both logic and computation. Indeed, as the declaration of scope of the new ACM 
journal Transactions on Computational Logic says, computational logic reflects all 
uses of logic in computer science. If things are no longer as simple as they 
seemed to be when logic and computing first came together, it is not because logic 
has become more complex, but because computing has. 

Computational logic seemed simple enough when first order logic and electronic 
computing first met, in the 1950s. There was just one thing to know: the proof 
procedure for first order logic. It was clear that now at last it could be 
implemented on the fantastic new computers that were just becoming available. 
The proof procedure itself had of course been invented a generation earlier in 
1930. It had waited patiently in the literature, supported by beautiful correctness 
and completeness proofs, for twenty five years until the first electronic digital 
computers were made available for general research. Then, in the first wave of
euphoria, it seemed possible that there would soon be proof-finding software
which could serve as a computational assistant for mathematicians, in their regular
work. Even though that still has not quite happened, there has been remarkable
progress. Such automated deduction aids are now in use in developing and
verifying programs.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1-24, 2000.
© Springer-Verlag Berlin Heidelberg 2000
John Alan Robinson

Our small niche within general computer science was at first known simply as 
"mechanical theorem proving”. It really was a small niche. In 1960 only a 
handful of researchers were working seriously on mechanical theorem proving. 
Theirs was a minority interest, which hardly counted as “real” computing. The 
numerical analysts, coding theorists, electronic engineers and circuit designers 
who ruled mainstream computer conferences and publications tended to be 
suspicious of our work. It was not so easy to find funding or places to publish. 
Most people in the computing mainstream considered logic to be boolean algebra, 
and logical computations to be what you had to do in order to optimize the design 
of digital switching circuits. 

A half century later, our small niche has grown into a busy international federation 
of associations of groups of small niches housing thousands of researchers. At 
meetings like the present one the topics cover a broad range of theory and 
applications reaching into virtually every corner of computer science and software 
engineering. Such fertile proliferation is gratifying, but brings with it not a little 
bemusement. No one person can hope any more to follow closely everything 
going on in the whole field. Each of us now knows more and more about less and 
less, as the saying goes. Yet there is, after all, a unity under all this diversity: 
logic itself. We all speak essentially the same language, even if we use many 
different dialects and a variety of accents. It is just that nowadays logic is used to 
talk about so many different things. 

1.1 First Order Predicate Calculus: All the Logic We Have and All the Logic We Need

By logic I mean the ideas and notations comprising the classical first order
predicate calculus with equality (FOL for short). FOL is all the logic we have and
all the logic we need. It was certainly all the logic Gödel needed to present all of
general set theory, defining in the process the "higher order" notions of function, 
infinite cardinals and ordinals, and so on, in his classic monograph on the 
consistency of the axiom of choice and the continuum hypothesis with the other 
axioms of set theory [2]. Within FOL we are completely free to postulate, by 
formulating suitably axiomatized first order theories, whatever more exotic 
constructions we may wish to contemplate in our ontology, or to limit ourselves to 
more parsimonious means of inference than the full classical repertoire. The first 
order theory of combinators, for example, provides the semantics of the lambda 
abstraction notation, which is thus available as syntactic sugar for a deeper, first- 
order definable, conceptual device. Thus FOL can be used to set up, as first order 
theories, the many “other logics” such as modal logic, higher order logic, temporal 
logic, dynamic logic, concurrency logic, epistemic logic, nonmonotonic logic, 
relevance logic, linear logic, fuzzy logic, intuitionistic logic, causal logic, quantum 
logic; and so on and so on. The idea that FOL is just one among many "other
logics" is an unfortunate source of confusion and apparent complexity. The
"other logics" are simply notations reflecting syntactically sugared definitions of
notions or limitations which can be formalized within FOL. There are certain
universal reasoning patterns, based on the way that our minds actually work, and
these are captured in FOL. In any given use it is simply a matter of formulating
suitable axioms and definitions (as Gödel did in his monograph) which single out
the subject matter to be dealt with and provide the notions to deal with it. The 
whole sprawling modern landscape of computational logic is simply the result of 
using this one flexible, universal formal language FOL, in essentially the same 
way, to talk about a host of different subject matters. All those “other logics”, 
including higher-order logic, are thus theories formulated, like general set theory 
and indeed all of mathematics, within FOL. 

There are, of course, many different ways to present FOL. The sequent calculi, 
natural deduction systems, resolution-based clausal calculi, tableaux systems, 
Hilbert-style formulations, and so on, might make it seem that there are many
logics, instead of just one, but these differences are just a matter of style, 
convenience and perspicuity. 

2 Hilbert’s 1900 Address 

On this occasion it is natural to think of David Hilbert’s famous 1900 Paris 
address to the International Congress of Mathematicians [3]. When he looked 
ahead at the future of his field, he actually determined, at least partially, what that 
future would be. His list of twenty three leading open problems in mathematics 
focussed the profession’s attention and steered its efforts towards their solutions. 
Today, in wondering about the future of computational logic we have a much 
younger, and much more untidy and turbulent subject to deal with. It would be 
very surprising if we could identify a comparable set of neat open technical 
problems which would represent where computational logic should be trying to go 
next. We have no Hilbert to tell us what to do next (nor, these days, does 
mathematics). In any case computational logic is far less focussed than was 
mathematics in 1900. So instead of trying to come up with a Hilbertian list of 
open problems, we will do two things: first we will reflect on the historical 

developments which have brought computational logic this far, and then we will 
look at a representative sampling of opinion from leaders of the field, who kindly 
responded to an invitation to say what they thought the main areas of interest will, 
or should, be in its future. 

3 The Long Reign of the Syllogistic Logic 

In the long history of logic we can discern only one dominating idea before 1879, 
and it was due to Aristotle. People had certainly begun to reason verbally, before 
Aristotle, about many things, from physical nature, politics, and law to 
metaphysics and aesthetics. For example, we have a few written fragments, 
composed about 500 B.C, of an obviously detailed and carefully reasoned 
philosophical position by Parmenides. Such thinkers surely used logic, but if they
had any thoughts about logic, we now have no written record of their ideas. The 
first written logical ideas to have survived are those of Aristotle, who was active 
about 350 B.C. Aristotle’s analysis of the class of inference patterns known as 
syllogisms was the main, and indeed the only, logical paradigm for well over two 
millennia. It became a fundamental part of education and culture along with 
arithmetic and geometry. The syllogism is still alive in our own day, being a 
proper and valid part of basic logic. Valid forms of inference remain valid, just as 
2 plus 2 remains 4. However, the view that the syllogistic paradigm exhausts all 
possible logical forms of reasoning was finally abandoned in 1879, when it was 
subsumed by Frege’s vastly more general and powerful modern scheme. 

Before Frege, there had also been a few ingenious but (it seems today) hopeless 
attempts to automate deductive reasoning. Leibniz and Pascal saw that syllogistic 
analysis could be done by machines, analogous to the arithmetical machines which 
were feasible even in the limited technology of their time. Leibniz even dreamed 
of fully automatic deduction engines like those of today. Even now we have still 
not quite completed his dream - we cannot yet settle any and all disputes merely 
by powering up our laptops and saying to each other: calculemus. We still have 
to do the difficult job of formalizing the dispute as a proof problem in FOL. It 
may not be long, however, before computational conflict resolution turns out to be 
one more successful application of computational logic. 

As modern mathematics grew in sophistication, the limitations of the syllogistic 
framework became more and more obvious. From the eighteenth century onwards 
mathematicians were routinely making proofs whose deductive patterns fell 
outside the Aristotelian framework. Nineteenth-century logicians such as Boole, 
Schroeder, de Morgan, Jevons, and Peirce tried to expand the repertoire of logical
analysis accordingly, but with only partial success. As the end of the nineteenth 
century approached, it was clear that a satisfactory general logical theory was 
needed that would cover all possible logical inferences. Such a theory finally 
arrived, in 1879. 

4 Frege’s Thought Notation 

The new logic was Frege’s Begriffsschrift, alias (in a weird graphical notation)
FOL ([4], pp. 5 - 82). One can reasonably compare the historical significance of 
its arrival on the scientific scene with that of the integral and differential calculus. 
It opened up an entirely new world of possibilities by identifying and modelling 
the way the mind works when reasoning deductively. Frege’s German name for 
FOL means something like Thought Notation. 

Frege’s breakthrough was followed by fifty years of brilliant exploration of its
strengths and limitations by many mathematicians. The heroic efforts of Russell 
and Whitehead (following the lead of Peano, Dedekind, Cantor, Zermelo, and 
Frege himself) to express all of mathematics in the new notation showed that it 
could in principle be done. In the course of this investigation, new kinds of 
foundational problems appeared. The new logical tool had made it possible not 
only to detect and expose these foundational problems, but also to analyze them
and fix them. 

It soon became evident that the syntactic concepts comprising the notation for 
predicates and the rules governing inference forms needed to be supplemented by 
appropriate semantic ideas. Frege himself had discussed this, but not in a 
mathematically useful way. Russell’s theory of types was also an attempt to get at 
the basic semantic issues. The most natural, intuitive and fruitful approach turned 
out to be the axiomatization, in the predicate calculus notation, of the concept of a 
set. Once this was done the way was cleared for a proper semantic foundation to 
be given to FOL itself. The rigorous mathematical concept of an interpretation, 
and of the denotation of a formula within an interpretation, was introduced by 
Alfred Tarski, who thus completed, in 1929, the fundamentals of the semantics of 
FOL ([5], p. 277). From the beginning FOL had come with the syntactic 
property, ascribable to sentences, of being formally derivable. Now it was 
possible to add to it the semantic properties, ascribable to sentences, of being true 
(in a given interpretation) and logically true (true in all interpretations). The 
notion of logical consequence could now be defined by saying that a sentence S 
logically follows from a sentence P if there is no interpretation in which P is true 
and S is false. 

5 Completeness: Herbrand and Gödel

This now made it possible to raise the following fundamental question about FOL: 
is the following Completeness Theorem provable: for all sentences S and P, S is 
formally derivable from P if and only if S logically follows from P? 

The question was soon positively answered, independently, in their respective 
doctoral theses, by two graduate students. Kurt Gödel received his degree on
February 6, 1930 at the University of Vienna, aged 23, and Jacques Herbrand
received his at the Sorbonne on 11 June, 1930, aged 22 ([4], pp. 582 ff., and pp.
525 ff.). Today's graduate students can be forgiven for thinking of these giants of 
our field as wise old greybeards who made their discoveries only after decades of 
experience. In fact they had not been around very long, and were relatively 
inexperienced and new to FOL. 

The theorem is so important because the property of formal derivability is 
semidecidable: there is an algorithm by means of which, if a sentence S is in fact 
formally derivable from a sentence P, then this fact can be mechanically detected. 
Indeed, the detection procedure is usually organized in such a way that the 
detection consists of actually constructing a derivation of S from P. In other 
words, when looked at semantically, the syntactic detection algorithm becomes a 
proof procedure. 

Herbrand did not live to see the power of the completeness theorem exploited 
usefully in modern implementations. He was killed in a climbing accident on July 
27, 1931. 
Gödel, however, lived until 1978, well into the era in which the power of the
completeness theorem was widely displayed and appreciated. It is doubtful,
however, whether he paid any attention to this development. Already by 1931, his
interest had shifted to other areas of logic and mathematical foundations. After
stunning the mathematical (and philosophical) world in 1931 with his famous
incompleteness theorems ([4], pp. 592 ff.), he went off in yet another direction to
prove (within FOL) the consistency of the axiom of choice and the generalized
continuum hypothesis with each other and with the remaining axioms of set theory
([2]), leading to the later proof (by Paul Cohen) of their independence both from
each other and from the remaining axioms ([6]).

Interestingly, it was also Gödel and Herbrand who played a major role in the
computational part of computational logic. In the course of his proof of the
incompleteness theorems, Gödel introduced the first rigorous characterization of
computability, in his definition of the class of the primitive recursive functions. In 
1934 (reprinted in [7]) he broadened and completed his characterization of 
computability by defining the class of general recursive functions, following up a 
suggestion made to him by Herbrand in “a private communication”. 

6 Computation: Turing, Church, and von Neumann 

In this way Gödel and Herbrand not only readied FOL for action, but also opened
up the field of universal digital computation. Soon there were others. At the time
of the proof of the completeness theorem in 1930, the 18-year-old Alan Turing
was about to become a freshman mathematics student at Cambridge University.
Alonzo Church was already, at age 28, an instructor in the mathematics 
department at Princeton. John von Neumann had just emigrated, at age 27, to 
Princeton, where he was to spend the rest of his life. By 1936 these five had 
essentially laid the basis for the modern era of computing, as well as its intimate 
relationship with logic. 

Turing’s 1936 paper (reprinted in [7]) on Hilbert’s Decision Problem was crucial. 
Ostensibly it was yet another attempt to characterize with mathematical precision 
the concept of computability, which he needed to do in order to show that there is 
no fixed computation procedure by means of which every definite mathematical 
assertion can be decided (determined to be true or determined to be false). 

Alonzo Church independently reached the same result at essentially the same time, 
using his own quite different computational theory (reprinted in [7]) of lambda- 
definability. In either form, its significance for computational logic is that it 
proved the impossibility of a decision procedure for FOL. The semidecision 
procedure reflecting the deductive completeness of FOL is all there is, and we 
have to be content to work with that. 

Remarkable as this theoretical impossibility result was, the enormous practical 
significance of Turing’s paper came from a technical device he introduced into his 
argument. This device turned out to be the theoretical design of the modern 
universal digital computer. The concept of a Turing machine, and in particular of 
a universal Turing machine, which can simulate the behavior of any individual
Turing machine when supplied with a description of it, may well be the most 
important conceptual discovery of the entire twentieth century. Computability by 
the universal Turing machine became virtually overnight the criterion for absolute 
computability. Church’s own criterion, lambda-definability, was shown by 
Turing to be equivalent to Turing computability. Other notions (e.g., Kleene's
notion of deducibility in his equational-substitutional calculus, Post's notion of
derivability within a Post production system) were similarly shown to be
equivalent to Turing's notion. There was obviously a fundamental robustness
here in the basic concept of computability, which led Alonzo Church to postulate
that any function which was found to be effectively computable would in fact be
computable by a Turing machine ("Church's Thesis").

During the two years from 1936 to 1938 that Turing spent in Princeton, working 
on a Ph.D. with Church as supervisor, he and von Neumann became friends. In 
1938 von Neumann offered Turing a job as his assistant at the Institute for 
Advanced Study, and Turing might well have accepted the offer if it had not been 
for the threat of World War 2. Turing was summoned back to Britain to take part 
in the famous Bletchley Park code-breaking project, in which his role has since 
become legendary. 

Von Neumann had been enormously impressed by Turing’s universal machine 
concept and continued to ponder it even as his wide-ranging interests and national 
responsibilities in mathematics, physics and engineering occupied most of his 
attention and time. He was particularly concerned to improve computing 
technology, to support the increasingly more complex numerical computing tasks 
which were crucial in carrying out wartime weapons development. His 
knowledge of Turing’s idea was soon to take on great practical significance in the 
rapid development of the universal electronic digital computer throughout the 
1940s. He immediately saw the tremendous implications of the electronic digital 
computing technology being developed by Eckert and Mauchly at the University 
of Pennsylvania, and essentially assumed command of the project. This enabled 
him to see to it that Turing’s idea of completely universal computing was 
embodied in the earliest American computers in 1946. 

The work at Bletchley Park had also included the development of electronic 
digital computing technology, and it was used in devices designed for the special 
purposes of cryptography. Having been centrally involved in this engineering 
development, Turing came out of the war in 1945 ready and eager to design and 
build a full-fledged universal electronic digital computer based on his 1936 ideas, 
and to apply it to a wide variety of problems. One kind of problem which 
fascinated him was to write programs which would carry out intelligent reasoning 
and engage in interesting conversation. In 1950 he published his famous essay in 
the philosophical journal Mind discussing artificial intelligence and computing. In 
this essay he did not deal directly with automated deduction as such, but there can 
be little doubt that he was very much aware of the possibilities. He did not live to 
see computational logic take off. His death in 1954 occurred just as things were 
getting going. 
7 Computational Logic

In that very same year, 1954, Martin Davis (reprinted in [8]) carried out one of the 
earliest computational logic experiments by programming and running, on von 
Neumann’s Institute for Advanced Study computer in Princeton, Presburger’s 
Decision Procedure for the first order theory of integer addition. The computation 
ran only very slowly, as well it might, given the algorithm’s worse than 
exponential complexity. Davis later wryly commented that its great triumph was 
to prove that the sum of two even numbers is itself an even number. 

Martin Davis and others then began in earnest the serious computational 
applications of FOL. The computational significance of the Gödel-Herbrand
completeness theorem was tantalizingly clear to them. In 1955 a particularly 
attractive and elegant version of the basic proof procedure - the semantic tableau 
method - was described (independently) by Evert Beth [9] and Jaakko Hintikka 
[10]. I can still remember the strong impression made on me, as a graduate 
student in philosophy, when I first read their descriptions of this method. They 
pointed out the intimate relationship of the semantic or analytic tableau algorithm 
to the natural deductive framework of the sequent calculi pioneered in the mid- 
1930s by Gerhard Gentzen [11]. Especially vivid was the intuitive interpretation 
of a growing, ramifying semantic tableau as the on-going record of an organized 
systematic search, with the natural diagrammatic structure of a tree, for a 
counterexample to the universally quantified sentence written at the root of the 
tree. The closure of the tableau then signified the failure of the search for, and 
hence the impossibility of, such a counterexample. This diagrammatic record of 
the failed search (the closed tableau) itself literally becomes a proof, with each of 
its steps corresponding to an inference sanctioned by some sequent pattern in the 
Gentzen-style logic. One simply turns it upside-down and reads it from the tips 
back towards the root. A most elegant concept as well as a computationally 
powerful technique! 
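The search the paragraph above describes, as an added example that is not code from the paper: a propositional semantic tableau prover in the Beth/Hintikka style. It puts the signed formula "F is false" at the root, expands connectives, and either finds an open branch (which it returns as the counterexample assignment) or reports that every branch closed, in which case the closed tableau is the proof. The tuple encoding of formulas, the helper names and the test formulas are choices of this example, not the paper's.

```python
# Added example (not code from the paper): a propositional semantic tableau.
# A formula is a nested tuple:
#   ('var', 'p'), ('not', A), ('and', A, B), ('or', A, B), ('imp', A, B).
# To test whether F is valid we start from the signed formula F:false and
# search for a branch on which all signed literals can hold at once, i.e. a
# counterexample. If every branch closes, F is valid and the tree is a proof.

def var(p): return ('var', p)
def neg(a): return ('not', a)
def and_(a, b): return ('and', a, b)
def or_(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)

def expand(formula, value):
    """Tableau rules for one signed formula. Returns the alternative branch
    extensions: one list means the branch just grows, two lists mean it splits."""
    kind, a = formula[0], formula[1]
    b = formula[2] if len(formula) > 2 else None
    if kind == 'not':
        return [[(a, not value)]]
    if kind == 'and':
        return [[(a, True), (b, True)]] if value else [[(a, False)], [(b, False)]]
    if kind == 'or':
        return [[(a, True)], [(b, True)]] if value else [[(a, False), (b, False)]]
    if kind == 'imp':
        return [[(a, False)], [(b, True)]] if value else [[(a, True), (b, False)]]
    raise ValueError('unknown connective %r' % kind)

def open_branch(branch):
    """Depth-first search for an open branch. branch is a list of
    (formula, truth value) pairs. Returns an assignment dict that realises an
    open branch (a counterexample), or None if every branch below closes."""
    for i, (formula, value) in enumerate(branch):
        if formula[0] == 'var':
            continue                      # a literal: nothing left to expand
        rest = branch[:i] + branch[i + 1:]
        for extension in expand(formula, value):
            result = open_branch(rest + extension)
            if result is not None:
                return result             # an open sub-branch survives
        return None                       # every alternative closed
    # Only literals remain: the branch closes iff some atom is signed both ways.
    assignment = {}
    for (_, name), value in branch:
        if assignment.get(name, value) != value:
            return None
        assignment[name] = value
    return assignment

def counterexample(formula):
    """None if formula is valid (the tableau closed), else a falsifying assignment."""
    return open_branch([(formula, False)])

def is_valid(formula):
    return counterexample(formula) is None

if __name__ == '__main__':
    p, q = var('p'), var('q')
    peirce = imp(imp(imp(p, q), p), p)          # ((p -> q) -> p) -> p
    print('Peirce valid:', is_valid(peirce))                     # True
    print('p -> q counterexample:', counterexample(imp(p, q)))   # {'p': True, 'q': False}
```

Reading the result the way the text suggests: when `counterexample` returns None, every alternative produced by `expand` ended in a clash of signs, and the nesting of those alternatives, read from the leaves back to the root, is a Gentzen-style proof of the formula.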

8 Heuristics and Algorithms: The Dartmouth and Cornell 
Meetings 

In the 1950’s there occurred two meetings of major importance in the history of 
computational logic. The first was the 1956 Dartmouth conference on Artificial 
Intelligence, at which Herbert Simon and Allen Newell first described their 
heuristic theorem-proving work. Using the RAND Corporation’s von Neumann 
computer JOHNNIAC, they had programmed a heuristic search for proofs in the 
version of the propositional calculus formulated by Russell and Whitehead. This 
pioneering experiment in computational logic attracted wide attention as an 
attempt to reproduce computationally the actual human proof-seeking behavior of 
a person searching for a proof of a given formula in that system. In their 
published accounts (reprinted in [8], Volume 1) of this experiment they claimed 
that the only alternative algorithmic proof-seeking technique offered by logic was 
the so-called “British Museum” method of enumerating all possible proofs in the
hope that one would eventually turn up that proved the theorem being considered.
This was of course both unfair and unwise, for it simply advertised their lack of
knowledge of the proof procedures already developed by logicians. Hao Wang 
showed in 1960 how easy the search for these proofs became if one used a 
semantic tableau method (reprinted in [8], Volume 1, pp. 244-266). 

The other significant event was the 1957 Cornell Summer School in Logic. 
Martin Davis, Hilary Putnam, Paul Gilmore, Abraham Robinson and IBM’s 
Herbert Gelernter were among those attending. The latter gave a talk on his 
heuristic program for finding proofs of theorems in elementary geometry, in which 
he made use of ideas very similar to those of Simon and Newell. Abraham 
Robinson was provoked by Gelernter’s advocacy of heuristic, psychological
methods to give an extempore lecture (reprinted in [8], Volume 1) on the power of
logical methods in proof seeking, stressing the computational significance of
Herbrand’s version of the FOL completeness theorem and especially of the
technique of elimination of existential quantifiers by introducing Skolem function
symbols. One can see now how this talk in 1957 must have motivated Gilmore,
Davis and Putnam to write their Herbrand-based proof procedure programs. Their 
papers are reprinted in [8], Volume 1, and were based fundamentally on the idea 
of systematically enumerating the Herbrand Universe of a proposed theorem - 
namely, the (usually infinite) set of all terms constructible from the function 
symbols and individual constants which (after its Skolemization) the proposed 
theorem contained. This technique is actually the computational version of 
Herbrand’s so-called Property B method. It did not seem to be realized (as in 
retrospect it perhaps ought to have been) that this Property B method, involving a 
systematic enumeration of all possible instantiations over the Herbrand Universe, 
is really a version of the British Museum method so rightly derided by Simon and 
Newell. 

9 Combinatorial Explosions with Herbrand’s Property B 

These first implementations of the Herbrand FOL proof procedure thus revealed 
the importance of trying to do better than merely hoping for the best as the 
exhaustive enumeration forlornly ground on, or than guessing the instantiations 
that might be the crucial ones in terminating the process. In fact, Herbrand 
himself had already in 1930 shown how to avoid this enumerative procedure, in 
what he called the Property A method. The key to Herbrand’s Property A method 
is the idea of unification. 

Herbrand’s writing style in his doctoral thesis was not, to put it mildly, always 
clear. As a consequence, his exposition of the Property A method is hard to 
follow, and is in fact easily overlooked. At any rate, it seems to have attracted no 
attention except in retrospect, after the independent discovery of unification by 
Prawitz thirty years later. 

In retrospect, it is nevertheless quite astonishing that this beautiful, natural and 
powerful idea was not immediately taken up in the early 1930s by the 
theoreticians of first order logic. 
10 Prawitz’s Independent Rediscovery of Unification Ushers in Resolution

In 1960 an extraordinary thing happened. The Swedish logician Dag Prawitz 
independently rediscovered unification, the powerful secret which had been buried 
for 30 years in the obscurity of the Property A section of Herbrand’s thesis. This 
turned out to be an important moment in the history of computational logic. 
Ironically, Prawitz' paper (reprinted in [8], Volume 1) too was rather inaccessible. 
William Davidon, a physicist at Argonne, drew my attention to Prawitz’ paper in 
1962, two years after it had first appeared. I wish I had known about it sooner. It 
completely redirected my own increasingly frustrated efforts to improve the 
computational efficiency of the Davis-Putnam Herbrand Property B proof 
procedure. Once I had managed to recast the unification algorithm into a suitable 
form, I found a way to combine the Cut Rule with unification so as to produce a 
rule of inference of a new machine-oriented kind. It was machine-oriented 
because in order to obtain the much greater deductive power than had hitherto 
been the norm, it required much more computational effort to apply it than 
traditional human-oriented rules typically required. In writing this work up for 
publication, when I needed to think of a name for my new rule, I decided to call it 
"resolution", but at this distance in time I have forgotten why. This was in 1963. 
The resolution paper took more than another year to reach print, finally coming 
out in January 1965 (it is reprinted in [8], Volume 1). 

The trick of combining a known inference rule with unification can of course be 
applied to many other rules besides the cut rule. At Argonne, George Robinson 
and Larry Wos quickly saw this, and they applied it to the rule of Equality 
Substitution, producing another powerful new machine-oriented rule which they 
subsequently exploited with much success. They called their new rule 
"paramodulation". Their paper is reprinted in [8], Volume 2. It and resolution 
have been mainstays of the famous Argonne theorem provers, such as McCune's 
OTTER, ever since. See, for example, the 1991 survey ([12], pp. 297 ff.) by Larry 
Wos. 

After 1965 there ensued a somewhat frenetic period of exploration of what could 
now be done with the help of these new unification-based rules of inference. 
They were recognized as a big boost in the development of an efficient, practical 
automated deduction technology. People quite rapidly came up with ways to 
adapt them to other computational applications quite different from their original 
application, mechanical theorem-proving. 

11 Computational Logic in Edinburgh: The A.I. Wars

Some of my memories of this period are still vivid. In 1965 Bernard Meltzer 
spent a three-month study leave at Rice University, where I was then a member of
the Philosophy Department. Bernard rapidly assimilated the new resolution 
technique, and on his return to Edinburgh immediately organized a new research 
group which he called the Metamathematics Unit, with the aim of pursuing full-time
mechanical theorem-proving research. This turned out to be an important
event. Edinburgh was already making its mark in Artificial Intelligence. Donald 
Michie, Christopher Longuet-Higgins, and Rod Burstall, in addition to Bernard
Meltzer, were realigning their scientific careers in order to pursue AI full-time.
Over the next few years Bernard’s group became a lively, intense critical mass of 
graduate students who would go on to become leaders in computational logic:
Bob Kowalski, Pat Hayes, Frank Brown, Donald Kuehner, Bob Boyer, J Strother 
Moore. Next door, in Donald Michie’s Machine Intelligence group, were Gordon
Plotkin, David Warren, Maarten van Emden and John Darlington. I spent a
sabbatical year with these groups, from May 1967 to September 1968, and 
thereafter visited them for several extended study periods. Edinburgh was, at that 
time, the place to be. It was a time of great excitement and intellectual ferment. 
There was a pervasive feeling of optimism, of pioneering, of great things to come. 
We had fruitful visits from people in other AI centers: John McCarthy, Bert 
Raphael, Nils Nilsson, Cordell Green, Keith Clark, Carl Hewitt, Seymour Papert, 
Gerald Sussman. The last three were advocates of the MIT view (championed by 
Marvin Minsky) that computational logic was not at all the AI panacea some 
people thought it was. The MIT view was that the engineering of machine 
intelligence would have to be based on heuristic, procedural, associative 
organization of knowledge. The “logic” view (championed by John McCarthy) 
was that for AI purposes knowledge should be axiomatized declaratively using 
FOL, and mechanized thinking should consist of theorem-proving computation. 
This was, at that time, the view prevailing in Edinburgh and Stanford. The two 
opposing views gave rise to some stimulating debates with the MIT visitors. 

Cordell Green’s question-answering system in 1969 ([13], pp. 219 ff.) 
demonstrated the possibilities of intelligent deductive databases and automatic
robot planning using a resolution theorem prover as the reasoning engine. He 
showed how John McCarthy’s 1959 scheme of a deductive Advice Taker 
(reprinted in [14]) could be implemented. 

12 The Colmerauer-Kowalski Encounter 

The possibilities of resolution logic for computational linguistics were 
immediately seen by Alain Colmerauer, who had been working in Grenoble since 
1963 on parsing and syntactic analysis ([15]). By 1968 he was working for an 
Automatic Translation Project in Montreal, where he developed what later could 
be seen as a precursor of Prolog (the Q-systems formalism). Returning to France 
in 1970 he took up the theme of making deductions from texts instead of just 
parsing them, and began to study the resolution principle. This brought him into 
contact with Edinburgh’s Bob Kowalski, who had, in collaboration with Donald 
Kuehner ([16]), recently devised a beautiful refinement of resolution (SL- 
resolution) which permitted linear deductions and which could be implemented 
with great efficiency, as Boyer and Moore soon showed ([17], pp. 101 ff.) by the
first of their many programming masterpieces, the Edinburgh Structure-Sharing 
Linear Resolution Theorem Prover. 

The result of this Colmerauer-Kowalski encounter was the birth of Prolog and of
logic programming. Colmerauer’s colleague Philippe Roussel, following 
discussions with Boyer and Moore, designed the first modern Prolog interpreter 
using Boyer-Moore's shared data structures. Implemented in Fortran by Meloni 
and Battani, this version of Prolog was widely disseminated and subsequently 
improved, in Edinburgh, by David Warren. 

13 Computational Logic Officially Recognized: Prolog’s Spectacular Debut

By 1970 the feeling had grown that Bernard Meltzer’s Metamathematics Unit 
might be better named, considering what was going on under its auspices.
At the 1970 Machine Intelligence Workshop in Edinburgh, in a paper ([18], pp. 
63-72) discussing how to program unification more efficiently, I suggested that 
"computational logic" might be better than "theorem proving" as a description of 
the new field we all seemed now to be working in. By December 1971 Bernard 
had convinced the university administration to sign on to this renaming. From that 
date onwards, his official stationery bore the letterhead: University of Edinburgh: 
Department of Computational Logic. 

During the 1970s logic programming moved to the center of the stage of 
computational logic, thanks to the immediate applicability, availability, and 
attractiveness of the Marseille - Edinburgh Prolog implementation, and to Bob 
Kowalski’s eloquent and tireless advocacy of the new programming paradigm. In 
1977, I was present at the session of the Lisp and Functional Programming
Symposium in Rochester, New York, when David Warren awed a partisan 
audience of LISP devotees with his report of the efficiency of the Edinburgh 
Prolog system, compared with that of Lisp ([19]). A little later, in [20], Bob 
Kowalski spelled out the case for concluding that, as Prolog was showing in 
practice, the Horn clause version of resolution was the ideal programming 
instrument for all Artificial Intelligence research, in that it could be used to 
represent knowledge declaratively in a form that, without any modification, could 
then be run procedurally on the computer. Knowledge was both declarative and 
procedural at once: the “nothing buttery” of the contending factions in the Great 
A.I. War now could be seen as mere partisan fundamentalist fanaticism. 

14 The Fifth Generation Project 

These were stirring times indeed. In Japan, as the 1970s drew to a close, there 
were bold plans afoot which would soon startle the computing world. The 10-year 
Fifth Generation Project was three years (1979 to 1981) in the planning, and
formally began in April 1982. A compact retrospective summary of the project is 
given by Hidehiko Tanaka in his Chairman's message in [21]. It was a pleasant 
surprise to learn around 1980 that this major national research and development 
effort was to be a large-scale concerted attempt to advance the state of the art in 
computer technology by concentrating on knowledge information processing 
using Logic Programming as a central concept and technique. 

The decade of the 1980s was dominated by the Fifth Generation Project. It was
gratifying for the computational logic community to observe the startled response 
of the authorities in the United States and Europe to such an unexpectedly 
sophisticated and powerful challenge from a country which had hitherto tended to 
be viewed as a follower rather than a leader. One of the splendid features of the 
Fifth Generation Project was its wise and generous provision for worldwide 
cooperation and interaction between Japanese researchers and researchers from 
every country where logic programming was being studied and developed. 

In 1984 the first issue of The Journal of Logic Programming appeared. In the 
Editor’s Introduction I noted [22] that research activity in logic programming had 
grown rapidly since 1971, when the first Prolog system introduced the idea, and 
that a measure of the extent of this growth was the size of the comprehensive 
bibliography of logic programming compiled by Michael Poe of Digital 
Equipment Corporation, which contains over 700 entries. The substantial length 
of Poe’s bibliography in [22] was only one sign of the explosion of interest in 
logic programming. Another sign was the size and frequency of international 
conferences and workshops devoted to the subject, and the increasing number of 
people attending them from all over the world. It was inevitable that enthusiastic 
and in some respects overoptimistic expectations for the future of the new 
programming paradigm would eventually be followed by a more sober realism, 
not to say a backlash. 

15 The Aftermath: Pure Logic Programming not a Complete Panacea

There is no getting around the fact that a purely declarative programming 
language, with a purely evaluative deductive engine, lacks the capability for 
initiating and controlling events: what should happen, and where, when, and how. 
If there are no side effects, then there are no side effects, and that is that. This 
applies both to internal events in the steps of execution of the deduction or 
evaluation computation, and to external events in the outside world, at a minimum 
to the input and output of data, but (for example if the program is functioning as 
an operating system) to the control of many other external sensors and actuators 
besides. One wants to create and manipulate objects which have states. 

So although the pure declarative logic programming paradigm may be a thing of 
beauty and a joy forever, it is a practically useless engineering tool. To be useful, 
its means of expression must be augmented by imperative constructs which will 
permit the programmer to design, and oblige the computer to execute, happenings 
- side effects. 

There was a tendency (there still may be, but I am a little out of touch with the 
current climate of opinion on this) to deplore side effects, in the spirit of Edsger 
Dijkstra’s famous “GO TO considered harmful” letter to the Editor of the 
Communications of the ACM. There is no denying that one can get into a terrible 
mess by abusing imperative constructs, often creating (as Dijkstra wrote 
elsewhere) a “disgusting mass of undigested complexity” on even a single page of
code. The remedy, however, is surely not to banish imperative constructs from 
our programming languages, but to cultivate a discipline of programming which 
even when using imperative constructs will aim at avoiding errors and promoting 
intelligibility. 

So the Prolog which looked as if it might well sweep the computing world off its 
feet was not simply the pure embodiment of Horn clause resolution, but a 
professional engineering tool crucially incorporating a repertoire of imperative 
constructs: sequential execution of steps (namely a guaranteed order in which the 
subgoals would be tried), cut (for pruning the search on the fly), assert and retract 
(for changing the program during the computation) and (of course) read, print, and 
so on. 

Bob Kowalski’s equation ALGORITHM = LOGIC + CONTROL summarized 
the discipline of programming needed to exploit the new paradigm - strict 
separation of the declarative from the imperative aspects. One must learn how to 
keep the denotation (the presumably intended declarative meaning, as specified by 
the clauses) of a program fixed while purposefully varying the process by which it 
is computed (the pragmatic meaning, as specified by the sequence of the clauses 
and, within each clause, the sequence of the literals, together with the other 
imperative constructs). Versions of Prolog began to reflect this ideal strict 
separation, by offering the programmer the use of such features as modes and 
various other pragmatic comments and hints. 

16 Realism: Side Effects, Concurrency, Software Engineering

Others were less concerned with declarative purism and the holy grail of 
dispensing with all imperative organization of explicit control. In some sense they 
went to the opposite extreme and explored how far one could go by making the 
most intelligent use of the clausal formalism as a means of specifying 
computational events. 

Ehud Shapiro, Keith Clark, Kazunori Ueda and others followed this direction and 
showed how concurrency could be specified and controlled within the new idiom. 
If you are going into the business of programming a system whose purpose is to 
organize computations as complexes of interacting events evolving over time, you 
have to be able not only to describe the processes you want to have happen but 
also to start them going, maintain control over them once they are under way, and 
stop them when they have gone far enough, all the while controlling their 
interaction and communication with each other, and managing their consumption 
of system resources. An operating system is of course just such a system. It was 
therefore a triumph of the concurrent logic programming methodology when the 
Fifth Generation Project in 1992 successfully concluded a decade of work having 
designed, built and successfully run the operating system of the ICOT knowledge 
processing parallel computation system entirely in the Flat Guarded Horn Clause
programming language [21]. 

Much had been achieved technologically and scientifically at ICOT by 1994, 
when the project (which with a two-year extension had lasted twelve years) finally 
closed down, but there continued (and continues) to be a splendid spinoff in the 
form of a worldwide community of researchers and entrepreneurs who were drawn 
together by the ICOT adventure and remain linked by a common commitment to 
the future of logic programming. Type “logic programming” into the search 
window of a search engine. There emerges a cornucopia of links to websites all 
over the world dealing either academically or commercially (or sometimes both) 
with LP and its applications. 

17 Robbins’ Conjecture Proved by Argonne’s Theorem Prover

Although logic programming had occupied the center of the stage for fifteen years 
or so, the original motivation of pursuing improved automatic deduction 
techniques for the sake of proof discovery was still alive and well. In 1996 there 
occurred a significant and exciting event which highlighted this fact. Several 
groups have steadily continued to investigate the application of unification-based 
inference engines, term-rewriting systems, and proof-finding search strategies to 
the classic task of discovering proofs for mathematical theorems. Most notable 
among these has been the Argonne group under the leadership of Larry Wos. Wos 
has continued to lead Argonne’s tightly focussed quest for nontrivial machine- 
generated proofs for over thirty-five years. In 1984 his group was joined by 
William McCune, who quickly made his mark in the form of the highly successful 
theorem proving program OTTER, which enabled the Argonne group to undertake 
a large-scale pursuit of computing real mathematical proofs. The spirit of the 
Argonne program was similar to that of Woody Bledsoe, who at the University of 
Texas headed a research group devoted to automating the discovery of proofs in 
what Woody always referred to as “real” mathematics. At the symposium 
celebrating Woody’s seventieth birthday in November 1991 [12] Larry Wos 
reviewed the steady progress in machine proof-finding made with the help of 
McCune ’s OTTER, reporting that already copies of that program were at work in 
several other research centers in various parts of the world. Sadly, Woody did not 
live to relish the moment in 1996 when Argonne's project paid off brilliantly in the 
machine discovery of what was undoubtedly a “real” mathematical proof. 

The Argonne group's achievement is comparable with that of the program 
developed by the IBM Deep Blue group which famously defeated the world chess 
champion Kasparov. Both events demonstrated how systematic, nonhuman 
combinatorial search, if organized sufficiently cleverly and carried out at 
sufficiently high speeds, can rival even the best human performance based 
heuristically and associatively on expertise, intuition, and judgment. What the 
Argonne program did was to find a proof of the Robbins conjecture that a 
particular set of three equations is powerful enough to capture all of the laws of 
Boolean algebra. This conjecture had remained unproved since it was formulated
in the 1930s by Herbert Robbins at Harvard. It had been tackled, without success, 
by many “real” mathematicians, including Alfred Tarski. Argonne attacked the
problem with a new McCune-designed program EQP embodying a specialized 
form of unification in which the associative and commutative laws were 
integrated. After 20 hours of search on a SPARC 2 workstation, EQP found a 
proof. Robbins’ Conjecture may not be Fermat’s Last Theorem, but it is certainly 
“real” mathematics. Woody Bledsoe would have been delighted, as we all were, 
to see the description of this noteworthy success for computational logic written 
up prominently in the science section of the New York Times on December 10, 
1996. 

18 Proliferation of Computational Logic 

By now, logic programming had completed a quarter-century of fruitful scientific 
and technological ferment. The new programming paradigm, exploding in 1971 
following the original Marseille-Edinburgh interaction, had by now proliferated 
into an array of descendants. A diagram of this genesis would look like the 
cascade of elementary particle tracks in a high-energy physics experiment. We 
are now seeing a number of interesting and significant phenomena signalling this 
proliferation. 

The transition from calling our field “logic programming” to calling it 
“computational logic” is only one such signal. It was becoming obvious that the 
former phrase had come to mean a narrower interest within a broader framework 
of possible interests, each characterized by some sort of a connection between 
computing and logic. 

As we noted earlier, the statement of scope of the new ACM journal TOCL points 
out that the field of computational logic consists of all uses of logic in computer 
science. It goes on to list many of these explicitly: artificial intelligence; 

computational complexity; database systems; programming languages; automata 
and temporal logic; automated deduction; automated software verification; 
commonsense and nonmonotonic reasoning; constraint programming; finite model 
theory; complexity of logical theories; functional programming and lambda 
calculus; concurrency calculi and tools; inductive logic programming and 
machine learning; logical aspects of computational complexity; logical aspects of 
databases; logic programming; logics of uncertainty; modal logics, including 
dynamic and epistemic logics; model checking; program development; program 
specification; proof theory; term rewriting systems; type theory and logical 
frameworks. 

19 A Look at the Future: Some Challenges 

So the year 2000 marks a turning point. It is the closing of the opening eventful 
chapter in a story which is still developing. We all naturally wonder what will 
happen next. David Hilbert began his address to the International Congress of 
Mathematicians by asking: who of us would not be glad to lift the veil behind
which the future lies hidden; to cast a glance at the next advances of our science 
and at the secrets of its development during future centuries? The list of open 
problems he then posed was intended to - and certainly did - help to steer the 
course of mathematics over the next decades. Can we hope to come up with a list 
of problems to help shape the future of computational logic? The program 
committee for this conference thought that at least we ought to try, and its 
chairman John Lloyd therefore set up an informal email committee to come up 
with some ideas as to what the main themes and challenges are for computational 
logic in the new millennium. The following challenges are therefore mainly 
distilled from communications I have received over the past three months or so 
from members of this group: Krzysztof Apt, Marc Bezem, Maurice Bruynooghe,
Jacques Cohen, Alain Colmerauer, Veronica Dahl, Marc Denecker, Danny De 
Schreye, Pierre Flener, Koichi Furukawa, Gopal Gupta, Pat Hill, Michael Kifer, 
Bob Kowalski, Kung-Kiu Lau, Jean-Louis and Catherine Lassez, John Lloyd, Kim 
Marriott, Dale Miller, Jack Minker, Lee Naish, Catuscia Palamidessi, Alberto 
Pettorossi, Taisuke Sato, and Kazunori Ueda. My thanks to all of them. I hope 
they will forgive me for having added one or two thoughts of my own. Here are 
some of the challenges we think worth pondering. 

19.1 To Shed Further Light on the P = NP Problem 

The field of computational complexity provides today’s outstanding challenge to 
computational logic theorists. Steve Cook was originally led to formulate the P = 
NP problem by his analysis of the complexity of testing a finite set S of clauses for 
truth-functional satisfiability. This task certainly seems exponential: if S contains 
n distinct atoms and is unsatisfiable then every one of the 2^n combinations of truth
values must make all the clauses in S come out false simultaneously. All the ways 
we know of for checking S for satisfiability thus boil down to searching this set of 
combinations. So why are we still unable to prove what most people now
strongly believe, that this problem is exponentially complex? We not only want to 
know the answer to the problem, but we also want to understand why it is such a 
hard problem. 
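The search the paragraph describes, as an added example that is not from the paper: a satisfiability check for a finite clause set S done by exhaustive enumeration of the 2^n truth-value combinations, next to a DPLL procedure (unit propagation plus branching) from the Davis-Putnam family the paper mentioned earlier. The literal encoding and the two clause sets are constructed for the example.

```python
"""Propositional clause-set satisfiability two ways: exhaustive enumeration of
all 2^n truth-value combinations, and DPLL search with unit propagation.

Encoding (constructed for this example): a literal is a non-zero int, negative
for negation; a clause is a frozenset of literals; S is a list of clauses.
"""
from itertools import product


def atoms(clauses):
    return sorted({abs(lit) for c in clauses for lit in c})


def satisfied(clauses, assignment):
    # Atoms the search never had to decide are read as False.
    return all(any(assignment.get(abs(lit), False) == (lit > 0) for lit in c)
               for c in clauses)


def brute_force(clauses):
    """Enumerate every combination. Returns (model or None, combinations tried);
    an unsatisfiable S forces all 2^n of them to be tried."""
    names = atoms(clauses)
    tried = 0
    for values in product([False, True], repeat=len(names)):
        tried += 1
        assignment = dict(zip(names, values))
        if satisfied(clauses, assignment):
            return assignment, tried
    return None, tried


def assign(clauses, lit):
    # Make lit true: satisfied clauses disappear, -lit drops out of the rest.
    # A clause emptied this way is a contradiction, signalled by None.
    reduced = []
    for c in clauses:
        if lit in c:
            continue
        c = c - {-lit}
        if not c:
            return None
        reduced.append(c)
    return reduced


def dpll(clauses, assignment=None, stats=None):
    """Davis-Putnam-Logemann-Loveland search. Returns (model or None, number
    of branching decisions made along the way)."""
    assignment = dict(assignment or {})
    stats = stats if stats is not None else {"branches": 0}
    clauses = list(clauses)
    while True:                                    # unit propagation
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        (lit,) = unit
        assignment[abs(lit)] = lit > 0
        clauses = assign(clauses, lit)
        if clauses is None:
            return None, stats["branches"]
    if not clauses:
        return assignment, stats["branches"]
    stats["branches"] += 1
    lit = min(clauses[0], key=abs)                # deterministic choice
    for choice in (lit, -lit):
        reduced = assign(clauses, choice)
        if reduced is None:
            continue
        model, _ = dpll(reduced, {**assignment, abs(choice): choice > 0}, stats)
        if model is not None:
            return model, stats["branches"]
    return None, stats["branches"]


# Constructed examples.
SAT_EXAMPLE = [frozenset(c) for c in ({1, 2}, {-1, 3}, {-2, -3})]
# The chain 1 -> 2 -> ... -> 10 together with 1 and not-10: unsatisfiable.
UNSAT_CHAIN = ([frozenset({1})]
               + [frozenset({-i, i + 1}) for i in range(1, 10)]
               + [frozenset({-10})])

if __name__ == "__main__":
    print(brute_force(UNSAT_CHAIN))  # (None, 1024): every combination tried
    print(dpll(UNSAT_CHAIN))         # (None, 0): refuted by propagation alone
```

On the unsatisfiable chain, enumeration has to try all 1024 combinations while unit propagation alone refutes it without a single branch. That does not escape the exponential: other unsatisfiable families make DPLL branch exponentially too, and the challenge is to prove that no procedure can avoid this.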

This challenge was only one of several which call for an explanation of one or 
another puzzling fact. The next one is another. 

19.2 To Explain the Intelligibility/Efficiency Trade-off 

This trade-off is familiar to all programmers and certainly to all logic 
programmers. Why is it that the easier a program is to understand, the less 
efficient it tends to be? Conversely, why do more computationally efficient 
programs tend to be more difficult to reason about? It is this curious 
epistemological reciprocity which forces us to develop techniques for program 
transformations, program verification, and program synthesis. It is as though there 
is a deep mismatch between our brains and our computing devices. One of the big 
advantages claimed for logic programming - and more generally for declarative 
programming - is the natural intelligibility of programs which are essentially just 
declarations - sets of mutually recursive definitions of predicates and functions. 
But then we have to face the fact that "naive" programs written in this way almost 
always need to be drastically reformulated so as to be made computationally 
efficient. In the transformation they almost always become more obscure. This is 
a price we have become used to paying. But why should we have to pay this 
price? It surely must have something to do with the peculiar constraints under 
which the human mind is forced to work, as well as with objective considerations 
of the logical structure and organization of the algorithms and data structures. An 
explanation, if we ever find one, will presumably therefore have to be partly 
psychological, partly physiological, partly logical. 

The nature of our brains, entailing the constraints under which we are forced to 
perceive and think about complex structures and systems, similarly raises the next 
challenge. 

19.3 To Explain Why Imperative Constructs are Harmful to a Program’s Intelligibility

This is obviously related to the previous challenge. It has become the 
conventional wisdom that imperative programming constructs are at best an 
unpleasant necessity. We are supposed to believe that while we apparently can’t
do without them, they are a deplorable source of confusion and unintelligibility in 
our programs. In Prolog the notorious CUT construct is deployed masterfully by 
virtuoso logic programmers but regretted by those who value the elegance and 
clarity of "pure" Prolog. Why? The sequential flow of control is counted on by 
programmers to obtain the effects they want. If these features are indispensable to
writing effective programs, in practice, then why does our theory, not to say our 
ideology, treat them as pariahs? This is a kind of intellectual hypocrisy. It may
well be that imperative constructs are dangerous, but we are acting as though it is 
impossible that our programming methodology should ever be able to manage 
them safely. If true, this is extremely important, but it has to be proved rather than 
just assumed. The same issue arises, of course, in the case of functional 
programming. "Pure" declarativeness of a program is promoted as an ideal 
stylistic desideratum but (as, e.g., in classical Lisp) hardly ever a feature of 
practical programs. The imperative features of "real" Lisp are in practice 
indispensable. The dominance of unashamedly imperative languages like C, C++,
and Java in the "outside world" is rooted in their frank acceptance of the 
imperative facts of computational life. But this is precisely what earns them the 
scorn of the declarative purists. Surely this is an absurd situation. It is long 
overdue to put this issue to rest and to reconcile lofty but unrealistic ideals with 
the realities of actual software engineering practice. 

A similar issue arises within logic itself, quite apart from computation. If logic is 
to be a satisfactory science of reasoning, then it must face the following challenge. 

19.4 To Explain the (Informal, Intuitive) / (Formal, Rigorous) Trade-off in Proofs

Why is it that intuitive, easy-to-understand proofs tend to become more complex, 
less intelligible and less intuitive, when they are formalized in order to make them 
more rigorous? This is suspiciously like the trade-offs in the previous three 
challenges. What, anyway, is rigor? What is intuition? These concepts are 
epistemological rather than logical. We all experience this trade-off in our 
everyday logical experience, but we lack an explanation for it. It is just something 
we put up with, but at present it is a mystery. If logic cannot explain it, then logic 
is lacking something important. 

The prominence of constraint logic programming in current research raises the 
following challenge. 

19.5 To Understand the Limits of Extending Constraint Logic Programming

As constraint solving is extended to even richer domains, there is a need to know 
how far automatic methods of constraint satisfaction can in fact feasibly be 
extended. It would appear that directed combinatorial search is at the bottom of 
most constraint solution techniques, just as it is in the case of systematic proof 
procedures. There must then be ultimate practical limits imposed on constraint- 
solving searches by sheer computational complexity. It would certainly seem to 
be so in the classic cases, for example, of Boolean satisfiability, or the Travelling 
Salesman Problem. The concept of constraint logic programming is open-ended 
and embarrassingly general. The basic problem is simply to find, or construct, an 
entity X which satisfies a given property P. Almost any problem can be thrown 
into this form. For example the writing of a program to meet given specifications 
fits this description. So does dividing one number Y by another number Z: it 
solves the problem to find a number R such that R = Y/Z. So does composing a 
fugue for four voices using a given theme. 

It is illuminating, as a background to this challenge, to recall the stages by which 
the increasingly rich versions of constraint logic programming emerged 
historically. Alain Colmerauer’s reformulation of unification for Prolog II 
originally led him to consider constraint programming [15]. Just as had Herbrand
in 1930, and Prawitz in 1960, Colmerauer in 1980 saw unification itself as a 
constraint problem, of satisfying a system of equations in a domain of terms. 
After loosening the constraints to permit cyclic (infinite) terms as solutions of 
equations like x = f(x), which had the virtue of eliminating the need for an occur 
check, he also admitted inequations as well as equations. It became clear that 
unification was just a special case of the general concept of constraint solving in a 
given domain with given operations and relations, which led him to explore 
constraint solving in richer domains. Prolog III could also handle two-valued 
Boolean algebra and a numerical domain, involving equations, inequalities and 
infinite precision arithmetical operations. Thus logic programming morphed by 
stages into the more general process of finding a satisfying assignment of values to 
a set of unknowns subjected to a constraint (i.e., a sentence) involving operations
and relations defined over a given domain. The computer solves the constraint by 
finding or somehow computing values which, when assigned to its free variables, 
make it come out true. Later in the 1980s Joxan Jaffar and Jean-Louis Lassez 
further elaborated these ideas, thus deliberately moving logic programming into 
the general area of mathematical programming which had formed the heart of 
Operations Research since the 1940s. Constraint solving of course is an even 
older mathematical idea, going back to the classical methods of Gauss and 
Fourier, and to Lagrange, Bernoulli and the calculus of variations. In its most 
general form it is extremely ancient: it is nothing other than the fundamental 
activity of mathematics itself: to write down an open sentence of some kind, and 
then to find the values of its free variables, if any, which make it true. 

In summary: the challenge is to pull together all the diversity within the general 
notion of constraint satisfaction programming, and to try to develop a unified 
theory to support, if possible, a single formalism in which to formulate all such 
problems and a single implementation in which to compute the solutions to the 
solvable ones. 

It has not escaped the notice of most people in our field that despite our better 
mousetrap the world has not yet beaten a path to our door. We are challenged not 
just to try to make our mousetrap even better but to find ways of convincing 
outsiders. We need applications of existing LP and CLP technology which will 
attract the attention and enthusiasm of the wider computing world. Lisp has had 
an opportunity to do this, and it too has fallen short of perhaps over-hyped 
expectations of wide adoption. Logic programming still has vast unrealized 
potential as a universal programming tool. The challenge is to apply it to real 
problems in ways that outdo the alternatives. 

Kazunori Ueda and Catuscia Palamidessi both stress the importance of Concurrent 
Constraint Programming. Catuscia maintains that concurrency itself poses a 
fundamental challenge, whether or not it is linked to constraint programming. She 
even suggests that the notion of concurrent computation may require an extension 
or a reformulation of the theory of computability, although she notes that this 
challenge is of course not specific to computational logic. It is interesting to note 
that the early computing models of Turing and Post avoided the issue of 
concurrency entirely. 

19.6 To Find New Killer Applications for LP 

This challenge has always been with us and will always be with us. In general, 
advances and evolution in the methodology and paradigms of logic programming 
have repeatedly been stimulated and driven by demands imposed by applications. 
The first such application was the parsing of natural languages (Alain Colmerauer 
and Veronica Dahl both say this is still the most natural LP application). Future 
applications to natural language processing could well be killers. Jack Minker 
points out that the deductive retrieval of information from databases was one of 
the earliest applications and today still has an enormous unrealized potential. 
Following the example of Burstall and Darlington in functional programming, 
Ehud Shapiro and others soon demonstrated the elegance and power of the 
paradigm in the specification, synthesis, transformation, debugging and 
verification of logic programs. Software engineering is a hugely promising 
application area. Kung-Kiu Lau and Dale Miller emphasize the need for software 
engineering applications dealing with programming in the large - the high level 
organization of modules in ways suitable for re-use and component-based 
assembly by users other than the original composers. 

Shapiro, Clark, Ueda and others then opened up the treatment of concurrency, 
shedding new light on the logic of message-passing and the nature of parallel 
processes through the remarkable properties of partial binding of logic variables. 
Shapiro and Takeuchi showed how the LP paradigm could embody the object- 
oriented programming style, and of course LP came to the fore in the 
representation of knowledge in the programming and control of robots and in 
other artificial intelligence systems. Already there are signs of further 
development in the direction of parallel and high-performance computing, 
distributed and network computing, and real-time and mobile computing. The 
challenge is to anticipate and stay ahead of these potential killer applications by 
enriching the presentation of the basic LP methodology to facilitate the efficient 
and smooth building-in of suitable special concepts and processes to deal with 
them. This may well (as it has in the past) call for the design of special purpose 
languages and systems, each tailored to a specific class of applications. Whatever 
form it takes, the challenge is to demonstrate the power of LP by actual examples, 
not just to expound its virtues in the abstract. 

Examples of killer applications will help, but it is better to teach people to fish for 
themselves rather than simply to throw them an occasional salmon or halibut. The 
challenge is to provide the world with an irresistibly superior set of programming 
tools and accompanying methodology, which will naturally replace the existing 
status quo. 

19.7 To Enhance and Propagate the Declarative Programming Paradigm 

Major potential growth areas within CL include the development of higher order 
logic programming. Higher order logic has already been applied (by Peter 
Andrews and Dale Miller, for example) to the development of higher order 
theorem provers. The functional programming community has for years been 
preaching and illustrating the conceptual power of higher order notions in writing 
elegantly concise programs and making possible the construction and 
encapsulation of large, high level computational modules. The consequences for 
software engineering are many, but as yet the software engineers, even the more 
theoretically inclined among them, have not responded to these attractions by 
adopting the higher-order paradigm and incorporating it into their professional 
repertoire. 

The computational logic community should feel challenged to carry out the 
necessary missionary work here too, as well as to develop the necessary 
programming tools and technical infrastructure. Dale Miller points out that 
mechanical theorem provers for higher order logics have already been successfully 
applied experimentally in many areas including hardware verification and 
synthesis; verification of security and communications protocols; software 
verification, transformation and refinement; compiler construction; and 
concurrency. The higher order logics used to reason about these problems and the 
underlying theorem prover technology that support them are also active areas of 
research. Higher order logic is however still a relatively esoteric corner of 
computational logic. Its conceptual basis has perhaps been unduly obscured in the 
past by an over-formal theoretical approach and by unnecessarily metaphysical 
conceptual foundations. The computational formalisms based on the elegant 
Martin-Löf theory of types are not yet ready to be launched on an industrial scale. 
It is a challenge to bring higher order methods and ideas down to earth, and to 
demonstrate to the computing world at large that the rewards are great and the 
intellectual cost is reasonable. Lambda-calculus computing has a simple 
operational rationale based on an equality logic of term rewriting. Its essential 
idea is that of the normalization of a given expression. Namely, a directed search 
is made for an equivalent expression which is in a form suitable as an answer. 
This process is also thought of as evaluation of the given expression. Under 
suitable patterns of rewriting (e.g., by so-called lazy evaluation) a successful 
search for a normal form is guaranteed to succeed if a normal form exists. In 
constraint satisfaction the essential idea is instantiation of a given expression: a 
directed search is made for an instance which is in a form suitable as an answer 
(e.g., if the given expression is a sentence, then the instance should be true). Both 
these ideas are simple yet powerful, and are extremely suitable as the basis for a 
pedagogical account of high level computation. 

It has been a source of weakness in logic programming that there have been two 
major paradigms needlessly pitted against each other, competing in the same 
marketplace of ideas. The challenge is to end the segregation and merge the two. 
There is in any case, at bottom, only one idea. So our final challenge is the 
following one. 

19.8 To Integrate Functional Programming with Logic Programming 

These are two only superficially different dialects of computational logic. It is 
inexplicable that the two idioms have been kept apart for so long within the 
computational logic repertory. We need a single programming language in which 
both kinds of programming are possible and can be used in combination with each 
other. There have been a number of attempts to devise programming formalisms 
which integrate the two. None have so far been taken up seriously by users. This 
may well be because the systems offered so far have been only experimental and 
tentative. Some experiments have grafted evaluation on to a logic programming 
host, as for example, in the form of the limited arithmetical expressions allowed in 
Prolog. Others have grafted constraint satisfying onto a functional programming 
host in the form of the "setof" construct. More recently there have been attempts 
to subsume both idioms within a unified system based on term rewriting, for 
example, Michael Hanus's integrated functional logic programming language 
Curry [25], the Vesper formalism of Robinson and Barklund (in [23]), the Escher 
system of Lloyd (in [23]) and the Alma system of Apt and Bezem [24]. These 
unified systems have hitherto been mere experiments, and have attracted few if 
any actual users. The system of Hanus is the currently most promising one. May 
its momentum increase and its user community thrive. The challenge is to create a 
usable unified public LP language which will attract every kind of user by its 
obvious superiority over the alternatives. 

Those are only some of the challenges which await us. 

20 Hilbert Has the Last Word 

Hilbert’s ending for his 1900 address was a stirring declaration of faith in the 
continuing unity of his field. If we substitute "computational logic" for 
"mathematics", what he said on that occasion becomes exactly what we should be 
telling ourselves now. So let us borrow and re-use his words to end this address 
on a similar note. 

The problems mentioned are merely samples of problems, yet they will 
suffice to show how rich, how manifold and how extensive the 
[computational logic] of today is, and the question is urged upon us 
whether [computational logic] is doomed to the fate of those other 
sciences that have split up into separate branches, whose representatives 
scarcely understand one another and whose connection becomes ever 
more loose. I do not believe this nor wish it. [Computational logic] is in 
my opinion an indivisible whole, an organism whose vitality is 
conditioned upon the connection of its parts. For ... we are still clearly 
conscious of the similarity of the logical devices, the relationship of the 
ideas in [computational logic] as a whole and the numerous analogies in 
its different departments. ... So it happens that, with the extension of 
[computational logic], its organic character is not lost but only manifests 
itself the more clearly. But, we ask, with the extension of 
[computational logic] will it not finally become impossible for the single 
investigator to embrace all departments of this knowledge? In answer 
let me point out how thoroughly it is ingrained in [computational logic] 
that every real advance goes hand in hand with the invention of sharper 
tools and simpler methods which at the same time assist in understanding 
earlier theories and cast aside older more complicated developments. ... 

The organic unity of [computational logic] is inherent in the nature of 
this science .... That it may completely fulfil [its] high mission, may the 
new century bring it gifted masters and many zealous and enthusiastic 
disciples! 
Abstract. Inductive logic programming (ILP) is built on a foundation 
laid by research in other areas of computational logic. But in spite of this 
strong foundation, at 10 years of age ILP now faces a number of new chal- 
lenges brought on by exciting application opportunities. The purpose of 
this paper is to interest researchers from other areas of computational 
logic in contributing their special skill sets to help ILP meet these chal- 
lenges. The paper presents five future research directions for ILP and 
points to initial approaches or results where they exist. It is hoped that 
the paper will motivate researchers from throughout computational logic 
to invest some time into “doing” ILP. 



1 Introduction 

Inductive Logic Programming has its foundations in computational logic, includ- 
ing logic programming, knowledge representation and reasoning, and automated 
theorem proving. These foundations go well beyond the obvious basis in definite 
clause logic and SLD-resolution. In addition ILP has heavily utilized such 
theoretical results from computational logic as Lee’s Subsumption Theorem, 
Gottlob’s Lemma linking implication and subsumption, Marcinkowski and 
Pacholski’s result on the undecidability of implication between definite clauses, 
and many others. In addition to utilizing such theoretical results, ILP de- 
pends crucially on important advances in logic programming implementations. 
For example, many of the applications summarized in the next brief section 
were possible only because of fast deductive inference based on indexing, par- 
tial compilation, etc. as embodied in the best current Prolog implementations. 
Furthermore, research in computational logic has yielded numerous important 
lessons about the art of knowledge representation in logic that have formed the 
basis for applications. Just as one example, definite clause grammars are cen- 
tral to several ILP applications within both natural language processing and 
bioinformatics. 

ILP researchers fully appreciate the debt we owe to the rest of computational 
logic, and we are grateful for the foundation that computational logic has pro- 
vided. Nevertheless, the goal of this paper is not merely to express gratitude, but 
also to point to the present and future needs of ILP research. More specifically, 
the goal is to lay out future directions for ILP research and to attract researchers 
from the various other areas of computational logic to contribute their unique 
skill sets to some of the challenges that ILP now faces.^1 In order to discuss these 
new challenges, it is necessary to first briefly survey some of the most challenging 
application domains of the future. Section 2 provides such a review. Based on 
this review, Section 3 details five important research directions and concomitant 
challenges for ILP, and Section 4 tries to “close the sale” in terms of attracting 
new researchers. 



2 A Brief Review of Some Application Areas 



One of the most important application domains for machine learning in general 
is bioinformatics, broadly interpreted. This domain is particularly attractive for 
(1) its obvious importance to society, and (2) the plethora of large and growing 
data sets. Data sets obviously include the newly completed and available DNA se- 
quences for C. elegans (nematode), Drosophila (fruitfly), and (depending on one’s 
definitions of “completed” and “available”) man. But other data sets include 
gene expression data (recording the degree to which various genes are expressed 
as protein in a tissue sample), bio-activity data on potential drug molecules, 
x-ray crystallography and NMR data on protein structure, and many others. 
Bioinformatics has been a particularly strong application area for ILP, dating 
back to the start of Stephen Muggleton’s collaborations with Mike Sternberg 
and Ross King. Application areas include protein structure prediction, 
mutagenicity prediction, and pharmacophore discovery (discov- 
ery of a 3D substructure responsible for drug activity that can be used to guide 
the search for new drugs with similar activity). ILP is particularly well-suited 
for bioinformatics tasks because of its abilities to take into account background 
knowledge and structured data and to produce human-comprehensible results. 
For example, the following is a potential pharmacophore for ACE inhibition (a 
form of hypertension medication), where the spatial relationships are described 
through pairwise distances:^2 



Molecule A is an ACE inhibitor if: 
  molecule A contains a zinc binding site B, and 
  molecule A contains a hydrogen acceptor C, and 
  the distance between B and C is 7.9 +/- .75 Angstroms, and 
  molecule A contains a hydrogen acceptor D, and 
  the distance between B and D is 8.5 +/- .75 Angstroms, and 
  the distance between C and D is 2.1 +/- .75 Angstroms, and 
  molecule A contains a hydrogen acceptor E, and 
  the distance between B and E is 4.9 +/- .75 Angstroms, and 
  the distance between C and E is 3.1 +/- .75 Angstroms, and 
  the distance between D and E is 3.8 +/- .75 Angstroms. 

^1 Not to put too fine a point on the matter, this paper contains unapologetic 
proselytizing. 

^2 Hydrogen acceptors are atoms with a weak negative charge. Ordinarily, zinc-binding 
would be irrelevant; it is relevant here because ACE is one of several proteins in 
the body that typically contains an associated zinc ion. This is an automatically 
generated translation of an ILP-generated clause. 

Fig. 1. ACE inhibitor number 1 with highlighted 4-point pharmacophore. 

Figures 1 and 2 show two different ACE inhibitors with the parts of pharma- 
cophore highlighted and labeled. 
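The ILP-generated pharmacophore clause quoted above, re-expressed as a search over a molecule's labelled sites. This is an added illustration, not code from the paper: the site-type labels and the molecule coordinates are constructed, and C, D and E are assumed to be distinct acceptors (the non-zero distance constraints exclude coincident atoms anyway).

```python
"""Matching a molecule against the 4-point ACE-inhibitor pharmacophore quoted
above. Added illustration, not code from the paper: the translated ILP clause
is re-expressed as a search over a molecule's labelled sites, and the
molecules below are constructed with made-up coordinates."""
from itertools import permutations
from math import dist

TOLERANCE = 0.75  # Angstroms, the "+/- .75" of the clause

# Required pairwise distances (Angstroms) between the clause's role letters:
# B is the zinc binding site, C, D and E are hydrogen acceptors.
PHARMACOPHORE = {
    ("B", "C"): 7.9, ("B", "D"): 8.5, ("C", "D"): 2.1,
    ("B", "E"): 4.9, ("C", "E"): 3.1, ("D", "E"): 3.8,
}


def within(actual, required, tol=TOLERANCE):
    """The clause's interval test: |actual - required| <= tol."""
    return abs(actual - required) <= tol


def match_pharmacophore(molecule):
    """Return a binding {role: site_id} satisfying every distance constraint,
    or None if the clause does not cover the molecule.

    molecule is a list of (site_id, site_type, (x, y, z)) tuples, with site_type
    either "zinc_binding_site" or "hydrogen_acceptor" (constructed labels)."""
    zincs = [(sid, xyz) for sid, kind, xyz in molecule if kind == "zinc_binding_site"]
    acceptors = [(sid, xyz) for sid, kind, xyz in molecule if kind == "hydrogen_acceptor"]
    for b_id, b in zincs:
        # C, D, E are three distinct acceptors; the order matters because each
        # role has its own required distances, hence permutations, not combinations.
        for (c_id, c), (d_id, d), (e_id, e) in permutations(acceptors, 3):
            coords = {"B": b, "C": c, "D": d, "E": e}
            if all(within(dist(coords[p], coords[q]), req)
                   for (p, q), req in PHARMACOPHORE.items()):
                return {"B": b_id, "C": c_id, "D": d_id, "E": e_id}
    return None


# Constructed molecule: coordinates chosen so that o1, o2, o3 satisfy the clause
# together with zn1, while o4 is a decoy acceptor too far away to take part.
COVERED = [
    ("zn1", "zinc_binding_site", (0.0, 0.0, 0.0)),
    ("o1", "hydrogen_acceptor", (7.9, 0.0, 0.0)),
    ("o2", "hydrogen_acceptor", (8.2, 2.1, 0.0)),
    ("o3", "hydrogen_acceptor", (4.9, 0.4, 0.5)),
    ("o4", "hydrogen_acceptor", (20.0, 0.0, 0.0)),
]

# Same acceptor geometry but no zinc binding site: the clause cannot fire.
NOT_COVERED = [site for site in COVERED if site[1] != "zinc_binding_site"]

if __name__ == "__main__":
    print(match_pharmacophore(COVERED))      # {'B': 'zn1', 'C': 'o1', 'D': 'o2', 'E': 'o3'}
    print(match_pharmacophore(NOT_COVERED))  # None
```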

A very different type of domain for machine learning is natural language pro- 
cessing (NLP). This domain also includes a wide variety of tasks such as part-of- 
speech tagging, grammar learning, information retrieval, and information extrac- 
tion. Arguably, natural language translation (at least, very rough-cut transla- 
tion) is now a reality — witness for example the widespread use of Altavista’s Ba- 
belfish. Machine learning techniques are aiding in the construction of information 
extraction engines that fill database entries from document abstracts 
and from web pages (e.g., WhizBang! Labs, http://www.whizbanglabs.com). 
NLP became a major application focus for ILP in particular with the ESPRIT 
project ILP2. Indeed, as early as 1998 the majority of the application papers at 
the ILP conference were on NLP tasks. 

A third popular and challenging application area for machine learning is 
knowledge discovery from large databases with rich data formats, which might 
contain for example satellite images, audio recordings, movie files, etc. While 
Dzeroski has shown how ILP applies very naturally to knowledge discovery from 
ordinary relational databases, advances are needed to deal with multimedia 
databases. 

ILP has advantages over other machine learning techniques for all of the 
preceding application areas. Nevertheless, these and other potential applications 
also highlight the following shortcomings of present ILP technology. 
Fig. 2. ACE inhibitor number 2 with highlighted 4-point pharmacophore. 

— Other techniques such as hidden Markov models, Bayes Nets and Dynamic 
Bayes Nets, and bigrams and trigrams can expressly represent the probabil- 
ities inherent in tasks such as part-of-speech tagging, alignment of proteins, 
robot maneuvering, etc. Few ILP systems are capable of representing or 
processing probabilities.^3 

— ILP systems have higher time and space requirements than other machine 
learning systems, making it difficult to apply them to large data sets. Alter- 
native approaches such as stochastic search and parallel processing need to 
be explored. 

— ILP works well when data and background knowledge are cleanly expressible 
in first-order logic. But what can be done when databases contain images, 
audio, movies, etc.? ILP needs to learn lessons from constraint logic program- 
ming regarding the incorporation of special-purpose techniques for handling 
special data formats. 

— In scientific knowledge discovery, for example in the domain of bioinformat- 
ics, it would be beneficial if ILP systems could collaborate with scientists 
rather than merely running in batch mode. If ILP does not take this step, 
other forms of collaborative scientific assistants will be developed, supplant- 
ing ILP’s position within these domains. 

^3 It should be noted that Stephen Muggleton and James Cussens have been pushing 
for more attention to probabilities in ILP. Stephen Muggleton initiated this direction 
with an invited talk at ILP’95 and James Cussens has a recently-awarded British 
EPSRC project along these lines. Nevertheless, little attention has been paid to this 
shortcoming by other ILP researchers, myself included. 
In light of application domains and the issues they raise, the remainder of 
this paper discusses five directions for future research in ILP. Many of these 
directions require fresh insights from other areas of computational logic. The 
author’s hope is that this discussion will prompt researchers from other areas to 
begin to explore ILP.^4 

3 Five Directions for ILP Research 

Undoubtedly there are more than five important directions for ILP research. But 
five directions stand out clearly at this point in time. They stand out not only 
in the application areas just mentioned, but also when examining current trends 
in AI research generally. These areas are 

— Incorporating explicit probabilities into ILP, 

— Stochastic search, 

— Building special-purpose reasoners into ILP, 

— Enhancing human-computer interaction to make ILP systems true collabo- 
rators with human experts, 

— Parallel execution using commodity components. 

Each of these research directions can contribute substantially to the future 
widespread success of ILP. And each of these directions could benefit greatly 
from the expertise of researchers from other areas of computational logic. This 
section discusses these five research directions in greater detail. 



3.1 Probabilistic Inference: ILP and Bayes Nets 

Bayesian Networks have largely supplanted traditional rule-based expert sys- 
tems. Why? Because in task after task we (AI practitioners) have realized that 
probabilities are central. For example, in medical diagnosis few universally true 
rules exist and few entirely accurate laboratory experiments are available. In- 
stead, probabilities are needed to model the task’s inherent uncertainty. Bayes 
Nets are designed specifically to model probability distributions and to rea- 
son about these distributions accurately and (in some cases) efficiently. Conse- 
quently, in many tasks including medical diagnosis, Bayes Nets have been 
found to be superior to rule-based systems. Interestingly, inductive inference, or 
machine learning, has turned out to be a very significant component of Bayes Net 
reasoning. Inductive inference from data is particularly important for developing 
or adjusting the conditional probability tables (CPTs) for various network nodes, 
but also is used in some cases even for developing or modifying the structure of 
the network itself. 

^4 It is customary in technical papers for the author to refer to himself in the third 
person. But because the present paper is an invited paper expressing the author’s 
opinions, the remainder will be much less clumsy if the author dispenses with that 
practice, which I now will do. 
But not all is perfection and contentment in the world of Bayes Nets. A 
Bayes Net is less expressive than first-order logic, on a par with propositional 
logic instead. Consequently, while a Bayes Net is a graphical representation, it 
cannot represent relational structures. The only relationships captured by the 
graphs are conditional dependencies among probabilities. This failure to capture 
other relational information is particularly troublesome when using the Bayes 
Net representation in learning. For a concrete illustration, consider the task of 
pharmacophore discovery. It would be desirable to learn probabilistic predic- 
tors, e.g., what is the probability that a given structural change to the molecule 
fluoxetine (Prozac) will yield an equally effective anti-depressant (specifically, 
serotonin reuptake inhibitor)? To build such a probabilistic predictor, we might 
choose to learn a Bayes Net from data on serotonin reuptake inhibitors. Unfor- 
tunately, while a Bayes Net can capture the probabilistic information, it cannot 
capture the structural properties of a molecule that are predictive of biological 
activity. 

The inability of Bayes Nets to capture relational structure is well known 
and has led to attempts to extend the Bayes Net representation and to 
study inductive learning with such an extended representation. But the result- 
ing extended representations are complex and yet fall short of the expressivity 
of first-order logic. An interesting alternative for ILP researchers to examine is 
learning clauses with probabilities attached. It will be important in particular 
to examine how such representations and learning algorithms compare with the 
extended Bayes Net representations and learning algorithms. Several candidate 
clausal representations have been proposed and include probabilistic logic pro- 
grams, stochastic logic programs, and probabilistic constraint logic programs; 
Cussens provides a nice survey of these representations. Study already has 
begun into algorithms and applications for learning stochastic logic programs, 
and this is an exciting area for further work. In addition, the first-order 
representation closest to Bayes Nets is that of Ngo and Haddawy. The remain- 
der of this subsection points to approaches for, and potential benefits of, learning 
these clauses in particular. 

Clauses in the representation of Ngo and Haddawy may contain random 
variables as well as ordinary logical variables. A clause may contain at most one 
random variable in any one literal, and random variables may appear in body 
literals only if a random variable appears in the head. Finally, such a clause also 
has a Bayes Net fragment attached, which may be thought of as a constraint. This 
fragment has a very specific form. It is a directed graph of node depth two (edge 
depth one), with all the random variables from the clause body as parents of the 
random variable from the clause head.^5 Figure 3 provides an example of such a 
clause as might be learned in pharmacophore discovery (CPT not shown). This 
clause enables us to specify, through a CPT, how the probability of a molecule 
being active depends on the particular values assigned to the distance variables 

^5 This is not exactly the definition provided by Ngo and Haddawy, but it is an equiv- 
alent one. Readers interested in deductive inference with this representation are 
encouraged to see the original Ngo and Haddawy papers. 
D1, D2, and D3. In general, the role of the added constraint in the form of a 
Bayes net fragment is to define a conditional probability distribution over the 
random variable in the head, conditional on the values of the random variables 
in the body. When multiple such clauses are chained together during inference, 
a larger Bayes Net is formed that defines a joint probability distribution over 
the random variables. 



drug(Molecule, Activity_Level) :- 
    contains_hydrophobe(Molecule, Hydrophobe), 
    contains_basic_nitrogen(Molecule, Nitrogen), 
    contains_hydrogen_acceptor(Molecule, Acceptor), 
    distance(Molecule, Hydrophobe, Nitrogen, D1), 
    distance(Molecule, Hydrophobe, Acceptor, D2), 
    distance(Molecule, Nitrogen, Acceptor, D3). 

Fig. 3. A clause with a Bayes Net fragment attached (CPT not included). The 
random variables are Activity_Level, D1, D2, and D3. Rather than using a hard 
range in which the values of D1, D2, and D3 must fall, as the pharmacophores 
described earlier, this new representation allows us to describe a probability 
distribution over Activity_Level in terms of the values of D1, D2, and D3. For 
example, we might assign higher probabilities to high Activity_Level as D1 gets 
closer to 3 Angstroms from either above or below. The CPT itself might be a 
linear regression model, i.e. a linear function of D1, D2, and D3 with some fixed 
variance assumed, or it might be a discretized model, or other. 




I conjecture that existing ILP algorithms can effectively learn clauses of this 
form with the following modification. For each clause constructed by the ILP 
algorithm, collect the positive examples covered by the clause. Each positive 
example provides a value for the random variable in the head of the clause, 
and because the example is covered, the example together with the background 
knowledge provides values for the random variables in the body. These values, 
over all the covered positive examples, can be used as the data for constructing 
the conditional probability table (CPT) that accompanies the attached Bayes 
Net fragment. When all the random variables are discrete, a simple, standard 
method exists for constructing CPTs from such data and is described nicely in 
the Bayes Net literature. If some or all of the random variables are continuous, then under certain 
assumptions again simple, standard methods exist. For example, under one set 
of assumptions linear regression can be used, and under another naive Bayes can 
be used. In fact, the work by Srinivasan and Camacho on predicting levels 
of mutagenicity and the work by Craven and colleagues on information 
extraction can be seen as special cases of this proposed approach, employing 
linear regression and naive Bayes, respectively. 
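The proposed modification carried through for the Fig. 3 clause with discrete random variables: collect the positive examples the clause covers, read off the head and body values each one supplies, and count them into the CPT. This is an added illustration, not code from the paper; the covered examples, the distance bins and the Laplace pseudo-count are constructed assumptions.

```python
"""Learning the CPT for the Fig. 3 clause from the positive examples it covers,
following the modification proposed above. Added illustration, not code from
the paper: the covered examples and the distance bins are constructed."""
from collections import Counter, defaultdict
from itertools import product

# Random variables of the Fig. 3 clause: Activity_Level in the head, D1, D2, D3
# (pairwise distances in Angstroms) in the body.
HEAD = "Activity_Level"
PARENTS = ("D1", "D2", "D3")
HEAD_VALUES = ("low", "medium", "high")
BIN_VALUES = ("below", "within", "above")

# Assumption: each continuous distance is discretised into three bins around a
# centre value (the paper leaves open whether the CPT is discretised or a
# regression model). D1's bin is centred on 3 Angstroms, as the caption suggests.
BIN_EDGES = {"D1": (2.5, 3.5), "D2": (4.5, 5.5), "D3": (3.5, 4.5)}


def discretise(var, value):
    lo, hi = BIN_EDGES[var]
    if value < lo:
        return "below"
    if value > hi:
        return "above"
    return "within"


def learn_cpt(covered_examples, alpha=1.0):
    """Estimate P(Activity_Level | D1, D2, D3) by counting over the positive
    examples the clause covers. Each covered example supplies the head value
    and, through its proof, the body values. alpha is a Laplace pseudo-count
    (an assumption) so that parent combinations with no covered example get a
    uniform distribution instead of a division by zero."""
    counts = defaultdict(Counter)
    for ex in covered_examples:
        key = tuple(discretise(v, ex[v]) for v in PARENTS)
        counts[key][ex[HEAD]] += 1
    cpt = {}
    for key in product(BIN_VALUES, repeat=len(PARENTS)):
        seen = counts.get(key, Counter())
        total = sum(seen.values()) + alpha * len(HEAD_VALUES)
        cpt[key] = {h: (seen[h] + alpha) / total for h in HEAD_VALUES}
    return cpt


def predict(cpt, d1, d2, d3):
    """Distribution over Activity_Level for a new molecule the clause body covers."""
    return cpt[(discretise("D1", d1), discretise("D2", d2), discretise("D3", d3))]


# Constructed data: for each positive example covered by the Fig. 3 clause, the
# distances the proof bound to D1, D2, D3 and the example's observed activity.
COVERED_EXAMPLES = [
    {"D1": 2.9, "D2": 5.1, "D3": 4.0, HEAD: "high"},
    {"D1": 3.1, "D2": 5.0, "D3": 4.2, HEAD: "high"},
    {"D1": 3.0, "D2": 5.3, "D3": 3.9, HEAD: "high"},
    {"D1": 3.2, "D2": 4.8, "D3": 4.1, HEAD: "medium"},
    {"D1": 4.6, "D2": 5.2, "D3": 4.0, HEAD: "low"},
    {"D1": 4.8, "D2": 5.1, "D3": 3.8, HEAD: "low"},
    {"D1": 1.7, "D2": 5.0, "D3": 4.3, HEAD: "low"},
    {"D1": 1.9, "D2": 4.9, "D3": 4.1, HEAD: "medium"},
]


def fig3_cpt():
    """CPT for the Fig. 3 clause learned from the constructed covered examples."""
    return learn_cpt(COVERED_EXAMPLES)


if __name__ == "__main__":
    cpt = fig3_cpt()
    for key, distribution in sorted(cpt.items()):
        print(key, {h: round(p, 3) for h, p in distribution.items()})
    print(predict(cpt, 3.0, 5.0, 4.0))  # {'low': 1/7, 'medium': 2/7, 'high': 4/7}
```

With D1 near 3 Angstroms the learned table puts most mass on high activity, exactly the dependence the Fig. 3 caption describes; the all-"within" row is the only one with enough covered examples to move far from uniform.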

While the approach just outlined appears promising, of course it is not the 
only possible approach and may not turn out to be the best. More generally, 
ILP and Bayes Net learning are largely orthogonal. The former handles rela- 
tional domains well, while the latter handles probabilities well. And both Bayes 
Nets and ILP have been applied successfully to a variety of tasks. Therefore, 
it is reasonable to hypothesize the existence and utility of a representation and 
learning algorithms that effectively capture the advantages of both Bayes net 
learning and ILP. The space of such representations and algorithms is large, so 
combining Bayes Net learning and ILP is an area of research that is not only 
promising but also wide open for further work. 

3.2 Stochastic Search 

Most ILP algorithms search a lattice of clauses ordered by subsumption. They 
seek a clause that maximizes some function of the size of the clause and coverage 
of the clause, i.e. the numbers of positive and negative examples entailed by the 
clause together with the background theory. Depending upon how they search 
this lattice, these ILP algorithms are classified as either bottom-up (based on 
least general generalization) or top-down (based on refinement). Algorithms are 
further classified by whether they perform a greedy search, beam search, admissi- 
ble search, etc. In almost all existing algorithms these searches are deterministic. 
But for other challenging logic/AI tasks outside ILP, stochastic searches have 
consistently outperformed deterministic searches. This observation has been re- 
peated for a wide variety of tasks, beginning with the 1992 work of Kautz, 
Selman, Levesque, Mitchell, and others on satisfiability using algorithms such as 
GSAT and WSAT (WalkSAT) [ref]. Consequently, a promising research direc- 
tion within ILP is the use of stochastic search rather than deterministic search 
to examine the lattice of clauses. A start has been made in stochastic search 
for ILP and this section describes that work. Nevertheless many issues remain 
unexamined, and I will mention some of the most important of these at the end 
of this section. 

ILP algorithms face not one but two difficult search problems. In addition to 
the search of the lattice of clauses, already described, simply testing the coverage 
of a clause involves repeated searches for proofs — “if I assume this clause is true, 
does a proof exist for that example?” The earliest work on stochastic search in 
ILP (to my knowledge) actually addressed this latter search problem. Sebag and 
Rouveirol [ref] employed stochastic matching, or theorem proving, and obtained 
efficiency improvements over Progol in the prediction of mutagenicity, without 
sacrificing predictive accuracy or comprehensibility. More recently, Botta, Gior- 
dana, Saitta, and Sebag have pursued this approach further, continuing to show 
the benefits of replacing deterministic matching with stochastic matching [ref]. 

But at the center of ILP is the search of the clause lattice, and surprisingly 
until now the only stochastic search algorithms that have been tested have been 
genetic algorithms. Within ILP these have not yet been shown to significantly 
outperform deterministic search algorithms. I say it is surprising that only GAs 
have been attempted because for other logical tasks such as satisfiability and 
planning almost every other approach outperforms GAs, including simulated 
annealing, hill-climbing with random restarts and sideways moves (e.g. GSAT), 
and directed random walks (e.g. WSAT) [ref]. Therefore, a natural direction for 
ILP research is to use these alternative forms of stochastic search to examine 
the lattice of clauses. The remainder of this section discusses some of the issues 
involved in this research direction, based on my initial foray in this direction with 
Ashwin Srinivasan that includes testing variants of GSAT and WSAT tailored 
to ILP. 

The GSAT algorithm was designed for testing the satisfiability of Boolean 
CNF formulas. GSAT randomly draws a truth assignment over the n proposi- 
tional variables in the formula and then repeatedly modifies the current assign- 
ment by flipping a variable. At each step all possible flips are tested, and the flip 
that yields the largest number of satisfied clauses is selected. It may be the case 
that every possible flip yields a score no better (in fact, possibly even worse) 
than the present assignment. In such a case a flip is still chosen and is called 
a “sideways move” (or “downward move” if strictly worse). Such moves turn 
out to be quite important in GSAT’s performance. If GSAT finds an assignment 
that satisfies the CNF formula, it halts and returns the satisfying assignment. 
Otherwise, it continues to flip variables until it reaches some pre-set maximum 
number of flips. It then repeats the process by drawing a new random truth as- 
signment. The overall process is repeated until a satisfying assignment is found 
or a pre-set maximum number of iterations is reached. 

Our ILP variant of this algorithm draws a random clause rather than a 
random truth assignment. Flips involve adding or deleting literals in this clause. 
Applying the GSAT methodology to ILP in this manner raises several important 
points. First, in GSAT scoring a given truth assignment is very fast. In contrast, 
scoring a clause can be much more time consuming because it involves repeated 
theorem proving. Therefore, it might be beneficial to combine the “ILP-GSAT” 
algorithm with the type of stochastic theorem proving mentioned above. Second, 
the number of literals that can be built from a language often is infinite, so 
we cannot test all possible additions of a literal. Our approach has been to 
base any given iteration of the algorithm on a “bottom clause” built from a 
“seed example,” based on the manner in which the ILP system PROGOL [ref] 
constrains its search space. But there might be other alternatives for constraining 
the set of possible literals to be added at any step. Or it might be preferable to 
consider changing literals rather than only adding or deleting them. Hence there 
are many alternative GSAT-like algorithms that might be built and tested. 

Based on our construction of GSAT-like ILP algorithms, one can imagine 
analogous WSAT-like and simulated annealing ILP algorithms. Consider WSAT 
in particular. On every flip, with probability p (user-specified) WSAT makes a 
randomly selected efficacious flip instead of a GSAT flip. An efficacious flip is a 
flip that satisfies some previously unsatisfied clause in the CNF formula, even if 
the flip is not the highest-scoring flip as required by GSAT. WSAT outperforms 
GSAT for many satisfiability tasks because the random flips make it less likely to 
get trapped in local optima. It will be interesting to see if the benefit of WSAT 
over GSAT for satisfiability carries over to ILP. The same issues mentioned above 
for ILP-GSAT also apply to ILP-WSAT. 
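As an added example (not code from the paper), here is the propositional GSAT and WSAT search described above on a constructed CNF instance: greedy flips with sideways and downward moves, a flip budget with random restarts, and WSAT's probability-p efficacious flip. The ILP variant would replace truth assignments by clauses and flips by literal additions and deletions drawn from the bottom clause; that scoring (theorem proving) is not shown. 

```python
import random

# Constructed sample 3-CNF over variables 1..5 (not from the paper), written in
# DIMACS style: a clause is a list of non-zero ints, negative = negated variable.
SAMPLE_CNF = [[1, -2, 3], [-1, 2, 4], [-3, -4, 5], [2, -5, 1],
              [-2, -3, -5], [4, 5, -1], [3, -4, -2]]
SAMPLE_N = 5


def clause_satisfied(clause, assignment):
    """True if some literal of `clause` holds under `assignment` (var -> bool)."""
    return any((lit > 0) == assignment[abs(lit)] for lit in clause)


def satisfied_count(clauses, assignment):
    """GSAT's score of an assignment: the number of satisfied clauses."""
    return sum(clause_satisfied(c, assignment) for c in clauses)


def flipped(assignment, var):
    """Copy of `assignment` with one variable flipped."""
    new = dict(assignment)
    new[var] = not new[var]
    return new


def gsat_choose(clauses, assignment, n, rng):
    """GSAT step: test every possible flip and take the one yielding the most
    satisfied clauses (ties broken at random). The winner may score no better
    than, or worse than, the current assignment; that is a sideways/downward
    move, which GSAT still makes."""
    best_score, best_vars = -1, []
    for var in range(1, n + 1):
        score = satisfied_count(clauses, flipped(assignment, var))
        if score > best_score:
            best_score, best_vars = score, [var]
        elif score == best_score:
            best_vars.append(var)
    return rng.choice(best_vars)


def wsat_choose(clauses, assignment, n, rng, p):
    """WSAT step: with probability p make an efficacious flip, i.e. flip a
    variable of some currently unsatisfied clause (that clause then becomes
    satisfied) regardless of score; otherwise make the GSAT flip. The caller
    guarantees at least one clause is unsatisfied."""
    if rng.random() < p:
        unsat = [c for c in clauses if not clause_satisfied(c, assignment)]
        return abs(rng.choice(rng.choice(unsat)))
    return gsat_choose(clauses, assignment, n, rng)


def local_search(clauses, n, max_flips=20, max_tries=100, p=None, seed=0):
    """GSAT when p is None, WSAT otherwise. Each try draws a random assignment
    and flips up to max_flips times; returns a satisfying assignment, or None
    once max_tries restarts are exhausted (as for an unsatisfiable formula)."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        assignment = {v: rng.random() < 0.5 for v in range(1, n + 1)}
        for _ in range(max_flips):
            if satisfied_count(clauses, assignment) == len(clauses):
                return assignment
            var = (gsat_choose(clauses, assignment, n, rng) if p is None
                   else wsat_choose(clauses, assignment, n, rng, p))
            assignment = flipped(assignment, var)
        if satisfied_count(clauses, assignment) == len(clauses):
            return assignment
    return None
```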






David Page 



It is too early in the work to present concrete conclusions regarding stochastic 
ILP. Rather the goal of this section has been to point to a promising direction 
and discuss the space of design alternatives to be explored. Researchers with 
experience in stochastic search for constraint satisfaction and other logic/AI 
search tasks will almost certainly have additional insights that will be vital to 
the exploration of stochastic search for ILP. 

3.3 Special-Purpose Reasoning Mechanisms 

One of the well-known success stories of computational logic is constraint logic 
programming. And one of the reasons for this success is the ability to integrate 
logic and special purpose reasoners or constraint solvers. Many ILP applications 
could benefit from the incorporation of special-purpose reasoning mechanisms. 
Indeed, the approach advocated in Section 3.1 to incorporating probabilities 
in ILP can be thought of as invoking special purpose reasoners to construct 
constraints in the form of Bayes Net fragments. The work by Srinivasan and 
Camacho mentioned there uses linear regression to construct a constraint, while 
the work by Craven and Slattery uses naive Bayes techniques to construct a 
constraint. The point that is crucial to notice is that ILP requires a “constraint 
constructor,” such as linear regression, in addition to the constraint solver re- 
quired during deduction. Let’s now turn to consideration of tasks where other 
types of constraint generators might be useful. 

Consider the general area of knowledge discovery from databases. Suppose 
we take the standard logical interpretation of a database, where each relation is 
a predicate, and each tuple in the relation is a ground atomic formula built from 
that predicate. Dzeroski and Lavrac show how ordinary ILP techniques are very 
naturally suited to this task, if we have an “ordinary” relational database. But 
now suppose the database contains some form of complex objects, such as im- 
ages. Simple logical similarities may not capture the important common features 
across a set of images. Instead, special-purpose image processing techniques may 
be required, such as those described by Leung and colleagues [ref]. In addi- 
tion to simple images, special-purpose constraint constructors might be required 
when applying ILP to movie (e.g. MPEG) or audio (e.g. MIDI) data, or other 
data forms that are becoming ever more commonplace with the growth of mul- 
timedia. For example, a fan of Bach, Mozart, Brian Wilson, and Elton John 
would love to be able to enter her/his favorite pieces, have ILP with a constraint 
generator build rules to describe these favorites, and have the rules suggest other 
pieces or composers s/he should access. As multimedia data becomes more com- 
monplace, ILP can remain applicable only if it is able to incorporate special- 
purpose constraint generators. 

Alan Frisch and I have shown that the ordinary subsumption ordering over 
formulas scales up quite naturally to incorporate constraints [ref]. Nevertheless, 
that work does not address some of the hardest issues, such as how to ensure the 
efficiency of inductive learning systems based on this ordering and how to design 
the right types of constraint generators. These questions require much further 
research involving real-world applications such as multimedia databases. 
One final point about special purpose reasoners in ILP is worth making. 
Constructing a constraint may be thought of as inventing a predicate. Predi- 
cate invention within ILP has a long history [ref]. General techniques 
for predicate invention encounter the problem that the space of “inventable” 
predicates is unconstrained, and hence allowing predicate invention is roughly 
equivalent to removing all bias from inductive learning. While removing bias 
may sound at first to be a good idea, inductive learning in fact requires bias 
[ref]. Special purpose techniques for constraint construction appear to make 
it possible to perform predicate invention in a way that is limited enough to be 
effective [ref]. 



3.4 Interaction with Human Experts 

To discover new knowledge from data in fields such as telecommunications, 
molecular biology, or pharmaceuticals, it would be beneficial if a machine learn- 
ing system and a human expert could act as a team, taking advantage of the 
computer’s speed and the expert’s knowledge and skills. ILP systems have three 
properties that make them natural candidates for collaborators with humans in 
knowledge discovery: 

Declarative Background Knowledge. ILP systems can make use of declara- 
tive background knowledge about a domain in order to construct hypotheses. 
Thus a collaboration can begin with a domain expert providing the learning 
system with general knowledge that might be useful in the construction of 
hypotheses. Most ILP systems also permit the expert to define the hypothe- 
sis space using additional background knowledge, in the form of a declarative 
bias. 

Natural Descriptions of Structured Examples. Feature-based learning 
systems require the user to begin by creating features to describe the exam- 
ples. Because many knowledge discovery tasks involve complex structured 
examples, such as molecules, users are forced to choose only composite fea- 
tures such as molecular weight — thereby losing information — or to invest 
substantial effort in building features that can capture structure (see [ref] 
for a discussion in the context of molecules). ILP systems allow a structured 
example to be described naturally in terms of the objects that compose it, 
together with relations between those objects. The 2-dimensional structure 
of a molecule can be represented directly using its atoms as the objects and 
bonds as the relations; 3-dimensional structure can be captured by adding 
distance relations. 

Human- Comprehensible Output. ILP systems share with propositional- 
logic learners the ability to present a user with declarative, comprehensible 
rules as output. Some ILP systems can return rules in English along with 
visual aids. For example, the pharmacophore description and corresponding 
figures in Section 2 were generated automatically by PROGOL. 

Despite the useful properties just outlined, ILP systems — like other machine 
learning systems — have a number of shortcomings as collaborators with humans 
in knowledge discovery. One shortcoming is that most ILP systems return a sin- 
gle theory based on heuristics, thus casting away many clauses that might be 
interesting to a domain expert. But the only currently existing alternative is 
the version space approach, which has unpalatable properties that include in- 
efficiency, poor noise tolerance, and a propensity to overwhelm users with too 
large a space of possible hypotheses. Second, ILP systems cannot respond to a 
human expert’s questions in the way a human collaborator would. They operate 
in simple batch mode, taking a data set as input, and returning a hypothesis 
on a take-it-or-leave-it basis. Third, ILP systems do not question the input data 
in the way a human collaborator would, spotting surprising (and hence possibly 
erroneous) data points and raising questions about them. Some ILP systems will 
flag mutually inconsistent data points but to my knowledge none goes beyond 
this. Fourth, while a human expert can provide knowledge-rich forms of hypoth- 
esis justification, for example relating a new hypothesis to existing beliefs, ILP 
systems merely provide accuracy estimates as the sole justification. 

To build upon ILP’s strengths as a technology for human-computer collabo- 
ration in knowledge discovery, the above shortcomings should be addressed. ILP 
systems should be extended to display the following capabilities. 

1. Maintain and summarize alternative hypotheses that explain or describe 
the data, rather than providing a single answer based on a general-purpose 
heuristic; 

2. Propose to human experts practical sequences of experiments to refine or 
distinguish between competing hypotheses; 

3. Provide non-numerical justification for hypotheses, such as relating them 
to prior beliefs or illustrative examples (in addition to providing numerical 
accuracy estimates); 

4. Answer an expert’s questions regarding hypotheses; 

5. Consult the expert regarding anomalies or surprises in the data. 

Addressing such human-computer interface issues obviously requires a variety of 
logical and AI expertise. Thus contributions from other areas of computational 
logic, such as the study of logical agents, will be vital. While several projects 
have recently begun that investigate some of these issues,⁶ developing collab- 
orative systems is an ambitious goal with more than enough room for many 
more researchers. And undoubtedly other issues not mentioned here will become 
apparent as this work progresses. 

3.5 Parallel Execution 

While ILP has numerous advantages over other types of machine learning, in- 
cluding advantages mentioned at the start of the previous section, it has two 

⁶ Stephen Muggleton has a British EPSRC project on closed-loop learning, in which 
the human is omitted entirely. While this seems the reverse of a collaborative system, 
it raises similar issues, such as maintaining competing hypotheses and automatically 
proposing experiments. I am beginning a U.S. National Science Foundation project 
on collaborative systems with (not surprisingly) exactly the goals above. 
particularly notable disadvantages — run time and space requirements. Fortu- 
nately for ILP, at the same time that larger applications are highlighting these 
disadvantages, parallel processing “on the cheap” is becoming widespread. Most 
notable is the widespread use of “Beowulf clusters” [ref] and of “Condor pools” 
[ref], arrangements that connect tens, hundreds, or even thousands of personal 
computers or workstations to permit parallel processing. Admittedly, parallel 
processing cannot change the order of the time or space complexity of an algo- 
rithm. But most ILP systems already use broad constraints, such as maximum 
clause size, to hold down exponential terms. Rather, the need is to beat back 
the large constants brought in by large real-world applications. 

Yu Wang and David Skillicorn recently developed a parallel implementation 
of PROGOL under the Bulk Synchronous Parallel (BSP) model and claim su- 
perlinear speedup from this implementation [ref]. Alan Wild worked with me at 
the University of Louisville to re-implement on a Beowulf cluster a top-down 
ILP search for pharmacophore discovery, and the result was a linear speedup 
[ref]. The remainder of this section describes how large-scale parallelism can be 
achieved very simply in a top-down complete search ILP algorithm. This was the 
approach taken in [ref]. From this discussion, one can imagine more interesting 
approaches for other types of top-down searches such as greedy search. 

The ideal in parallel processing is a decrease in processing time that is a lin- 
ear function, with a slope near 1, of the number of processors used. (In some rare 
cases it is possible to achieve superlinear speed-up.) The barriers to achieving 
the ideal are (1) overhead in communication between processes and (2) compe- 
tition for resources between processes. Therefore, a good parallel scheme is one 
where the processes are relatively independent of one another and hence require 
little communication or resource sharing. The key observation in the design of 
the parallel ILP scheme is that two competing hypotheses can be tested against 
the data completely independently of one another. Therefore the approach ad- 
vocated here is to distribute the hypothesis space among different processors 
for testing against the data. These processors need not communicate with one 
another during testing, and they need not write to a shared memory space. 

In more detail, for complete search a parallel ILP scheme can employ a 
master-worker design, where the master assigns different segments of the hy- 
pothesis space to workers that then test hypotheses against the data. Workers 
communicate back to the master all hypotheses achieving a pre-selected mini- 
mum valuation score (e.g. 95% accuracy) on the data. As workers become free, 
the master continues to assign new segments of the space until the entire space 
has been explored. The only architectural requirements for this approach are (1) 
a mechanism for communication between the master and each worker and (2) 
read access for each worker to the data. Because data do not change during a 
run, this scheme can easily operate under either a shared memory or message 
passing architecture; in the latter, we incur a one-time overhead cost of initially 
communicating the data to each worker. The only remaining overhead, on either 
architecture, consists of the time spent by the master and time for master-worker 
communication. In “needle in a haystack” domains, which are the motivation 
for complete search, one expects very few hypotheses to be communicated from 
workers to the master, so overhead for the communication of results will be low. 
If it also is possible for the master to rapidly segment the hypothesis space in 
such a way that the segments can be communicated to the workers succinctly, 
then overall overhead will be low and the ideal of linear speed-up can be realized. 

4 Conclusions 

ILP has attracted great interest within the machine learning and AI communi- 
ties at large because of its logical foundations, its ability to utilize background 
knowledge and structured data representations, and its comprehensible results. 
But most of all, the interest has come from ILP’s application successes. Nev- 
ertheless, ILP needs further advances to maintain this record of success, and 
these advances require further contributions from other areas of computational 
logic. System builders and parallel implementation experts are needed if the ILP 
systems of the next decade are to scale up to the next generation of data sets, 
such as those being produced by Affymetrix’s (TM) gene expression microar- 
rays and Celera’s (TM) shotgun approach to DNA sequencing. Researchers on 
probability and logic are required if ILP is to avoid being supplanted by the 
next generation of extended Bayes Net learning systems. Experts on constraint 
satisfaction and constraint logic programming have the skills necessary to bring 
successful stochastic search techniques to ILP and to allow ILP techniques to 
extend to multimedia databases. The success of ILP in the next decade (notice I 
avoided the strong temptation to say “next millennium”) depends on the kinds 
of interactions being fostered at Computational Logic 2000. 
Abstract. Generalized databases will be examined, in which attributes 
can be sets of attributes, or sets of sets of attributes, and other higher 
type constructs. A precise semantics will be developed for such databases, 
based on a higher type modal/intensional logic. 



1 Introduction 

In some ways this is an eccentric paper — there are no theorems. What I want 
to do, simply stated, is present a semantics for relational databases. But the 
semantics is rich, powerful, and oddly familiar, and applies to databases that 
are quite general. It is a topic whose exploration I wish to recommend, rather 
than a finished product I simply present. 

Relational databases generally have entities of some kind as values of at- 
tributes, though it is a small stretch to allow sets of entities as well. I want to 
consider databases that stretch things further, allowing attributes to have as 
values sets of sets of entities, and so on, but further, I also want to allow sets of 
attributes, sets of sets of attributes, and so on. There are quite reasonable ex- 
amples showing why one might find such things desirable, at least at low levels, 
and a very simple one will be given below. 

It is not enough to just allow eccentric attribute values — a semantics must 
also be supplied to give them meaning. And rather than looking to some version 
of classical logic, I will show that modal logic provides a very natural tool. Of 
course it must be higher type modal logic, to encompass the kinds of things I have 
been talking about. I will use the one presented in [ref], which mildly generalizes 
work of Montague and Gallin [ref]. 

This paper is a sequel to [ref], in which a modal/intensional approach to 
databases is developed in some detail at the first-order level. Once a full hi- 
erarchy of types is introduced things become complex, and no more than a 
sketch can be presented here. In particular, though a tableau system exists for 
the modal logic I use, it will not be discussed in this paper. 

It may be of interest that I did not get into this line of work from the database 
side. I began with attempts to treat various classic philosophical problems as 
simply as possible in a modal context — work culminating in [ref]. This, in turn, led 
to an interest in higher type modal logics, connected with a desire to understand 
Gödel’s ontological argument [ref]. My work on this can be found in [ref]. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 41^^2000. 

Databases came in, unnoticed, by a side door. But they are at the party, and it may be 
they will have a good time. 

2 A Sample Database 

In order to illustrate the higher-type constructs, I’ll create a miniature database 
of some complexity. I will take ground-level entities to be strings. Let’s say 
the Locomobile Company¹ still exists, and manufactures cars, motorcycles, and 
pianos. Table 1 shows the start of a database — more attributes will be added 
later. 



Table 1. Locomobile Sales List 

IDNumber | Item       | Cylinders | Engine | Colors              | Air       | Config 
1        | automobile | 2         | {A, B} | {red, green, black} | {no}      | ⊥ 
2        | automobile | 4         | {A}    | {green, black}      | {yes, no} | ⊥ 
3        | motorcycle | 2         | {C, D} | {blue, black}       | ⊥         | ⊥ 
4        | piano      | ⊥         | ⊥      | ⊥                   | ⊥         | {upright, grand} 


Notice that in Table 1 some of the attributes have values that are ground 
objects — Cylinders, say — while some are sets of ground objects — Engine types, 
for instance. An entry of ⊥ indicates an attribute that is not relevant to the 
particular item. 

In the table above, let us say that for the 2 cylinder automobile the choice of 
engine type, A or B, is not up to the buyer, since both are functionally equivalent. 
But the choice of Colors, naturally, would be up to the customer. Similarly for 
the 4 cylinder. But let’s say that for the motorcycle, the engine type is something 
the customer chooses. Then let us have an additional attribute telling us, for each 
record, which (other) attributes are customer chosen. Rather than repeating the 
whole table, I’ll just give this single additional attribute in Table 2. 

Notice that in Table 2 the Customer attribute has as values sets of attributes. 
Finally, many of the attributes for an item can be irrelevant, as has been indi- 
cated by T. Rather than explicitly having an ‘undefined’ value in our semantics, 
instead let us add additional attributes telling us which of the other attributes 
are relevant. 

Values of the Relevant0 attribute, in Table 3, are sets of attributes whose 
values are ground level objects, values of Relevant1 are sets of attributes whose 
values are sets of ground level objects, and values of Relevant2 are sets of 
attributes whose values are sets of attributes whose values are sets of ground 
level objects. 

¹ The actual company was founded in 1899 to manufacture steam powered cars. It 
moved to luxury internal combustion automobiles in 1902, and went into receivership 
in 1922. When active, they manufactured four cars a day. 

Table 2. Locomobile Customer Attribute 

IDNumber | Customer 
1        | {Colors} 
2        | {Colors, Air} 
3        | {Engine, Colors} 
4        | {Configuration} 

Table 3. Locomobile Relevancy Attribute 

IDNumber | Relevant0                   | Relevant1             | Relevant2 
1        | {IDNumber, Item, Cylinders} | {Engine, Colors, Air} | {Customer} 
2        | {IDNumber, Item, Cylinders} | {Engine, Colors, Air} | {Customer} 
3        | {IDNumber, Item, Cylinders} | {Engine, Colors}      | {Customer} 
4        | {IDNumber, Item}            | {Configuration}       | {Customer} 


Finally, all this is really an instance of a relation schema, and that schema 
has a few constraints which I’ve implicitly been obeying. Clearly IDNumber is 
a key attribute. Also, an attribute belongs to the Relevant0, Relevant1, or 
Relevant2 attribute of a record if and only if the attribute is defined for that 
record, that is, has a value other than ⊥. I’ll come back to the notion of constraint 
later on. 
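An added check of the schema constraints just stated against Tables 1 to 3 (my own encoding, not the paper's): IDNumber is a key, and an attribute belongs to Relevant0/1/2 of a record if and only if it is defined there. Attribute levels are taken from Table 3, ⊥ is encoded as None, and Tables 1 and 2 are merged into one record per item. 

```python
import copy

BOTTOM = None  # encodes ⊥: the attribute is not relevant to the item

# Type level of each attribute, as Table 3 assigns them: 0 = ground object,
# 1 = set of ground objects, 2 = set of attributes of level 1.
LEVEL = {"IDNumber": 0, "Item": 0, "Cylinders": 0,
         "Engine": 1, "Colors": 1, "Air": 1, "Configuration": 1,
         "Customer": 2}

# Tables 1 and 2 (the Customer attribute) as one record per item.
SALES = [
    {"IDNumber": 1, "Item": "automobile", "Cylinders": 2,
     "Engine": {"A", "B"}, "Colors": {"red", "green", "black"},
     "Air": {"no"}, "Configuration": BOTTOM, "Customer": {"Colors"}},
    {"IDNumber": 2, "Item": "automobile", "Cylinders": 4,
     "Engine": {"A"}, "Colors": {"green", "black"},
     "Air": {"yes", "no"}, "Configuration": BOTTOM,
     "Customer": {"Colors", "Air"}},
    {"IDNumber": 3, "Item": "motorcycle", "Cylinders": 2,
     "Engine": {"C", "D"}, "Colors": {"blue", "black"},
     "Air": BOTTOM, "Configuration": BOTTOM,
     "Customer": {"Engine", "Colors"}},
    {"IDNumber": 4, "Item": "piano", "Cylinders": BOTTOM,
     "Engine": BOTTOM, "Colors": BOTTOM, "Air": BOTTOM,
     "Configuration": {"upright", "grand"}, "Customer": {"Configuration"}},
]

# Table 3.
RELEVANCY = [
    {"IDNumber": 1, "Relevant0": {"IDNumber", "Item", "Cylinders"},
     "Relevant1": {"Engine", "Colors", "Air"}, "Relevant2": {"Customer"}},
    {"IDNumber": 2, "Relevant0": {"IDNumber", "Item", "Cylinders"},
     "Relevant1": {"Engine", "Colors", "Air"}, "Relevant2": {"Customer"}},
    {"IDNumber": 3, "Relevant0": {"IDNumber", "Item", "Cylinders"},
     "Relevant1": {"Engine", "Colors"}, "Relevant2": {"Customer"}},
    {"IDNumber": 4, "Relevant0": {"IDNumber", "Item"},
     "Relevant1": {"Configuration"}, "Relevant2": {"Customer"}},
]


def derive_relevancy(record):
    """RelevantN of a record: the attributes of level N whose value is not ⊥."""
    rel = {"Relevant0": set(), "Relevant1": set(), "Relevant2": set()}
    for attr, value in record.items():
        if value is not BOTTOM:
            rel["Relevant%d" % LEVEL[attr]].add(attr)
    return rel


def check_schema(sales, relevancy):
    """Return the list of constraint violations (empty when the schema holds):
    IDNumber is a key, every record has a relevancy row, and an attribute is in
    Relevant0/1/2 of a record if and only if it is defined (not ⊥) there."""
    violations = []
    ids = [r["IDNumber"] for r in sales]
    if len(ids) != len(set(ids)):
        violations.append("IDNumber is not a key")
    rel_by_id = {r["IDNumber"]: r for r in relevancy}
    for rec in sales:
        row = rel_by_id.get(rec["IDNumber"])
        if row is None:
            violations.append("record %s: no relevancy row" % rec["IDNumber"])
            continue
        for name, expected in derive_relevancy(rec).items():
            if row[name] != expected:
                violations.append("record %s: %s is %s, expected %s"
                                  % (rec["IDNumber"], name,
                                     sorted(row[name]), sorted(expected)))
    return violations


def with_attribute_dropped(sales, id_number, attr):
    """Copy of `sales` with one attribute of one record set to ⊥, to show how
    an edit that does not also update Table 3 is caught by check_schema."""
    sales = copy.deepcopy(sales)
    for rec in sales:
        if rec["IDNumber"] == id_number:
            rec[attr] = BOTTOM
    return sales
```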



3 Higher Order Modal Logic 

Shifting gears abruptly (something the Locomobile did smoothly) I now present 
a sketch of a higher order modal logic, taken from [ref], and derived from [ref] via 
[ref]. The machinery is somewhat complex, and space here is limited. See [ref] for a 
fuller discussion of underlying ideas. 

I’ll start with the notion of types. The key feature here is that there are both 
intensional and extensional types. 

Definition 1. The notion of a type, extensional and intensional, is given as 
follows. 

1. 0 is an extensional type. 

2. If t1, . . . , tn are types, extensional or intensional, (t1, . . . , tn) is an exten- 
sional type. 

3. If t is an extensional type, ↑t is an intensional type. 

A type is an intensional or an extensional type. 
As usual, 0 is the type of ground-level objects, unanalyzed “things.” The 
type (t1, . . . , tn) is for n-ary relations in the conventional sense, where the com- 
ponents are of types t1, . . . , tn respectively. The type ↑t is the unfamiliar piece 
of machinery — it will be used as the type of an intensional object which, in a 
particular context, determines an extensional object of type t. All this will be 
clearer once models have been presented. 

For each type t I’ll assume there are infinitely many variable symbols of that 
type. I’ll also assume there is a set C of constant symbols, containing at least an 
equality symbol $=^t$ for each type t. I denote the higher-order language built 
up from C by L(C). I’ll indicate types, when necessary, by superscripts, as I did 
with equality above. 

In formulating a higher order logic one can use comprehension axioms, or one 
can use explicit term formation machinery, in effect building comprehension into 
the language. I’ll follow the latter course, but this means terms cannot be defined 
first, and then formulas. Instead they must be defined in a mutual recursion. 
Most of the items below are straightforward, but a few need comment. First, 
concerning the term formation machinery mentioned above, predicate abstrac- 
tion, it should be noted that (λα1, . . . , αn . Φ) is taken to be a term of intensional 
type. Its meaning can vary from world to world, simply because the behavior 
of the formula changes from world to world. Second, there is a new piece of 
machinery, ↓, mapping intensional terms to extensional ones. Think of it as the 
“extension of” operator — at a possible world it supplies the extension there for 
an intensional term. 

Definition 2. Terms and formulas of L(C) are defined as follows. 

1. A constant symbol or variable of L(C) of type t is a term of L(C) of type 
t. If it is a constant symbol, it has no free variable occurrences. If it is a 
variable, it has one free variable occurrence, itself. 

2. If Φ is a formula of L(C) and α1, . . . , αn is a sequence of distinct variables 
of types t1, . . . , tn respectively, then (λα1, . . . , αn . Φ) is a term of L(C) of 
the intensional type ↑(t1, . . . , tn). It is called a predicate abstract, and its 
free variable occurrences are the free variable occurrences of Φ, except for 
occurrences of the variables α1, . . . , αn. 

3. If τ is a term of L(C) of type ↑t then ↓τ is a term of type t. It has the same 
free variable occurrences that τ has. 

4. If τ is a term of L(C) of either type (t1, . . . , tn) or type ↑(t1, . . . , tn), and 
τ1, . . . , τn is a sequence of terms of types t1, . . . , tn respectively, then 
τ(τ1, . . . , τn) is a formula (atomic) of L(C). The free variable occurrences in 
it are the free variable occurrences of τ, τ1, . . . , τn. 

5. If Φ is a formula of L(C) so is ¬Φ. The free variable occurrences of ¬Φ are 
those of Φ. 

6. If Φ and Ψ are formulas of L(C) so is (Φ ∧ Ψ). The free variable occurrences 
of (Φ ∧ Ψ) are those of Φ together with those of Ψ. 

7. If Φ is a formula of L(C) and α is a variable then (∀α)Φ is a formula of L(C). 
The free variable occurrences of (∀α)Φ are those of Φ, except for occurrences 
of α. 

8. If Φ is a formula of L(C) so is □Φ. The free variable occurrences of □Φ are 
those of Φ. 

Other connectives, quantifiers, and modal operators have the usual definitions. 

The next thing is semantics. Actually, the only modal logic I’ll need will be 
S5, for which the accessibility relation, $\mathcal{R}$, is an equivalence relation, but it does 
no harm to present the general case now. Note that the ground-level domain, 
$\mathcal{D}$, is not world dependent — in effect, type-0 quantification is possibilist and not 
actualist. 

Definition 3. An augmented Kripke frame is a structure $\langle \mathcal{G}, \mathcal{R}, \mathcal{D} \rangle$ where $\mathcal{G}$ 
is a non-empty set (of possible worlds), $\mathcal{R}$ is a binary relation on $\mathcal{G}$ (called 
accessibility) and $\mathcal{D}$ is a non-empty set, the (ground-level) domain. 

Next I say what the objects of each type are, relative to a choice of ground- 
level domain and set of possible worlds. In classical higher order logic, Henkin 
models are standard. In these, rather than having all objects of higher types, 
one has “enough” of them. It is well-known that a restriction to “true” higher 
order classical models gives a semantics that is not axiomatizable, while Henkin 
models provide an axiomatizable version. A similar thing happens here, but the 
definition of the modal analog of Henkin models is fairly complex, because saying 
what it means to have “enough” objects requires serious effort. I will just give 
the “true” model version — the Henkin generalization can be found in [ref]. But I 
also note that, in applications to databases, ground level domains will often be 
finite. 

Definition 4. Let $G$ be a non-empty set (of possible worlds) and let $D$ be a non-empty set (the ground-level domain). For each type $t$, the collection $[t, D, G]$ of objects of type $t$ with respect to $D$ and $G$ is defined as follows ($\mathcal{P}$ is the powerset operator).

1. $[0, D, G] = D$.

2. $[(t_1, \ldots, t_n), D, G] = \mathcal{P}([t_1, D, G] \times \cdots \times [t_n, D, G])$.

3. $[\uparrow t, D, G] = [t, D, G]^G$.

$O$ is an object of type $t$ if $O \in [t, D, G]$. $O$ is an intensional or extensional object according to whether its type is intensional or extensional.

Now the terminology should be a little clearer. If O is extensional, it is a 
relation in the conventional sense. If O is intensional, it is a mapping that assigns 
an object to each possible world, that is, its designation can vary from state to 
state. Next we move to models, and remember, these are “true” models, and not 
a Henkin version. Much of this looks quite technical, but it reflects reasonable 
intuitions and, in fact, an intuitive understanding will be sufficient for this paper. 

Definition 5. A model for the language $L(C)$ is a structure $M = (G, R, D, I)$, where $(G, R, D)$ is an augmented frame and $I$ is an interpretation, which meets the following conditions.

1. If $A$ is a constant symbol of type $t$, $I(A)$ is an object of type $t$.

2. If $=$ is an equality constant symbol, $I(=)$ is the equality relation on



Definition 6. A mapping $v$ is a valuation in the model $M = (G, R, D, I)$ if $v$ assigns to each variable $\alpha$ of type $t$ some object of type $t$, that is, $v(\alpha) \in [t, D, G]$. An $\alpha$-variant of $v$ is a valuation that agrees with $v$ on all variables except $\alpha$. Similarly for an $\alpha_1, \ldots, \alpha_n$-variant.

Finally, designation of a term, and truth of a formula, are defined by a simultaneous recursion.

Definition 7. Let $M = (G, R, D, I)$ be a model, let $v$ be a valuation in it, and let $\Gamma \in G$ be a possible world. A mapping $(v * I * \Gamma)$, assigning to each term an object that is the designation of that term at $\Gamma$, is defined, and a relation $M, \Gamma \Vdash_v \Phi$ expressing truth of $\Phi$ at possible world $\Gamma$, are characterized as follows.

1. If $A$ is a constant symbol of $L(C)$ then $(v * I * \Gamma)(A) = I(A)$.

2. If $\alpha$ is a variable then $(v * I * \Gamma)(\alpha) = v(\alpha)$.

3. If $\tau$ is a term of type $\uparrow t$ then $(v * I * \Gamma)(\downarrow\tau) = (v * I * \Gamma)(\tau)(\Gamma)$.

4. If $(\lambda\alpha_1, \ldots, \alpha_n.\Phi)$ is a predicate abstract of $L(C)$ of type $\uparrow(t_1, \ldots, t_n)$, then $(v * I * \Gamma)((\lambda\alpha_1, \ldots, \alpha_n.\Phi))$ is an intensional object; it is the function that assigns to an arbitrary world $\Delta$ the following member of $[(t_1, \ldots, t_n), D, G]$:

$\{(w(\alpha_1), \ldots, w(\alpha_n)) \mid w \text{ is an } \alpha_1, \ldots, \alpha_n \text{ variant of } v \text{ and } M, \Delta \Vdash_w \Phi\}$

5. For an atomic formula $\tau(\tau_1, \ldots, \tau_n)$,

(a) If $\tau$ is of an intensional type, $M, \Gamma \Vdash_v \tau(\tau_1, \ldots, \tau_n)$ provided

$((v * I * \Gamma)(\tau_1), \ldots, (v * I * \Gamma)(\tau_n)) \in (v * I * \Gamma)(\tau)(\Gamma)$.

(b) If $\tau$ is of an extensional type, $M, \Gamma \Vdash_v \tau(\tau_1, \ldots, \tau_n)$ provided $((v * I * \Gamma)(\tau_1), \ldots, (v * I * \Gamma)(\tau_n)) \in (v * I * \Gamma)(\tau)$.

6. $M, \Gamma \Vdash_v \neg\Phi$ if it is not the case that $M, \Gamma \Vdash_v \Phi$.

7. $M, \Gamma \Vdash_v \Phi \wedge \Psi$ if $M, \Gamma \Vdash_v \Phi$ and $M, \Gamma \Vdash_v \Psi$.

8. $M, \Gamma \Vdash_v (\forall\alpha)\Phi$ if $M, \Gamma \Vdash_{v'} \Phi$ for every $\alpha$-variant $v'$ of $v$.

9. $M, \Gamma \Vdash_v \Box\Phi$ if $M, \Delta \Vdash_v \Phi$ for all $\Delta \in G$ such that $\Gamma R \Delta$.

4 A Modal Interpretation 

So far two separate topics, databases and modal logic, have been discussed. It 
is time to bring them together. I’ll show how various database concepts embed 
naturally into a modal setting. Think of the database as having an informal 
semantics, and the embedding into modal logic as supplying a precise, formal 
version. 

First of all, think of a record in a database as a possible world in a modal 
model. This is not at all far-fetched — conceptually they play similar roles. When 
dealing with databases, records are behind the scenes but are not first-class 
objects. That is, an answer to a query might be a record number, but it will 
not be a record. In a modal logic possible worlds have a similar role — they are 
present in the semantics, but a modal language does not refer to them directly. 

There is no reason to assume some records outrank others, whatever that 
might mean, so I’ll take the accessibility relation to be the one that always 
holds. This means our modal operators are those of S5. 

In the little Locomobile database considered earlier, ground-level objects were 
strings. I’ll carry that over to the modal setting now — the ground level domain 
will consist of strings. Clearly this choice is not a critical issue. 

Attributes are a key item in interpreting a database modally. Fortunately there is a natural counterpart. An attribute assigns to each record some entity of an appropriate kind. In a modal model, an interpreted constant symbol of intensional type assigns to each possible world an object of an appropriate type. I’ll simply provide an intensional constant symbol for each attribute, and interpret it accordingly.

By way of illustration, let’s create a modal language and model corresponding to the particular database presented in Section H It is an example that is sufficiently general to get all the basic ideas across.

To specify the language, it is enough to specify the set $C$ of constant symbols, and their respective types. These will be ground level strings, which give us type 0 constant symbols, and various attributes, which give us intensional constant symbols of various types. The strings from the Locomobile example are 1, 2, 3, 4, automobile, motorcycle, piano, A, B, C, D, red, green, black, blue, yes, no, upright, grand, all of which are taken as type 0 constant symbols. The attributes provide the following higher type constant symbols: IDNumber, Item, and Cylinders, all of type $\uparrow 0$; Engine, Colors, Air, and Config, all of type $\uparrow(0)$; Customer, of type $\uparrow(\uparrow(0))$; Relevant0, of type $\uparrow(\uparrow 0)$; Relevant1, of type $\uparrow(\uparrow(0))$; and Relevant2, of type $\uparrow(\uparrow(\uparrow(0)))$.

Now that we have our modal language, L{C), the next job is to create a 
specific modal model, corresponding to the Locomobile tables. 

Let $G$ be the set $\{\Gamma_1, \Gamma_2, \Gamma_3, \Gamma_4\}$, where the intention is that each of these corresponds to one of the four records in the database given in Section H Specifically, $\Gamma_i$ corresponds to the record with an IDNumber of $i$. As noted above, I’ll use an S5 logic, so $R$ simply holds between any two members of $G$.

Let $D$ be the set of strings used in the table entries of Section^ specifically, {1, 2, 3, 4, automobile, motorcycle, piano, A, B, C, D, red, green, black, blue, yes, no, upright, grand} (thus these are treated both as constant symbols of the language and as members of the ground level domain).

Finally the interpretation $I$ is specified. On constant symbols of type 0, $I$ is the identity function — such constant symbols designate themselves. For instance, $I(\mathrm{piano}) = \mathrm{piano}$. And for the intensional constant symbols, we make them behave as the Locomobile tables of Section H specify. For instance, $I(\mathrm{IDNumber})$ is the function that maps $\Gamma_1$ to $I(1) = 1$, $\Gamma_2$ to $I(2) = 2$, and so on. $I(\mathrm{Engine})$ is the function that maps $\Gamma_1$ to $\{I(A), I(B)\} = \{A, B\}$, $\Gamma_2$ to $\{I(A)\} = \{A\}$, $\Gamma_3$ to $\{I(C), I(D)\} = \{C, D\}$, and has some arbitrary value on $\Gamma_4$. Likewise $I(\mathrm{Relevant0})$ is the function that maps $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$ to $\{I(\mathrm{IDNumber}), I(\mathrm{Item}), I(\mathrm{Cylinders})\}$, and maps $\Gamma_4$ to $\{I(\mathrm{IDNumber}), I(\mathrm{Item})\}$.

This completes the definition of a language and a model corresponding to the database of Section ^ I’ll call the model $M_L$ from now on.

5 Queries 

Databases exist to be queried. With higher type constructs present, a careful specification of behavior is needed to determine how queries behave. Modal models take care of this very simply, since we have a precise definition of truth available. The question is how to translate queries into the modal language. I’ll give some natural language examples of queries for the Locomobile database, and then I’ll provide formal versions in the modal language $L(C)$ specified in Section 4. For each I’ll consider how the formal version behaves in the model $M_L$ that was constructed in Section 4. It will be seen that the formal behavior matches intuition quite nicely.

Example 1. Query: Which items have 2 cylinders? Here and in the other examples, I’ll use an item’s IDNumber to uniquely identify it. As a first attempt at formalizing this query, we might ask for the value of the attribute IDNumber in worlds where the value of Cylinders is 2. In effect, the modal operators $\Box$ and $\Diamond$ act like quantifiers over possible worlds, or records. And we can ask for the value of an attribute at a world by using the extension-of operator, $\downarrow$. This leads us to the following type $\uparrow(0)$ predicate abstract, in which $\alpha$ is a variable of type 0, and $=$ is the equality symbol of type $(0, 0)$.



$(\lambda\alpha.\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge (\downarrow\mathrm{Cylinders} = 2)])$ (1)

The problem with this is that the Cylinders attribute is undefined for pianos in Table Q In Q I specifically allowed partially defined objects, but with a full hierarchy of higher types available, I thought better of that approach here. Instead I introduced “relevancy” attributes. An entry of T in a table indicates an irrelevant attribute; no value can have a meaning for the record. In a modal model constant symbols of intensional type are total, but values corresponding to T are entirely arbitrary, and should not be considered in queries. Consequently, (1) must be revised to the following.



$(\lambda\alpha.\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)])$ (2)

Since this is the first example, I’ll do it in some detail, beginning with a verification that (2) is well-formed. For later examples, things will be more abbreviated.

The constant symbol IDNumber is of type $\uparrow 0$, so $\downarrow\mathrm{IDNumber}$ is of type 0, by part 3 of Definition H The variable $\alpha$ is of type 0 and $=$ is of type $(0, 0)$, so $=(\downarrow\mathrm{IDNumber}, \alpha)$ is an atomic formula by part 4 of Definition^ This we write more conventionally as $(\downarrow\mathrm{IDNumber} = \alpha)$. In a similar way $(\downarrow\mathrm{Cylinders} = 2)$ is an atomic formula. Finally, Relevant0 is of type $\uparrow(\uparrow 0)$ and Cylinders is of type $\uparrow 0$, so $\mathrm{Relevant0}(\mathrm{Cylinders})$ is an atomic formula by part 4 of Definition H again. It follows that $\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)]$ is a formula. Then (2) is a predicate abstract of type $\uparrow(0)$, by part 2 of Definition^ Now if $\tau$ is a constant of type 0, by part 4 of Definition^

$(\lambda\alpha.\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)])(\tau)$ (3)

is a formula. The claim is, it is valid in the model $M_L$ if and only if $\tau$ is 1 or 3, which is exactly what we would expect intuitively. (Valid in the model means it is true at each world of it.) I’ll check this in some detail for 3.

Let $\Gamma$ be an arbitrary world of the model, and let $v$ be an arbitrary valuation. I want to verify the following.

$M_L, \Gamma \Vdash_v (\lambda\alpha.\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)])(3)$

By part 5a of Definition 7, this is equivalent to

$(v * I * \Gamma)(3) \in (v * I * \Gamma)((\lambda\alpha.\Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)]))(\Gamma)$

Now, $(v * I * \Gamma)(3) = I(3) = 3$, so by part 4 of Definition 7 we must show

$M_L, \Gamma \Vdash_w \Diamond[(\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)]$

where $w$ is the $\alpha$-variant of $v$ such that $w(\alpha) = 3$. And this is so because we have the following.

$M_L, \Gamma_3 \Vdash_w (\downarrow\mathrm{IDNumber} = \alpha) \wedge \mathrm{Relevant0}(\mathrm{Cylinders}) \wedge (\downarrow\mathrm{Cylinders} = 2)$

I’ll check two of the components. To verify that

$M_L, \Gamma_3 \Vdash_w (\downarrow\mathrm{IDNumber} = \alpha)$

we need

$((w * I * \Gamma_3)(\downarrow\mathrm{IDNumber}), (w * I * \Gamma_3)(\alpha)) \in (w * I * \Gamma_3)(=)$.

But $(w * I * \Gamma_3)(\downarrow\mathrm{IDNumber}) = (w * I * \Gamma_3)(\mathrm{IDNumber})(\Gamma_3) = I(\mathrm{IDNumber})(\Gamma_3) = 3$, and $(w * I * \Gamma_3)(\alpha) = w(\alpha) = 3$. And equality symbols are always interpreted as equality on extensional objects.

Finally I’ll verify that

$M_L, \Gamma_3 \Vdash_w \mathrm{Relevant0}(\mathrm{Cylinders})$.

This will be the case provided we have the following, by part 5a of Definition 7.

$(w * I * \Gamma_3)(\mathrm{Cylinders}) \in (w * I * \Gamma_3)(\mathrm{Relevant0})(\Gamma_3)$

Now, $(w * I * \Gamma_3)(\mathrm{Cylinders}) = I(\mathrm{Cylinders})$, and $(w * I * \Gamma_3)(\mathrm{Relevant0})(\Gamma_3) = I(\mathrm{Relevant0})(\Gamma_3) = \{I(\mathrm{IDNumber}), I(\mathrm{Item}), I(\mathrm{Cylinders})\}$, and we are done.

Equation (3) has been verified in the case where $\tau$ is 1. The case where it is 3 is similar. If $\tau$ is 2, it fails because of the $(\downarrow\mathrm{Cylinders} = 2)$ clause. And the case where $\tau$ is 4 fails because of the $\mathrm{Relevant0}(\mathrm{Cylinders})$ clause.

I’ll conclude the section with a few more examples of somewhat greater complexity. There will be no detailed analysis for these.

Example 2. Query: what choices does a customer have when purchasing a four-cylinder car? This turns into the following predicate abstract, where $\alpha$ is of type $\uparrow(0)$ and $\beta$ is of type 0. (I’ve omitted relevancy clauses because Item is always relevant, and for automobile items Cylinders is always relevant. These will be among the various constraints discussed in the next section.)

$(\lambda\alpha, \beta.\Diamond[(\downarrow\mathrm{Item} = \mathrm{automobile}) \wedge (\downarrow\mathrm{Cylinders} = 4) \wedge \mathrm{Customer}(\alpha) \wedge \alpha(\beta)])$ (4)

Abbreviating (4) by $\tau$, we have $\tau(\tau_1, \tau_2)$ is valid in $M_L$ just in case $(\tau_1, \tau_2)$ is one of

(Colors, green)
(Colors, black)
(Air, yes)
(Air, no)



Example 3. Query: what features can a customer choose, that are available for more than one product? This gives us the following predicate abstract, in which $\alpha$ is of type $\uparrow(0)$, and $\beta$, $\gamma$, and $\delta$ are of type 0.

$(\lambda\alpha, \beta.\mathrm{Customer}(\alpha) \wedge (\exists\gamma)(\exists\delta)\{\neg(\gamma = \delta) \wedge \Diamond[(\downarrow\mathrm{IDNumber} = \gamma) \wedge \alpha(\beta)] \wedge \Diamond[(\downarrow\mathrm{IDNumber} = \delta) \wedge \alpha(\beta)]\})$ (5)

Equation (5) validly applies, in $M_L$, to just the following.

(Colors, green)

(Colors, black)


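To see the definitions of Sections 4 and 5 at work, here is an added example (my code, not Fitting’s; the paper contains none): the model $M_L$ as Python data, the truth clauses of Definition 7 that the queries use, and queries (1), (2), (4) and (5) evaluated in it. The table cells the page does not show (the colours of records 3 and 4, and which attributes Customer picks out at each record) are assumptions, chosen so that the answers stated in Examples 1 to 3 come out; in particular Customer is taken to contain Colors at every record, since in (5) the Customer(α) conjunct sits outside the ◇ and validity needs it at every world. Attributes are referred to by name where the paper’s objects would be functions. Cylinders at Γ4 is deliberately given the garbage value 2, the kind of arbitrary value the paper warns about, so that the difference between (1) and (2) is visible.

```python
from itertools import product

# Possible worlds: one per record of the Locomobile table (Gamma_1 .. Gamma_4).
WORLDS = ("G1", "G2", "G3", "G4")
# Ground-level domain D: the strings listed in Section 4.
DOMAIN = ("1", "2", "3", "4", "automobile", "motorcycle", "piano", "A", "B", "C",
          "D", "red", "green", "black", "blue", "yes", "no", "upright", "grand")
# Names of the intensional constant symbols of type ^(0) (sets of strings).
SET_ATTRS = ("Engine", "Colors", "Air", "Config")

# Interpretation I of the intensional constant symbols, as world -> object.
# Cells not visible on the page are CONSTRUCTED so that the paper's stated
# answers come out.  Cylinders at G4 is irrelevant (the piano); its value is
# deliberately the garbage string "2" to show why relevancy guards matter.
I = {
    "IDNumber":  {"G1": "1", "G2": "2", "G3": "3", "G4": "4"},
    "Item":      {"G1": "automobile", "G2": "automobile", "G3": "motorcycle", "G4": "piano"},
    "Cylinders": {"G1": "2", "G2": "4", "G3": "2", "G4": "2"},
    "Engine":    {"G1": {"A", "B"}, "G2": {"A"}, "G3": {"C", "D"}, "G4": set()},
    "Colors":    {"G1": {"red", "green", "black"}, "G2": {"green", "black"}, "G3": {"blue"}, "G4": set()},
    "Air":       {"G1": {"no"}, "G2": {"yes", "no"}, "G3": set(), "G4": set()},
    "Config":    {"G1": set(), "G2": set(), "G3": set(), "G4": {"upright", "grand"}},
    # Customer: type ^(^(0)); ^(0) attributes are referred to by name here.
    "Customer":  {"G1": {"Colors"}, "G2": {"Colors", "Air"}, "G3": {"Colors"}, "G4": {"Colors", "Config"}},
    # Relevant0: type ^(^0); which ^0 attributes carry meaning at each record.
    "Relevant0": {"G1": {"IDNumber", "Item", "Cylinders"}, "G2": {"IDNumber", "Item", "Cylinders"},
                  "G3": {"IDNumber", "Item", "Cylinders"}, "G4": {"IDNumber", "Item"}},
}

def ext(name, world):
    """(v*I*Gamma)(↓name) = I(name)(Gamma): Definition 7, part 3."""
    return I[name][world]

def diamond(body):
    """◇Φ under S5: Φ holds at some world (accessibility is total)."""
    return any(body(d) for d in WORLDS)

def predicate_abstract(body, *ranges):
    """Definition 7, part 4: (λα1..αn.Φ) denotes the function sending a world
    Delta to {(w(α1),..,w(αn)) | w an α-variant of v and M,Delta ⊩_w Φ}."""
    def at_world(delta):
        return {args for args in product(*ranges) if body(delta, *args)}
    return at_world

def answers(abstract):
    """Argument tuples for which abstract(args) is VALID in M_L, i.e. the
    tuple lies in the abstract's value at every world (Definition 7, 5a)."""
    return set.intersection(*(abstract(w) for w in WORLDS))

# Query (1): (λα.◇[(↓IDNumber = α) ∧ (↓Cylinders = 2)]) -- no relevancy guard.
Q1 = predicate_abstract(
    lambda _g, a: diamond(lambda d: ext("IDNumber", d) == a and ext("Cylinders", d) == "2"),
    DOMAIN)

# Query (2): the same with Relevant0(Cylinders) required at the record.
Q2 = predicate_abstract(
    lambda _g, a: diamond(lambda d: ext("IDNumber", d) == a
                          and "Cylinders" in ext("Relevant0", d)
                          and ext("Cylinders", d) == "2"),
    DOMAIN)

# Query (4): (λα,β.◇[(↓Item = automobile) ∧ (↓Cylinders = 4) ∧ Customer(α) ∧ α(β)]).
Q4 = predicate_abstract(
    lambda _g, attr, b: diamond(lambda d: ext("Item", d) == "automobile"
                                and ext("Cylinders", d) == "4"
                                and attr in ext("Customer", d)
                                and b in ext(attr, d)),
    SET_ATTRS, DOMAIN)

# Query (5): Customer(α) is evaluated at the current world g, the rest under ◇;
# the (∃γ)(∃δ) quantifiers over type-0 variables range over DOMAIN.
def q5_body(g, attr, b):
    if attr not in ext("Customer", g):
        return False
    def ids_with(idv):
        return diamond(lambda d: ext("IDNumber", d) == idv and b in ext(attr, d))
    return any(c != e and ids_with(c) and ids_with(e) for c in DOMAIN for e in DOMAIN)

Q5 = predicate_abstract(q5_body, SET_ATTRS, DOMAIN)

if __name__ == "__main__":
    print("Q1 (unguarded):", sorted(a for (a,) in answers(Q1)))  # the piano sneaks in
    print("Q2 (guarded):  ", sorted(a for (a,) in answers(Q2)))
    print("Q4:", sorted(answers(Q4)))
    print("Q5:", sorted(answers(Q5)))
```

Running it, (1) answers 1, 3 and 4, because the arbitrary Cylinders value at Γ4 happens to be 2; (2) answers 1 and 3 only, as the paper claims for (3), and (4) and (5) return exactly the pairs listed in Examples 2 and 3.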

6 Constraints 

The Locomobile example is really an instance of a database scheme. In order to 
qualify as an instance, certain constraints must be met. So far, these have been 
implicit, but now it is time to state them precisely. This provides additional 
examples of the modal machinery at work. 
I’ve been treating IDNumber as a key attribute. I now want to make this a formal requirement. Ordinarily, to say something is a key is to say there cannot be two records that have a common value on this attribute. In a modal setting, this means the constant symbol IDNumber cannot be interpreted to have the same value at two possible worlds. But possible worlds cannot be referred to directly in our modal language. What we can say instead is that, in any model, worlds agreeing on a value for IDNumber must agree on every attribute. Since we have a full type theory here, this cannot be said with a single formula — we need an infinite family of them, one for each intensional type. Consider the following formula, where $\alpha$ is of type $\uparrow t$, $x$ is of type 0 and $y$ is of type $t$.

$(\forall\alpha)(\lambda x, y.\Box[(x = \downarrow\mathrm{IDNumber}) \supset (y = \downarrow\alpha)])(\downarrow\mathrm{IDNumber}, \downarrow\alpha)$ (6)

Requiring validity of (6) in a model is equivalent to requiring that two worlds where IDNumber is interpreted identically are worlds that agree on values of all intensional attributes of type $\uparrow t$. For the Locomobile example, we only need 5 instances: for types $\uparrow 0$, $\uparrow(0)$, $\uparrow(\uparrow 0)$, $\uparrow(\uparrow(0))$, and $\uparrow(\uparrow(\uparrow(0)))$.

Formula (6) is actually of more general interest than would appear at first glance. In ^ I noted that such a formula is a relative rigidity expression — it requires that all intensional objects of type $\uparrow t$ be rigid relative to IDNumber. Such requirements can be more elaborate, requiring rigidity relative to some combination of attributes. They can also be less elaborate, requiring absolute rigidity. As such, they relate to Kripke’s notion of rigid designator in but a further discussion would take us too far afield here.

In Example 2 I noted that Item should always be relevant. Clearly so should IDNumber. I also noted that Cylinders should be relevant for items that were automobiles. This means we should require validity of the following.

$\mathrm{Relevant0}(\mathrm{Item})$

$\mathrm{Relevant0}(\mathrm{IDNumber})$

$(\downarrow\mathrm{Item} = \mathrm{automobile}) \supset \mathrm{Relevant0}(\mathrm{Cylinders})$

To be precise, for a modal model to be considered as an instance of the 
Locomobile scheme, the various constraints above must be valid formulas in it. 

This can be turned into a proof-theoretic condition as well. Consider the tables of Section J again. It is not hard to see that the first line of Table 1 corresponds to the following formula.

$\Diamond[(\downarrow\mathrm{IDNumber} = 1) \wedge (\downarrow\mathrm{Item} = \mathrm{automobile}) \wedge (\downarrow\mathrm{Cylinders} = 2) \wedge \mathrm{Engine}(A) \wedge \mathrm{Engine}(B) \wedge \mathrm{Colors}(\mathrm{red}) \wedge \mathrm{Colors}(\mathrm{green}) \wedge \mathrm{Colors}(\mathrm{black}) \wedge \mathrm{Air}(\mathrm{no})]$



Similarly for the other lines, and tables. Now, to say we have presented an 
instance of the Locomobile database scheme amounts to saying the constraint 
formulas given earlier, combined with the various formulas derived from the 
tables and representing individual records, make up a consistent set. 

Consistency can, of course, be checked using a proof procedure, and the 
higher type modal logic used here does have a tableau system, see Q. But that 
system is complete relative to a Henkin model version of our semantics, and is 
not complete relative to the “true” semantics given in Section^ Also, a tableau 
procedure is not a decision method. I leave it as an open problem whether, for 
formulas of the particular forms that arise in database applications, a decision 
procedure can be extracted from the tableau method. 
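The constraints of this section are what makes a table an instance of the scheme rather than an arbitrary model, so here is an added example (my code, not the paper’s) that checks them on a candidate table. A record plays the role of a possible world; the key `"Relevant0"` holds the set of $\uparrow 0$ attributes that are meaningful for it, and irrelevant attributes are simply absent. `key_violations` checks the content of formula (6) for all intensional types at once, in the equivalent form the text gives (worlds agreeing on IDNumber agree on every attribute); `relevancy_violations` checks the three displayed relevancy formulas. Cells of the Locomobile table that the page does not show are constructed, as are the two violating tables.

```python
INTENSIONAL = ("IDNumber", "Item", "Cylinders", "Engine", "Colors", "Air",
               "Config", "Customer", "Relevant0")

# The four records as far as the page shows them; cells the page does not
# state are CONSTRUCTED.  Irrelevant ^0 attributes are left out entirely.
LOCOMOBILE = [
    {"IDNumber": "1", "Item": "automobile", "Cylinders": "2", "Engine": {"A", "B"},
     "Colors": {"red", "green", "black"}, "Air": {"no"}, "Customer": {"Colors"},
     "Relevant0": {"IDNumber", "Item", "Cylinders"}},
    {"IDNumber": "2", "Item": "automobile", "Cylinders": "4", "Engine": {"A"},
     "Colors": {"green", "black"}, "Air": {"yes", "no"}, "Customer": {"Colors", "Air"},
     "Relevant0": {"IDNumber", "Item", "Cylinders"}},
    {"IDNumber": "3", "Item": "motorcycle", "Cylinders": "2", "Engine": {"C", "D"},
     "Colors": {"blue"}, "Customer": {"Colors"},
     "Relevant0": {"IDNumber", "Item", "Cylinders"}},
    {"IDNumber": "4", "Item": "piano", "Config": {"upright", "grand"},
     "Customer": {"Colors", "Config"}, "Relevant0": {"IDNumber", "Item"}},
]

def key_violations(records, key="IDNumber"):
    """Formula (6) for every intensional type at once: two records (worlds)
    that agree on the key must agree on every attribute (relative rigidity).
    Returns the (key value, attribute) pairs where this fails."""
    bad = []
    for i, r in enumerate(records):
        for s in records[i + 1:]:
            if r[key] == s[key]:
                bad.extend((r[key], a) for a in INTENSIONAL if r.get(a) != s.get(a))
    return bad

def relevancy_violations(records):
    """Relevant0(Item), Relevant0(IDNumber) and
    (↓Item = automobile) ⊃ Relevant0(Cylinders), checked at every world."""
    bad = []
    for r in records:
        rel = r["Relevant0"]
        bad.extend((r["IDNumber"], a) for a in ("Item", "IDNumber") if a not in rel)
        if r["Item"] == "automobile" and "Cylinders" not in rel:
            bad.append((r["IDNumber"], "Cylinders"))
    return bad

def is_instance(records):
    """True iff every constraint formula is valid in the model of the table."""
    return not key_violations(records) and not relevancy_violations(records)

# Constructed counterexamples: a second record with IDNumber 2 but a different
# Colors value (key violation), and an automobile whose Cylinders entry is
# marked irrelevant (relevancy violation).
DUPLICATE_KEY = LOCOMOBILE + [dict(LOCOMOBILE[1], Colors={"blue"})]
MISSING_RELEVANCY = [dict(LOCOMOBILE[3], Item="automobile")]

if __name__ == "__main__":
    print(is_instance(LOCOMOBILE))                    # True
    print(key_violations(DUPLICATE_KEY))              # [('2', 'Colors')]
    print(relevancy_violations(MISSING_RELEVANCY))    # [('4', 'Cylinders')]
```

The check is model-theoretic, exactly as the text says it may be: it decides validity of the constraint formulas in the finite model the table determines, rather than running a tableau proof.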

7 Conclusion 

As promised, I have not proved any theorems. I have, however, provided a precise 
modal semantics that can be applied naturally to databases containing higher 
type constructs. Issues of practicability of implementation have been ignored. 
Issues of decidability for fragments directly applicable to databases have been 
ignored. I wanted to present the basics with the hope that others would find 
the subject of sufficient interest to pursue questions like these. I hope I have 
succeeded, at least a little. 
Abstract. In Apt and Bezem we provided a computational interpretation of first-order formulas over arbitrary interpretations. Here we complement this work by introducing a denotational semantics for first-order logic. Additionally, by allowing an assignment of a non-ground term to a variable we introduce in this framework logical variables.

The semantics combines a number of well-known ideas from the areas of semantics of imperative programming languages and logic programming. In the resulting computational view conjunction corresponds to sequential composition, disjunction to “don’t know” nondeterminism, existential quantification to declaration of a local variable, and negation to the “negation as finite failure” rule. The soundness result shows correctness of the semantics with respect to the notion of truth. The proof resembles in some aspects the proof of the soundness of the SLDNF-resolution.



1 Introduction 



Background 



To explain properly the motivation for the work here discussed we need to go back to the roots of logic programming and constraint logic programming. Logic programming grew out of the seminal work of Robinson on the resolution method and the unification method. First, Kowalski and Kuehner introduced a limited form of resolution, called linear resolution. Then Kowalski proposed what we now call SLD-resolution. The SLD-resolution is both a restriction and an extension of the resolution method. Namely, the clauses are restricted to Horn clauses. However, in the course of the resolution process a substitution is generated that can be viewed as a result of a computation. Right from the outset the SLD-resolution became then a crucial example of the computation as deduction paradigm according to which the computation process is identified with a constructive proof of a formula (a query) from a set of axioms (a program) with the computation process yielding the witness (a substitution).

This lineage of logic programming explains two of its relevant characteristics: 



1. the queries and clause bodies are limited to the conjunctions of atoms, 

2. the computation takes place (implicitly) over the domain of all ground terms 
of a given first-order language. 



J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 53^^2000. 
© Springer-Verlag Berlin Heidelberg 2000 
The restriction in item 1. was gradually lifted and through the works of Clark and Lloyd and Topor one eventually arrived at the possibility of using as queries and clause bodies arbitrary first-order formulas. This general syntax is for example available in the language Gödel of Lloyd and Hill.

A way to overcome the restriction in item 2. was proposed in 1987 by Jaffar and Lassez in their influential CLP(X) scheme that led to constraint logic programming. In this proposal the computation takes place over an arbitrary interpretation and the queries and clause bodies can contain constraints, i.e., atomic formulas interpreted over the chosen interpretation. The unification mechanism is replaced by a more general process of constraint solving and the outcome of a computation is a sequence of constraints to which the original query reduces.



This powerful idea was embodied since then in many constraint logic programming languages, starting with the CLP(R) language of Jaffar, Michaylov, Stuckey, and Yap in which linear constraints over reals were allowed, and the CHIP language of Dincbas et al. in which linear constraints over finite domains, combined with constraint propagation, were introduced. A theoretical framework for CHIP was provided in van Hentenryck.



This transition from logic programming to constraint logic programming introduced a new element. In the CLP(X) scheme the test for satisfiability of a sequence of constraints was needed, while a proper account of the CHIP computing process required an introduction of constraint propagation into the framework. On some interpretations these procedures can be undecidable (the satisfiability test) or computationally expensive (the “ideal” constraint propagation). This explains why in the realized implementations some approximation of the former or limited instances of the latter were chosen.



So in both approaches the computation (i.e., the deduction) process needs 
to be parametrized by external procedures that for each specific interpretation 
have to be provided and implemented separately. In short, in both cases the 
computation process, while parametrized by the considered interpretation, also 
depends on the external procedures used. In conclusion: constraint logic pro- 
gramming did not provide a satisfactory answer to the question of how to lift 
the computation process of logic programming from the domain of all ground 
terms to an arbitrary interpretation without losing the property that this process 
is effective. 



Arbitrary interpretations are important since they represent a declarative 
counterpart of data types. In practical situations the selected interpretations 
would admit sorts that would correspond to the data types chosen by the user 
for the application at hand, say terms, integers, reals and/or lists, each with the 
usual operations available. It is useful to contrast this view with the one taken 
in typed versions of logic programming languages. For example, in the case of the Gödel language (polymorphic) types are provided and are modeled by (polymorphic) sorts in the underlying theoretic model. However, in this model the computation still implicitly takes place over one fixed domain, that of all ground terms partitioned into sorts. This domain properly captures the built-in types but does not provide an account of user defined types. Moreover, in this approach different (i.e., not uniform) interpretation of equality for different types is needed, a feature present in the language but not accounted for in the theoretical model.

Formulas as Programs 

The above considerations motivated our work on a computational interpretation of first-order formulas over arbitrary interpretations reported in Apt and Bezem. This allowed us to view first-order formulas as executable programs. That is why we called this approach formulas as programs. In our approach the computation process is a search of a satisfying valuation for the formula in question. Because the problem of finding such a valuation is in general undecidable, we had to introduce the possibility of partial answers, modeled by an existence of run-time errors.

This ability to compute over arbitrary interpretations allowed us to extend the computation as deduction paradigm to arbitrary interpretations. We noted already that the SLD-resolution is both a restriction and an extension of the resolution method. In turn, the formulas as programs approach is both a restriction and an extension of the logic programming. Namely, the unification process is limited to an extremely simple form of matching involving variables and ground terms only. However, the computation process now takes place over an arbitrary structure and full first-order syntax is adopted.

The formulas as programs approach to programming has been realized in the 
programming language Alma-0 that extends imperative programming 

by features that support declarative programming. In fact, the work reported in 
Apt and Bezem provided logical underpinnings for a fragment of Alma-0 

that does not include destructive assignment or recursive procedures and allowed 
us to reason about non-trivial programs written in this fragment. 

Rationale for this Paper 

The computational interpretation provided in Apt and Bezem can be 

viewed as an operational semantics of first-order logic. The history of semantics of 
programming languages has taught us that to better understand the underlying 
principles it is beneficial to abstract from the details of the operational semantics. 
This view was put forward by Scott and Strachey in their proposal of denotational semantics of programming languages according to which, given a programming language, the meaning of each program is a mathematical function of the meanings of its direct constituents.

The aim of this paper is to complement the work of by providing a denotational semantics of first-order formulas. This semantics combines a number of ideas realized in the areas of (nondeterministic) imperative programming languages and the field of logic programming. It formalizes a view according to which conjunction can be seen as sequential composition, disjunction as “don’t know” nondeterminism, existential quantification as declaration of a local variable, and it relates negation to the “negation as finite failure” rule.
The main result is that the denotational semantics is sound with respect to the truth definition. The proof is reminiscent in some aspects of the proof of the soundness of the SLDNF-resolution of Clark. The semantics of equations allows matching involving variables and non-ground terms, a feature not present in and in Alma-0. This facility introduces logical variables in this framework but also creates a number of difficulties in the soundness proof because bindings to local variables can now be created.

First-order logic is obviously a too limited formalism for programming. In we discussed a number of extensions that are convenient for programming purposes, to wit sorts (i.e., types), arrays, bounded quantification and non-recursive procedures. This leads to a very expressive and easy to program in subset of Alma-0. We do not envisage any problems in incorporating these features into the denotational semantics here provided. A major problem is how to deal with recursion.

The plan of the paper is as follows. In the next section we discuss the difficulties encountered when solving arbitrary equations over algebras. Then, in Section 3 we provide a semantics of equations and in Section J we extend it to the case of first-order formulas interpreted over an arbitrary interpretation. The resulting semantics is denotational in style. In Section^we relate this semantics to the notion of truth by establishing a soundness result. In SectionHwe draw conclusions and suggest some directions for future work.

2 Solving Equations over Algebras 

Consider some fixed, but arbitrary, language of terms L and a fixed, but arbitrary 
algebra J for it (sometimes called a pre-interpretation). A typical example is the 
language defining arithmetic expressions and its standard interpretation over the 
domain of integers. 

We are interested in solving equations of the form $s = t$ over an algebra, that is, we seek an instantiation of the variables occurring in $s$ and $t$ that makes this equation true when interpreted over $J$. By varying $L$ and $J$ we obtain a whole array of specific decision problems that sometimes can be solved efficiently, like the unification problem or the problem of solving linear equations over reals, and sometimes are undecidable, like the problem of solving Diophantine equations.

Our intention is to use equations as a means to assign values to variables. 
Consequently, we wish to find a natural, general, situation for which the problem 
of determining whether an equation s = t has a solution in a given algebra is 
decidable, and to exhibit a “most general solution”, if one exists. By using most 
general solutions we do not lose any specific solution. 

This problem cannot be properly dealt with in full generality. Take for example the polynomial equations over integers. Then the equation $x^2 - 3x + 2 = 0$ has two solutions, $\{x/1\}$ and $\{x/2\}$, and none is “more general” than the other under any reasonable definition of a solution being more general than another.

In fact, given an arbitrary interpretation, the only case that seems to be of 
any use is that of comparing a variable and an arbitrary term. This brings us to 
equations of the form $x = t$, where $x$ does not occur in $t$. Such an equation has obviously a most general solution, namely the instantiation $\{x/t\}$.

A dual problem is that of finding when an equation $s = t$ has no solution in a given algebra. Of course, non-unifiability is not a rescue here: just consider the already mentioned equation $x^2 - 3x + 2 = 0$ the sides of which do not unify.

Again, the only realistic situation seems to be when both terms are ground and their values in the considered algebra are different. This brings us to equations $s = t$ both sides of which are ground terms.



3 Semantics of Equations 

After these preliminary considerations we introduce specific “hybrid” objects in 
which we mix the syntax and semantics. 

Definition 1. Consider a language of terms $L$ and an algebra $J$ for it. Given a function symbol $f$ we denote by $f_J$ the interpretation of $f$ in $J$.

— Consider a term of $L$ in which we replace some of the variables by the elements of the domain $D$. We call the resulting object a generalized term.

— Given a generalized term $t$ we define its $J$-evaluation as follows:

• replace each constant occurring in $t$ by its value in $J$,

• repeatedly replace each sub-object of the form $f(d_1, \ldots, d_n)$ where $f$ is a function symbol and $d_1, \ldots, d_n$ are the elements of the domain $D$ by the element $f_J(d_1, \ldots, d_n)$ of $D$.

We call the resulting generalized term a $J$-term and denote it by $[t]_J$. Note that if $t$ is ground, then $[t]_J$ is an element of the domain of $J$.

— By a $J$-substitution we mean a finite mapping from variables to $J$-terms which assigns to each variable $x$ in its domain a $J$-term different from $x$. We write it as $\{x_1/h_1, \ldots, x_n/h_n\}$. □

The $\mathcal{J}$-substitutions generalize both the usual substitutions and the valuations, 
which assign domain values to variables. By adding to the language $L$ 
constants for each domain element and for each ground term we can reduce the 
$\mathcal{J}$-substitutions to the substitutions. We preferred not to do this to keep the 
notation simple. 

In what follows we denote the empty $\mathcal{J}$-substitution by $\varepsilon$ and arbitrary 
$\mathcal{J}$-substitutions by $\theta, \eta, \gamma$ with possible subscripts. 

A more intuitive way of introducing $\mathcal{J}$-terms is as follows. Each ground term 
$s$ of $L$ evaluates to a unique value in $\mathcal{J}$. Given a generalized term $t$ replace 
each maximal ground subterm of $t$ by its value in $\mathcal{J}$. The outcome is the $\mathcal{J}$-term 
$[t]_{\mathcal{J}}$. 

We define the notion of an application of a $\mathcal{J}$-substitution $\theta$ to a generalized 
term $t$ in the standard way and denote it by $t\theta$. If $t$ is a term, then $t\theta$ does not 
have to be a term, though it is a generalized term. 
Definition 2. 

— A composition of two $\mathcal{J}$-substitutions $\theta$ and $\eta$, written as $\theta\eta$, is defined as 
the unique $\mathcal{J}$-substitution $\gamma$ such that for each variable $x$ 

XI = 

□ 

Let us illustrate the introduced concepts by means of two examples. 

Example 1. Take an arbitrary language of terms $L$. The Herbrand algebra $Her$ 
for $L$ is defined as follows: 

— its domain is the set $HU_L$ of all ground terms of $L$ (usually called the 
Herbrand universe), 

— if $f$ is an $n$-ary function symbol in $L$, then its interpretation is the mapping 
from $(HU_L)^n$ to $HU_L$ which maps the sequence $t_1, \ldots, t_n$ of ground terms 
to the ground term $f(t_1, \ldots, t_n)$. 

Consider now a term $s$. Then $[s]_{Her}$ equals $s$ because in $Her$ every ground 
term evaluates to itself. So the notions of a term, a generalized term and a $Her$-term 
coincide. Consequently, the notions of substitutions and $Her$-substitutions 
coincide. □ 

Example 2. Take as the language of terms the language $AE$ of arithmetic 
expressions. Its binary function symbols are the usual $\cdot$ ("times"), $+$ ("plus") and 
$-$ ("minus"), and its unique unary symbol is $-$ ("unary minus"). Further, for 
each integer $k$ there is a constant $k$. 

As the algebra for $AE$ we choose the standard algebra $Int$ that consists of 
the set of integers with the function symbols interpreted in the standard way. In 
what follows we write the binary function symbols in the usual infix notation. 

Consider the term $s = x + (((3 + 2) \cdot 4) - y)$. Then $[s]_{Int}$ equals $x + (20 - y)$. 

Further, given the $Int$-substitution $\theta := \{x/6 - z,\ y/3\}$ we have 
$s\theta = (6 - z) + (((3 + 2) \cdot 4) - 3)$ and consequently $[s\theta]_{Int} = (6 - z) + 17$. Further, given 
$\eta := \{z/4\}$, we have $\theta\eta = \{x/2,\ y/3,\ z/4\}$. □ 

To define the meaning of an equation over an algebra $\mathcal{J}$ we view $\mathcal{J}$-substitutions 
as states and use a special state 

— $error$, to indicate that it is not possible to determine effectively whether a 
solution to the equation $s\theta = t\theta$ in $\mathcal{J}$ exists. 

We now define the semantics $[\![\cdot]\!]$ of an equation between two generalized terms 
as follows: 

$$
[\![ s = t ]\!](\theta) :=
\begin{cases}
\{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\} & \text{if } s\theta \text{ is a variable that does not occur in } t\theta, \\
\{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\} & \text{if } t\theta \text{ is a variable that does not occur in } s\theta \\
 & \text{and } s\theta \text{ is not a variable}, \\
\{\theta\} & \text{if } [s\theta]_{\mathcal{J}} \text{ and } [t\theta]_{\mathcal{J}} \text{ are identical}, \\
\emptyset & \text{if } s\theta \text{ and } t\theta \text{ are ground and } [s\theta]_{\mathcal{J}} \neq [t\theta]_{\mathcal{J}}, \\
\{error\} & \text{otherwise.}
\end{cases}
$$
It will become clear in the next section why we collect here the unique outcome 
into a set and why we "carry" $\theta$ in the answers. 

Note that according to the above definition we have $[\![ s = t ]\!](\theta) = \{error\}$ 
for the non-ground generalized terms $s\theta$ and $t\theta$ such that the $\mathcal{J}$-terms $[s\theta]_{\mathcal{J}}$ 
and $[t\theta]_{\mathcal{J}}$ are different. In some situations we could safely assert then that 
$[\![ s = t ]\!](\theta) = \{\theta\}$ or that $[\![ s = t ]\!](\theta) = \emptyset$. For example, for the standard algebra 
$Int$ for the language of arithmetic expressions we could safely assert that 
$[\![ x + x = 2 \cdot x ]\!](\theta) = \{\theta\}$ and $[\![ x + 1 = x ]\!](\theta) = \emptyset$ for any $Int$-substitution $\theta$. 

The reason we did not do this was that we wanted to ensure that the seman- 
tics is uniform and decidable so that it can be implemented. 

4 A Denotational Semantics for First-Order Logic 

Consider now a first-order language with equality $\mathcal{L}$. In this section we extend 
the semantics $[\![\cdot]\!]$ to arbitrary first-order formulas from $\mathcal{L}$ interpreted over an 
arbitrary interpretation. $[\![\cdot]\!]$ depends on the considered interpretation but to 
keep the notation simple we do not indicate this dependence. This semantics 
is denotational in the sense that the meaning of each formula is a mathematical 
function of the meanings of its direct constituents. 

Fix an interpretation $I$. $I$ is based on some algebra $\mathcal{J}$. We define the notion 
of an application of a $\mathcal{J}$-substitution $\theta$ to a formula $\phi$ of $\mathcal{L}$, written as $\phi\theta$, in the 
usual way. 

Consider an atomic formula $p(t_1, \ldots, t_n)$ and a $\mathcal{J}$-substitution $\theta$. We denote 
by $p_I$ the interpretation of $p$ in $I$. 

We say that 

- $p(t_1, \ldots, t_n)\theta$ is true if $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \in p_I$, 

- $p(t_1, \ldots, t_n)\theta$ is false if $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \notin p_I$. 

In what follows we denote by $Subs$ the set of $\mathcal{J}$-substitutions and by $\mathcal{P}(A)$, 
for a set $A$, the set of all subsets of $A$. 

For a given formula $\phi$ its semantics $[\![\phi]\!]$ is a mapping 

$$[\![\phi]\!] : Subs \to \mathcal{P}(Subs \cup \{error\}).$$

The fact that the outcome of $[\![\phi]\!](\theta)$ is a set reflects the possibility of a 
nondeterminism here modeled by the disjunction. 

To simplify the definition we extend $[\![\cdot]\!]$ to deal with subsets of $Subs \cup \{error\}$ 
by putting 

$$[\![\phi]\!](error) := \{error\},$$

and for a set $X \subseteq Subs \cup \{error\}$ 

$$[\![\phi]\!](X) := \bigcup_{e \in X} [\![\phi]\!](e).$$
Further, to deal with the existential quantifier, we introduce an operation 
$DROP_x$, where $x$ is a variable. First we define $DROP_x$ on the elements of 
$Subs \cup \{error\}$ by putting for a $\mathcal{J}$-substitution $\theta$ 

$$
DROP_x(\theta) :=
\begin{cases}
\theta & \text{if } x \text{ is not in the domain of } \theta, \\
\eta & \text{if } \theta \text{ is of the form } \eta \uplus \{x/s\},
\end{cases}
$$

and 

$$DROP_x(error) := error.$$

Then we extend it element-wise to subsets of $Subs \cup \{error\}$, that is, by 
putting for a set $X \subseteq Subs \cup \{error\}$ 

$$DROP_x(X) := \{DROP_x(e) \mid e \in X\}.$$

$[\![\cdot]\!]$ is defined by structural induction as follows, where $A$ is an atomic formula 
different from $s = t$: 

- $[\![ A ]\!](\theta) := \begin{cases} \{\theta\} & \text{if } A\theta \text{ is true}, \\ \emptyset & \text{if } A\theta \text{ is false}, \\ \{error\} & \text{otherwise, that is if } A\theta \text{ is not ground}, \end{cases}$ 

- $[\![ \phi_1 \wedge \phi_2 ]\!](\theta) := [\![ \phi_2 ]\!]([\![ \phi_1 ]\!](\theta))$, 

- $[\![ \phi_1 \vee \phi_2 ]\!](\theta) := [\![ \phi_1 ]\!](\theta) \cup [\![ \phi_2 ]\!](\theta)$, 

- $[\![ \neg\phi ]\!](\theta) := \begin{cases} \{\theta\} & \text{if } [\![\phi]\!](\theta) = \emptyset, \\ \emptyset & \text{if } \theta \in [\![\phi]\!](\theta), \\ \{error\} & \text{otherwise}, \end{cases}$ 

- $[\![ \exists x\, \phi ]\!](\theta) := DROP_y([\![ \phi\{x/y\} ]\!](\theta))$, where $y$ is a fresh variable. 

To better understand this definition let us consider some simple examples 
that refer to the algebras discussed in Examples 1 and 2. 

Example 3. Take an interpretation $I$ based on the Herbrand algebra $Her$. Then 
$[\![ f(x) = z \wedge g(z) = g(f(x)) ]\!](\{x/g(y)\}) = [\![ g(z) = g(f(x)) ]\!](\theta) = \{\theta\}$, 
where $\theta := \{x/g(y),\ z/f(g(y))\}$. On the other hand 

$$[\![ g(f(x)) = g(z) ]\!](\{x/g(y)\}) = \{error\}.$$

□ 



Example 4. Take an interpretation $I$ based on the standard algebra $Int$ for the 
language of arithmetic expressions. Then 

$$[\![ y = z - 1 \wedge z = x + 2 ]\!](\{x/1\}) = [\![ z = x + 2 ]\!](\{x/1,\ y/z - 1\}) = \{\{x/1,\ y/2,\ z/3\}\}.$$

Further, 

$$[\![ y + 1 = z - 1 ]\!](\{y/1,\ z/3\}) = \{\{y/1,\ z/3\}\}$$

and even 

$$[\![ x \cdot (y + 1) = (v + 1) \cdot (z - 1) ]\!](\{x/v + 1,\ y/1,\ z/3\}) = \{\{x/v + 1,\ y/1,\ z/3\}\}.$$

On the other hand 

$$[\![ y - 1 = z - 1 ]\!](\varepsilon) = \{error\}.$$

□ 



The first example shows that the semantics given here is weaker than the 
one provided by logic programming. In turn, the second example shows that 
our treatment of arithmetic expressions is more general than the one provided 
by Prolog. 
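As an added worked example (not code from the paper), the semantics $[\![\cdot]\!]$ of Sections 3 and 4 instantiated for the language $AE$ over $Int$: it computes the composition of Example 2, the outcomes of Example 4, and all three cases of negation and of the existential quantifier. The term encoding (strings for variables, integers for domain elements, tuples for compound terms), the fresh-variable scheme and the function names are assumptions of this example.

```python
import itertools

# Added example, not the paper's code: [[.]] from Sections 3-4 for the language AE
# and the algebra Int.  Encoding (an assumption of this example): a variable is a
# str, a constant or domain element an int, a compound term a tuple (op, arg1, arg2)
# or ("neg", arg); a J-substitution is a dict var -> J-term.
ERROR = "error"                      # the special state `error`
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
_fresh = itertools.count(1)          # fresh names "_y1", "_y2", ...: assumed unused by callers

def apply_subst(t, theta):
    """t.theta: replace every variable in the domain of theta by its J-term."""
    if isinstance(t, str):
        return theta.get(t, t)
    if isinstance(t, int):
        return t
    return (t[0],) + tuple(apply_subst(a, theta) for a in t[1:])

def evaluate(t):
    """[t]_Int: replace each maximal ground subterm of t by its integer value."""
    if isinstance(t, (str, int)):
        return t
    args = [evaluate(a) for a in t[1:]]
    if all(isinstance(a, int) for a in args):     # f(d1,...,dn) -> f_Int(d1,...,dn)
        return -args[0] if t[0] == "neg" else OPS[t[0]](*args)
    return (t[0],) + tuple(args)

def is_ground(t):
    return isinstance(t, int) or (isinstance(t, tuple) and all(is_ground(a) for a in t[1:]))

def occurs(x, t):
    return t == x if isinstance(t, str) else isinstance(t, tuple) and any(occurs(x, a) for a in t[1:])

def compose(theta, eta):
    """theta.eta (Definition 2): the J-substitution gamma with x.gamma = [(x.theta).eta]_Int."""
    gamma = {x: evaluate(apply_subst(apply_subst(x, theta), eta)) for x in set(theta) | set(eta)}
    return {x: h for x, h in gamma.items() if h != x}       # a binding x/x is never kept

def eq_sem(s, t, theta):
    """[[s = t]](theta): the five cases of Section 3, tried in the order given there."""
    s1, t1 = apply_subst(s, theta), apply_subst(t, theta)
    vs, vt = evaluate(s1), evaluate(t1)
    if isinstance(s1, str) and not occurs(s1, t1):
        return [compose(theta, {s1: vt})]                    # bind the variable s.theta
    if isinstance(t1, str) and not isinstance(s1, str) and not occurs(t1, s1):
        return [compose(theta, {t1: vs})]                    # bind the variable t.theta
    if vs == vt:
        return [theta]                                       # identical Int-terms
    if is_ground(s1) and is_ground(t1):
        return []                                            # two different integers
    return [ERROR]                                           # cannot be decided effectively

def subst_formula(phi, sigma):
    """phi.sigma: apply sigma to the terms of every equation in phi."""
    if phi[0] == "eq":
        return ("eq", apply_subst(phi[1], sigma), apply_subst(phi[2], sigma))
    if phi[0] == "exists":
        return ("exists", phi[1], subst_formula(phi[2], sigma))
    return (phi[0],) + tuple(subst_formula(p, sigma) for p in phi[1:])

def dedup(outcomes):
    """Collect outcomes into a duplicate-free list (dicts are not hashable)."""
    result = []
    for o in outcomes:
        if o not in result:
            result.append(o)
    return result

def drop(y, e):
    """DROP_y on one element of Subs U {error}."""
    return e if e == ERROR else {x: h for x, h in e.items() if x != y}

def sem(phi, theta):
    """[[phi]](theta) for phi built from eq / and / or / not / exists."""
    if theta == ERROR:                                       # [[phi]](error) = {error}
        return [ERROR]
    kind = phi[0]
    if kind == "eq":
        return eq_sem(phi[1], phi[2], theta)
    if kind == "and":                                        # [[phi2]]([[phi1]](theta))
        return dedup(r for e in sem(phi[1], theta) for r in sem(phi[2], e))
    if kind == "or":                                         # [[phi1]](theta) U [[phi2]](theta)
        return dedup(sem(phi[1], theta) + sem(phi[2], theta))
    if kind == "not":
        res = sem(phi[1], theta)
        if not res:
            return [theta]                                   # phi1 finitely fails: success
        return [] if theta in res else [ERROR]               # empty answer for phi1: failure
    if kind == "exists":                                     # DROP_y([[phi1{x/y}]](theta)), y fresh
        y = f"_y{next(_fresh)}"
        return dedup(drop(y, e) for e in sem(subst_formula(phi[2], {phi[1]: y}), theta))
    raise ValueError(f"unknown connective {kind!r}")

def example_4():
    """The three computations of Example 4, in this encoding."""
    conj = ("and", ("eq", "y", ("-", "z", 1)), ("eq", "z", ("+", "x", 2)))
    return (sem(conj, {"x": 1}),
            sem(("eq", ("+", "y", 1), ("-", "z", 1)), {"y": 1, "z": 3}),
            sem(("eq", ("-", "y", 1), ("-", "z", 1)), {}))
```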

This definition of denotational semantics of first-order formulas combines a 
number of ideas put forward in the area of semantics of imperative programming 
languages and the field of logic programming. 

First, for an atomic formula $A$, when $A\theta$ is ground, its meaning coincides with 
the meaning of a Boolean expression given in de Bakker [page 270]. In 
turn, the meaning of the conjunction and of the disjunction follows [page 
270] in the sense that the conjunction corresponds to the sequential composition 
operation and the disjunction corresponds to the "don't know" nondeterministic 
choice, denoted there by $\cup$. 

Next, the meaning of the negation is inspired by its treatment in logic 
programming. To be more precise we need the following observations the proofs of 
which easily follow by structural induction. 

Note 1. 

(i) If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta\gamma$ for some $\mathcal{J}$-substitution $\gamma$. 

(ii) If $\phi\theta$ is ground, then $[\![\phi]\!](\theta) \subseteq \{\theta\}$. □ 

First, we interpret $[\![\phi]\!](\theta) \cap Subs \neq \emptyset$ as the statement "the query $\phi\theta$ 
succeeds". More specifically, if $\eta \in [\![\phi]\!](\theta)$, then by Note 1(i) for some $\gamma$ we have 
$\eta = \theta\gamma$. 

In general, $\gamma$ is of course not unique: take for example $\theta := \{x/0\}$ and $\eta = \theta$. 
Then both $\eta = \theta\varepsilon$ and $\eta = \theta\theta$. However, it is easy to show that if $\eta$ is less general 
than $\theta$, then in the set $\{\gamma \mid \eta = \theta\gamma\}$ the $\mathcal{J}$-substitution with the smallest domain 
is uniquely defined. In what follows given $\mathcal{J}$-substitutions $\eta$ and $\theta$ such that $\eta$ is 
less general than $\theta$, when writing $\eta = \theta\gamma$ we always refer to this uniquely defined 
$\gamma$. 

Now we interpret $\theta\gamma \in [\![\phi]\!](\theta)$ as the statement "$\gamma$ is the computed answer 
substitution for the query $\phi\theta$". In turn, we interpret $[\![\phi]\!](\theta) = \emptyset$ as the statement 
"the query $\phi\theta$ finitely fails". 

Suppose now that $[\![\phi]\!](\theta) \cap Subs \neq \emptyset$, which means that the query $\phi\theta$ succeeds. 
Assume additionally that $\phi\theta$ is ground. Then by Note 1(ii) $\theta \in [\![\phi]\!](\theta)$ and 
consequently by the definition of the meaning of negation $[\![\neg\phi]\!](\theta) = \emptyset$, which 
means that the query $\neg\phi\theta$ finitely fails. 

In turn, suppose that $[\![\phi]\!](\theta) = \emptyset$, which means that the query $\phi\theta$ finitely 
fails. By the definition of the meaning of negation $[\![\neg\phi]\!](\theta) = \{\theta\}$, which means 
that the query $\neg\phi\theta$ succeeds with the empty computed answer substitution. 

This explains the relation with the "negation as finite failure" rule according 
to which for a ground query $Q$: 

— if $Q$ succeeds, then $\neg Q$ finitely fails, 

— if $Q$ finitely fails, then $\neg Q$ succeeds with the empty computed answer 
substitution. 

In fact, our definition of the meaning of negation corresponds to a generalization 
of the negation as finite failure rule already mentioned in Clark 
according to which the requirement that $Q$ is ground is dropped and the first 
item is replaced by: 

— if $Q$ succeeds with the empty computed answer substitution, then $\neg Q$ finitely 
fails. 

Finally, the meaning of the existential quantification corresponds to the 
meaning of the block statement in imperative languages, see, e.g., de Bakker 
[page 226], with the important difference that the local variable is not 
initialized. From this viewpoint the existential quantifier $\exists x$ corresponds to the 
declaration of the local variable $x$. The $DROP_x$ operation was introduced in 
Clarke to deal with the declarations of local variables. 

We do not want to make the meaning of the formula $\exists x\, \phi$ dependent on 
the choice of $y$. Therefore we postulate that for any fresh variable $y$ the set 
$DROP_y([\![ \phi\{x/y\} ]\!](\theta))$ is a meaning of $\exists x\, \phi$ given a $\mathcal{J}$-substitution $\theta$. Consequently, 
the semantics of $\exists x\, \phi$ has many outcomes, one for each choice of $y$. 
This "multiplicity" of meanings then extends to all formulas containing the 
existential quantifier. So for example for any variable $y$ different from $x$ and $z$ 
the $\mathcal{J}$-substitution $\{z/f(y)\}$ is the meaning of $\exists x\, (z = f(x))$ given the empty 
$\mathcal{J}$-substitution $\varepsilon$. 






5 Soundness 

To relate the introduced semantics to the notion of truth we first formalize the 
latter using the notion of a $\mathcal{J}$-substitution instead of the customary notion of a 
valuation. 

Consider a first-order language $\mathcal{L}$ with equality and an interpretation $I$ for 
it based on some algebra $\mathcal{J}$. Let $\theta$ be a $\mathcal{J}$-substitution. We define the relation 
$I \models_\theta \phi$ for a formula $\phi$ by structural induction. First we assume that $\theta$ is defined 
on all free variables of $\phi$ and put 

— $I \models_\theta s = t$ iff $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ coincide, 

— $I \models_\theta p(t_1, \ldots, t_n)$ iff $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \in p_I$. 

In other words, $I \models_\theta p(t_1, \ldots, t_n)$ iff $p(t_1, \ldots, t_n)\theta$ is true. The definition extends 
to non-atomic formulas in the standard way. 

Now assume that $\theta$ is not defined on all free variables of $\phi$. We put 

— $I \models_\theta \phi$ iff $I \models_\theta \forall x_1, \ldots, \forall x_n\, \phi$ where $x_1, \ldots, x_n$ is the list of the free variables 
of $\phi$ that do not occur in the domain of $\theta$. 

Finally, 

— $I \models \phi$ iff $I \models_\theta \phi$ for all $\mathcal{J}$-substitutions $\theta$. 

To prove the main theorem we need the following notation. Given a $\mathcal{J}$-substitution 
$\eta := \{x_1/h_1, \ldots, x_n/h_n\}$ we define $\langle\eta\rangle := x_1 = h_1 \wedge \ldots \wedge x_n = h_n$. 

In the discussion that follows the following simple observation will be useful. 

Note 2. For all $\mathcal{J}$-substitutions $\theta$ and formulas $\phi$ 

$$I \models_\theta \phi \ \text{ iff } \ I \models \langle\theta\rangle \to \phi.$$

□ 

The following theorem now shows correctness of the introduced semantics 
with respect to the notion of truth. 

Theorem 1 (Soundness). 

Consider a first-order language $\mathcal{L}$ with equality and an interpretation $I$ for 
it based on some algebra $\mathcal{J}$. Let $\phi$ be a formula of $\mathcal{L}$ and $\theta$ a $\mathcal{J}$-substitution. 

(i) For each $\mathcal{J}$-substitution $\eta \in [\![\phi]\!](\theta)$ 

$$I \models_\eta \phi.$$

(ii) If $error \notin [\![\phi]\!](\theta)$, then 

$$I \models \phi\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i \langle\eta_i\rangle,$$

where $[\![\phi]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\}$, and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables 
that appear in the range of $\eta_i$. 

Note that by (ii) if $[\![\phi]\!](\theta) = \emptyset$, then 

$$I \models \neg\phi\theta.$$

In particular, if $[\![\phi]\!](\varepsilon) = \emptyset$, then 

$$I \models \neg\phi.$$
Proof. The proof proceeds by simultaneous induction on the structure of the 
formulas. 

$\phi$ is $s = t$. 

If $\eta \in [\![\phi]\!](\theta)$, then three possibilities arise. 

1. $s\theta$ is a variable that does not occur in $t\theta$. 

Then $[\![ s = t ]\!](\theta) = \{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\}$ and consequently $\eta = \theta\{s\theta/[t\theta]_{\mathcal{J}}\}$. So 
$I \models_\eta (s = t)$ holds since $s\eta = [t\theta]_{\mathcal{J}}$ and $t\eta = t\theta$. 

2. $t\theta$ is a variable that does not occur in $s\theta$ and $s\theta$ is not a variable. 

Then $[\![ s = t ]\!](\theta) = \{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\}$. This case is symmetric to 1. 

3. $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ are identical. 

Then $\eta = \theta$, so $I \models_\eta (s = t)$ holds. 

If $error \notin [\![\phi]\!](\theta)$, then four possibilities arise. 

1. $s\theta$ is a variable that does not occur in $t\theta$. 

Then $[\![ s = t ]\!](\theta) = \{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\}$. We have $I \models (s = t)\theta \leftrightarrow s\theta =$ 

2. $t\theta$ is a variable that does not occur in $s\theta$ and $s\theta$ is not a variable. 

Then $[\![ s = t ]\!](\theta) = \{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\}$. This case is symmetric to 1. 

3. $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ are identical. 

Then $[\![ s = t ]\!](\theta) = \{\theta\}$. We have $[\![ s = t ]\!](\theta) = \{\theta\varepsilon\}$ and $I \models_\theta s = t$, so 
$I \models (s = t)\theta \leftrightarrow \langle\varepsilon\rangle$, since $\langle\varepsilon\rangle$ is vacuously true. 

4. $s\theta$ and $t\theta$ are ground $\mathcal{J}$-terms and $[s\theta]_{\mathcal{J}} \neq [t\theta]_{\mathcal{J}}$. 

Then $[\![ s = t ]\!](\theta) = \emptyset$ and $I \models \neg(s = t)\theta$, so $I \models (s = t)\theta \leftrightarrow falsum$, where 
$falsum$ denotes the empty disjunction. 

$\phi$ is an atomic formula different from $s = t$. 

If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta$ and $\phi\theta$ is true. So $I \models_\theta \phi$, i.e., $I \models_\eta \phi$. 

If $error \notin [\![\phi]\!](\theta)$, then either $[\![\phi]\!](\theta) = \{\theta\}$ or $[\![\phi]\!](\theta) = \emptyset$. In both cases the 
argument is the same as in cases 3. and 4. for the equality $s = t$. 

Note that in both cases we established a stronger form of (ii) in which each 
list $\bar{y}_i$ is empty, i.e., no quantification over the variables in $\langle\eta_i\rangle$ appears. 

$\phi$ is $\phi_1 \wedge \phi_2$. This is the most elaborate case. 

If $\eta \in [\![\phi]\!](\theta)$, then for some $\mathcal{J}$-substitution $\gamma$ both $\gamma \in [\![\phi_1]\!](\theta)$ and 
$\eta \in [\![\phi_2]\!](\gamma)$. By induction hypothesis both $I \models_\gamma \phi_1$ and $I \models_\eta \phi_2$. But by Note 1(i) 
$\eta$ is less general than $\gamma$, so $I \models_\eta \phi_1$ and consequently $I \models_\eta \phi_1 \wedge \phi_2$. 

If $error \notin [\![\phi]\!](\theta)$, then for some $X \subseteq Subs$ both $[\![\phi_1]\!](\theta) = X$ and 
$error \notin [\![\phi_2]\!](\eta)$ for all $\eta \in X$. 

By induction hypothesis 

$$I \models \phi_1\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i \langle\eta_i\rangle,$$

where $X = \{\theta\eta_1, \ldots, \theta\eta_k\}$ and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables that 
appear in the range of $\eta_i$. Hence 

$$I \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} (\exists \bar{y}_i \langle\eta_i\rangle \wedge \phi_2\theta),$$

so by appropriate renaming of the variables in the sequences $\bar{y}_i$ 

$$I \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i (\langle\eta_i\rangle \wedge \phi_2\theta).$$

But for any $\mathcal{J}$-substitution $\delta$ and a formula $\psi$ 

$$I \models \langle\delta\rangle \wedge \psi \leftrightarrow \langle\delta\rangle \wedge \psi\delta, \qquad (1)$$

so 

$$I \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i (\langle\eta_i\rangle \wedge \phi_2\theta\eta_i).$$

Further, we have for $i \in [1..k]$ 

$$[\![\phi_2]\!](\theta\eta_i) = \{\theta\eta_i\gamma_{ij} \mid j \in [1..\ell_i]\}$$

for some $\mathcal{J}$-substitutions $\gamma_{i1}, \ldots, \gamma_{i\ell_i}$. So 

$$[\![\phi_1 \wedge \phi_2]\!](\theta) = \{\theta\eta_i\gamma_{ij} \mid i \in [1..k],\ j \in [1..\ell_i]\}.$$

By induction hypothesis we have for $i \in [1..k]$ 

$$I \models \phi_2\theta\eta_i \leftrightarrow \bigvee_{j=1}^{\ell_i} \exists \bar{v}_{ij} \langle\gamma_{ij}\rangle,$$

where for $i \in [1..k]$ and $j \in [1..\ell_i]$ $\bar{v}_{ij}$ is a sequence of variables that appear in 
the range of $\gamma_{ij}$. 

Using (1) by appropriate renaming of the variables in the sequences $\bar{v}_{ij}$ we 
now conclude that 

$$I \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \bigvee_{j=1}^{\ell_i} \exists \bar{y}_i \exists \bar{v}_{ij} (\langle\eta_i\rangle \wedge \langle\gamma_{ij}\rangle),$$

so 

$$I \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \bigvee_{j=1}^{\ell_i} \exists \bar{y}_i \exists \bar{v}_{ij} \langle\eta_i\gamma_{ij}\rangle,$$

since the domains of $\eta_i$ and $\gamma_{ij}$ are disjoint and for any $\mathcal{J}$-substitutions $\gamma$ and 
$\delta$ with disjoint domains we have 

$$I \models \langle\gamma\rangle \wedge \langle\delta\rangle \leftrightarrow \langle\gamma\delta\rangle.$$
$\phi$ is $\phi_1 \vee \phi_2$. 

If $\eta \in [\![\phi]\!](\theta)$, then either $\eta \in [\![\phi_1]\!](\theta)$ or $\eta \in [\![\phi_2]\!](\theta)$, so by induction 
hypothesis either $I \models_\eta \phi_1$ or $I \models_\eta \phi_2$. In both cases $I \models_\eta \phi_1 \vee \phi_2$ holds. 

If $error \notin [\![\phi]\!](\theta)$, then for some $\mathcal{J}$-substitutions $\eta_1, \ldots, \eta_k$ 

$$[\![\phi_1]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\},$$

where $k \geq 0$, for some $\mathcal{J}$-substitutions $\eta_{k+1}, \ldots, \eta_{k+\ell}$, 

$$[\![\phi_2]\!](\theta) = \{\theta\eta_{k+1}, \ldots, \theta\eta_{k+\ell}\},$$

where $\ell \geq 0$, and 

$$[\![\phi_1 \vee \phi_2]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_{k+\ell}\}.$$

By induction hypothesis both 

$$I \models \phi_1\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i \langle\eta_i\rangle$$

and 

$$I \models \phi_2\theta \leftrightarrow \bigvee_{i=k+1}^{k+\ell} \exists \bar{y}_i \langle\eta_i\rangle$$

for appropriate sequences of variables $\bar{y}_i$. So 

$$I \models (\phi_1 \vee \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k+\ell} \exists \bar{y}_i \langle\eta_i\rangle.$$

$\phi$ is $\neg\phi_1$. 

If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta$ and $[\![\phi_1]\!](\theta) = \emptyset$. By induction hypothesis $I \models_\theta \neg\phi_1$, 
i.e., $I \models_\eta \neg\phi_1$. 

If $error \notin [\![\phi]\!](\theta)$, then either $[\![\phi]\!](\theta) = \{\theta\}$ or $[\![\phi]\!](\theta) = \emptyset$. In the former 
case $[\![\phi]\!](\theta) = \{\theta\varepsilon\}$, so $[\![\phi_1]\!](\theta) = \emptyset$. By induction hypothesis $I \models_\theta \neg\phi_1$, i.e., 
$I \models (\neg\phi_1)\theta \leftrightarrow \langle\varepsilon\rangle$, since $\langle\varepsilon\rangle$ is vacuously true. In the latter case $\theta \in [\![\phi_1]\!](\theta)$, so 
by induction hypothesis $I \models_\theta \phi_1$, i.e., $I \models (\neg\phi_1)\theta \leftrightarrow falsum$. 

$\phi$ is $\exists x\, \phi_1$. 

If $\eta \in [\![\phi]\!](\theta)$, then $\eta \in DROP_y([\![\phi_1\{x/y\}]\!](\theta))$ for some fresh variable $y$. So 
either (if $y$ is not in the domain of $\eta$) $\eta \in [\![\phi_1\{x/y\}]\!](\theta)$ or for some $\mathcal{J}$-term 
$s$ we have $\eta \uplus \{y/s\} \in [\![\phi_1\{x/y\}]\!](\theta)$. By induction hypothesis in the former 
case $I \models_\eta \phi_1\{x/y\}$ and in the latter case $I \models_{\eta \uplus \{y/s\}} \phi_1\{x/y\}$. In both cases 
$I \models \exists y\, (\phi_1\{x/y\}\eta)$, so, since $y$ is fresh, $I \models (\exists y\, \phi_1\{x/y\})\eta$ and consequently 
$I \models (\exists x\, \phi_1)\eta$, i.e., $I \models_\eta \exists x\, \phi_1$. 

If $error \notin [\![\phi]\!](\theta)$, then $error \notin [\![\phi_1\{x/y\}]\!](\theta)$, as well, where $y$ is a fresh 
variable. By induction hypothesis 

$$I \models \phi_1\{x/y\}\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i \langle\eta_i\rangle, \qquad (2)$$

where 

$$[\![\phi_1\{x/y\}]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\} \qquad (3)$$

and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables that appear in the range of $\eta_i$. 

Since $y$ is fresh, we have $I \models \exists y\, (\phi_1\{x/y\}\theta) \leftrightarrow (\exists y\, \phi_1\{x/y\})\theta$ and 
$I \models (\exists y\, \phi_1\{x/y\})\theta \leftrightarrow (\exists x\, \phi_1)\theta$. So (2) implies 

$$I \models (\exists x\, \phi_1)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists y\, \exists \bar{y}_i \langle\eta_i\rangle.$$

But for $i \in [1..k]$ 

$$I \models \exists y\, \langle\eta_i\rangle \leftrightarrow \exists y\, \langle DROP_y(\eta_i)\rangle,$$

since if $y/s \in \eta_i$, then the variable $y$ does not appear in $s$. So 

$$I \models (\exists x\, \phi_1)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists \bar{y}_i \exists y\, \langle DROP_y(\eta_i)\rangle. \qquad (4)$$

Now, by (3) 

$$[\![\exists x\, \phi_1]\!](\theta) = \{DROP_y(\theta\eta_1), \ldots, DROP_y(\theta\eta_k)\}.$$

But $y$ does not occur in $\theta$, so we have for $i \in [1..k]$ 

$$DROP_y(\theta\eta_i) = \theta DROP_y(\eta_i)$$

and consequently 

$$[\![\exists x\, \phi_1]\!](\theta) = \{\theta DROP_y(\eta_1), \ldots, \theta DROP_y(\eta_k)\}.$$

This by virtue of (4) concludes the proof. □ 



Informally, (i) states that every computed answer substitution of $\phi\theta$ validates 
it. It is useful to point out that (ii) is a counterpart of Theorem 3 in Clark. 
Intuitively, it states that a query is equivalent to the disjunction of its 
computed answer substitutions written out in an equational form (using the $\langle\eta\rangle$ 
notation). In our case this property holds only if $error$ is not a possible outcome. 
Indeed, if $[\![ s = t ]\!](\theta) = \{error\}$, then nothing can be stated about the status of 
the statement $I \models (s = t)\theta$. 

Note that in case $error \notin [\![\phi]\!](\theta)$, (ii) implies (i) by virtue of Note 2. On the 
other hand, if $error \in [\![\phi]\!](\theta)$, then (i) can still be applicable while (ii) not. 

Additionally existential quantifiers have to be used in an appropriate way. 
The formulas of the form $\exists \bar{y}\langle\eta\rangle$ also appear in Maher in connection 
with a study of the decision procedures for the algebras of trees. In fact, there 
are some interesting connections between this paper and ours that could be 
investigated in closer detail. 
6 Conclusions and Future Work 

In this paper we provided a denotational semantics to first-order logic formulas. 
This semantics is a counterpart of the operational semantics introduced in Apt 
and Bezem. The important difference is that we provide here a more 
general treatment of equality according to which a non-ground term can be 
assigned to a variable. This realizes logical variables in the framework of Apt 
and Bezem. This feature led to a number of complications in the proof 
of the Soundness Theorem 1. 

One of the advantages of this theorem is that it allows us to reason about 
the considered program simply by comparing it to the formula representing its 
specification. In the case of operational semantics this was exemplified in Apt 
and Bezem by showing how to verify non-trivial Alma-0 programs that 
do not include destructive assignment. 

Note that it is straightforward to extend the semantics here provided to other 
well-known programming constructs, such as destructive assignment, the while 
construct and recursion. However, as soon as a destructive assignment is introduced, 
the relation with the definition of truth in the sense of the Soundness Theorem is 
lost and the just mentioned approach to program verification cannot be applied 
anymore. In fact, the right approach to the verification of the resulting programs 
is an appropriately designed Hoare logic or the weakest precondition semantics. 

The work here reported can be extended in several directions. First of all, it 
would be useful to prove equivalence between the operational and denotational 
semantics. Also, it would be interesting to specialize the introduced semantics to 
specific interpretations for which the semantics could generate an error less often. 
Examples are Herbrand interpretations for an arbitrary first-order language 
in which the meaning of equalities could be rendered using most general unifiers, 
and the standard interpretation over the reals for the language defining linear 
equations; these equations can be handled by means of the usual elimination 
procedure. In both cases the equality could be dealt with without introducing 
the $error$ state at all. 

Other possible research directions were already mentioned in Apt and Bezem. 
These involved addition of recursive procedures, of constraints, and provision 
of support for automated verification of programs written in Alma-0. 
The last item mentioned there, the relation to dynamic predicate logic, was in the 
meantime extensively studied in the work of van Eijck who, starting with 
Apt and Bezem, defined a number of semantics for dynamic predicate 
logic in which the existential quantifier has a different, dynamic scope. This work 
was motivated by applications in natural language processing. 
Abstract. In this paper I give a brief overview of recent work on uncertainty in 
AI, and relate it to logical representations. Bayesian decision theory and logic 
are both normative frameworks for reasoning that emphasize different aspects 
of intelligent reasoning. Belief networks (Bayesian networks) are representations 
of independence that form the basis for understanding much of the recent work 
on reasoning under uncertainty, evidential and causal reasoning, decision analysis, 
dynamical systems, optimal control, reinforcement learning and Bayesian 
learning. The independent choice logic provides a bridge between logical representations 
and belief networks that lets us understand these other representations 
and their relationship to logic and shows how they can be extended to first-order 
rule-based representations. This paper discusses what the representations of uncertainty 
can bring to the computational logic community and what the computational 
logic community can bring to those studying reasoning under uncertainty. 

"It is remarkable that a science which began with the consideration of 
games of chance should become the most important object of human knowledge... 
The most important questions of life are, for the most part, really only 
problems of probability." 

"The theory of probabilities is at bottom nothing but common sense reduced 
to calculus." 

— Pierre Simon de Laplace (1794-1827) 

1 Introduction 

There are good normative arguments for using logic to represent knowledge (Nilsson, 
1991; Poole, Mackworth and Goebel, 1998). These arguments are usually based on rea- 
soning with symbols with an explicit denotation, allowing relations amongst individu- 
als, and permitting quantification over individuals. This is often translated as needing (at 
least) the first-order predicate calculus. Unfortunately, the first-order predicate calculus 
has very primitive mechanisms for handling uncertainty, namely, the use of disjunction 
and existential quantification. 



J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, PP- 70^|2000. 
There are also good normative reasons for using Bayesian decision theory for decision 
making under uncertainty (Von Neumann and Morgenstern, 1953; Savage, 1972). 
These arguments can be intuitively interpreted as seeing decision making as a form 
of gambling, and that probability and utility are the appropriate calculi for gambling. 
These arguments lead to the assignment of a single probability to a proposition; thus 
leading to the notion of probability as a measure of subjective belief. The probability of 
a proposition for an agent is a measure of the agent's belief in the truth of the proposition. 
This measure of belief is a function of what the agent knows. Probability theory 
can be seen as the study of how knowledge affects belief. 

It is important to note that decision theory has nothing to say about representations. 
Adopting decision theory doesn't mean adopting any particular representation. 
While there are some representations that can be directly extracted from the theory, 
such as the explicit reasoning over the state space or the use of decision trees, these 
become intractable as the problem domains become large; it is like theorem proving by 
enumerating the interpretations. Adopting logic doesn't mean you have to enumerate 
interpretations or generate the semantic tree (Chang and Lee, 1973), nor does adopting 
decision theory mean you have to use analogous representations. 

First, I will talk about knowledge representation, in which tradition this representation 
is built. Then I will introduce belief networks. The ICL will then be presented from 
three alternate viewpoints: as a semantic framework in terms of choices made by agents, 
in terms of first-order belief networks (Bayesian networks) and as a framework for 
abduction and argumentation. I then discuss work on diagnosis, dynamical systems and 
learning from the uncertainty point of view and relate it to logical representations. 

1.1 Knowledge Representation 

In order to understand where this work fits in, Figure 1 (from (Poole et al., 1998)) shows 
the knowledge representation (KR) view. Given a problem we want a solution to, we 
find a representation for the problem; using this representation we can do computation 
to find an answer that can then be interpreted as a solution to the problem. 




Fig. 1. Knowledge Representation Framework 



When considering representations, there are a number of often competing considerations: 

- The representation should be rich enough to be able to contain enough information 
to actually solve the problem. 

- The representation should be as close to the problem as possible. We want the 
representation to be as "natural" as possible, so that small changes in the problem 
result in small changes in the representation. 

- We want the representation to be amenable to efficient computation. This does not 
necessarily mean that the representation needs to be efficient in the worst case (because 
that usually invalidates the first consideration). Rather we would like to be 
able to exploit features of the problem for computational gain. This means that the 
representation must be capable of expressing those features of the problem that can 
be exploited computationally. 

- We want to be able to learn the representation from data and from past experiences 
in solving similar problems. 

Belief networks (or Bayesian networks) (Pearl, 1988) are of interest because they provide 
a language that represents the sort of knowledge a person may have about a 
domain, because they are rich enough for many applications, because features of the 
representation can be exploited for computational gain, and because they can be learned 
from data. Unfortunately, the underlying logic of belief networks is propositional. We 
cannot have relations amongst individuals as we can, for example, in the first-order 
predicate calculus. 



2 Belief Networks 

Probability specifies a semantic construction and not a representation of knowledge. A 
belief network (Pearl, 1988) is a way to represent probabilistic knowledge. The idea is 
to represent a domain in terms of random variables and to explicitly model the inter- 
dependence of the random variables in terms of a graph. This is useful when a random 
variable only depends on a few other random variables, as occurs in many domains. 
Belief networks form the foundation from which much of the work on uncertainty in 
AI is built. 

Suppose we decide to represent some domain using the random variables¹ 
$x_1, \ldots, x_n$. Let's totally order the variables. It is straightforward to prove: 

$$
\begin{aligned}
P(x_1, \ldots, x_n) &= P(x_1)P(x_2 \mid x_1)P(x_3 \mid x_1, x_2) \cdots P(x_n \mid x_1 \cdots x_{n-1}) \\
&= \prod_{i=1}^{n} P(x_i \mid x_1, \ldots, x_{i-1})
\end{aligned}
$$

For each variable $x_i$ suppose there is some minimal set $\pi_{x_i} \subseteq \{x_1, \ldots, x_{i-1}\}$ such that 
$P(x_i \mid x_1, \ldots, x_{i-1}) = P(x_i \mid \pi_{x_i})$. 

¹ Or in terms of propositions. A proposition is a random variable with two possible values true 
and false (these are called Boolean random variables). In examples, I will often write $x = true$ 
as $x$ and $x = false$ as $\neg x$. 

That is, once you know the values of the variables in $\pi_{x_i}$, knowing the values of other 
predecessors of $x_i$ in the total ordering will not change your belief in $x_i$. The elements 
of the set $\pi_{x_i}$ are known as the parents of variable $x_i$. We say $x_i$ is conditionally 
independent of its predecessors given its parents. We can create a graph where there is 
an arc from each parent of a node into that node. Such a graph, together with the 
conditional probabilities $P(x_i \mid \pi_{x_i})$ for each variable $x_i$, is known as a belief network or 
a Bayesian network (Pearl, 1988; Jensen, 1996). 

Example 1. An example belief network is given in Figure 2. The parents of 
projector_lamp_on are power_in_projector and lamp_works. Note that this graph does not 
specify how projector_lamp_on depends on power_in_projector and lamp_works. It does, 
however, specify that projector_lamp_on is independent of power_in_building, 
alan_reading_book and the other non-descendents given these parents. Separately we 
need a specification of how each variable depends on its parents. 

Fig. 2. A belief network for an overhead projector (we discuss the node in bold) 

There are a few important points to notice about a Bayesian network: 

- By construction, the graph defining a Bayesian network is acyclic. 

- Different total orderings of the variables can result in different Bayesian networks 
for the same underlying distribution. 

- The size of a conditional probability table for $P(x_i \mid \pi_{x_i})$ is exponential in the number 
of parents of $x_i$. 
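As an added example (not from the paper), the factorisation and the conditional-independence claim of this section on a Boolean network over the Figure 2 variables: it builds the joint distribution from one table per variable, recovers $P(x_i \mid \pi_{x_i})$ from that joint by marginalisation, and checks that a non-parent predecessor such as power_in_building does not change it. The arc power_in_building → power_in_projector, the total ordering and every probability value are constructed assumptions.

```python
import itertools

# Added example, not from the paper: a Boolean belief network over the variables
# of Figure 2, in a total ordering that keeps parents before children.  The arcs
# into projector_lamp_on follow the text; the arc power_in_building ->
# power_in_projector and every number below are constructed for illustration.
ORDER = ["power_in_building", "lamp_works", "alan_reading_book",
         "power_in_projector", "projector_lamp_on"]
PARENTS = {
    "power_in_building": (),
    "lamp_works": (),
    "alan_reading_book": (),
    "power_in_projector": ("power_in_building",),
    "projector_lamp_on": ("power_in_projector", "lamp_works"),
}
# CPT[x][parent_values] = P(x = true | parents take parent_values): one row per
# combination of parent values, hence 2 ** len(PARENTS[x]) rows (constructed values).
CPT = {
    "power_in_building": {(): 0.99},
    "lamp_works": {(): 0.9},
    "alan_reading_book": {(): 0.3},
    "power_in_projector": {(True,): 0.95, (False,): 0.0},
    "projector_lamp_on": {(True, True): 0.98, (True, False): 0.0,
                          (False, True): 0.0, (False, False): 0.0},
}

def p_given_parents(x, value, world):
    """P(x = value | pi_x), read off the table using the parent values in world."""
    p_true = CPT[x][tuple(world[p] for p in PARENTS[x])]
    return p_true if value else 1.0 - p_true

def joint(world):
    """P(x_1, ..., x_n) = prod_i P(x_i | pi_{x_i}) for a complete assignment."""
    prob = 1.0
    for x in ORDER:
        prob *= p_given_parents(x, world[x], world)
    return prob

def all_worlds():
    """Every complete assignment of the Boolean variables in ORDER."""
    for values in itertools.product([True, False], repeat=len(ORDER)):
        yield dict(zip(ORDER, values))

def marginal(query):
    """P(query) for a partial assignment, by summing the joint over the rest."""
    return sum(joint(w) for w in all_worlds()
               if all(w[v] == val for v, val in query.items()))

def conditional(x, value, evidence):
    """P(x = value | evidence) computed from the joint, not read off a table."""
    return marginal({**evidence, x: value}) / marginal(evidence)

def cpt_rows(x):
    """Size of the table for P(x | pi_x): exponential in the number of parents."""
    return 2 ** len(PARENTS[x])

def independent_given_parents(x, predecessor, tol=1e-12):
    """True if P(x | pi_x, predecessor) == P(x | pi_x) for every assignment of
    positive probability: the conditional independence the graph asserts."""
    for world in all_worlds():
        parents = {p: world[p] for p in PARENTS[x]}
        extended = {**parents, predecessor: world[predecessor]}
        if marginal(extended) == 0.0:        # impossible evidence: nothing to compare
            continue
        if abs(conditional(x, True, extended) - conditional(x, True, parents)) > tol:
            return False
    return True
```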
Typically we try to build belief networks so that the total ordering results in few parents and a sparse graph. Belief networks can be constructed taking into account just local information, the information that has to be specified is reasonably intuitive, and there are many domains that have concise representations as belief networks. There are algorithms that can exploit the sparseness of the graph for computational gain (Lauritzen and Spiegelhalter, 1988; Dechter, 1996; Zhang and Poole, 1996), exploit the skewness of distributions (Poole, 1996a), use the structure for stochastic simulation (Henrion, 1988; Pearl, 1987; Dagum and Luby, 1997) or exploit special features of the conditional probabilities (Zhang and Poole, 1996; Poole, 1997b; Jordan, Ghahramani, Jaakkola and Saul, 1997). They can be learned from data (Heckerman, 1995).

Notice that there is nothing causal about the definition of a belief network. However, there has been much work on relating belief networks and causality (Pearl, 1999; Pearl, 2000). There are a number of good reasons for this:

- If the direct causes of a variable are its parents, one would expect the independence assumptions of belief networks to follow from causation. Thus if you wanted to represent causal knowledge a belief network would be appropriate.

- There is a conjecture that representing knowledge causally (with direct causes as parents) results in a sparser network that is more stable to changing contexts. This seems to be borne out by the experience of many people in building these networks.

- A causal network also lets us predict the effect of an intervention: what happens if we change the value of a variable. This is important when we want an agent to affect the value of a variable (e.g., to decide whether to smoke).

However, it must be emphasised that a belief network can represent non-causal rela- 
tionships as well. 

3 The Independent Choice Logic 

The independent choice logic (ICL) is a knowledge representation that can be seen in a number of different ways (see Figure 3):

- It is a way to add Bayesian probability to the predicate logic. In particular we want to have all uncertainty handled by probabilities (or, for decision problems, as choices of various agents). So we start with logic programs, which can be seen as predicate logic with no uncertainty (no disjunctive assertions), and have independent choices that have associated probability distributions. A logic program specifies what follows from the choices made.

- It is a way to lift Bayesian networks into a first-order language. In particular a 
Bayesian network can be seen as a deterministic system with “noise” (independent 
stochastic) inputs (Pearl, 1999; Pearl, 2000). In the ICL, the deterministic system 
is modelled as a logic program. Thus we write the conditional probabilities in rule 
form. The noise inputs are given in terms of independent choices. 

- It is a sound way to have probabilities over assumptions. Explaining observations means that we use abduction; we find the explanations (sets of hypotheses) that imply the observations, and from these we make predictions. This reasoning is sound probabilistic inference in the ICL.
Fig. 3. ICL Influences



The ICL started off as Probabilistic Horn Abduction (Poole, 1991a; Poole, 1991b; 
Poole, 1993a; Poole, 1993b) (the first three had a slightly different language). The 
independent choice logic extends probabilistic Horn abduction in allowing for multi- 
ple agents making choices (Poole, 1997a) (where nature is a special agent who makes 
choices probabilistically) and in allowing negation as failure in the logic (Poole, 2000a). 



3.1 The Language 

In this section we give the language and the semantics of the ICL. This is simplified 
slightly; the general ICL allows for choices by various agents (Poole, 1997b) which lets 
us model decisions in a decision-theoretic (single agent) or game-theoretic (multiple 
agents) situation. 

We assume that we have atomic formulae as in a normal logical language (Lloyd, 
1987). We use the Prolog convention of having variables in upper case, and predicate 
symbol and function symbols in lower case. 

A clause is either an atom or is of the form

h ← a_1 ∧ ⋯ ∧ a_k

where h is an atom and each a_i is an atom or the negation of an atom.

A logic program is a set of clauses. We assume the logic program is acyclic² (Apt and Bezem, 1991).

² All recursions for variable-free queries eventually halt. We disallow programs such as {a ← ¬a} and {a ← ¬b, b ← ¬a}. We want to ensure that there is a unique model for each logic program.
An atomic choice is an atom that does not unify with the head of any clause. An alternative is a set of atomic choices. A choice space is a set of alternatives such that an atomic choice can be in at most one alternative.

An ICL theory consists of

F  the facts, an acyclic logic program
C  a choice space
P_0  a probability distribution over the alternatives in C. That is, $P_0 : \bigcup C \to [0, 1]$ such that

$$\forall \chi \in C \quad \sum_{\alpha \in \chi} P_0(\alpha) = 1$$



Example 2. Here is a meaningless example:

C = {{c1, c2, c3}, {b1, b2}}

F = { f ← c1 ∧ b1,   f ← c3 ∧ b2,
      d ← c1,   d ← ¬c2 ∧ b1,
      e ← f,   e ← ¬d }

P_0(c1) = 0.5   P_0(c2) = 0.3   P_0(c3) = 0.2
P_0(b1) = 0.9   P_0(b2) = 0.1



3.2 Semantics 



The semantics is defined in terms of possible worlds. Here we present the semantics for 
the case of a finite choice space, where there are only finitely many possible worlds. 
The more general case is considered in other places (Poole, 1997b; Poole, 2000a). 

A total choice for choice space C is a selection of exactly one atomic choice from 
each alternative in C. 

There is a possible world for each total choice. What is true in a possible world is defined by the atoms chosen by the total choice together with the logic program. In particular an atom is true if it is in the (unique) stable model³ of the total choice together with the logic program (Poole, 2000a). The measure of a possible world is the product of the values P_0(α) for each α selected by the total choice.

The probability of a proposition is the sum of the measures of the possible worlds 
in which the proposition is true. 



Example 3. In the ICL theory of Example 2 there are six possible worlds:

w1 ⊨ c1 b1 f d e        P(w1) = 0.45
w2 ⊨ c2 b1 ¬f ¬d e      P(w2) = 0.27
w3 ⊨ c3 b1 ¬f d ¬e      P(w3) = 0.18
w4 ⊨ c1 b2 ¬f d ¬e      P(w4) = 0.05
w5 ⊨ c2 b2 ¬f ¬d e      P(w5) = 0.03
w6 ⊨ c3 b2 f ¬d e       P(w6) = 0.02

³ The acyclicity of the logic program and the restriction that atomic choices don't unify with the heads of clauses guarantee that there is a single model for each possible world.
The probability of any proposition can be computed by summing the measures of the worlds in which the proposition is true. For example

P(e) = 0.45 + 0.27 + 0.03 + 0.02 = 0.77 

3.3 ICL and Belief Networks 

It may seem that, with independent alternatives, the ICL is restricted in what it can represent. This is not the case; in particular it can represent anything that is representable by a belief network. Moreover the translation is local, and (if all variables and alternatives are binary) there are the same number of alternatives as there are free parameters in the belief network.

Example 4. If we had Boolean variables a, b and c, where b and c are the parents of a, we will have rules such as

a ← b ∧ ¬c ∧ aifbnc

where aifbnc is an atomic choice such that P_0(aifbnc) has the same value as the conditional probability P(a | b, ¬c) in the belief network. This generalizes to arbitrary discrete belief networks in the analogous way (Poole, 1993b).
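The possible-worlds semantics of Section 3.2 and the translation of Example 4 are small enough to run. The Python below is my own illustration, not code from the paper: the `ICL` class enumerates the total choices of a finite choice space, evaluates the acyclic program in each world (a negated body literal is negation as failure) and sums world measures, which reproduces the six worlds of Example 3 and P(e) = 0.77; `bn_to_icl` builds the Example 4 encoding for a Boolean belief network with one two-element alternative and one rule per parent configuration. The three-variable network and its numbers are constructed for this example, and the choice names (`a_if_tf`, `not_a_if_tf`, `b_if_root`) are my convention.

```python
from itertools import product


class ICL:
    """A propositional ICL theory with a finite choice space (Section 3.2)."""

    def __init__(self, choice_space, p0, rules):
        self.C = [tuple(alt) for alt in choice_space]      # the alternatives
        self.P0 = dict(p0)                                   # P0 on atomic choices
        self.rules = [(h, list(body)) for h, body in rules]  # (head, [(atom, sign)])
        self.choices = {a for alt in self.C for a in alt}
        heads = {h for h, _ in self.rules}
        # an atomic choice must not be the head of any clause
        assert not (heads & self.choices), heads & self.choices
        for alt in self.C:                                   # each alternative sums to 1
            assert abs(sum(self.P0[a] for a in alt) - 1.0) < 1e-9, alt

    def worlds(self):
        """One possible world per total choice: (measure, selected atomic choices)."""
        for tc in product(*self.C):
            measure = 1.0
            for a in tc:
                measure *= self.P0[a]
            yield measure, frozenset(tc)

    def holds(self, atom, tc, memo):
        """Truth of `atom` in the unique model of the rules plus total choice `tc`.
        A negated body literal (sign False) is negation as failure; the recursion
        terminates because the program is assumed acyclic."""
        if atom in self.choices:
            return atom in tc
        if atom not in memo:
            memo[atom] = any(
                all(self.holds(a, tc, memo) == sign for a, sign in body)
                for head, body in self.rules if head == atom)
        return memo[atom]

    def prob(self, query, given=()):
        """P(query | given), summing the measures of the worlds in which the
        literals hold; a literal is (atom, True) or (atom, False)."""
        num = den = 0.0
        for measure, tc in self.worlds():
            memo = {}
            if all(self.holds(a, tc, memo) == sign for a, sign in given):
                den += measure
                if all(self.holds(a, tc, memo) == sign for a, sign in query):
                    num += measure
        return num / den


# The theory of Example 2 (negation in a body is written as sign False).
EXAMPLE2 = ICL(
    choice_space=[("c1", "c2", "c3"), ("b1", "b2")],
    p0={"c1": 0.5, "c2": 0.3, "c3": 0.2, "b1": 0.9, "b2": 0.1},
    rules=[("f", [("c1", True), ("b1", True)]), ("f", [("c3", True), ("b2", True)]),
           ("d", [("c1", True)]),              ("d", [("c2", False), ("b1", True)]),
           ("e", [("f", True)]),               ("e", [("d", False)])])


def bn_to_icl(nodes):
    """Example 4's translation for a Boolean belief network.  `nodes` lists
    (var, parents, table) in a total ordering consistent with the parent relation;
    table maps a tuple of parent truth values to P(var = true | that configuration).
    Every configuration gets its own two-element alternative and its own rule, so
    there are as many alternatives as free parameters in the network."""
    C, P0, F = [], {}, []
    for var, parents, table in nodes:
        for cfg, p in table.items():
            # naming is my convention: a_if_tf reads "a, given b true and c false"
            yes = var + "_if_" + ("".join("t" if v else "f" for v in cfg) or "root")
            no = "not_" + yes
            C.append((yes, no))
            P0[yes], P0[no] = p, 1.0 - p
            F.append((var, [(par, v) for par, v in zip(parents, cfg)] + [(yes, True)]))
    return ICL(C, P0, F)


# Constructed network (not from the paper): b and c are roots, a has parents b, c.
NETWORK = bn_to_icl([
    ("b", (), {(): 0.6}),
    ("c", (), {(): 0.3}),
    ("a", ("b", "c"), {(True, True): 0.9, (True, False): 0.7,
                       (False, True): 0.4, (False, False): 0.1}),
])

if __name__ == "__main__":
    print("P(e) in Example 2:", EXAMPLE2.prob([("e", True)]))
    print("P(a | b, not c) from the ICL encoding:",
          NETWORK.prob([("a", True)], given=[("b", True), ("c", False)]))
```

World enumeration is exponential in the number of alternatives (64 worlds for the three-variable network, since it has six alternatives), which is the cost the explanation-based and variable-elimination methods of Sections 3.4 and 3.5 are designed to avoid; here it serves as the ground truth to check them against.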

This representation lets us naturally specify context-specific independence 
(Boutilier, Friedman, Goldszmidt and Koller, 1996; Poole, 1997b), where, for example, 
a may be independent of c when b is false but be dependent when b is true. Context- 
specific independence is often specified in terms of a tree for each variable; the tree 
has probabilities at the leaves and parents of the variable on the internal nodes. It is 
straightforward to translate these into the ICL. 

Example 5. In the belief network of Figure 2 we can axiomatize how projector_lamp_on depends on power_in_projector and lamp_works:

projector_lamp_on ← power_in_projector ∧ lamp_works ∧ projector_working_ok.
projector_lamp_on ← power_in_projector ∧ ¬lamp_works ∧ working_with_faulty_lamp.

We also have the alternatives:

{projector_working_ok, projector_broken}

{working_with_faulty_lamp, not_working_with_faulty_lamp}

The ICL lets us see the relationship of Belief networks to logical languages. The 
logic programs are standard logic programs (they can even have negation as failure 
(Poole, 2000a)). Viewing them as logic programs gives us a natural way to lift belief 
networks to the first-order case (i.e., with logical variables universally quantified over 
individuals). 
3.4 ICL, Abduction, and Logical Argumentation



The ICL can also be seen as a language for abduction. In particular, all of the atomic choices are assumable (they are abducibles or possible hypotheses). An explanation⁴ for g is a consistent set of assumables that implies g. A set of atomic choices is consistent if there is at most one element in any alternative.

An explanation can be seen as an argument based on explicit assumptions about what is true. Each of these explanations has an associated probability obtained by computing the product of the probabilities of the atomic choices that make up the explanation. The probability of g can be computed by summing the probabilities of the explanations for g⁵ (Poole, 1993b; Poole, 2000a).

If we want to do evidential reasoning and observe obs, we compute

$$P(g \mid obs) = \frac{P(g \wedge obs)}{P(obs)}$$



In terms of explanations, we can first find the explanations for obs (which would give us P(obs)) and then try to extend these explanations to also explain g (this will give us P(g ∧ obs)). Intuitively, we explain all of the observations and see what these explanations also predict. This is similar to proposals in the nonmonotonic reasoning community to mix abduction and default reasoning (Poole, 1989; Shanahan, 1989; Poole, 1990).

We can also bound the prior and posterior probabilities by generating only a few of the most plausible explanations (either top-down (Poole, 1993a) or bottom-up (Poole, 1996b)). Thus we can use inference to the best explanation to do sound (approximate) probabilistic reasoning.
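The abductive reading above, run on the theory of Example 2, as an added Python example of my own (not the paper's code). `explanations` generates the minimal explanations of a literal top-down through the rules, taking the explanations of a negated literal as the duals described in the footnote on negation as failure; `prob_of` sums a set of explanations without double counting by case-splitting on one alternative at a time, which is one concrete way to do the more sophisticated summation the footnote on mutually exclusive rule bodies calls for; `cond_prob` explains the observation first and then extends those explanations to the goal, as the text describes. The two rules for g are my addition and are not part of the paper's theory: their bodies overlap, so the naive sum of explanation probabilities exceeds 1 while the split-based sum gives the right answer.

```python
# The ICL theory of Example 2, restated so this block runs stand-alone.  The two
# rules for g are my addition: they overlap, which is the case the footnote on
# mutually exclusive bodies warns about.
C = [("c1", "c2", "c3"), ("b1", "b2")]
P0 = {"c1": 0.5, "c2": 0.3, "c3": 0.2, "b1": 0.9, "b2": 0.1}
F = [("f", [("c1", True), ("b1", True)]), ("f", [("c3", True), ("b2", True)]),
     ("d", [("c1", True)]),              ("d", [("c2", False), ("b1", True)]),
     ("e", [("f", True)]),               ("e", [("d", False)]),
     ("g", [("c1", True)]),              ("g", [("b1", True)])]
ALT_OF = {a: alt for alt in C for a in alt}   # atomic choice -> its alternative


def consistent(s):
    """A set of atomic choices is consistent if it has at most one per alternative."""
    return all(len(set(alt) & s) <= 1 for alt in C)


def minimal(expls):
    expls = {frozenset(e) for e in expls}
    return {e for e in expls if not any(o < e for o in expls)}


def conjoin(xs, ys):
    """Explanations of a conjunction: consistent unions of one explanation from each."""
    return minimal(x | y for x in xs for y in ys if consistent(x | y))


def dual(expls):
    """Explanations of not-a from those of a: every explanation of a must be
    blocked by selecting a different choice from one of its alternatives."""
    result = {frozenset()}
    for e in expls:
        blockers = {frozenset([b]) for a in e for b in ALT_OF[a] if b != a}
        result = conjoin(result, blockers)
    return result


def explanations(atom, positive=True):
    """All minimal explanations of a literal, generated top-down through the
    rules; terminates because the program is acyclic."""
    if not positive:
        return dual(explanations(atom))
    if atom in ALT_OF:                       # an assumable explains itself
        return {frozenset([atom])}
    found = set()
    for head, body in F:
        if head == atom:
            expls = {frozenset()}
            for lit, sign in body:
                expls = conjoin(expls, explanations(lit, sign))
            found |= expls
    return minimal(found)


def naive_sum(expls):
    """Sum of explanation probabilities: correct only when explanations are disjoint."""
    total = 0.0
    for e in expls:
        p = 1.0
        for a in e:
            p *= P0[a]
        total += p
    return total


def prob_of(expls):
    """Probability of the disjunction of explanations with no double counting:
    split on one alternative at a time, conditioning the explanations on each
    of its atomic choices (Shannon decomposition over the choice space)."""
    expls = set(expls)
    if frozenset() in expls:
        return 1.0
    if not expls:
        return 0.0
    alt = ALT_OF[next(iter(next(iter(expls))))]
    total = 0.0
    for b in alt:
        others = set(alt) - {b}
        conditioned = {e - {b} for e in expls if not (e & others)}
        total += P0[b] * prob_of(conditioned)
    return total


def prob(atom, positive=True):
    return prob_of(explanations(atom, positive))


def cond_prob(goal, obs):
    """P(goal | obs): explain obs, then extend those explanations to also explain goal."""
    obs_expls = explanations(*obs)
    return prob_of(conjoin(obs_expls, explanations(*goal))) / prob_of(obs_expls)
```

For e the minimal explanations are {c1, b1}, {c3, b2} and {c2}, which are pairwise inconsistent, so the naive sum and the split-based sum agree on 0.77; for the added g they are {c1} and {b1}, the naive sum is 1.4, and the split-based sum gives P(c1 ∨ b1) = 0.95.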



3.5 Reasoning in the ICL 

To do reasoning in the ICL we can either do 

- variable elimination (marginalization) to simplify the model (Poole, 1997b). We 
sum out variables to reduce the detail of the representation. This is similar to partial 
evaluation in logic programs. 

- Generating some of the explanations to bound the probabilities (Poole, 1993a; 
Poole, 1996a). If we generated all of the explanations we could compute the prob- 
abilities exactly, but there are combinatorially many explanations. 

- Stochastic simulation; generating the needed atomic choices stochastically, and es- 
timating the probabilities by counting the resulting proportions. 

⁴ We need to extend the definition of explanation to account for negation as failure. The explanations of ¬a are the duals of the explanations of a (Poole, 2000a).

⁵ This assumes the bodies of the rules for each atom a are mutually exclusive. This is a common practice in logic programming, and the rules obtained from the translation from belief networks have this property. We need to do something a bit more sophisticated if the rules are not disjoint (Poole, 2000a).
4 Relating Work in Other Fields

4.1 Reasoning about Actions 

In this section I will review some of the work about actions outside of the logic camp. 
See Shanahan (1997) for a review of the logicist approach to representing actions; I do 
not have the space to review this here. 

Much work in AI, dynamical systems, stochastic control, and operations research is built on the notion of a Markov process (see for example (Luenberger, 1979; Bertsekas, 1995; Boutilier, Dean and Hanks, 1999)), where there is a state variable that depends on the previous state and the action being carried out. In general, we don't observe the state, but only get to observe what our sensors provide. When an agent makes a decision the only information available is the history of observations and actions.

One case with no control is the hidden Markov model (HMM); this can be seen as a simple belief network as in Figure 4. In this figure $s_t$ is a random variable representing the state at time⁶ t and $o_t$ is a random variable representing the observation at time t. The probabilities we need to specify are $P(s_0)$, $P(s_t \mid s_{t-1})$ and $P(o_t \mid s_t)$. These represent the initial state, the system dynamics and the observation model respectively.

Fig. 4. Belief network corresponding to a hidden Markov model

We can use the general mechanism to convert this to a logic program. The result looks like:

state(S, T) ← T > 0 ∧ state(S1, T − 1) ∧ trans(S1, S)

where there is an alternative for each state s_i

{trans(s_i, s_0), trans(s_i, s_1), ..., trans(s_i, s_n)}

where the states are s_0, s_1, ..., s_n. We only need to include those transitions that have a non-zero probability. Omitting the zero probabilities can be exploited in sparse matrix computations.

⁶ This is either fixed time steps or is based on the times of interesting events. In the latter case T + 1 is the time of the next interesting event (or the state that results from the action). There is also a large body of work on continuous time dynamical systems that I won't review.
We don't want to specify each state by name, but would rather describe the properties of states. That is, we describe the states in terms of random variables (or propositions). In the probabilistic literature this is known as dynamic belief networks (or dynamic Bayes networks) (Dean and Kanazawa, 1989; Dean and Wellman, 1991). In a dynamic belief network we divide the state into a number of random variables and then specify how each variable depends on values at the same⁷ and previous times.

In the ICL, the direct translation results in rules like:

a(T) ← a_1(T − 1) ∧ ... ∧ a_k(T − 1) ∧ b_1(T) ∧ ... ∧ b_r(T) ∧ n(T)

where the a_i and b_j are literal fluents and n(T) is an atomic choice (there is a different atomic choice for each combination of the a_i and b_j).

When we have a control problem (such as in Markov decision processes) we have to choose the actions based on the information available (the history of actions and observations). In this case, using the same representation as we used for conditional probabilities, a policy in the ICL is represented as a logic program that specifies what an agent will do based on its history (Poole, 1997a). We can also use conditional plans to represent policies (Poole, 1998; Bacchus, Halpern and Levesque, 1999).

There are many dimensions on which to compare different representations for dy- 
namics: 

- deterministic versus stochastic dynamics; whether an action from a state results in 
a known state or results in a distribution over states. 

- goal versus values; whether we can only say that some goal needs to be achieved, 
or we give a cardinal rating of all of the resulting states, (for example rating how 
bad a possible undesirable state is). 

- finite stage versus infinite stage; whether we plan for a specific given number of 
future actions or for an indeterminate number of future actions. 

- fully observable versus partial observability; whether the agent gets to observe (or 
knows) the actual state it is in when it has to decide what to do, or whether it has 
only limited and noisy sensors of the state. 

- explicit state space versus states described in terms of properties (using random 
variables or propositions); whether there is a single state variable or the state is 
factored into a number of random variables. 

- zeroth-order versus first-order; whether we can quantify over individuals or not. 

- given dynamics and rewards versus dynamics and rewards acquired through inter- 
action with the world; whether we must learn through trial and error the dynamics 
and the value or whether the dynamics is provided. 

- single agent versus multiple agents 

- perfect rationality versus bounded rationality; whether we can assume that the agent 
has unbounded computation or whether it must act within time and space limita- 
tions (Simon, 1996; Horvitz, 1989; Russell and Subramanian, 1995; Russell, 1997). 

⁷ We need to be able to specify how variables depend on other variables at the same time to account for correlated action effects. This could also be achieved by inventing new variables (that represent a common cause that makes two effects correlated). Of course, we still must maintain the acyclicity of the resulting belief network.
For each of these choices, the left-hand alternative is simpler than the right-hand one. We know how to build agents that only have a few of the right-hand sides. However, when we have more of the right-hand sides, we know that the problems are much more computationally difficult.

For example, when there are stochastic dynamics, values, infinite stages and partial observability, we get partially observable Markov decision processes (POMDPs) (Cassandra, Kaelbling and Littman, 1994). Even the most efficient exact algorithms known (Cassandra, Littman and Zhang, 1997) can only work for a few hundred states.⁸ Interestingly, these exact algorithms are essentially backward conditional planning algorithms, where multiple conditional plans are maintained. The difficult problem is to determine which plans stochastically dominate others (see Poole, 1998, for a review).

Similarly, where there are multiple agents, determining locally optimal solutions for each agent (Nash equilibria) is exponentially more difficult than the corresponding single-agent case (Koller and Megiddo, 1992).
Fig. 5. Comparing Models of Dynamics. The models compared are:

- (a) classical planning (e.g., STRIPS (Fikes and Nilsson, 1971) or the situation calculus (McCarthy and Hayes, 1969))

- (b) decision-theoretic planning (Boutilier, Dearden and Goldszmidt, 1995; Boutilier et al., 1999)

- (c) influence diagrams (Howard and Matheson, 1984)

- (d) reinforcement learning (Sutton and Barto, 1998; Kaelbling, Littman and Moore, 1996; Bertsekas and Tsitsiklis, 1996)

- (e) hidden Markov models (Jurafsky and Martin, 2000; Rabiner, 1989)

- (f) game theory: the extensive form of a game (Von Neumann and Morgenstern, 1953; Ordeshook, 1986; Myerson, 1991; Fudenberg and Tirole, 1992)



⁸ There are excellent online resources on POMDPs by Tony Cassandra (http://www.cs.brown.edu/research/ai/pomdp/index.html) and Michael Littman (http://www.cs.duke.edu/~mlittman/topics/pomdp-page.html).
Figure 5 shows various representations and how they differ on the dimensions above. What is important to notice is that they share the same underlying notion of dynamics, and the translation into belief networks (and the ICL) is like that of the HMMs.

Reinforcement learning (Sutton and Barto, 1998; Kaelbling et al., 1996; Bertsekas and Tsitsiklis, 1996) is an interesting case of the general paradigm of understanding dynamics under uncertainty. While there has been much work with states described in terms of properties, virtually all of this learns the value function (or the state transition function and the reward function) in terms of neural networks. There is one notable exception; Chapman and Kaelbling (1991) use decision trees (which can easily be converted into rules) to represent value functions (Q-functions).

One other interesting comparison is with hidden Markov models, which have been used extensively in speech recognition (Rabiner, 1989; Jurafsky and Martin, 2000). In other work, Hobbs, Stickel, Appelt and Martin (1993) use a language similar to the independent choice logic (but with "costs" that are added; these costs can be seen as log-probabilities) to represent a way to combine syntactic, semantic and pragmatic preferences into a coherent framework. The ICL shows how these two seemingly unrelated pieces of work can be combined into a coherent framework.

4.2 Model-Based Diagnosis 

There is a large body of work on model-based diagnosis using belief networks and 
decision analysis tools based on these such as influence diagrams (Henrion, Breese and 
Horvitz, 1991). Essentially we write a forward simulation of the system, making explicit 
the possible faults and the uncertainty involved in the working of normal and faulty 
components. In terms of the ICL, we write a logic program that implies the outputs 
from the inputs, the status of the components and the stochastic mechanisms. There is a 
strong relationship between the search methods for belief networks and the traditional 
methods for model-based diagnosis (Poole, 1996a). 

4.3 Bayesian Learning

There is a large body of work on learning and belief networks. This means either: 

- Using the belief network as a representation for the problem of Bayesian learning of models (Buntine, 1994). In Bayesian learning, we want the posterior distribution of hypotheses (models) given the data. To handle multiple cases, Buntine uses the notion of plates, which corresponds to the use of logical variables in the ICL (Poole, 2000b). Poole (2000b) shows the tight integration of abduction and induction. These papers use belief networks to learn various representations including decision trees and neural networks, as well as unsupervised learning.

- Learning the structure and probabilities of belief networks (Heckerman, 1995). We can use Bayesian learning or other learning techniques to learn belief networks. One of the most successful methods is to learn a decision tree for each variable given its predecessors in a total ordering (Friedman and Goldszmidt, 1996; Chickering, Heckerman and Meek, 1997), and then search over different total orderings. It is straightforward to translate from these decision trees to the ICL.
The ICL can also be compared to the stochastic logic programs of Muggleton (1995). Stochastic logic programs allow for annotated logic programs of the form:

p : h ← a_1 ∧ ... ∧ a_k

This can be seen as similar to the ICL rule:

h ← a_1 ∧ ... ∧ a_k ∧ n_p

where n_p is an atomic choice with P_0(n_p) = p. The definition of stochastic logic programs has problems with programs such as:

1.0 : a ← b ∧ c
0.5 : b
1.0 : c ← b

Intuitively a should have probability one half (as it is true whenever b is true, and b is true half the time). Stochastic logic programs double-count b, which is used in the proof for a twice. The use of atomic choices lets us avoid double counting, as we keep track of the assumptions used (and only use them once in the set of assumptions for a goal). The semantics of the ICL is simpler than the semantics for stochastic logic programs; all of the clauses in the ICL have their standard meaning.

The ICL has the potential to form the basis for an integration of inductive logic programming (Muggleton and De Raedt, 1994; Quinlan and Cameron-Jones, 1995; Muggleton, 1995) with reinforcement learning and the learning of belief networks.

5 Conclusion 

This paper has provided a too-brief sketch of work in uncertainty in AI. I aimed to 
show that belief networks provide a way to understand much of the current work in 
stochastic dynamical systems, diagnosis and learning under uncertainty. The ICL pro- 
vides a bridge between that work and the work in the logic community. Eventually 
we will need to build systems with first-order representations and reason about uncer- 
tainty, dynamics and learning. Hopefully I have provided some idea of how this could 
be achieved. There is still much work to be done. 
Abstract. We describe a system for the synthesis of logic programs from specifications based on higher-order logical descriptions of appropriate refinement operations. The system has been implemented within the proof planning system λClam. The generality of the approach is such that its extension to allow synthesis of higher-order logic programs was straightforward. Some illustrative examples are given. The approach is extensible to further classes of synthesis.



1 Introduction 

Earlier work on the synthesis of logic programs has taken the approach of con- 
structing a program in the course of proving equivalence to a specification, which 
is written in a richer logic than the resulting program. 

Typically, quantifiers and thus binding of variables are present in the specifi- 
cation, and have to be manipulated correctly. We extend earlier work using as far 
as possible a declarative reading in a higher-order logic. The higher-order proof 
planning framework which we employ provides a more expressive language for 
writing methods, allows some methods to be entirely replaced by higher-order 
rewrite rules, and automatically takes care of variable scoping. While allowing 
first-order examples to be dealt with more easily than is possible in a less power- 
ful proof planning language, we can also synthesise higher-order logic programs 
with minimal change to the underlying machinery. 

The paper is organised as follows. Section 2 covers earlier work in the area; Section 3 describes the proof planning framework used here. Section 4 describes the methods used in the synthesis task, Section 5 shows how these methods apply for synthesis of higher-order programs, and Section 6 presents discussion and future work. We concentrate in this paper on the proof planning level, and omit technical details of the logic. The code and examples are available at:

http://dream.dai.ed.ac.uk/software/systems/lambda-clam/lpsynth/



2 Background 

Our starting point is work on program synthesis via automatic proofs of equivalence between a specification in predicate calculus, and an implementation in a restricted, executable subset of the logic. Earlier work gives the

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 87-..., 2000.
general principles, and following this work, we also aim to automate and control the synthesis process using proof planning.

The specifications of a program we will be working with are complete speci- 
fications of the form: 

$$\forall x.\ pred(x) \leftrightarrow spec(x) \qquad (1)$$

pred(x) is the predicate whose definition we wish to synthesise, spec(x) is a logical formula describing the program. The aim is to prove an equivalence with a synthesised program, in a restricted logic, initially that of Horn programs (Horn programs translate straightforwardly into pure Prolog programs), i.e. to find a Horn body horn(x) such that the specification will follow from the following program definition:

$$\forall x.\ pred(x) \leftrightarrow horn(x) \qquad (2)$$

The program is normally initially completely undetermined, and is therefore represented by a meta-variable.¹

Unifications which are carried out (for example during rewriting) as the proof of this equivalence is constructed instantiate the (initially only one) meta-variables in the program. This technique of successive instantiation of meta-variables during the construction of a proof is known as middle-out reasoning. Refinement operators in the form of derived inference rules allow the problem to be decomposed, while partially instantiating the synthesised program.

We are also interested in a more general problem, parameterised synthesis, 
which allows a much more flexible representation for the syntax of specification. 
It adds conditions to the synthesis of programs. So a specification is of the form: 

$$\forall x.\ cond(x) \rightarrow \forall y.\ pred(x, y) \leftrightarrow spec(x, y) \qquad (3)$$

Additional kinds of specifications, such as those described in earlier work, could also be considered.

Various aspects of this work suggest that a higher-order logical description is appropriate for the task, and that indeed a formulation in a higher-order meta-logic would provide a better foundation for this approach. A higher-order formulation gives us a direct treatment of quantification and variable binding, respecting α-conversion of bound variables, and scoping restrictions on variable instantiations that occur in the synthesis process. In addition both first-order logic and higher-order logic can be represented.

Thus the instantiation of higher-order variables standing for as yet unde- 
termined program structure is given a declarative treatment. The higher-order 
approach also extends easily to synthesis of programs in a higher-order logic. 

Unification of higher-order terms is provided by λProlog, which uses a version of Huet's algorithm. There may therefore be more than one higher-order unifier, and unification may not terminate. In practice, this does not seem to hinder the

¹ Meta-variables are not variables of the specification/proof calculus, but instead variables of the proof system we use to reason about this calculus, i.e. they are variables at the meta-level. They may be instantiated to terms in this calculus.
synthesis process, but this is a topic which should be investigated further. In contrast, Kraan restricts unification to higher-order patterns.

Although we use a language with full higher-order unification, many of its uses are for higher-order matching of a pattern to a sub-term of a specification. Higher-order matching appears in existing work on functional program transformation and synthesis.

3 Proof Planning 

A proof of a theorem can be attained by applying sound derivation rules to 
certain axioms until the theorem is reached. Alternatively, one can start with a 
theorem and back-chain through the rules until axioms are reached. The search 
space defined by these rules, however, is too large to be exhaustively searched 
for anything except the most trivial theorems. So some heuristic search control 
must be used to guide the search. 

Certain sequences of steps following schematic patterns are commonly used 
to prove theorems. These sequences of steps are called tactics. When to apply 
certain tactics can be recognised from the syntactic form of the current goal 
to be proved and the outcome of applying these tactics can be easily derived 
from the goal. The λClam system uses objects called methods which detail 
the conditions and results of applying such tactics. The stated preconditions of 
applying a tactic allow methods to encode heuristic control knowledge about 
planning a proof. 

So, instead of searching the space of applying derivation rules, λClam searches 
the space of methods at the meta-level. On succeeding with the search it pro- 
duces a proof plan which details which tactics have to be applied. This plan 
can then be used to construct a proof of the theorem in terms of the original 
derivation rules. Further search control can be added by linking the methods 
together via methodicals, the planning analogue of tacticals. 

The methods in λClam are compound data structures consisting of: 

— The name of the method. 

— The syntactic form of a goal to which the method can be applied. 

— The preconditions that goals must meet for the method to be applied. 

— The effects that hold of subgoals after the method is applied. 

— The form of the subgoal(s) after the method is applied. 

— The tactic which implements the method. 

Methodicals link the methods together to control search. They are functions 
which take methods as arguments and return a new method. 
4 Controlling the Synthesis Process

4.1 Example 1: Symbolic Evaluation 

For an example method used in λClam to prove theorems, we consider symbolic
evaluation. This method rewrites a term in the goal formula to an equivalent
term. An example rewrite rule is:

$plus(s(X), Y) \Rightarrow s(plus(X, Y))$

where X, Y are meta-level variables. The left hand side of the rewrite is matched
with a term in the goal and rewritten to the right hand side.

The soundness of a rewrite is usually based on an underlying equivalence, or 
equality, such as: 

$\forall x, \forall y.\ plus(s(x), y) = s(plus(x, y))$

With such underlying equivalences we can soundly replace a term in a goal 
matching the left hand side of a rewrite with the right hand side. The resultant 
goal with the rewritten term will be equivalent to the previous goal. Therefore, 
proving the new goal will also prove the old goal. Rewriting with implications is 
also carried out, with appropriate checking of polarity. 

The use of higher-order rewrite rules can reduce the amount of special- 
purpose machinery needed by the theorem prover since some proof steps which 
would normally be implemented using separate machinery can be expressed as 
higher-order rewrite rules (in the style of Q), for example: 



$\exists x.\ Q(x) \wedge (x = Y) \wedge P(x) \Rightarrow Q(Y) \wedge P(Y)$



This rewrite cannot be stated as a first-order rewrite and proved useful in
several synthesis proofs. Many such rewrites need to be duplicated to cope with
associative and commutative permutations of a pattern, and A-C matching could
have been useful but was not implemented in λClam.

Thus the method sym_eval is specified as follows.

Input Goal: Any.

Output Goal: The same as the input goal with any sub-term of the goal rewritten if it matches the left hand side of a rewrite in a prestored list. The rewriting is done exhaustively so no rewritable sub-term will exist in the output goal.

Precondition: The goal must contain a subterm that matches the left hand side of a stored rewrite.

Postcondition: None.

Tactic: A rewrite can be taken as a simple proving step or as a compound step consisting of reasonings about equalities in the hypothesis or background theory.
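As an added illustration (example code written for this edition, not the λClam implementation, which is in λProlog), the following Python models the sym_eval method over first-order terms: a matcher for a rewrite's left hand side, a rewriter that fires the first applicable rule anywhere in the goal, and exhaustive rewriting guarded by the method's precondition. The term encoding, the rule list RULES and the sample goal are constructed for this example, and the matching is plain first-order matching rather than the higher-order matching the paper uses.

```python
"""Symbolic evaluation by exhaustive first-order rewriting (added example).

Terms are nested tuples whose first element is the functor, object-level
variables are lowercase strings, and rule variables (the paper's meta-level
variables X, Y) are capitalised strings.  All of this is an assumed encoding.
"""


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def match(pattern, term, subst):
    """One-sided matching: bind pattern variables so that pattern == term.

    Returns the extended substitution, or None if no match exists.  Object
    variables in `term` are treated as constants, which is what makes this
    matching rather than unification.
    """
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if not isinstance(term, tuple) or len(pattern) != len(term) or pattern[0] != term[0]:
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def instantiate(term, subst):
    """Apply a substitution to the right-hand side of a rule."""
    if is_var(term):
        return subst[term]
    if not isinstance(term, tuple):
        return term
    return (term[0],) + tuple(instantiate(a, subst) for a in term[1:])


def rewrite_once(term, rules):
    """Rewrite the leftmost-outermost sub-term that matches a rule, or return None."""
    for lhs, rhs in rules:
        s = match(lhs, term, {})
        if s is not None:
            return instantiate(rhs, s)
    if not isinstance(term, tuple):
        return None
    for i, arg in enumerate(term[1:], start=1):
        new = rewrite_once(arg, rules)
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    return None


def applicable(goal, rules):
    """The method's precondition: some sub-term matches the left hand side of a rewrite."""
    return rewrite_once(goal, rules) is not None


def sym_eval(goal, rules, max_steps=10_000):
    """The sym_eval method: rewrite exhaustively, so the output has no rewritable sub-term."""
    if not applicable(goal, rules):
        raise ValueError("precondition failed: no sub-term matches a stored rewrite")
    for _ in range(max_steps):
        new = rewrite_once(goal, rules)
        if new is None:
            return goal
        goal = new
    raise RuntimeError("rewriting did not terminate within max_steps")


# Constructed rewrite list: the paper's plus(s(X), Y) => s(plus(X, Y)) plus the base case.
RULES = [
    (("plus", ("s", "X"), "Y"), ("s", ("plus", "X", "Y"))),
    (("plus", ("0",), "Y"), "Y"),
]

if __name__ == "__main__":
    goal = ("eq", ("plus", ("s", ("0",)), "y"), ("s", "y"))
    print(sym_eval(goal, RULES))  # ('eq', ('s', 'y'), ('s', 'y'))
```

The max_steps guard is there because exhaustive rewriting only terminates if the stored rewrite list is a terminating system; adding the reverse orientation s(plus(X, Y)) ⇒ plus(s(X), Y) to RULES would make every goal loop, so a planner has to treat its rewrite set as trusted input rather than as data a user may extend freely.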
4.2 Example 2: Induction

The method of induction splits a goal containing a universally quantified vari- 
able into base case and step case goals. The splitting of the goal is performed 
by matching the goal to one of a prestored set of induction schemes. The induc- 
tion scheme used is important since it determines the recursive structure of the 
program. 

To illustrate, here is the goal in the synthesis of subset:

$\forall i, j.\ subset(i, j) \leftrightarrow H(i, j)$

$\vdash$

$\forall i, j.\ subset(i, j) \leftrightarrow \forall x.\ member(x, i) \rightarrow member(x, j)$

Here, the capitalised H represents a meta-variable to be instantiated to the 
program body. 

Applying the induction method on variable i will split the goal into two
subgoals (h and t below are newly introduced constants):

Base Case

$\forall j.\ subset(nil, j) \leftrightarrow H(nil, j)$

$\vdash$

$\forall j.\ subset(nil, j) \leftrightarrow \forall x.\ member(x, nil) \rightarrow member(x, j)$

Step Case

$\forall j.\ subset(t, j) \leftrightarrow H(t, j)$

$\vdash$

$\forall j.\ subset(h :: t, j) \leftrightarrow \forall x.\ member(x, h :: t) \rightarrow member(x, j)$

The program meta-variable H is now partially instantiated with a recursive 
structure matching the induction scheme: 

$H = \lambda x.\ \lambda y.\ (x = nil \wedge B(x, y)) \vee (\exists x', xs.\ x = x' :: xs \wedge S(x', xs, y))$

Where B and S are new higher-order meta-variables. B will be instantiated 
during the proof of the base case goal and S during the step case. This illustrates 
the parallel between induction in the proof and recursion in the program. 

4.3 Example 3: Unrolling 

An example of a method added to specifically aid logic program synthesis is 
unrolling. This is a technique for eliminating existential quantifiers. It performs 
a structural case split based on the type of the variable quantified. For example 
the following rewrite could be used: 

$\exists x : nat.\ P(x) \Rightarrow P(0) \vee \exists x' : nat.\ P(s(x'))$
This performs a structural case split on the variable x into its base case and a
constructor case. Many inductive function definitions are defined for either side 
of a structural split such as this, for example this definition of list append: 



$app(nil, Y) \Rightarrow Y \qquad app(H :: T, Y) \Rightarrow H :: app(T, Y)$

So unrolling an existential quantifier in this way can often allow a rewrite rule to 
be applied. This method comes up reasonably often in synthesis of logic programs 
since logic programs often include existential quantifiers. For example, during an
induction in the synthesis of backn:

$\forall n, x.\ backn(n, x, h :: z) \leftrightarrow \exists k.\ app(k, x) = h :: z \wedge length(x) = n$

the existential quantifier can be unrolled to give the term:

$app(nil, x) = h :: z \vee \exists k', k''.\ app(k' :: k'', x) = h :: z$

This can be rewritten into the goal and the proof can continue since the definition 
of app can be used. 

The technique is applied when directed to by rippling, a heuristic which
restricts the application of rewriting in order to successively reduce the differences
between an induction hypothesis and conclusion.

One problem with unrolling is that it does not terminate. In fact, any ap- 
plication of an unrolling step can be immediately followed by another unrolling 
step so it easily causes looping. A heuristic is needed to decide when to apply it. 
The one chosen was that an unrolling step can only be applied once per inductive 
step case proof. This ensures termination but may limit the number of programs 
that can be synthesised. 

The method unroll is specified as follows.

Input Goal: A goal containing an existential quantifier.

Output Goal: The same as the input goal with the existentially quantified subterm replaced with its structural case split.

Precondition: A rewrite must exist that will be applicable only after the split. This is directed by rippling. The unrolling method cannot have been used previously in the proof of the current step case goal.

Postcondition: None.

Tactic: This is a higher-order rewrite, so the appropriate tactic for rewriting can be used.



Footnote: backn is the relation between a number n, a list and the suffix of the same list of
length n.

Logic Program Synthesis in a Higher-Order Setting 93

4.4 Methods Used by the System 

A brief description of the different proof planning methods used is given in Table
1. The methods are tried in the following order: symbolic evaluation, tautology
check, induction, appeal to program, auxiliary synthesis. If a method succeeds
then the methods are tried again in the same order on the resultant goal(s).
The exception to this is step case goal(s) of induction where the methods of
rippling, unrolling, shared variable introduction and case splitting are repeatedly
tried in that order. The resulting planning engine was successfully tested on a
number of synthesis examples, including all those from



Table 1. Methods used by λClam

symbolic evaluation: Performs rewriting. See Section 4.1.

conditional rewriting: Performs rewriting depending on whether a condition attached to the rewrite rule is fulfilled.

case split: Splits a goal into several goals with different sides of a case split in their hypotheses. This is applied so that a conditional rewrite can be applied.

tautology checking: Completes the proof plan if the goal is a tautology, i.e. true by virtue of its logical connectives.

induction: Splits a universally quantified goal into base case and step case goals as in mathematical induction.

rippling: Annotates the goal so the rippling heuristic can be used. Rippling is a heuristic that only allows rewriting steps that reduce the difference between the conclusion and the hypothesis of a step case goal of induction.

unrolling: Performs a structural case split on an existential quantifier. See Section 4.3.

shared variable introduction: This method introduces an existentially quantified variable that is shared across an equality, i.e. it performs the rewrite $P(Q) = R \Rightarrow \exists z.\ P(z) = R \wedge Q = z$. This is directed by rippling.

appeal to the program: This method tries to finish the proof plan by unifying the program body in the hypothesis with the specification in the goal. For this to succeed the specification must have been transformed to the executable logic subset we are interested in.

auxiliary synthesis: This method tries to synthesise a predicate that is equivalent to a sub-formula of the current goal. This auxiliary predicate can then be used to produce a full synthesis.



5 Synthesising Higher-Order Logic Programs 

Given our approach, it is natural to consider the synthesis of programs that
are themselves in higher-order logic; in particular, programs in λProlog. We
were also interested in parameterised synthesis. Surprisingly, both of these were
successfully carried out with only minor modifications to the system developed
for the first-order case, supporting our case that higher-order proof planning
provides a good framework for program synthesis. Section 5.1 gives some examples
of how λClam encodes and manipulates the logic while Sections 5.2 and
5.3 describe the results of higher-order program synthesis and parameterised
synthesis.

5.1 Encoding of the Object Logic 

The proof planner λClam reasons about formulae in a generic typed higher-order
logic. First-order terms in this logic are represented by objects of λProlog type
oterm and formulas are represented by objects of λProlog type form.

Functions in the object logic are represented in λProlog as terms of function
type. Stored within the system are predicates describing the object level type
of the function and its arity. For example the function plus is represented by
the λProlog function plus. The object level type and arity of this function are
stored as predicates describing plus. Quantifiers are represented as higher-order
functions, taking as arguments an object type and a function to a formula and
returning a formula.

This leads to a very neat representation of formulae. For example, below is a
formula stating the commutativity of plus (note that functions are curried and
x\ is λProlog syntax for lambda abstraction of variable x):

forall nat x\ (forall nat y\ (eq (x plus y) (y plus x)))

One advantage of this representation is that the bound variables x and y are
bound by lambda abstraction. The programming language takes care of some of
the reasoning of the proof planner. For example, equality modulo α-conversion
is handled by λProlog.

This representation can be extended to handle higher-order quantifiers needed
to reason about higher-order logic programs. For example we can have a quantifier
forallp1 to quantify over first order predicates and can represent statements
about them, for example:

forallp1 p\ ((exists nat x\ (p x)) or (forall nat x\ (not (p x))))



5.2 Higher-Order Program Synthesis 

Synthesising higher-order programs is different from synthesising first-order pro- 
grams in the following way: 

Footnote: forall, nat and eq are all terms defined in λProlog, not part of the programming
language itself.

Footnote: Functions of the object-level logic are represented by functions in the meta-level
logic; a consequence of this simple encoding is that there is one quantifier for each
arity of function/predicate over which we wish to quantify. A less direct encoding
could avoid this inconvenience.
— The specification of the programs involves quantification over higher-order
objects. 

— The program definition contains quantification over higher-order objects. 

— The program may not be restricted to Horn clauses, so it becomes harder to
know when a program is synthesised.

The last point is relevant when trying to synthesise programs in a language
such as λProlog where the executable subset of logic is large but the notion of
consequence is different to that in the logic we are proof planning in (in particular
when proving in λProlog there is no inductive consequence).

In order to synthesise higher-order programs, λClam needs to be extended to
recognise ∀ quantifiers over higher-order objects, such as the forallp1 predicate
mentioned in the previous section.

Significantly, this was the only change needed to the code in λClam to do
higher-order program synthesis. An example specification of a higher-order logic
program is the all_hold predicate:

$\forall p, l.\ all\_hold(p, l) \leftrightarrow \forall x.\ member(x, l) \rightarrow p(x)$

which yields the synthesised program:

$\forall p, l.\ all\_hold(p, l) \leftrightarrow l = nil \vee (\exists h, t.\ l = h :: t \wedge p(h) \wedge all\_hold(p, t))$

This synthesis uses the methods of symbolic evaluation, tautology checking,
induction, rippling and shared variable introduction (see Table 1).

5.3 Parameterised Synthesis 

Parameterised synthesis performs synthesis where the specification holds under a
certain condition. Specifications are of the conditional form introduced earlier in the paper, which effectively
allows synthesis proofs to be parameterised and capture a group of syntheses
in one go. Two examples which show the parameterisation were successfully
synthesised.

The examples capture the type of synthesis that converts a function into a
relation where we know how to recursively evaluate a function. Example syntheses
of this type were the syntheses of rapp and rplus. Two parameterised
syntheses can be done (one for lists and one for natural numbers). Here is the
(higher-order) natural number specification (note that the meta-predicate prog
is to indicate that its argument is allowed to appear in the final synthesised
program body):

$\forall f, f_1, f_2.\ (prog(f_1) \wedge prog(f_2) \wedge f(zero) = f_1 \wedge \forall x.\ f(s(x)) = f_2(f(x))) \Rightarrow$
$\forall y, z.\ rnat(f, f_1, f_2, y, z) \leftrightarrow f(y) = z$



This yields the synthesised (higher-order) program:

$\forall f, f_1, f_2, y, z.\ rnat(f, f_1, f_2, y, z) \leftrightarrow (y = zero \wedge z = f_1) \vee$
$(\exists y', z'.\ y = s(y') \wedge z = f_2(z') \wedge rnat(f, f_1, f_2, y', z'))$

Parameterised syntheses promise to provide a framework for more sophisticated
synthesis. The programs that can be synthesised using this method need
investigation. The type of syntheses that could be achieved include:



Synthesis Based on Assumptions. Some programs are based on assumptions
about the input data (in the case of logic programming on assumptions about one
or more of the arguments of a relation). For example, some sorting algorithms
are based on assumptions about the data distribution of the elements of the list
being sorted, and multiplication in the case where one of the arguments is a power of
two is often handled with a different program than general multiplication. Such
programs can be synthesised from conditional specifications.



General Classes of Synthesis. Many syntheses follow the same pattern of 
proof. Parameterised synthesis allows these general syntheses to be performed. 
One example is given in the results of this project but other general patterns 
will exist. 

The advantage of performing these general syntheses is that they are much
more likely to match future specifications and be reused as components (see
Section 6.2).

Examples of higher-order and parameterised synthesis are given in Appendix A.

6 Discussion 

6.1 Comparison with Other Systems 

Synthesis in Clam, Kraan. A similar system to the one presented is given
in Kraan's work. The λClam implementation can synthesise all the examples given in this
work. However, in that work a method is given to automatically obtain certain lemmas
based on the properties of propositional logic; these were hand-coded into our
system. The same technique would work with the more recent proof-planner.

The advantage of λClam (implemented in λProlog) over the Clam (implemented
in Prolog) system is the ease with which one can move to higher-order
programs. Using λProlog as a meta-logic we can assure that code written for the
first-order case will be compatible with the higher-order case. This is due to the
fact that higher-order quantification can be raised to the programming language
level and does not need to be dealt with at the level of the actual program except
in relatively few areas.



Lau and Prestwich. Lau and Prestwich present a synthesis system
based on the analysis of folding problems. The system is similar to synthesis by
proof planning in that both systems apply transformation steps in a top-down
fashion. 

The system presented here differs from Lau and Prestwich’s system in
several ways. Firstly, Lau and Prestwich’s system only synthesises partially correct
programs and not necessarily complete ones, whereas λClam synthesises
totally correct programs.

Secondly, Lau and Prestwich’s work requires user interaction in the specification
of the recursive calls of the program before synthesis and in the choosing of
strategies during synthesis. We aim at fully automated synthesis. The recursive
form of a program synthesised by proof planning is decided by the choice of induction
scheme and which variable the induction is performed on. The amount
of user interaction in Lau and Prestwich’s system does allow more control over
the type of program synthesis and can synthesise certain programs which are
beyond this work (in their work several types of sorting algorithms are synthesised, for
example).

Higher-order program synthesis has not been tried by Lau and Prestwich’s 
methods. 



Schema-Based Synthesis. In schema-based synthesis (or transformation) 
common programming patterns are encoded as pairs {Pi,P2), where the Pi are 
program patterns which contain meta-variables. Synthesis proceeds recursively 
by finding a schema whose first element matches part of the specification. This 
part is then replaced by the appropriately instantiated second element of the 
schema. The majority of schema-based synthesis systems are either mostly manually
guided, or apply schemas exhaustively.
In order to achieve automation, we can associate applicability heuristics to program
synthesis schemas, which then become much like proof planning methods.

Higher-order program synthesis has not been covered by schema based approaches.
One existing system represents schemas in λProlog to make them more extensible. It is
feasible that this approach could be adapted to higher-order program schemas. In
another, an approach is given for synthesising definite-clause grammars which could
represent higher-order schemas. The synthesis process depends on sample input/output
pairs and so is more like inductive program synthesis rather than
the deductive approach given here.

One way of viewing parameterised synthesis is the synthesis of program 
schemas. 

6.2 Further Work 

Empirical Testing. We have successfully synthesised many examples from the 
existing literature. However, as in many AI systems, the extent of the system is 
only obtainable by empirical investigation. More work is needed to fully discover 
which kinds of algorithm we can synthesise given the current heuristic techniques 
encoded in the proof planner. 
Further Heuristic Control. The proof planning framework of methods and
methodicals can be extended to enlarge the class of programs that can be synthesised.
For example, searching and sorting algorithms along with certain more
complicated higher-order programs such as filtering a list could not be synthesised
given current work. Progress is likely to involve analysing the techniques
used to create certain types of program. In particular, the choice of induction
and induction variable in a proof determine the structure of recursion in a program.
Increasing the planner’s ability to find and choose induction schemes will
doubtless lead to greater power of synthesis.



Component Based Synthesis. When people write programs, they often reuse 
a lot of existing code. In contrast, our system can synthesise programs from 
specifications but each synthesis is individual and synthesised programs are not 
reused. This is clearly a limitation, which we would like to address in the future. 

One form of program reuse can be achieved by deriving rewrite rules from 
previously synthesised programs, and using these during the synthesis of new 
programs. 

As has been pointed out in the literature, however, exact matches between specifications and
specifications of stored program fragments are rare, and a specialised matching
system is required.

6.3 Summary 

We have provided a higher-order formulation of logic program synthesis that
subsumes earlier work in the area. To implement this work some general features
needed to be added to λClam and also some methods particular for synthesis
were created.

The extended flexibility allowed higher-order programs to be synthesised as
well as other first-order programs that were beyond other approaches. We believe
the use of λProlog and the λClam system were key to allowing these extensions
with practically no change to the code. Some questions remain on judging the
correctness of higher-order program syntheses. However, the extensions indicate
the system is capable of being developed to achieve quite powerful and flexible
fully automated syntheses.
A Sample Example Synthesis Results

Here is a sample of some of the specifications from which λClam can successfully
synthesise programs.



A.1 First-Order Programs

subset: $\forall i, j.\ subset(i, j) \leftrightarrow \forall x.\ member(x, i) \rightarrow member(x, j)$

max: $\forall x, l.\ max(x, l) \leftrightarrow member(x, l) \wedge \forall y.\ (member(y, l) \rightarrow leq(y, x))$

add3: $\forall w, x, y, z.\ add3(x, y, z, w) \leftrightarrow w + (x + y) = z$

replicate: $\forall x, y.\ replicate(x, y) \leftrightarrow \forall z.\ member(z, y) \rightarrow z = x$

front: $\forall x, y.\ front(x, y) \leftrightarrow \exists k.\ app(x, k) = y$

frontn: $\forall x, y, n.\ frontn(x, y, n) \leftrightarrow (\exists k.\ app(x, k) = y) \wedge (length(x) = n)$



A.2 Higher-Order Horn Clause Examples

listE: $\forall p, x, y.\ (listE\ p\ x\ y) \leftrightarrow (p\ x) \wedge (member\ x\ y)$

all_hold: $\forall f, l.\ (all\_hold\ f\ l) \leftrightarrow \forall x.\ (member\ x\ l) \rightarrow (f\ x)$

takep: $\forall p, x, y.\ (takep\ p\ x\ y) \leftrightarrow (\exists z, k.\ (app\ x\ (z :: k)) = y \wedge \forall n.\ (member\ n\ x) \rightarrow (p\ n) \wedge \neg (p\ z))$

subsetp: $\forall p, x, y.\ (subsetp\ p\ x\ y) \leftrightarrow (\forall z.\ (member\ z\ x) \rightarrow (member\ z\ y)) \wedge \ldots$


A.3 Parameterised Synthesis

rnat: $(prog\ f_1) \wedge (prog\ f_2) \wedge (f\ zero) = f_1 \wedge (\forall x.\ (f\ (s\ x)) = (f_2\ (f\ x))) \Rightarrow \forall x, y.\ (rnat\ f\ f_1\ f_2\ x\ y) \leftrightarrow (f\ x) = y$

rlst: $(prog\ f_1) \wedge (prog\ f_2) \wedge (f\ nil) = f_1 \wedge (\forall h, t.\ (f\ (h :: t)) = (f_2\ h\ (f\ t))) \Rightarrow \forall x, y.\ (rlst\ f\ f_1\ f_2\ x\ y) \leftrightarrow (f\ x) = y$
Abstract. In recent work it has been shown that infinite state model
checking can be performed by a combination of partial deduction of logic 
programs and abstract interpretation. It has also been shown that par- 
tial deduction is powerful enough to mimic certain algorithms to decide 
coverability properties of Petri nets. These algorithms are forward al- 
gorithms and hard to scale up to deal with more complicated systems. 
Recently, it has been proposed to use a backward algorithm scheme in- 
stead. This scheme is applicable to so-called well-structured transition 
systems and was successfully used, e.g., to solve coverability problems 
for reset Petri nets. In this paper, we discuss how partial deduction can 
mimic many of these backward algorithms as well. We prove this link in 
particular for reset Petri nets and Petri nets with transfer and doubling 
arcs. We thus establish a surprising link between algorithms in Petri net 
theory and program specialisation, and also shed light on the power of 
using logic program specialisation for infinite state model checking. 



1 Introduction 

Recently there has been interest in applying logic programming techniques to
model checking. Table-based logic programming and set-based analysis can be
used as an efficient means of performing explicit model checking. Despite
the success of model checking, most systems must still be substantially simplified
and considerable human ingenuity is required to arrive at the stage where the
push button automation can be applied. Furthermore, most software systems
cannot be modelled directly by a finite state system. For these reasons, there 
has recently been considerable interest in infinite model checking. This, by its 
very undecidable nature, is a daunting task, for which abstraction is a key issue. 

Now, an important question when attempting infinite model checking in practice
is: How can one automatically obtain an abstraction which is finite, but still
as precise as required? A solution to this problem can be obtained by using existing
techniques for the automatic control of logic program specialisation.
More precisely, in program specialisation and partial evaluation, one faces a very 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 101 ff., 2000.
similar (and extensively studied) problem: To be able to produce efficient specialised
programs, infinite computation trees have to be abstracted in a finite
but also as precise as possible way. To be able to apply this existing technology 
we simply have to model the system to be verified as a logic program (by means 
of an interpreter). This obviously includes finite LTS, but also allows to express 
infinite state systems. This translation is often very straightforward, due to the 
built-in support of logic programming for non-determinism and unification. First
successful steps in that direction have been taken in earlier work, which gave a first formal
answer about the power of the approach and showed that when we encode
ordinary Petri nets as logic programs and use existing program specialisation algorithms,
we can decide the so-called “coverability problems” (which encompass
quasi-liveness, boundedness, determinism, regularity, ...). This was achieved by
showing that the Petri net algorithms by Karp-Miller and Finkel can be
exactly mimicked. Both algorithms are forward algorithms, i.e. they construct
an abstracted representation of the whole reachability tree of a Petri net starting
from the initial marking. However, to decide many coverability problems, such a
complete abstraction is not necessary or even not precise enough for more complicated
systems. To decide coverability problems for a wider class of transition
systems, namely well structured transition systems, a backward algorithm
scheme was proposed instead. This scheme has been successfully applied,
e.g., to reset Petri nets.

In this paper we discuss how partial deduction can mimic these backward
algorithms as well. We prove this correspondence in particular for reset Petri
nets, since for many problems they lie on the “border between decidability and
undecidability”. Thus, in addition to establishing a link between algorithms
in Petri net theory and program specialisation, our results also shed light on the
power of using logic program analysis and specialisation techniques for infinite
state model checking.

2 (Reset) Petri Nets and the Covering Problem 

In this paper we want to study the power of partial deduction based approaches 
for model checking of infinite state systems. To arrive at precise results, it makes 
sense to focus on a particular class of infinite state systems and properties which 
are known to be decidable. One can then examine whether the partial deduc- 
tion approach provides a decision procedure and how it compares to existing 
algorithms. In this section, we describe such a decidable class of properties and
systems, namely covering problems for Petri nets, reset Petri nets, and well-structured
transition systems. We start out by giving definitions of some important
concepts in Petri net theory.

Definition 1. A Petri net $\Pi$ is a tuple $(S, T, F, M_0)$ consisting of a finite set of
places $S$, a finite set of transitions $T$ with $S \cap T = \emptyset$ and a flow relation $F$ which
is a function from $(S \times T) \cup (T \times S)$ to $\mathbb{N}$. A marking $M$ for $\Pi$ is a mapping
$S \to \mathbb{N}$. $M_0$ is a marking called initial.
A transition $t \in T$ is enabled in a marking $M$ iff $\forall s \in S : M(s) \geq F(s, t)$.
An enabled transition can be fired, resulting in a new marking $M'$ defined by
$\forall s \in S : M'(s) = M(s) - F(s, t) + F(t, s)$. We will denote this by $M[t\rangle M'$.
By $M[t_1, \ldots, t_k\rangle M'$ we denote the fact that for some intermediate markings
$M_1, \ldots, M_{k-1}$ we have $M[t_1\rangle M_1, \ldots, M_{k-1}[t_k\rangle M'$.

We define the reachability tree $RT(\Pi)$ inductively as follows: Let $M_0$ be the
label of the root node. For every node $n$ of $RT(\Pi)$ labelled by some marking
$M$ and for every transition $t$ which is enabled in $M$, add a node $n'$ labelled $M'$
such that $M[t\rangle M'$ and add an arc from $n$ to $n'$ labelled $t$. The set of all labels
of $RT(\Pi)$ is called the reachability set of $\Pi$, denoted $RS(\Pi)$. The set of words
given by the labels of finite paths of $RT(\Pi)$ starting in the root node is called the
language of $\Pi$, written $L(\Pi)$.

For convenience, we denote $M \geq M'$ iff $M(s) \geq M'(s)$ for all places $s \in S$.
We also introduce pseudo-markings, which are functions from $S$ to $\mathbb{N} \cup \{\omega\}$
where we also define $\forall n \in \mathbb{N} : \omega > n$ and $\omega + n = \omega - n = \omega + \omega = \omega$. Using
this we also extend the notation $M[t_1, \ldots, t_k\rangle M'$ for such markings.

Reset Petri Nets and WSTS’s. One can extend the power of Petri nets by
adding a set of reset arcs $R \subseteq (S \times T)$ from places to transitions: when the
associated transition fires the number of tokens in the originating place is reset
to zero. Such nets were first introduced in earlier work, and we adapt all of the above
concepts and notations in the obvious way.

Well-structured transition systems (WSTS) are a further generalisation
of Petri nets. They cover reset Petri nets but also Petri nets with transfer arcs,
post self-modifying nets, as well as many formalisms not directly related to Petri
nets (Basic Process Algebras, Context-free grammars, Timed Automata, ...). To
define WSTS we first need the concept of a well-quasi order:

Definition 2. A sequence $s_1, s_2, \ldots$ of elements of $S$ is called admissible wrt a
binary relation $\leq_S$ on $S \times S$ iff there are no $i < j$ such that $s_i \leq_S s_j$. We say that
$\leq_S$ is a well-quasi relation (wqr) iff there are no infinite admissible sequences
wrt $\leq_S$. A well quasi order (wqo) is a reflexive and transitive wqr.

A well-structured transition system (WSTS) is a structure $(S, \rightarrow, \leq)$
where $S$ is a (possibly infinite) set of states, $\rightarrow \subseteq S \times S$ a set of transitions, and:

(1) $\leq \subseteq S \times S$ is a wqo and

(2) $\leq$ is (upward) compatible wrt $\rightarrow$: for all $s_1 \leq t_1$ and $s_1 \rightarrow s_2$ there exists a
sequence $t_1 \rightarrow^* t_2$ such that $s_2 \leq t_2$.

Reset Petri nets can be modelled as a WSTS $(S, \rightarrow, \leq)$ with $S$ being the set
of markings, $M \rightarrow M'$ if for some $t$ we have $M[t\rangle M'$ and using the corresponding
$\leq$ order on markings seen as vectors of numbers (this order is a wqo).

Coverability Analysis. The covering problem is a classical problem in Petri
net theory and is also sometimes referred to as the control-state reachability
problem. The question is: given a marking $M$ is there a marking $M'$ in $RS(\Pi)$
which covers $M$, i.e., $M' \geq M$. This problem can be analysed using the so-called
Karp-Miller tree $KM(\Pi)$ which is computed as follows:

1. start out from a tree with a single node labelled by the initial marking $M_0$;

2. repeatedly pick an unprocessed leaf labelled by some $M$; for every transition $t$
such that $M[t\rangle M'$ and such that there is no ancestor $M'' = M'$ do:
a. generalise $M'$ by replacing all $M'(p)$ by $\omega$ such that there is an ancestor $M'' < M'$ and
$M''(p) < M'(p)$;
b. create a child of $M$ labelled by $M'$.

The intuition behind step 2a. is that if from M" we can reach the strictly 
larger marking M' we then extrapolate the growth by inserting w’s. For example 
for M” = (0, 1, 1) and M' = (1, 2, 1) we will produce (tu, uj, 1). This is sufficient 
to ensure termination of the procedure and thus finiteness of KM {II). 

Some of the properties of ordinary Petri nets decidable by examining $KM(\Pi)$ are¹ boundedness, place-boundedness, quasi-liveness of a transition $t$ (i.e. is there a marking in $RT(\Pi)$ where $t$ is enabled), and regularity of $L(\Pi)$ (cf. [ref]).

The quasi-liveness question is a particular instance of the covering problem, which can be decided using the Karp-Miller tree simply by checking whether there is a pseudo-marking $M'$ in $KM(\Pi)$ such that $M' \ge M$. For example if there is a marking $(\omega, \omega, 1)$ in $KM(\Pi)$ then we know that we can, e.g., reach a marking greater or equal to $(10, 55, 1)$.²

The reason why this approach is correct is the monotonicity of ordinary Petri nets: if $M[t_1, \ldots, t_k\rangle M'$ and $M'' > M$ (the condition to introduce $\omega$) then $M''[t_1, \ldots, t_k\rangle M'''$ for some $M''' > M'$ (i.e., we can repeat the process and produce ever larger markings, and when an $\omega$ is generated within $KM(\Pi)$ for a particular place $s$ we can generate an arbitrarily large number of tokens in $s$).

Unfortunately, this monotonicity criterion is no longer satisfied for Petri nets with reset arcs! More precisely, when we have $M[t_1, \ldots, t_k\rangle M'$ with $M' > M$ (the condition to introduce $\omega$) we still have that $M'[t_1, \ldots, t_k\rangle M''$ for some $M''$, but we no longer have $M'' > M'$ (we just have $M'' \ge M'$). This means that, when computing the Karp-Miller tree, the generation of $\omega$ places is sound but no longer "precise," i.e., when we generate an $\omega$ we are no longer guaranteed that an unbounded number of tokens can actually be produced. The Karp-Miller tree can thus no longer be used to decide boundedness or coverability.

Example 1. Take for example a simple reset Petri net with two transitions $t_1, t_2$ and two places $s_1, s_2$ depicted in Fig. 1. Transition $t_1$ takes one token from $s_1$, puts one token in $s_2$ and resets $s_1$. Transition $t_2$ takes one token from $s_2$ and produces 2 tokens in $s_1$. Then we have $(1, 0)[t_1\rangle(0, 1)[t_2\rangle(2, 0)$ and the Karp-Miller procedure generates a node labelled with $(\omega, 0)$ even though the net is bounded!



¹ It was shown in [ref] that these problems can also be decided using minimal coverability graphs, which are often significantly smaller.

² However, it does not guarantee that we can generate any number of tokens. To decide whether we can, e.g., reach exactly the marking $(10, 55, 1)$ the Karp-Miller tree is not enough.

Fig. 1. Reset Petri net from Ex. 1
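As an added illustration (not code from the paper), the Karp-Miller construction of steps 1 to 2b above, run in Python on the reset net of Example 1 and, for contrast, on the same net with its reset arc removed. The net, the place order and the tuple representation of markings are assumptions of this example. The reset net yields the node $(\omega, 0)$ although a plain enumeration of its reachable markings stops at $(2, 0)$, which is exactly the loss of precision described above; the ordinary net reaches $(\omega, \omega)$, and there the $\omega$ is justified.

```python
"""Karp-Miller tree (steps 1, 2a, 2b above) for Petri nets with reset arcs,
next to a plain enumeration of the reachable markings of the net of Example 1.

Added example, not code from the paper: net, names and markings are ours.
A marking is a tuple of ints; OMEGA stands for the omega label of the tree."""
from collections import deque
from dataclasses import dataclass, field

OMEGA = float("inf")


@dataclass(frozen=True)
class Transition:
    name: str
    pre: tuple                                   # tokens consumed, per place
    post: tuple                                  # tokens produced, per place
    reset: frozenset = field(default_factory=frozenset)  # places reset by t


def fire(marking, t):
    """Successor of marking under t, or None if t is not enabled.
    A reset place holds exactly post[p] tokens afterwards (an omega is lost)."""
    if any(marking[p] < t.pre[p] for p in range(len(marking))):
        return None
    return tuple(t.post[p] if p in t.reset else marking[p] - t.pre[p] + t.post[p]
                 for p in range(len(marking)))


def strictly_less(a, b):
    return all(x <= y for x, y in zip(a, b)) and a != b


def karp_miller(initial, transitions, max_nodes=10_000):
    """KM tree as a list of (label, parent_index); the root's parent is None."""
    nodes = [(tuple(initial), None)]
    unprocessed = deque([0])
    while unprocessed:
        idx = unprocessed.popleft()
        ancestors, a = [], idx                   # the node itself and its ancestors
        while a is not None:
            ancestors.append(nodes[a][0])
            a = nodes[a][1]
        for t in transitions:
            succ = fire(nodes[idx][0], t)
            if succ is None or succ in ancestors:  # no child for a repeated label
                continue
            gen = list(succ)                     # step 2a: extrapolate growth
            for anc in ancestors:
                if strictly_less(anc, succ):
                    for p in range(len(gen)):
                        if anc[p] < succ[p]:
                            gen[p] = OMEGA
            nodes.append((tuple(gen), idx))      # step 2b
            unprocessed.append(len(nodes) - 1)
            if len(nodes) > max_nodes:
                raise RuntimeError("Karp-Miller tree exceeded max_nodes")
    return nodes


def reachable_markings(initial, transitions, max_states=10_000):
    """Breadth-first RS(Pi); terminates only for bounded nets, hence the cap."""
    seen, queue = {tuple(initial)}, deque([tuple(initial)])
    while queue:
        m = queue.popleft()
        for t in transitions:
            succ = fire(m, t)
            if succ is not None and succ not in seen:
                seen.add(succ)
                queue.append(succ)
                if len(seen) > max_states:
                    raise RuntimeError("more than max_states reachable markings")
    return seen


# The net of Example 1 over places (s1, s2): t1 takes a token from s1, puts one
# into s2 and resets s1; t2 takes a token from s2 and puts two into s1.
RESET_NET = [Transition("t1", pre=(1, 0), post=(0, 1), reset=frozenset({0})),
             Transition("t2", pre=(0, 1), post=(2, 0))]
# The same net without the reset arc, for which the omega is precise.
ORDINARY_NET = [Transition("t1", pre=(1, 0), post=(0, 1)),
                Transition("t2", pre=(0, 1), post=(2, 0))]
M0 = (1, 0)


def tree_labels(net):
    return [label for label, _ in karp_miller(M0, net)]


if __name__ == "__main__":
    print("reset net, KM labels:   ", tree_labels(RESET_NET))
    print("reset net, reachable:   ", sorted(reachable_markings(M0, RESET_NET)))
    print("ordinary net, KM labels:", tree_labels(ORDINARY_NET))
```

Running it shows the reset net's tree labels $(1, 0), (0, 1), (\omega, 0)$ next to its actual reachability set $\{(1, 0), (0, 1), (2, 0)\}$; the cap on the number of enumerated states is what keeps the enumeration honest on an unbounded net such as the ordinary variant, where only the tree terminates.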



It turns out that boundedness (as well as reachability) is actually undecidable for Petri nets with reset arcs [ref]. However, the covering problem (and thus, e.g., quasi-liveness) is still decidable using a backwards algorithm [ref] which works for any WSTS for which $\le$ and $pb(.)$ (see below) can be computed.

Given a WSTS $(S, \rightarrow, \le)$ and a set of states $I \subseteq S$ we define:

- the upwards-closure $\uparrow I = \{y \mid y \ge x \wedge x \in I\}$

- the immediate predecessor states of $I$: $Pred(I) = \{y \mid y \rightarrow x \wedge x \in I\}$

- all predecessor states of $I$: $Pred^*(I) = \{y \mid y \rightarrow^* x \wedge x \in I\}$

- $pb(I) = \bigcup_{x \in I} pb(x)$ where $pb(x)$ is a finite basis of $\uparrow Pred(\uparrow \{x\})$ (i.e., $pb(x)$ is a finite set such that $\uparrow pb(x) = \uparrow Pred(\uparrow \{x\})$).

The covering problem for WSTS is as follows: given two states $s$ and $t$, can we reach $t' \ge t$ starting from $s$. Provided that $\le$ is decidable and $pb(x)$ exists and can be effectively computed, the following algorithm [ref] can be used to decide the covering problem:

1. Set $K_0 = \{t\}$ and $j = 0$

2. $K_{j+1} = K_j \cup pb(K_j)$

3. if $\uparrow K_{j+1} \neq \uparrow K_j$ then increment $j$ and goto 2.

4. return true if $\exists s' \in K_j$ with $s' \le s$ and false otherwise

This procedure terminates and we also have the property that $\uparrow K_j = Pred^*(\uparrow \{t\})$. At step 4 we test whether $s \in \uparrow K_j$, which thus corresponds to $s \in Pred^*(\uparrow \{t\})$ (because we have reached the fixpoint), i.e., we indeed check whether $s \rightarrow^* t'$ for some $t' \ge t$.

$pb(M)$ can be effectively computed for Petri nets and reset Petri nets by simply executing the transitions backwards and setting a place to the minimum number of tokens required to fire the transition if it caused a reset on this place:

$pb(M) = \{P' \mid \exists t \in T : (P[t\rangle M \wedge \forall s \in S : P'(s) = (F(s,t) \text{ if } (s,t) \in R \text{ else } P(s)))\}$

We can thus use the above algorithm to decide the covering problem. In the 
remainder of the paper we will show that, surprisingly, the exact same result can 
be obtained by encoding the (reset) Petri net as a logic program and applying a 
well-established program specialisation technique! 
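As an added example (not the paper's code), the backwards algorithm and the reset-net $pb(.)$ above in Python, run on the net of Example 1 and on its reset-free variant. Transitions, markings and names are this example's own assumptions. The one point the formula leaves implicit is spelled out in the code: a place reset by $t$ holds exactly $F(t,s)$ tokens after $t$ fired, so $t$ yields a predecessor of $\uparrow\{M\}$ only when $M(s) \le F(t,s)$, and that predecessor needs just the $F(s,t)$ tokens that enable $t$.

```python
"""The backwards coverability algorithm (steps 1 to 4 above) for Petri nets
with reset arcs, with pb(.) computed by running transitions backwards.

Added example, not code from the paper: net, markings and names are ours.
A marking is a tuple of ints; a transition carries F(s,t) as `pre`, F(t,s) as
`post` and the places it resets as `reset`."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transition:
    name: str
    pre: tuple
    post: tuple
    reset: frozenset = field(default_factory=frozenset)


def leq(a, b):
    """Componentwise order on markings; a wqo on vectors of naturals."""
    return all(x <= y for x, y in zip(a, b))


def pb_single(m, transitions):
    """A finite basis of ↑Pred(↑{m}).  Backwards over t, a non-reset place needs
    max(m(s) - F(t,s), 0) + F(s,t) tokens.  A reset place holds exactly F(t,s)
    tokens after t fired, so t only contributes when m(s) <= F(t,s), and then
    the place needs just the F(s,t) tokens that enable t."""
    basis = set()
    for t in transitions:
        pred = []
        for s in range(len(m)):
            if s in t.reset:
                if m[s] > t.post[s]:
                    pred = None
                    break
                pred.append(t.pre[s])
            else:
                pred.append(max(m[s] - t.post[s], 0) + t.pre[s])
        if pred is not None:
            basis.add(tuple(pred))
    return basis


def pb(states, transitions):
    return set().union(*(pb_single(m, transitions) for m in states))


def same_upward_closure(a, b):
    """↑a = ↑b iff every element of each set is above some element of the other."""
    return (all(any(leq(y, x) for y in b) for x in a)
            and all(any(leq(x, y) for x in a) for y in b))


def backward_fixpoint(target, transitions):
    """K_j at the fixpoint of steps 1 to 3, with ↑K_j = Pred*(↑{target})."""
    k = {tuple(target)}                            # step 1
    while True:
        k_next = k | pb(k, transitions)            # step 2
        if same_upward_closure(k_next, k):         # step 3
            return k
        k = k_next


def covers(source, target, transitions):
    """Step 4: some marking >= target is reachable from source iff source ∈ ↑K_j."""
    return any(leq(s, source) for s in backward_fixpoint(target, transitions))


# The net of Example 1 over places (s1, s2), and the same net without the reset.
RESET_NET = [Transition("t1", pre=(1, 0), post=(0, 1), reset=frozenset({0})),
             Transition("t2", pre=(0, 1), post=(2, 0))]
ORDINARY_NET = [Transition("t1", pre=(1, 0), post=(0, 1)),
                Transition("t2", pre=(0, 1), post=(2, 0))]

if __name__ == "__main__":
    print("(2,0) coverable from (1,0), reset net:   ", covers((1, 0), (2, 0), RESET_NET))
    print("(3,0) coverable from (1,0), reset net:   ", covers((1, 0), (3, 0), RESET_NET))
    print("(3,0) coverable from (1,0), ordinary net:", covers((1, 0), (3, 0), ORDINARY_NET))
    print("fixpoint set for (3,0), reset net:", sorted(backward_fixpoint((3, 0), RESET_NET)))
```

For the target $(3, 0)$ on the reset net the fixpoint set is $\{(3, 0), (1, 1), (0, 2)\}$, and since none of these is below the initial marking $(1, 0)$ the answer is false; these three markings are also the ones the specialised predicates of Section 5 encode. The fixpoint test compares upward closures rather than the sets themselves, which is what lets the loop stop once, e.g., $(0, 3)$ turns up above the already present $(0, 2)$.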
3 Partial Evaluation and Partial Deduction

We will now present the essential ingredients of the logic program specialisation techniques that were used for infinite model checking in [ref].

Throughout this article, we suppose familiarity with basic notions in logic 
programming. Notational conventions are standard. In particular, we denote 
variables through (strings starting with) an uppercase symbol, while constants, 
functions, and predicates begin with a lowercase character. 

In logic programming, full input to a program $P$ consists of a goal $\leftarrow Q$ and evaluation corresponds to constructing a complete SLD-tree for $P \cup \{\leftarrow Q\}$, i.e., a tree whose root is labeled by $\leftarrow Q$ and where children of nodes are obtained by first selecting a literal of the node and then resolving it with the clauses of $P$. For partial evaluation, static input takes the form of a partially instantiated goal $\leftarrow Q'$ and the specialised program should be correct for all runtime instances $\leftarrow Q'\theta$ of $\leftarrow Q'$. A technique which achieves this is known under the name of partial deduction, which we present below.



3.1 Generic Algorithm for Partial Deduction 

The general idea of partial deduction is to construct a finite number of finite but possibly incomplete³ trees which "cover" the possibly infinite SLD-tree for $P \cup \{\leftarrow Q'\}$ (and thus also all SLD-trees for all instances of $\leftarrow Q'$). The derivation steps in these SLD-trees are the computations which have been pre-evaluated and the clauses of the specialised program are then extracted by constructing one specialised clause (called a resultant) per branch. These incomplete SLD-trees are obtained by applying an unfolding rule:

Definition 3. An unfolding rule is a function which, given a program $P$ and a goal $\leftarrow Q$, returns a non-trivial⁴ and possibly incomplete SLD-tree $\tau$ for $P \cup \{\leftarrow Q\}$. We also define the set of leaves, $leaves(\tau)$, to be the leaf goals of $\tau$.

Given closedness (all leaves are an instance of a specialised atom) and independence (no two specialised atoms have a common instance), correctness of the specialised program is guaranteed [ref]. Independence is usually (e.g. [ref]) ensured by a renaming transformation. Closedness is more difficult to ensure, but can be satisfied using the following generic algorithm based upon [ref]. This algorithm structures the atoms to be specialised in a global tree: i.e., a tree whose nodes are labeled by atoms and where $A$ is a descendant of $B$ if specialising $B$ led to the specialisation of $A$. Apart from the missing treatment of conjunctions [ref], the following is basically the algorithm implemented in the ECCE system [ref] which we will employ later on.

³ An incomplete SLD-tree is an SLD-tree which, in addition to success and failure leaves, also contains leaves where no literal has been selected for a further derivation step.

⁴ A trivial SLD-tree has a single node where no literal has been selected for resolution.
Algorithm 3.1 (Generic Partial Deduction Algorithm)

Input: a program P and a goal ← A

Output: a set of atoms or conjunctions 𝒜 and a global tree γ

Initialisation: γ := a "global" tree with a single unmarked node, labelled by A

repeat
    pick an unmarked leaf node L in γ
    if covered(L, γ) then mark L as processed
    else
        W = whistle(L, γ)
        if W ≠ fail then
            label(L) := abstract(L, W, γ)⁵
        else
            mark L as processed
            for all atoms A ∈ leaves(U(P, label(L))) do
                add a new unmarked child C of L to γ
                label(C) := A
until all nodes are processed

output 𝒜 := {label(A) | A ∈ γ} and γ



The above algorithm is parametrised by an unfolding rule $U$, a predicate $covered(L, \gamma)$, a whistle function $whistle(L, \gamma)$ and an abstraction function $abstract(L, W, \gamma)$. Intuitively, $covered(L, \gamma)$ is a way of checking whether $L$ or a generalisation of $L$ has already been treated in the global tree $\gamma$. Formally, $covered(L, \gamma) = true$ must imply that $\exists M \in \gamma$ such that $M$ is processed or abstracted and for some substitution $\theta$: $label(M)\theta = label(L)$. A particular implementation could be more demanding and, e.g., return true only if there is another node in $\gamma$ labelled by a variant of $L$.

The other two parameters are used to ensure termination. Intuitively, $whistle(L, \gamma)$ is used to detect whether the branch of $\gamma$ ending in $L$ is "dangerous", in which case it returns a value different from $fail$ (i.e., it "blows"). This value should be an ancestor $W$ of $L$ compared to which $L$ looked dangerous (e.g., $L$ is bigger than $W$ in some sense). The abstraction operation will then compute a generalisation of $L$ and $W$, less likely to lead to non-termination. Formally, $abstract(L, W, \gamma)$ must be an atom which is more general than both $L$ and $W$. This generalisation will replace the label of $W$ in the global tree $\gamma$.⁵

If Algorithm 3.1 terminates then the closedness condition of [ref] is satisfied, i.e., it is ensured that together the SLD-trees $\tau_1, \ldots, \tau_n$ form a complete description of all possible computations that can occur for all concrete instances $\leftarrow A\theta$ of the goal of interest $\leftarrow A$ [ref]. We can then produce a totally correct specialised program. On its own, Algorithm 3.1 does not ensure termination (so, strictly speaking, it is not an algorithm but a procedure). To ensure termination, we have to use an unfolding rule that builds finite SLD-trees only. We also have to guarantee that infinite branches in the global tree $\gamma$ will be spotted by the whistle and that the abstraction cannot be repeated infinitely often.

⁵ Alternatively one could remove all descendants of $W$ and change the label of $W$. This is controlled by the parent abstraction switch in ecce.
3.2 Concrete Algorithm

We now present a concrete partial deduction algorithm, which is online (as opposed to offline) in the sense that control decisions are taken during the construction of $\gamma$ and not beforehand. It is also rather naive (e.g., it does not use characteristic trees [ref]; also the generic Algorithm 3.1 does not include recent improvements such as conjunctions [ref], constraints [ref] or abstract interpretation [ref]). However, it is easier to comprehend (and analyse) and will actually be sufficiently powerful for our purposes (i.e., decide covering problems of reset Petri nets and other WSTS's).

Unfolding Rule. In this paper we will use a very simple method for ensuring 
that each individual SLD-tree constructed by U is finite: we ensure that we 
unfold every predicate at most once in any given tree! 

Whistle. To ensure that no infinite global tree $\gamma$ is built up, we will use a more refined approach based upon well-quasi orders: in our context we will use a wqo to ensure that no infinite tree $\gamma$ is built up in Algorithm 3.1 by setting whistle to true whenever the sequence of labels on the current branch is not admissible. A particularly useful wqo (for a finite alphabet) is the pure homeomorphic embedding [ref]:

Definition 4. The (pure) homeomorphic embedding relation $\trianglelefteq$ on expressions is inductively defined as follows (i.e. $\trianglelefteq$ is the least relation satisfying the rules):

1. $X \trianglelefteq Y$ for all variables $X, Y$

2. $s \trianglelefteq f(t_1, \ldots, t_n)$ if $s \trianglelefteq t_i$ for some $i$

3. $f(s_1, \ldots, s_n) \trianglelefteq f(t_1, \ldots, t_n)$ if $\forall i \in \{1, \ldots, n\} : s_i \trianglelefteq t_i$.

Notice that $n$ is allowed to be 0 and we thus have $c \trianglelefteq c$ for all constant and proposition symbols. The intuition behind the above definition is that $A \trianglelefteq B$ iff $A$ can be obtained from $B$ by "striking out" certain parts, or said another way, the structure of $A$ reappears within $B$. We have $f(a, b) \trianglelefteq p(f(g(a), b))$.
Abstraction. Once the whistle has identified a potential non-termination one will usually compute generalisations which are as precise as possible (for partial deduction): The most specific generalisation of a finite set of expressions $S$, denoted by $msg(S)$, is the most specific expression $M$ such that all expressions in $S$ are instances of $M$. E.g., $msg(\{p(0, s(0)), p(0, s(s(0)))\}) = p(0, s(A))$. The msg can be computed [ref].
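As an added example (not code from the paper or from the ECCE system), the three rules of Definition 4 and the msg, written in Python over a small term representation of this example's own choosing, and combined into the whistle-plus-abstraction step of the concrete algorithm that follows. The two terms from the text are checked, and a branch of the kind that arises for the reset net encoding of Section 4 (two search_initial atoms, an assumption of this example) shows the whistle blowing and the msg keeping the "at least three tokens" shape while generalising the rest.

```python
"""Pure homeomorphic embedding (Definition 4) and most specific generalisation,
i.e. the whistle and the abstraction operation used by Algorithm 3.2.

Added example, not code from the paper or from the ECCE system.  Term
representation (ours): a variable is a str starting with an uppercase letter;
any other term is a tuple (functor, arg1, ..., argn), a constant being a tuple
with no arguments such as ('a',); Prolog lists use the functor '.' and ('[]',)."""
import itertools


def is_var(t):
    return isinstance(t, str)


def embeds(s, t):
    """s ⊴ t by the three rules of Definition 4 (rule 2 tried before rule 3)."""
    if is_var(t):
        return is_var(s)                                    # rule 1
    if any(embeds(s, ti) for ti in t[1:]):                  # rule 2
        return True
    return (not is_var(s) and s[0] == t[0] and len(s) == len(t)
            and all(embeds(si, ti) for si, ti in zip(s[1:], t[1:])))  # rule 3


def msg(terms):
    """Most specific generalisation of a non-empty list of terms.  A position
    where the terms disagree becomes a fresh variable G0, G1, ...; the same
    disagreement met twice reuses its variable, so msg([p(0,0), p(s(0),s(0))])
    is p(G0,G0) and not p(G0,G1)."""
    fresh, seen = itertools.count(), {}

    def gen(ts):
        first = ts[0]
        if all(t == first for t in ts):
            return first
        if not is_var(first) and all(not is_var(t) and t[0] == first[0]
                                     and len(t) == len(first) for t in ts):
            return (first[0],) + tuple(gen([t[i] for t in ts])
                                       for i in range(1, len(first)))
        key = tuple(ts)
        if key not in seen:
            seen[key] = f"G{next(fresh)}"
        return seen[key]

    return gen(list(terms))


def whistle_and_abstract(ancestor, leaf):
    """The whistle of Algorithm 3.2 blows iff label(ancestor) ⊴ label(leaf);
    then abstract(.) replaces the leaf's label by msg({ancestor, leaf})."""
    return msg([ancestor, leaf]) if embeds(ancestor, leaf) else None


def plist(*items):
    """Prolog list [i1, ..., in] as nested '.'-terms."""
    out = ("[]",)
    for item in reversed(items):
        out = (".", item, out)
    return out


def succ_term(n, inner):
    """s(s(...s(inner)...)) with n applications of s."""
    for _ in range(n):
        inner = ("s", inner)
    return inner


# Constructed terms for the two examples of the text.
F_AB = ("f", ("a",), ("b",))
P_FGAB = ("p", ("f", ("g", ("a",)), ("b",)))
ZERO = ("0",)

if __name__ == "__main__":
    print(embeds(F_AB, P_FGAB))
    print(msg([("p", ZERO, succ_term(1, ZERO)), ("p", ZERO, succ_term(2, ZERO))]))
    # A branch of the global tree for the reset-net encoding (assumed atoms):
    # the whistle blows and the msg keeps the ">= 3 tokens in place 1" shape.
    anc = ("search_initial", "T", plist(succ_term(3, "B"), "C"))
    leaf = ("search_initial", "T1", plist(succ_term(4, "B"), "C"))
    print(whistle_and_abstract(anc, leaf))
```

The msg memoises disagreements on the tuple of sub-terms it saw, which is what makes repeated mismatches share one variable; without that, $msg(\{p(0, 0), p(s(0), s(0))\})$ would come out as $p(G_0, G_1)$ and lose the link between the two arguments.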

Algorithm 3.2 We define an instance of Algorithm 3.1 as follows:

- $U$ unfolds every predicate just once

- $covered(L, \gamma) = true$ if there exists a processed node in $\gamma$ whose label is more general than $L$

- $whistle(L, \gamma) = M$ iff $M$ is an ancestor of $L$ such that $label(M) \trianglelefteq label(L)$, and $whistle(L, \gamma) = fail$ if there is no such ancestor.

- $abstract(L, W, \gamma) = msg(L, W)$.

Algorithm 3.2 terminates for any program $P$ and goal $\leftarrow Q$ (this can be proven by simplified versions of the proofs in [ref] or [ref]).
4 Encoding (Reset) Petri Nets as Logic Programs

It is very easy to implement (reset) Petri nets as (non-deterministic) logic programs (see also [ref]). Figure 2 contains a particular encoding of the reset Petri net from Ex. 1 and a simple predicate reachable searching for reachable markings in $RS(\Pi)$. To model a reset arc (as opposed to an ordinary arc), one simply allows the trans/3 facts to carry a 0 within the post-marking. Other nets can be encoded by changing the trans/3 facts and the initial_marking fact.

Based upon such a translation, [ref] pursued the idea that model checking of safety properties amounts to showing that there exists no trace which leads to an invalid state, i.e., exploiting the fact that $\forall \Box safe = \neg \exists \Diamond (\neg safe)$. Proving that no trace leads to a state where $\neg safe$ holds is then achieved by a semantics-preserving program specialisation and analysis technique. For this, an instance of Algorithm 3.1 was applied to several systems, followed by an abstract interpretation based upon [ref] (we will return to this later in the paper).



reachable(R) :- initial_marking(M), reachable(Tr,R,M).
reachable([],State,State).
reachable([Action|As],Reach,InState) :-
    trans(Action,InState,NewState), reachable(As,Reach,NewState).
trans(t1,[s(S1),S2],[0,s(S2)]).
trans(t2,[S1,s(S2)],[s(s(S1)),S2]).
initial_marking([s(0),0]).

Fig. 2. Encoding a Reset Petri net as a logic program

As was shown in [ref] this approach actually gives a decision procedure for coverability, (place-)boundedness, regularity of ordinary Petri nets. One can even establish a one-to-one correspondence between the Karp-Miller tree $KM(\Pi)$ and the global tree produced by (an instance of) partial deduction [ref].

As we have seen, boundedness is undecidable for Petri nets with reset arcs [ref] so the partial deduction approach, although guaranteed to terminate, will no longer give a decision procedure. (However, using default settings, ecce can actually prove that the particular reset net of Fig. 1 is bounded.)

But let us turn towards the covering problem, which is decidable, but using the backwards algorithm we presented in Section 2. To be able to use partial deduction on this problem it seems sensible to write an "inverse" interpreter for reset Petri nets. This is not very difficult, as shown in Fig. 3, exploiting the fact that logic programs can be run backwards.

We can use this program in Prolog to check whether a particular marking such as $(2, 0)$ can be reached from the initial marking:

| ?- search_initial(T,[s(s(0)),0]).

T = [t2,t1]

Unfortunately, we cannot in general solve covering problems using Prolog or even XSB-Prolog due to their inability to detect infinite failures. For example,
search_initial([],State) :- initial_marking(State).
search_initial([Action|As],InState) :-
    trans(Action,PredState,InState), search_initial(As,PredState).
trans(t1,[s(P1),P2],[0,s(P2)]).
trans(t2,[P1,s(P2)],[s(s(P1)),P2]).
initial_marking([s(0),0]).

Fig. 3. Backwards Interpreter for Reset Petri nets



the query ?- search_initial(T,[s(s(s(_X1))),_X2]), checking whether $(3, 0)$ can be covered from the initial situation, will loop in both Prolog and XSB-Prolog. However, the logic program and query are still a correct encoding of the covering problem: indeed, no instance of search_initial(T,[s(s(s(_X1))),_X2]) is in the least Herbrand model. Below, we will show how this information can be extracted from the logic program using partial deduction, even to the point of giving us a decision procedure.

We will denote by $\mathcal{L}(\Pi, M_0)$ the variation of the logic program in Fig. 3 encoding the particular (reset) Petri net $\Pi$ with the initial marking $M_0$.⁶



5 Coverability of Reset Petri Nets by Partial Deduction 

We will now apply our partial deduction algorithm to decide the covering prob- 
lem for reset Petri nets. For this we need to establish a link between markings 
and atoms produced by partial deduction. 

First, recall that an atom for partial deduction denotes all its instances. So, if during the partial deduction we encounter search_initial(T,[M1,...,Mk]) this represents all markings $(m_1, \ldots, m_k)$ such that for some substitution $\theta$ we have $\forall i : M_i\theta = \lceil m_i \rceil$. For example the term s(s(s(X))) corresponds to the set represented by the number 3 in Section 2 (where a number $n$ represents all numbers $m \ge n$). The following is a formalisation of the encoding of natural numbers as terms that will occur when specialising $\mathcal{L}(\Pi, M_0)$:

- $\lceil i \rceil = X$ if $i = 0$ and where $X$ is a fresh variable

- $\lceil i \rceil = s(\lceil i - 1 \rceil)$ otherwise

From now on, we also suppose that the order of the places in $M_0$ is the same as in the encoding in Figures 2 and 3, and we define $\lceil (m_1, \ldots, m_k) \rceil = [\lceil m_1 \rceil, \ldots, \lceil m_k \rceil]$.

Lemma 1. Let $M$ and $M'$ be two markings. Then:

1. $M \le M'$ iff $\lceil M \rceil$ is more general than $\lceil M' \rceil$.

2. $M \le M'$ iff $\lceil M \rceil \trianglelefteq \lceil M' \rceil$.

3. $M < M'$ iff $\lceil M \rceil$ is strictly more general than $\lceil M' \rceil$.

4. $\uparrow \{M\} = \{M' \mid \exists \theta$ with $\lceil M' \rceil = \lceil M \rceil \theta\}$.
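As an added example (not code from the paper), the encoding $\lceil \cdot \rceil$ and the instance-of relation between encoded markings in Python, checking parts 1, 3 and 4 of Lemma 1 exhaustively on a small box of markings; part 2 needs the embedding relation and is not repeated here. The term representation, the box bounds and the one-way matcher are this example's own assumptions. The block goes one step beyond the lemma and also evaluates the richer atom with shared variables that the text discusses next, search_initial(T,[s(X),s(s(X)),s(0)]), by matching it against exact (ground) encodings of markings.

```python
"""The encoding ⌈.⌉ of markings as terms, the instance-of relation on such
terms (parts 1, 3 and 4 of Lemma 1) and the richer atoms with shared variables
discussed right after the lemma.

Added example, not code from the paper.  Term representation (ours): a
variable is a str starting with an uppercase letter; any other term is a tuple
(functor, arg1, ..., argn); Prolog lists use the functor '.' and ('[]',)."""
import itertools


def is_var(t):
    return isinstance(t, str)


def plist(*items):
    out = ("[]",)
    for item in reversed(items):
        out = (".", item, out)
    return out


def encode_number(i, fresh):
    """⌈i⌉: a fresh variable for i = 0 (it stands for every number), else s(⌈i-1⌉)."""
    return f"X{next(fresh)}" if i == 0 else ("s", encode_number(i - 1, fresh))


def encode_marking(marking):
    """⌈(m1, ..., mk)⌉ = [⌈m1⌉, ..., ⌈mk⌉], each zero getting its own variable."""
    fresh = itertools.count()
    return plist(*[encode_number(m, fresh) for m in marking])


def ground_marking(marking):
    """The exact (ground) term for a marking: s^m(0) per place, no variables."""
    def s_n(m):
        return ("0",) if m == 0 else ("s", s_n(m - 1))
    return plist(*[s_n(m) for m in marking])


def match(pattern, term, subst):
    """One-way unification: extend subst so that pattern·subst == term, else None."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst


def is_instance(term, general):
    """term is an instance of general, i.e. general is at least as general as term."""
    return match(general, term, {}) is not None


def leq(a, b):
    return all(x <= y for x, y in zip(a, b))


def lemma1_holds(max_tokens=3, places=2):
    """Check parts 1 and 3 of Lemma 1 for every pair of markings in a small box."""
    box = list(itertools.product(range(max_tokens + 1), repeat=places))
    for m, m2 in itertools.product(box, box):
        tm, tm2 = encode_marking(m), encode_marking(m2)
        more_general = is_instance(tm2, tm)
        strictly = more_general and not is_instance(tm, tm2)
        if more_general != leq(m, m2) or strictly != (leq(m, m2) and m != m2):
            return False
    return True


def upward_closure(m, max_tokens):
    """Part 4: ↑{m}, restricted to a box, as the markings whose encoding is an
    instance of ⌈m⌉."""
    return {m2 for m2 in itertools.product(range(max_tokens + 1), repeat=len(m))
            if is_instance(encode_marking(m2), encode_marking(m))}


# search_initial(T,[s(X),s(s(X)),s(0)]) from the text: its second argument
# denotes all (m1, m2, m3) with m1 > 0, m2 = m1 + 1 and m3 = 1.
SHARED = plist(("s", "X"), ("s", ("s", "X")), ("s", ("0",)))


def denoted_by(pattern, places, max_tokens):
    """Markings in a box whose exact term is an instance of pattern."""
    return {m for m in itertools.product(range(max_tokens + 1), repeat=places)
            if is_instance(ground_marking(m), pattern)}


if __name__ == "__main__":
    print("Lemma 1 (1) and (3) on the box:", lemma1_holds())
    print("up-closure of (1,0) up to 2:   ", sorted(upward_closure((1, 0), 2)))
    print("denoted by the shared atom:    ", sorted(denoted_by(SHARED, 3, 4)))
```

Two details carry the lemma: every zero in a marking must get its own fresh variable (a shared variable would tie two places together and denote fewer markings), and the generality test must be one-way matching, not unification, since $\lceil (1, 0) \rceil$ and $\lceil (0, 1) \rceil$ unify without either being an instance of the other.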

⁶ To keep the presentation as simple as possible, contrary to [ref] we do not perform a preliminary compilation. We compensate for this by using a slightly more involved unfolding rule (in [ref] only a single unfolding step is performed).
We can now establish a precise relationship between the computation of $pb(.)$ and SLD-derivations of the above logic program translation:

Lemma 2. Let $\Pi$ be a Petri net with reset arcs, and $M$ be a marking for $\Pi$. Then $M_1 \in pb(M)$ iff there exists an incomplete SLD-derivation of length 2 for $\mathcal{L}(\Pi, M_0) \cup \{\leftarrow search\_initial(T, \lceil M \rceil)\}$ leading to $\leftarrow search\_initial(T', \lceil M_1 \rceil)$. Also, $M_0 \in \uparrow \{M\}$ iff there exists an SLD-refutation of length 2 for $\mathcal{L}(\Pi, M_0) \cup \{\leftarrow search\_initial(T, \lceil M \rceil)\}$.

However, partial deduction atoms are more expressive than markings: e.g., we can represent all $(m_1, m_2, m_3)$ such that $m_1 > 0$, $m_2 = m_1 + 1$, and $m_3 = 1$ by: search_initial(T,[s(X),s(s(X)),s(0)]). In other words, we can establish a link between the number of tokens in several places via shared variables and we can represent exact values for places.⁷ However, such information will never appear, because a) we start out with a term which corresponds exactly to a marking, b) we only deal with (reset) Petri nets and working backwards will yield a new term which corresponds exactly to a marking (as proven in Lemma 2), c) the generalisation will never be needed, because if our whistle based upon $\trianglelefteq$ blows then, by Lemma 1, the dangerous atom is an instance of an already processed one.⁸

Theorem 1. Let $\Pi$ be a Petri net with reset arcs with initial marking $M_0$ and let $P$ be the residual program obtained by Algorithm 3.2 applied to $\mathcal{L}(\Pi, M_0)$ and $\leftarrow search\_initial(T', \lceil M_c \rceil)$. Then $P$ contains facts iff there exists a marking $M'$ in $RT(\Pi)$ which covers $M_c$, i.e., $M' \ge M_c$.

The above theorem implies that when we perform a bottom-up abstract interpretation after partial deduction using, e.g., [ref] (as done in [ref]) we will be able to deduce failure of $\leftarrow search\_initial(T', \lceil M_c \rceil)$ if and only if $RT(\Pi)$ does not cover $M_c$! The following example illustrates this. When applying Algorithm 3.2 (using the ecce system) to specialise the program in Fig. 3 for $\leftarrow search\_initial(T', \lceil (3, 0) \rceil)$ we get:

/* Specialised Predicates:
search_initial__1(A,B,C) :- search_initial(C,[s(s(s(B))),A]).
search_initial__2(A,B) :- search_initial(B,[s(A),s(C1)]).
search_initial__3(A,B) :- search_initial(B,[A,s(s(C1))]). */

search_initial(A,[s(s(s(B))),C]) :- search_initial__1(C,B,A).
search_initial__1(A,B,[t2|C]) :- search_initial__2(B,C).
search_initial__2(s(A),[t2|B]) :- search_initial__3(A,B).
search_initial__3(0,[t1|A]) :- search_initial__2(B,A).
search_initial__3(s(s(A)),[t2|B]) :- search_initial__3(A,B).

⁷ More precisely, each atom represents a linear set $L \subseteq \mathbb{N}^k$ of markings $L = \{b + \sum_i m_i p_i \mid m_i \in \mathbb{N}\}$ with $b, p_i \in \mathbb{N}^k$ and the restriction that — (fi • ■ • 1 !)•

⁸ This also implies that a similar result to Theorem 1 for reset Petri nets might be obtained by using OLDT abstract interpretation in place of partial deduction.
After which the most specific version abstract interpretation [ref] implemented in ECCE will produce:

search_initial(A,[s(s(s(B))),C]) :- fail.

It turns out that Algorithm 3.2, when expanding the global tree $\gamma$ in a breadth-first manner, can actually mimic an improved version of the backwards algorithm from [ref] (see Section 2): provided that we improve the backwards algorithm to not compute $pb(.)$ of markings which are already covered, we obtain that the set of labels in $\gamma$ is $\{search\_initial(T, \lceil M \rceil) \mid M \in K_j\}$, where $K_j$ is the set obtained by the improved backwards algorithm.

6 Other Well-Structured Transition Systems 

Let us now turn to another well-known Petri net extension which does not violate the WSTS character [ref]: transfer arcs which enable transitions to transfer tokens from one place to another, doubling arcs which double the number of tokens in a given place, or any mixture thereof. Take for example the following simple fact:

trans(t3,[P1,s(P2)],[P2,P2]).

This transition employs a combination of a reset arc (removing the number of tokens P1 present in place 1) and a kind of transfer arc (transferring all but one token from place 2 to place 1). Transitions like these will not pose a problem to our partial deduction algorithm: it can be used as is as a decision procedure for the covering problem and Theorem 1 holds for this extended class of Petri nets as well. In fact, a similar theorem should hold for any post self-modifying net [ref] and even Reset Post G-nets [ref]. (However, the theorem is not true for Petri nets with inhibitor arcs.)

Another class of WSTS are basic process algebras (BPP's) [ref], a subset of CCS without synchronisation. Below, we try to analyse them using our partial deduction approach. Plugging the following definitions into the code of Fig. 3 we encode a process algebra with action prefix ., choice +, and parallel composition ||, as well as a process starting from (a.stop + b.stop) || c.stop:

trans(A,pre(A,P),P).
trans(A,or(X,_Y),XA) :- trans(A,X,XA).
trans(A,or(_X,Y),YA) :- trans(A,Y,YA).
trans(A,par(X,Y),par(XA,Y)) :- trans(A,X,XA).
trans(A,par(X,Y),par(X,YA)) :- trans(A,Y,YA).
initial_marking(par(or(pre(a,stop),pre(b,stop)),pre(c,stop))).

Compared to the WSTS's we have studied so far, the term representation of states gets much more complex (we no longer have lists of fixed length of natural numbers but unbounded process expressions). Our $\trianglelefteq$ relation is of course still a wqo on processes in this algebra, and it is also upwards compatible. Unfortunately we no longer have the nice correspondence between $\trianglelefteq$ and the instance-of relation (as in Lemma 1 for reset nets). For instance, we have $pre(a, stop) \trianglelefteq stop$, but $pre(a, stop)$ is not more general than $stop$ and partial deduction will not realise that it does not have to analyse $stop$ if it has already analysed $pre(a, stop)$ (indeed, in general it would be unsound not to examine $stop$). This means that the partial deduction approach will contain some "redundant" nodes. It also means that we cannot in general formulate covering problems as queries, although we can formulate reachability questions (for reset Petri nets we could do both). Nonetheless, specialising the above code using Algorithm 3.2 and [ref], e.g., for the reachability query search_initial(A,stop), we get:

search_initial(A,stop) :- fail.

This is correct: we can reach $stop \| stop$ but not $stop$ itself. However, despite the success on this particular example, we believe that to arrive at a full solution we will need to move to an abstract partial deduction algorithm [ref]: this will enable us to re-instate the correspondence between the wqo of the WSTS and the instance-of relation of the program specialisation technique, thus arriving at a full-fledged decision procedure.
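As an added example (not code from the paper), the five trans/3 clauses of the process-algebra encoding above as a Python transition function, with a forward search used to confirm the claim just made: from (a.stop + b.stop) || c.stop the process stop || stop is reachable while stop itself is not. The tuple representation of process terms and the search are this example's own assumptions; the search terminates only because this particular process is finite-state, which is precisely the limitation partial deduction is meant to overcome.

```python
"""Forward exploration of the process-algebra encoding above (action prefix
pre/2, choice or/2, parallel composition par/2, the inert process stop).

Added example, not code from the paper.  Process terms are Python tuples
(ours): ('stop',), ('pre', action, P), ('or', P, Q), ('par', P, Q).  The steps
function mirrors the five trans/3 clauses of the text; reachability is a
breadth-first search, which terminates only because this process is finite-state."""
from collections import deque

STOP = ("stop",)


def steps(proc):
    """All (action, successor) pairs of proc, in the clause order of the text."""
    tag = proc[0]
    if tag == "pre":                        # trans(A,pre(A,P),P).
        return [(proc[1], proc[2])]
    if tag == "or":                         # trans(A,or(X,_Y),XA) / trans(A,or(_X,Y),YA)
        return steps(proc[1]) + steps(proc[2])
    if tag == "par":                        # either component moves, the other is kept
        left = [(a, ("par", xa, proc[2])) for a, xa in steps(proc[1])]
        right = [(a, ("par", proc[1], ya)) for a, ya in steps(proc[2])]
        return left + right
    return []                               # stop has no transitions


def reachable(initial, max_states=10_000):
    """Every process term reachable from initial by some trace."""
    seen, queue = {initial}, deque([initial])
    while queue:
        p = queue.popleft()
        for _, q in steps(p):
            if q not in seen:
                seen.add(q)
                queue.append(q)
                if len(seen) > max_states:
                    raise RuntimeError("state space larger than max_states")
    return seen


def search_initial(initial, target):
    """Forward counterpart of the backwards query search_initial(T, target):
    a trace from initial to target, or None if target is unreachable."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        p = queue.popleft()
        if p == target:
            trace = []
            while parent[p] is not None:
                act, prev = parent[p]
                trace.append(act)
                p = prev
            return list(reversed(trace))
        for act, q in steps(p):
            if q not in parent:
                parent[q] = (act, p)
                queue.append(q)
    return None


# initial_marking(par(or(pre(a,stop),pre(b,stop)),pre(c,stop))) from the text
INITIAL = ("par", ("or", ("pre", "a", STOP), ("pre", "b", STOP)), ("pre", "c", STOP))

if __name__ == "__main__":
    print("reachable processes:", len(reachable(INITIAL)))
    print("trace to stop||stop:", search_initial(INITIAL, ("par", STOP, STOP)))
    print("trace to stop:      ", search_initial(INITIAL, STOP))
```

The four reachable processes are the initial one, stop || c.stop, (a.stop + b.stop) || stop and stop || stop; a bare stop never appears because parallel composition is never collapsed, which is the structural reason the specialised program above reduces search_initial(A,stop) to fail.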



7 Future Work and Conclusion 

One big advantage of the partial deduction approach to model checking is that it scales up to any formalism expressible as a logic program. More precisely, proper instantiations of Algorithm 3.1 will terminate for any system and will provide safe approximations of properties under consideration. However, as is to be expected, we might no longer have a decision procedure.

[ref] discusses how to extend the model checking approach to liveness properties and full CTL. Some simple examples are solved. E.g., the approach was applied to the manufacturing system used in [ref] and it was able to prove absence of deadlocks for parameter values of, e.g., 1, 2, 3. When leaving the parameter unspecified, the system was unable to prove the absence of deadlocks and produced a residual program with facts. And indeed, for parameter value > 9 the system can actually deadlock. The timings compare favourably with HyTech [ref].

Reachability can be decided in some but not all cases using the present partial deduction algorithm. In future we want to examine the relationship to Mayr's algorithm [ref] for ordinary Petri nets and whether it can be mimicked by abstract partial deduction [ref].

Finally, an important aspect of model checking of finite state systems is the 
complexity of the underlying algorithms. We have not touched upon this issue 
in the present paper, but plan to do so in future work. 

Conclusion. We have examined the power of partial deduction (and abstract interpretation) for a particular class of infinite state model checking tasks, namely covering problems for reset Petri nets. The latter are particularly interesting as they lie on the "border between decidability and undecidability" [ref]. We have proven that a well-established partial deduction algorithm based upon [ref] can be used as a decision procedure for these problems and we have unveiled a surprising correspondence with an existing algorithm from the Petri net area.

We have also shown that this property of partial deduction holds for other Petri net extensions which can be viewed as WSTS's. We have also studied other WSTS's from the process algebra arena. For these we have shown that, to arrive at a full-fledged decision procedure, we will need to move to the more powerful abstract partial deduction [ref].
Abstract. Binary logic programs can be obtained from ordinary logic programs by a binarizing transformation. In most cases, binary programs obtained by this way are less efficient than the original programs. Demoen [ref] showed an interesting example of a logic program whose computational behavior was improved if it was transformed to a binary program and then specialized by partial deduction.

The class of so called B-stratifiable logic programs is defined. It is shown 
that for every B-stratifiable logic program, binarization and subsequent 
partial deduction produce a binary program which usually has a better 
computational behavior than the original one. Both binarization and 
partial deduction can be automated. 



1 Introduction 

Binary clauses appear quite naturally when simulating computations of Turing machines by logic programs. Tarnlund (1977) [ref] introduced the concept of binary clauses. Sebelik and Stepanek (1982) [ref] constructed logic programs for recursive functions. It turned out that these programs were stratifiable. Moreover, it was possible to transform every such program to a binary logic program computing the same function, the length of computations of the resulting binary program being the same on every input.

Since then various binarizing transformations have been defined by Maher [ref], Stepankova and Stepanek [ref], Sato and Tamaki [ref] and by Tarau and Boyer [ref]. It is not difficult to show that the last three transformations produce programs with identical computational behavior.

While in the beginning binarization was a rather theoretical issue, later, with the advent of Prolog compilers for programs consisting of binary clauses, it found important applications. Paul Tarau built a PROLOG system called BinProlog [ref] that makes use of binarization. In a preprocessing phase, the Prolog program is binarized (see [ref]) and the binary program is compiled using BinWAM, a specialized version of the Warren Abstract Machine for binary programs. BinWAM is simpler than WAM and the size of the code of the binary program is reduced.

Hence, it is of practical use to investigate transformations changing a logic 
program to an equivalent binary logic program. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 116^^ 2000. 
The paper is organized as follows. Section 2 presents the above mentioned transformation of logic programs to binary logic programs. Section 3 deals with the problem of computational efficiency of binarized programs. In Section 4, B-stratifiable programs are introduced and it is proved that the transformation consisting of binarization and partial evaluation succeeds on these programs. This transformation usually leads to a computationally more efficient program.

We shall adopt the terminology and notation of [ref]. Let $H$ be an atom,

$\mathbb{A} = A_1, A_2, \ldots, A_m$ and $\mathbb{B} = B_1, B_2, \ldots, B_n$, $n, m \ge 0$

be (possibly empty) sequences of atoms. We restrict our attention to definite logic programs, hence programs consisting of clauses $H \leftarrow \mathbb{B}$ with the atom $H$ in the head and a sequence $\mathbb{B}$ of atoms in the body. If $\mathbb{B}$ is empty, we write simply $H$. A clause is called binary if it has at most one atom in the body. A program consisting of binary clauses is called binary.

A query is a sequence of atoms. Queries are denoted by $Q$ with possible subscripts. Computation of a logic program starts by a non-empty query and generates a possibly infinite sequence of queries by SLD-resolution steps. Maximal sequences of queries generated by this way are called SLD-derivations. Finite SLD-derivations are successful if they end with the empty query, otherwise they are failed.

In what follows, by an LD-resolvent we mean an SLD-resolvent with respect to the leftmost selection rule and by an LD-derivation we mean an SLD-derivation w.r.t. the leftmost selection rule. Similarly, an LD-tree is an SLD-tree w.r.t. the leftmost selection rule. A continuation is a data structure representing the rest of the computation to be performed [ref].



2 A Transformation to Binary Logic Programs 

We shall describe the transformation of definite logic programs to programs consisting of binary clauses. We define the functor $B_S$ transforming the queries and the clauses of the input program. The resulting binary program is completed by an additional clause $c_S$.

Let $q$ be a new unary predicate symbol. Given a logic program $P$,

(i) for a query

$Q = A_1, A_2, \ldots, A_n$

to $P$, let

$B_S(Q) = q([A_1, A_2, \ldots, A_n])$;

in particular, for the empty query, we put $B_S(\square) = q([])$.

(ii) for a clause

$C = H \leftarrow B_1, B_2, \ldots, B_n$

let

$B_S(C) = q([H \mid \mathit{Cont}]) \leftarrow q([B_1, B_2, \ldots, B_n \mid \mathit{Cont}])$

where $\mathit{Cont}$ is a continuation variable. In particular, if $C$ is a unit clause, then $B_S(C) = q([H \mid \mathit{Cont}]) \leftarrow q(\mathit{Cont})$.

(iii) the clause $c_S$ is $q([])$,

(iv) for a program $P$, we put

$B_S(P) = \{B_S(C) \mid C \in P\} \cup \{c_S\}$

Note that $c_S$ is the only unit clause of the binarized program; it provides the step $B_S(\square) \Rightarrow \square$ in successful SLD-derivations.

2.1 Example. Transformation of a program by clauses. The program

    a <- b,c.
    b <- d.
    c <- .
    d <- .

is transformed by $B_S$ to

    q([a|Cont]) <- q([b,c|Cont]).
    q([b|Cont]) <- q([d|Cont]).
    q([c|Cont]) <- q(Cont).
    q([d|Cont]) <- q(Cont).
    q([]).

3 Transformations and Binarization

3.1 Binarization Can Lead to More Efficient Programs

Contrary to what could be expected, namely that binarization can only slow down the computations of a program because extra arguments and extra computation steps are involved in the transformed program, binarization followed by partial deduction can in some cases speed up the computations of a program significantly. Demoen [?] was the first to present a case study of such behavior.

We will discuss why this transformation gives more efficient programs when applied to programs with certain syntactical features and why it leads to identical or worse programs if applied to other programs. Then, we will describe a class of programs on which this transformation succeeds.

It was shown in [?] that binarization transforms logic programs to stratified logic programs. It turns out that a sufficient condition for a logic program to be transformed into a computationally more efficient binary program can be stated in terms of the concept of stratifiability due to Sebelik and Stepanek [?].

3.1 Transformation Steps. Demoen [?] introduced the following steps of transformation of the SAMELEAVES program:

• binarization

• specialization w.r.t. continuation true

• unfolding with some final optimization steps such as removing duplicate variables

In our work, the second and the third steps were performed by the Mixtus partial evaluator [?]. This procedure gave the same result as that of Demoen, and in some other cases it produced programs which were both binary and more efficient than the original program.

We are going to investigate programs with the binary speed up behavior. 
First, we shall recall the SAMELEAVES program. 

3.2 Example. Program SAMELEAVES tests whether two binary trees have the same sequence of leaves, disregarding the structure of the compared trees. Trees with the same sequence of leaves need not be isomorphic.

Program SAMELEAVES

    sameleaves(leaf(L),leaf(L)).
    sameleaves(tree(T1,T2),tree(S1,S2)) :-
        getleaf(T1,T2,L,T),
        getleaf(S1,S2,L,S),
        sameleaves(S,T).
    getleaf(leaf(A),C,A,C).
    getleaf(tree(A,B),C,L,O) :- getleaf(A,tree(B,C),L,O).



As the first step of the transformation, we apply the binarizing functor $B_S$ from Section 2. The resulting program reads as follows

    q([sameleaves(leaf(L),leaf(L))|V]) :- q(V).
    q([sameleaves(tree(T1,T2),tree(S1,S2))|V]) :-
        q([getleaf(T1,T2,L,T),
           getleaf(S1,S2,L,S),
           sameleaves(S,T)|V]).
    q([getleaf(leaf(A),C,A,C)|V]) :- q(V).
    q([getleaf(tree(A,B),C,L,D)|V]) :-
        q([getleaf(A,tree(B,C),L,D)|V]).
    q([]).



3.3. Now we perform steps 2 and 3. Using Mixtus, the automated partial evaluator (Sahlin [?]), we partially evaluate the binarized program with the goal

    q([sameleaves(Tree1,Tree2)])

where the continuation is the empty query [], hence true.

Alternatively, we could perform the partial deduction step by step as Demoen did.

3.4. By these steps, we obtain the following program

    sameleaves1(leaf(A),leaf(A)).
    sameleaves1(tree(A,B),tree(C,D)) :- getleaf1(A,B,C,D).
    getleaf1(leaf(C),D,A,B) :- getleaf2(A,B,C,D).
    getleaf1(tree(A,D),E,B,C) :- getleaf1(A,tree(D,E),B,C).
    getleaf2(leaf(C),A,C,B) :- sameleaves1(A,B).
    getleaf2(tree(A,D),E,B,C) :- getleaf2(A,tree(D,E),B,C).

It was shown by Demoen that the resulting program is faster by approx. 40%.

3.5. The transformation is interesting for yet another reason. If we skip binarization and perform only partial deduction on the original non-binary program, we get only an identical copy of the logic program. On the other hand, by binarization and specialization w.r.t. continuation true, hence by adding no information, we get a computationally more efficient binary program by partial deduction.

The program FRONTIER below computes the frontier, i.e. the list of leaves of a binary tree. It gives an example that the above-described steps of binarization, specialization and partial deduction need not give any reasonable improvement. In this case, the automated partial deduction after binarization leads to a clearly worse program.

3.6 Example. FRONTIER

    frontier(leaf(X),[X]).
    frontier(nil,[]).
    frontier(tree(Left,Right,Label),Res) :-
        frontier(Left,L1),
        frontier(Right,R1),
        append(L1,R1,Res).
    append([],X,X).
    append([H|T],X,[H|Y]) :-
        append(T,X,Y).


If we perform the above steps on this program, we do not get a computationally more efficient program. We present below part of the output of the Mixtus partial evaluator:

3.6' Example. FRONTIER after binarization and partial evaluation

    q([frontier(A,B)]) :-
        'q.frontier1'(A,B).
    'q.frontier1'(tree(A,E,_),D) :-
        'q.frontier1'(A,B,frontier(E,C),[append(B,C,D)]).
    'q.frontier1'(leaf(C),[C],A,B) :-
        'q.1'(A,B).
    'q.frontier1'(nil,[],A,B) :-
        'q.1'(A,B).
    'q.frontier1'(tree(A,G,_),F,C,D) :-
        'q.frontier1'(A,B,frontier(G,E),[append(B,E,F),C|D]).
    'q.1'(frontier(leaf(B),[B]),A) :-
        q1(A).
    'q.1'(append([],B,B),A) :-
        q1(A).
    q1([frontier(leaf(B),[B])|A]) :-
        q1(A).
    q1([frontier(nil,[])|A]) :-
        q1(A).
    q1([frontier(tree(F,E,_),D)|A]) :-
        q1([frontier(F,B),frontier(E,C),append(B,C,D)|A]).
    q1([append([],B,B)|A]) :-
        q1(A).
    q1([append([E|B],C,[E|D])|A]) :-
        q1([append(B,C,D)|A]).

The length of the output program grows significantly during the partial deduction. It turns out that as the partial deduction system tries to specialize w.r.t. the continuations, it can never remove calls with a free continuation variable such as

    q1([append([],B,B)|A]) :-
        q1(A).

This is due to the fact that the size and structure of the continuation in this program depend on the inputs of the program.
Efficiency of Programs.

Pettorossi and Proietti [?] pointed out that inefficient computations of programs may be caused by the presence of so-called unnecessary variables. They define several types of such variables and describe a method of eliminating them by means of unfold/fold transformations. We shall refine the definition of unnecessary variables and describe methods to eliminate some of them.



3.7 Definition. Given a program $P$, an atom $H$ and a sequence of atoms $\mathbb{A}$ such that $H \leftarrow \mathbb{A}$ is a clause of $P$, let

$q([H \mid \mathit{Cont}]) \leftarrow q([\mathbb{A} \mid \mathit{Cont}])$

be the binarized version in $B_S(P)$ of the above clause. We call

(i) an existential variable a variable that occurs in the body and not in the head of the clause,

(ii) a body-multiple variable a variable occurring in several terms in the body of the clause,

(iii) an argument-multiple variable a variable that occurs more than once in a term in the body,

(iv) a continuation variable a variable that is introduced by binarization to hold a continuation, occurring e.g. in the contexts of $call(X)$, $q(X)$ or $q([\ldots \mid X])$ at the last argument position.

We call unnecessary all existential, body-multiple, argument-multiple and continuation variables.



Now we can analyze what happens during the transformation and distinguish these stages:

1. the original program possibly contains some existential, body-multiple and argument-multiple variables causing inefficiency;

2. the program is binarized. Hence body-multiple variables are converted into argument-multiple variables and continuation variables are introduced. The program may become even less efficient;

3. the program is specialized and continuation variables are removed;

4. it may be possible to remove other unnecessary variables, often up to the point where no unnecessary variables are left.

We say that the binarization + partial deduction transformation was successful if it eliminated the continuation variables. In fact, it has been observed that when the continuation variables of the binarized program are eliminated, the resulting program is as fast as the original one, or faster.
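The four variable classes of Definition 3.7 and the stage-2 effect just described (body-multiple variables turning into argument-multiple ones, a continuation variable appearing), as an added Python example that is not code from the paper. It assumes Prolog variables are upper-case identifiers, that a continuation variable is the tail of q([...|X]) or the sole argument of q(X), and represents a clause as a head string plus a list of body-atom strings; the small binarize helper follows $B_S$ of Section 2, and the constructed input is the second clause of SAMELEAVES.

```python
# Added example: classify clause variables per Definition 3.7, before and after
# binarization.  Assumes upper-case Prolog variables and that a continuation
# variable is the tail of q([...|X]) or the sole argument of q(X).
import re

VAR = re.compile(r"\b[A-Z][A-Za-z0-9_]*\b")
CONT = re.compile(r"^q\(([A-Z]\w*)\)$|^q\(\[.*\|\s*([A-Z]\w*)\]\)$")

def variables(term):
    """All variable occurrences in a term, in order (repeats kept)."""
    return VAR.findall(term)

def continuation_var(atom):
    """The continuation variable held by a binarized atom, or None."""
    m = CONT.match(atom)
    return (m.group(1) or m.group(2)) if m else None

def classify(head, body):
    """Existential, body-multiple, argument-multiple and continuation variables
    of the clause head :- body (body = list of atoms).  A variable may fall
    into several classes, as NewTree does in the FRONTIER1 example."""
    head_vars = set(variables(head))
    per_atom = [variables(a) for a in body]
    body_vars = {v for vs in per_atom for v in vs}
    return {
        "existential": body_vars - head_vars,
        "body_multiple": {v for v in body_vars if sum(v in vs for vs in per_atom) > 1},
        "argument_multiple": {v for vs in per_atom for v in vs if vs.count(v) > 1},
        "continuation": {v for v in map(continuation_var, [head, *body]) if v},
    }

def binarize(head, body, cont="Cont"):
    """B_S of Section 2 on one clause, returned as (head, [single body atom])."""
    if body:
        return f"q([{head}|{cont}])", [f"q([{','.join(body)}|{cont}])"]
    return f"q([{head}|{cont}])", [f"q({cont})"]

# Constructed input: the second clause of SAMELEAVES (Example 3.2).
HEAD = "sameleaves(tree(T1,T2),tree(S1,S2))"
BODY = ["getleaf(T1,T2,L,T)", "getleaf(S1,S2,L,S)", "sameleaves(S,T)"]

if __name__ == "__main__":
    print("original :", classify(HEAD, BODY))
    print("binarized:", classify(*binarize(HEAD, BODY)))
```

Run on the original clause, L, T and S come out as existential and body-multiple; on the binarized clause the same three variables are argument-multiple instead, and Cont is reported as the continuation variable, which is exactly the move from stage 1 to stage 2.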
4 B-Stratifiable Programs

In this section, we will define the class of B-stratifiable programs, prove that for this class of programs the transformation succeeds (i.e. it eliminates continuation variables) and claim that by further specialization some more unnecessary variables can be removed that cannot be eliminated by partial deduction alone.

The notion of a B-stratifiable program is stated in terms of the concept of stratifiable logic programs from [?].

4.1 Definition. We say that a program $P$ is B-stratifiable if there is a partition of the set of all predicates of $P$ into disjoint sets

$S_0, S_1, \ldots, S_n$ (2)

called strata, such that

(i) if a predicate $p \in S_i$ calls a predicate $q \in S_j$ in the same clause, then $i \geq j$, and

(ii) in any clause $H \leftarrow \mathbb{B}$ of $P$, the predicate symbol $p$ from the head $H$ calls at most one predicate $q$ from the same stratum in the body $\mathbb{B}$. In this case, $q$ is the predicate symbol of the rightmost atom in $\mathbb{B}$.

Then the partition (2) is called the stratification of $P$. □

4.2 Example. The program

    p <- q, p.
    q <- r, r.      (3)
    r.
    r <- q.         (4)

is not B-stratifiable because $q$ and $r$ are mutually dependent and hence in the same stratum, but in the body of (3) there are two calls to $r$. If we remove the clause (4), the program becomes B-stratifiable. It suffices to take the stratification $S_1 = \{r\}$, $S_2 = \{q\}$, $S_3 = \{p\}$.

It is easy to check that the program SAMELEAVES is B-stratifiable while the program FRONTIER is not.
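An added Python example, not code from the paper, that implements the binarizing functor $B_S$ of Section 2 and decides B-stratifiability per Definition 4.1 for clauses given in Prolog syntax. It takes the strata to be the strongly connected components of the predicate call graph, which is the finest partition condition (i) allows; that this choice is without loss of generality is an inference from the definition, not something the paper states. The parser assumes one clause per line, no comments and no '.' inside terms, and the binarizer assumes no variable is already named Cont. The constructed inputs are the programs of Examples 4.2, 3.2 (SAMELEAVES) and 3.6 (FRONTIER).

```python
# Added example: B_S of Section 2 and the B-stratifiability test of Definition 4.1
# over clauses in Prolog syntax (one clause per line, no '.' inside terms).

def split_top_level(body):
    """Split a clause body at the commas separating its atoms, i.e. at commas
    that are not nested inside parentheses or list brackets."""
    atoms, cur, depth = [], [], 0
    for ch in body:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            atoms.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return atoms + [tail] if tail else atoms

def parse_program(text):
    """Return the program as a list of (head, [body atoms]) pairs."""
    clauses = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            head, _, body = line.rstrip(".").partition(":-")
            clauses.append((head.strip(), split_top_level(body)))
    return clauses

def pred(atom):
    return atom.split("(", 1)[0].strip()   # predicate symbol of an atom

def binarize_clause(head, body, cont="Cont"):
    """B_S(C): q([H|Cont]) :- q([B1,...,Bn|Cont]); a unit clause gives q([H|Cont]) :- q(Cont)."""
    if body:
        return f"q([{head}|{cont}]) :- q([{','.join(body)}|{cont}])."
    return f"q([{head}|{cont}]) :- q({cont})."

def binarize_program(clauses):
    return [binarize_clause(h, b) for h, b in clauses] + ["q([])."]   # plus c_S = q([])

def call_graph(clauses):
    g = {}   # pred -> set of preds it calls in some clause body
    for head, body in clauses:
        g.setdefault(pred(head), set()).update(pred(a) for a in body)
        for a in body:
            g.setdefault(pred(a), set())
    return g

def reachable(g, start):
    seen, stack = set(), [start]
    while stack:
        for n in g[stack.pop()]:
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen

def strata(clauses):
    """pred -> stratum.  Mutually dependent predicates must share a stratum by
    condition (i), so the strongly connected components are the finest admissible
    partition; merging components only adds same-stratum calls, so if this
    partition violates (ii) every coarser one does too."""
    g = call_graph(clauses)
    reach = {p: reachable(g, p) for p in g}
    return {p: frozenset(r for r in g if r == p or (r in reach[p] and p in reach[r])) for p in g}

def b_stratifiable(clauses):
    """Definition 4.1 (ii): at most one body atom in the head's stratum, and then
    it is the rightmost atom.  Returns (True, None) or (False, offending clause)."""
    s = strata(clauses)
    for head, body in clauses:
        same = [i for i, a in enumerate(body) if s[pred(a)] == s[pred(head)]]
        if len(same) > 1 or (same and same[0] != len(body) - 1):
            return False, (head, body)
    return True, None

# Constructed inputs: the programs of Examples 4.2, 3.2 and 3.6.
EXAMPLE_4_2 = "p :- q, p.\nq :- r, r.\nr.\nr :- q.\n"
SAMELEAVES = """sameleaves(leaf(L),leaf(L)).
sameleaves(tree(T1,T2),tree(S1,S2)) :- getleaf(T1,T2,L,T), getleaf(S1,S2,L,S), sameleaves(S,T).
getleaf(leaf(A),C,A,C).
getleaf(tree(A,B),C,L,O) :- getleaf(A,tree(B,C),L,O)."""
FRONTIER = """frontier(leaf(X),[X]).
frontier(nil,[]).
frontier(tree(Left,Right,Label),Res) :- frontier(Left,L1), frontier(Right,R1), append(L1,R1,Res).
append([],X,X).
append([H|T],X,[H|Y]) :- append(T,X,Y)."""

if __name__ == "__main__":
    for name, src in [("Example 4.2", EXAMPLE_4_2), ("SAMELEAVES", SAMELEAVES), ("FRONTIER", FRONTIER)]:
        ok, witness = b_stratifiable(parse_program(src))
        print(name, "is B-stratifiable" if ok else f"is not B-stratifiable, witness {witness}")
    print("\n".join(binarize_program(parse_program(SAMELEAVES))))
```

The witness returned for Example 4.2 is the clause (3), q :- r, r, and for FRONTIER it is the recursive frontier clause with its two same-stratum calls; dropping clause (4) from Example 4.2 makes the check pass, as the text says.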

4.3. On B-stratifiable programs, the transformation consisting of binarization and partial deduction succeeds. B-stratifiable programs can be transformed with binarization and partial deduction into programs that are usually more efficient. This is due to the fact that the number of atoms in continuations is bounded. To prove this we shall need some definitions.

4.4 Definition. Let $P$ be a logic program, $A$ an atom and let

$\mathbb{A} = A_1, \ldots, A_n$

be a sequence of atoms. Let

$A \Rightarrow \mathbb{A}$

be an LD-resolution step of $P \cup \{A\}$. We say that each atom $A_i \in \mathbb{A}$, $1 \leq i \leq n$, is an immediate successor of $A$ and write $A \Rightarrow A_i$. Let $\Rightarrow^*$ be the reflexive and transitive closure of the immediate successor relation $\Rightarrow$. If $A \Rightarrow^* B$, we say that $B$ is a successor of $A$. □

4.5 Lemma. Let $P$ be a B-stratifiable logic program, let

$S_0, S_1, \ldots, S_n$ (5)

be a stratification of $P$ and let $A$ be an atom with a predicate symbol from the highest stratum $S_n$. Let $m$ be the maximum number of atoms in the body of a clause from $P$ and let $\xi$ be an arbitrary LD-derivation of $P \cup \{A\}$. Then $A$ has at most $n \cdot m$ successors in every LD-resolvent of $\xi$. In general, if $A$ is an atom with a predicate symbol from a stratum $S_k$, $1 \leq k \leq n$, then $A$ has at most $k \cdot m$ successors in every LD-resolvent in $\xi$. Hence $n \cdot m$ is a bound on the number of successors of an arbitrary atom in every LD-resolvent in $\xi$. □

4.6 Corollary. Let $P$ be a B-stratifiable program with a B-stratification (5). Let $Q$ be a query to $P$ and $\xi$ an arbitrary LD-derivation of $P \cup \{Q\}$. Let $A$ be an atom in $Q$ with a predicate symbol from the $k$-th stratum $S_k$, $0 \leq k \leq n$. Then $A$ has at most $k \cdot m$ successors in every LD-resolvent in $\xi$. □

4.7 Claim. The length of a continuation in any LD-resolvent of the binarized program $B_S(P) \cup \{B_S(Q)\}$ is equal to the length of the corresponding LD-resolvent of $P \cup \{Q\}$ minus 1. □

Proof. It is easy to see that for any LD-resolvent $A_1, A_2, \ldots, A_n$ of $P \cup \{Q\}$, the corresponding continuation in the binarized program is $[A_2, \ldots, A_n]$. □

4.8 Theorem. Let $P$ be a program and $A$ an atom. Assume that there is a bound on the number of atoms in all continuations in computations of $B_S(P) \cup \{B_S(A)\}$; then there is a bound on the number of sequences of predicate symbols in continuations that occur in any computation of $B_S(P) \cup \{B_S(A)\}$, too. □

4.9 Lemma. Let $P$ be a program and $A$ an atom. Assume that there is a bound on the number of sequences of predicate symbols in continuations that occur in any computation of $B_S(P) \cup \{B_S(A)\}$. Then it is possible to partially evaluate $B_S(P)$ w.r.t. $B_S(A)$ so that the resulting program will not contain any continuation variables.

Proof. In order to prove this lemma, we will compute a partial evaluation of $B_S(P)$ w.r.t. a set $\mathcal{A}$ to eliminate continuation variables. Later on, another specialization will be performed. (This splitting of the specialization into two stages is needed only for the proof of the lemma.)
Elimination of Continuation Variables

We can eliminate the continuation variables by specializing the program $B_S(P)$ to the value [] (true) of the variable $\mathit{Cont}$. As the program $B_S(P)$ is binary, we can use an instance of the general partial deduction of Lloyd and Shepherdson [?] to remove the continuation variables. To this purpose, it is sufficient to compute (incomplete) SLD-trees to depth one.

To make sure that the condition of so-called $\mathcal{A}$-closedness, which guarantees that the specialized program computes the same set of answers, is satisfied, we use a generalization operator in the construction of the set $\mathcal{A}$.

4.10 Definition. Let

$Q = p_1(t_1, t_2, \ldots), p_2(t_{j_2}, t_{j_2+1}, \ldots), \ldots, p_n(t_{j_n}, \ldots)$ (7)

be a general (non-binary) query. We define a generalization operator $Gen$ which replaces each term $t_i$ by a new variable $X_i$. We put

$Gen(Q) = p_1(X_1, X_2, \ldots), p_2(X_{j_2}, X_{j_2+1}, \ldots), \ldots, p_n(X_{j_n}, \ldots)$

We say that $Gen(Q)$ is a sequence of pure atoms. For a binarized query

$Q_1 = B_S(Q) = q([p_1(t_1, t_2, \ldots), p_2(t_{j_2}, t_{j_2+1}, \ldots), \ldots, p_n(t_{j_n}, \ldots)])$

we put

$G(Q_1) = G(B_S(Q)) := B_S(Gen(Q)) = q([p_1(X_1, X_2, \ldots), p_2(X_{j_2}, X_{j_2+1}, \ldots), \ldots, p_n(X_{j_n}, \ldots)])$;

in particular, $G(q([])) = q([])$.

4.11 Algorithm 1.

Input: Binarized program $B_S(P)$ and the top-level query $q([p(X_1, \ldots, X_n)])$
Output: A program New_Prog with no continuation variables

I. $\mathcal{A} := \{\}$,
To_be_evaluated $:= \{q([p(X_1, X_2, \ldots, X_n)])\}$,
Prog $:= \{\}$

II. While To_be_evaluated $\neq \{\}$ do

a) take an atom $a \in$ To_be_evaluated;
$\mathcal{A} := \mathcal{A} \cup \{a\}$;

b) compute the partial deduction of $B_S(P) \cup \{a\}$ obtaining an incomplete SLD-tree of depth 1 (i.e. perform one unfolding step);
$R :=$ the set of resultants;
$B :=$ the set of bodies of resultants from $R$.
It follows from the fact that the program $B_S(P)$ is binary that all elements of $B$ are atoms.

c) Prog $:=$ Prog $\cup R$;
To_be_evaluated $:=$ (To_be_evaluated $\cup\ G(B)) - \mathcal{A}$

III. Renaming. We shall define a functor $Ren$ which renames each atom

$q([p_1(t_1, t_2, \ldots), p_2(t_{j_2}, t_{j_2+1}, \ldots), \ldots, p_n(t_{j_n}, \ldots)])$ (8)

in Prog to

$q\_p_1\_p_2\_\ldots\_p_n(t_1, t_2, \ldots, t_{j_2}, t_{j_2+1}, \ldots, t_{j_n}, \ldots)$ (8')

obtaining the program New_Prog.

As (8) is obtained from (7) by the binarizing functor $B_S$, we can define a functor $R$ that transforms the sequences of atoms in the language of $P$ (the queries to $P$) to the atoms in the language of New_Prog as follows. For a query $Q$ to $P$, we put

$R(Q) := Ren(B_S(Q))$

Hence

$R(Q) = q\_p_1\_p_2\_\ldots\_p_n(t_1, t_2, \ldots, t_{j_2}, t_{j_2+1}, \ldots, t_{j_n}, \ldots)$



4.12 Theorem. If $P$ is a B-stratifiable program and $Q$ a pure atom, then Algorithm 1 terminates on the input $B_S(P) \cup \{B_S(Q)\}$. The LD-derivations of New_Prog $\cup \{R(Q)\}$ give the same set of computed answer substitutions as the LD-derivations of $P \cup \{Q\}$.

Proof. Termination. Algorithm 1 terminates if the set To_be_evaluated of goals for partial deduction is empty. The elements of this set are pure atoms obtained by application of the generalization functor $G$. To guarantee the so-called $\mathcal{A}$-closedness condition of partial deduction (see [?]), each goal evaluated by partial deduction is removed from To_be_evaluated and put into $\mathcal{A}$. The goals from the set $G(B) - \mathcal{A}$ are added to To_be_evaluated, where $B$ is the set of goals from the bodies of resultants obtained by partial deduction. It follows from the definition of $G$ that it maps any two goals with the same sequence of predicate symbols to the same atom. We assumed that $P$ is a B-stratifiable program, hence it follows from Lemma 4.5 and Theorem 4.8 that there is a bound on the number of sequences of predicate symbols in continuations that occur in any resultant obtained by partial deduction of $B_S(P) \cup \{Q\}$, where $Q$ is a goal from To_be_evaluated. It follows that after a finite number of steps To_be_evaluated is empty and the computation of the algorithm terminates.

Equivalence of computed answer substitutions holds due to Lloyd and Shepherdson [?]. □
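Algorithm 1 run on the predicate-symbol abstraction that its termination proof relies on, as an added Python example that is not code from the paper. Since $G$ maps every goal to the sequence of its predicate symbols, the worklist behaviour of Algorithm 1 depends only on those sequences; the example therefore represents a goal $q([p_1(\ldots), \ldots, p_n(\ldots)])$ as the tuple (p1, ..., pn), a program as a mapping from each predicate to the predicate sequences of its clause bodies, and $G$ as the identity. The names unfold_once, algorithm1 and render, the 0-ary renaming q for q([]) and the max_goals cut-off are this example's own choices; the constructed inputs abstract Example 2.1, SAMELEAVES and FRONTIER.

```python
# Added example: Algorithm 1 (Section 4.11) on the predicate-symbol abstraction.
# A goal q([p1,...,pn]) is the tuple (p1,...,pn); a program maps each predicate
# to the list of its clause bodies, each body being a list of predicate symbols.

def unfold_once(prog, goal):
    """One unfolding step (an SLD-tree of depth 1) for the binarized goal.
    Each clause p1 <- B1,...,Bk of P, binarized to q([p1|Cont]) :- q([B1,...,Bk|Cont]),
    yields the resultant body q([B1,...,Bk,p2,...,pn]).  The goal q([]) resolves
    only with the unit clause c_S = q([]) and has no body."""
    if not goal:
        return []
    return [tuple(body) + goal[1:] for body in prog.get(goal[0], [])]

def ren(goal):
    """Renaming (8') on the abstraction: q([p1,...,pn]) -> q_p1_..._pn.
    The paper does not fix a name for q([]); here it is the 0-ary 'q' (assumption)."""
    return "q_" + "_".join(goal) if goal else "q"

def algorithm1(prog, top, max_goals=200):
    """Returns (New_Prog, A): the renamed resultants as (head, body-or-None) pairs
    and the set A of goals that were partially deduced.  G is the identity on
    this abstraction, so steps II and III are applied directly.  If more than
    max_goals distinct goals appear, the predicate-symbol sequences in the
    continuations are unbounded and Algorithm 1 would not terminate."""
    evaluated, todo, new_prog = set(), [top], []
    while todo:
        a = todo.pop()                        # II a) take an atom from To_be_evaluated
        evaluated.add(a)                      #       A := A u {a}
        if not a:                             # q([]) matches c_S: a unit resultant
            new_prog.append((ren(a), None))
        for body in unfold_once(prog, a):     # II b) resultants a :- body
            new_prog.append((ren(a), ren(body)))   # III renaming
            if body not in evaluated and body not in todo:
                todo.append(body)             # II c) (To_be_evaluated u G(B)) - A
        if len(evaluated) > max_goals:
            raise RuntimeError("unbounded continuations: Algorithm 1 does not terminate")
    return new_prog, evaluated

def render(new_prog):
    """New_Prog as Prolog-style clause text."""
    return [f"{h} :- {b}." if b else f"{h}." for h, b in new_prog]

# Constructed inputs: predicate-symbol abstractions of programs from the paper.
EXAMPLE_2_1 = {"a": [["b", "c"]], "b": [["d"]], "c": [[]], "d": [[]]}
SAMELEAVES = {"sameleaves": [[], ["getleaf", "getleaf", "sameleaves"]],
              "getleaf": [[], ["getleaf"]]}
FRONTIER = {"frontier": [[], [], ["frontier", "frontier", "append"]],
            "append": [[], ["append"]]}

if __name__ == "__main__":
    cases = [("Example 2.1", EXAMPLE_2_1, ("a",)),
             ("SAMELEAVES", SAMELEAVES, ("sameleaves",)),
             ("FRONTIER", FRONTIER, ("frontier",))]
    for name, prog, top in cases:
        try:
            new_prog, evaluated = algorithm1(prog, top)
            print(f"{name}: {len(evaluated)} goals\n  " + "\n  ".join(render(new_prog)))
        except RuntimeError as e:
            print(f"{name}: {e}")
```

On SAMELEAVES the output has the shape of the program in 3.4: q_sameleaves, q_getleaf_getleaf_sameleaves and q_getleaf_sameleaves correspond to sameleaves1, getleaf1 and getleaf2, with the arguments abstracted away. On FRONTIER the goals keep getting longer (frontier, frontier, append, then frontier, frontier, append, frontier, append, and so on), which is the unbounded case of the non-B-stratifiable program that the cut-off reports.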
4.13. Some redundant occurrences of unnecessary variables of a B-stratifiable program $P$ can be eliminated during partial evaluation after binarization. □



This is done by a renaming operation. The body-multiple variables of a program become argument-multiple variables during binarization, and then their redundant occurrences can be eliminated by renaming. This operation is performed by standard partial deduction systems. Then further elimination can be performed by the FAR procedure [?].

Example: Consider a clause of the FRONTIER1 program

    frontl(tree(Left,Right),[L|Ls]) :-
        getleaf(Left,Right,NewTree,L),
        frontl(NewTree,Ls).

In this clause, the variable NewTree is both body-multiple and existential. After binarization and partial deduction, the clause becomes

    frontl(tree(Left,Right),[L|Ls]) :-
        gf(Left,Right,NewTree,L,Ls).

Here, NewTree has become an argument-multiple variable and one of its occurrences has been eliminated by renaming. Then, using the FAR procedure, even the last occurrence of NewTree can be eliminated:

    frontl(tree(Left,Right),[L|Ls]) :-
        gf(Left,Right,L,Ls).


5 Results and Comparison

We have shown that binarization + partial deduction succeeds when applied to B-stratifiable programs, and produces programs that are usually more efficient than the original programs. It might seem that the class of B-stratifiable programs is relatively small. However, it turns out that it is possible to transform some programs to a B-stratifiable form. The program FRONTIER served us as an example of a program that is not B-stratifiable. It is possible, though, to write another program, FRONTIER1, with equivalent semantics, which is B-stratifiable:

    frontl(leaf(X),[X]).
    frontl(tree(Left,Right),[L|Ls]) :-
        getleaf(Left,Right,NewTree,L),
        frontl(NewTree,Ls).
    getleaf(leaf(A),Tree,Tree,A).
    getleaf(tree(Left,Right),Rest_tree,Out_tree,L) :-
        getleaf(Left,tree(Right,Rest_tree),Out_tree,L).



We have experimented with a set of programs taken from [?], [?], [?] and [?]. Some of them were B-stratifiable, some of them had a B-stratifiable companion.
Listings of the programs can be found at 
ittD : //hti .ms .mtt . cuni . cz/ hruza/ Dinar izatio: 

The results are presented in the table below.

                          run time (ms)                     speed up
    program             orig   B-strat  bin-pd   B-strat/orig  bin-pd/orig  bin-pd/B-strat
    sameleaves           990      -       756         -           1.31           -
    frontier            1575     690      477        2.28         3.32          1.45
    permutation         2800      -      2304         -           1.22           -
    double-append       1453      -      1407         -           1.03           -
    rotate-leftdepth     408     518      526        0.79         0.78          0.99
    rotate-prune         232     266      320        0.87         0.73          0.83

The first column gives the name of the program; the next three columns give the run times (in milliseconds) for the original program, for its B-stratifiable companion (if the original itself is not B-stratifiable), and for the binarized and partially deduced version of the program. The run times are computed as an average over 5 runs on different data. The last three columns present the speed-ups of the B-stratifiable companion w.r.t. the original program, of the binarized and partially deduced program w.r.t. the original one, and of the binarized and partially deduced program w.r.t. the B-stratifiable companion of the original program.

The transformation of the FRONTIER program gives the best results of the presented programs. The transformation to the B-stratifiable companion program FRONTIER1 removed the calls to the APPEND program and this resulted in a reasonable speed-up. Then, further speed-up is achieved by binarization, partial deduction and unnecessary variable elimination. The SAMELEAVES program contained an unnecessary variable that was eliminated by binarization and partial deduction, which improved the computational behavior of the program. There were also non-B-stratifiable programs whose computational behaviour deteriorated after a transformation to a B-stratifiable program and binarization with partial deduction (e.g. ROTATE_PRUNE and ROTATE_LEFTDEPTH). It seems that this was due to the fact that during the transformation to a B-stratifiable program, new data structures such as a stack were introduced which could not later be eliminated from these programs. Nor did we succeed in eliminating unnecessary variables. The methods of transformation of logic programs to the B-stratifiable form and the corresponding methods of elimination of variables are a matter of further research.



Binary Speed Up for Logic Programs 129 



Binarization and Partial Deduction and Other Approaches

It turns out that the reason why binarized and partially evaluated programs are more efficient is the elimination of unnecessary variables. It is useful to compare this approach with two other approaches to eliminating unnecessary variables.

1) Unfold/fold transformations to remove unnecessary variables from a program were introduced by Pettorossi and Proietti in [?]. They consist in repeated applications of unfolding, definition and folding on clauses that contain unnecessary variables. This approach is general and applicable to all programs; however, it is difficult to control. Binarization + partial evaluation is applicable only to B-stratifiable programs, but is more straightforward and can be easily automated. Both binarization and partial deduction can be expressed in terms of unfold/fold transformations.

2) Another, more recent approach to the elimination of unnecessary variables is conjunctive partial deduction [?]. Unlike traditional partial deduction, which considers only atoms for partial deduction, conjunctive partial deduction attempts to specialize entire conjunctions of atoms. This approach is closely related to binarization + partial deduction. There is a difference, however. In the present approach, a program is first binarized and hence does not contain any conjunctions. Then standard partial deduction can be used. In conjunctive partial deduction, by contrast, the conjunctions are left in place and the system decides on splitting conjunctions into appropriate subconjunctions. This approach may be somewhat more difficult to control, but it gives greater flexibility and applicability.

It seems that binarization + partial deduction and conjunctive partial deduction yield similar results when applied to some B-stratifiable programs.
A New Module System for Prolog*

Abstract. It is now widely accepted that separating programs into modules is useful in program development and maintenance. While many
Prolog implementations include useful module systems, we argue that 
these systems can be improved in a number of ways, such as, for exam- 
ple, being more amenable to effective global analysis and transformation 
and allowing separate compilation or sensible creation of standalone ex- 
ecutables. We discuss a number of issues related to the design of such an 
improved module system for Prolog and propose some novel solutions. 
Based on this, we present the choices made in the Ciao module system, 
which has been designed to meet a number of objectives: allowing sepa- 
rate compilation, extensibility in features and in syntax, amenability to 
modular global analysis and transformation, enhanced error detection, 
support for meta-programming and higher-order, compatibility to the 
extent possible with official and de-facto standards, etc. 

Keywords: Modules, Modular Program Processing, Global Analysis 
and Transformation, Separate Compilation, Prolog, Ciao-Prolog. 



1 Introduction 

Modularity is a basic notion in modern computer languages. Modules allow dividing programs into several parts, which have their own independent name spaces and a clear interface with the rest of the program. Experience has shown that there are at least two important advantages to such program modularization. The first one is that being able to look at parts of a program in a more or less isolated way allows a divide-and-conquer approach to program development and maintenance. For example, it allows a programmer to develop or update one module at a time, or several programmers to work on different modules in parallel. The second advantage is in efficiency: tools which process programs can be more efficient if they can work on a single module at a time. For example, after a change to a program module the compiler needs to recompile only that module (and perhaps a few related modules). Another example is a program verifier which is applied to one module at a time and does its job assuming some properties of other modules. Also, modularity is one of the fundamental principles behind object-oriented programming.

* This work was supported in part by the “EDIPIA” (CICYT TIC99-1151) and “ECCOSIC” (Fulbright 98059) projects. The authors would like to thank Francisco Bueno and the anonymous referees for their useful comments on previous versions of this document. The Ciao system is a collaborative international effort and includes contributions from members of several institutions, which are too many to mention here: a complete list can be found in the Ciao system documentation.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 131 ff., 2000.
© Springer-Verlag Berlin Heidelberg 2000

The topic of modules and logic programming has received considerable attention (see, for example, [?]). Currently, many popular Prolog systems such as Quintus [?] and SICStus [?] include module systems which have proved very useful in practice.¹ However, these practical module systems also have a series of shortcomings, especially with respect to effectively supporting separate program compilation, debugging, and optimization.

Our objective is to discuss from a practical point of view a number of issues related to the design of an improved module system for Prolog and, based on this, to present the choices made in the module system of Ciao Prolog [?].² Ciao Prolog is a next-generation logic programming system which, among other features, has been designed with modular incremental compilation, global analysis, debugging, and specialization in mind. The module system has been designed to stay as similar as possible to the module systems of the most popular Prolog implementations and the ISO-Prolog module standard currently being finished, but with a number of crucial changes that achieve the previously mentioned design objectives. We believe that it would not be difficult to incorporate these changes in the ISO-Prolog module standard or in other module systems. The rest of the paper proceeds as follows: Section 2 discusses the objectives of the desired module system and Section 3 discusses some of the issues involved in meeting these objectives. The following section then describes the Ciao Prolog module system. Within that section, a subsection discusses some enhancements to standard Prolog syntax extension facilities. Finally, a further section describes the notion of packages, a flexible mechanism for implementing modular language extensions and restrictions, which emerges naturally from the module system design. An example of a package is provided which illustrates some of the advantages of this design. Because of space restrictions and because the focus is on the motivations behind the choices made, the presentation is informal.

2 Objectives in the Design of the Ciao Module System 

We start by stating the main objectives that we have had in mind during the 
design of the Ciao module system: 

— Allowing modular (separate) and efficient compilation. This means that it should be possible to compile (or, in general, process) a module without having to compile the code of the related modules. This allows, for example, having pre-compiled (pre-processed, in general) system or user-defined libraries. It also allows the incremental and parallel development of large software projects.

¹ Surprisingly, though, it is also true that a number of Prolog systems do not have any module system at all.

² The Ciao system can be downloaded from http://www.clip.dia.fi.upm.es/Software
— Local extensibility/restriction, in features and in syntax. This means that it should be possible to define syntactic and semantic extensions and restrictions of the language in a local way, i.e., so that they affect only selected modules. This is very important in the context of Ciao, since one of its objectives is to serve as an experimental workbench for new extensions to logic programming (provided that they can be translated to the core language).

— Amenability to modular global analysis. We foresee a much larger role for global analysis of logic programs, not only in the more traditional application of optimization [?] but also in new applications related to program development, such as automated debugging, validation, and program transformation [?]. This is especially important in Ciao because the program development environment already includes a global analysis and transformation tool (ciaopp, the Ciao preprocessor [?]) which performs these tasks and which in our experience to date has shown to be an invaluable help in program development and maintenance.

— Amenability to error detection. This means that it should be possible to check statically the interfaces between the modules and detect errors such as undefined predicates, incompatible arities and types, etc.

— Support for meta-programming and higher-order. This means that it should be possible to do meta- and higher-order programming across modules without too much burden on the programmer. Also, in combination with the previous point, it should be possible to detect errors (such as calls to undefined predicates) on sufficiently determined higher-order calls.

— Compatibility with official and de-facto standards. To the extent possible (i.e., without giving up other major objectives to fulfill this one) the module system should be compatible with those of popular Prolog systems (e.g., Quintus/SICStus) and official standards, such as the core ISO-Prolog standard and the current drafts of the ISO-Prolog module standards [?]. This is because it is also a design objective of Ciao that it be (thanks to a particular set of libraries which is loaded by default) a standard Prolog system. This is in contrast to systems like Mercury or Goedel which are more radical departures from Prolog. This means that the module system will be (at least by default) predicate-based rather than atom-based (as in XSB and BIM [?]), i.e., it will provide separation of predicate symbols, but not of atom names. Also, the module system should not require the language to become strongly typed, since traditional Prologs are untyped.³



3 Discussion of the Main Issues Involved 



None of the module systems used by current Prolog implementations fulfill all of 
the above stated objectives, and some include characteristics which are in clear 
opposition to such objectives. Thus, we set out to develop an improved design. 
We start by discussing a number of desirable characteristics of the module system 
in order to fulfill our objectives. Amenability to global analysis and being able to 
deal with the core ISO-Prolog standard features were discussed at length in 
previous work, where many novel solutions to the problems involved were 
proposed. However, the emphasis of that paper was not on modular analysis. 
Herein, we will choose from some of the solutions proposed there and provide 
further solutions for the issues that are more specific to modular analysis and 
to separate compilation. 

3 Note however, that this does not prevent having voluntary type declarations or more 
general assertions, as is indeed done in Ciao. 

— Syntax, flags, etc. should be local to modules. The syntax or mode of com- 
pilation of a module should not be modified by unrelated modules, since 
otherwise separate compilation and modular analysis would be impossible. 
Also, it should be possible to use different syntactic extensions (such as op- 
erator declarations or term expansions) in different modules without them 
interacting. I.e., it should be possible to use the same operator in different 
modules with different precedences and meanings. In most current module 
systems for Prolog this does not hold because syntactic extensions and com- 
pilation parameters (e.g., Prolog flags) are global. As a result, a module can 
be compiled in radically different ways depending on the operators, expan- 
sions, Prolog flags, etc. set by previously loaded modules or simply typed 
into the top level. Also, using a syntactic extension in a module prevents 
the use of, e.g., the involved operators in other modules in a different way, 
making the development of optional language extensions very complicated. 
In conclusion, we feel that directives such as op/3 and set_prolog_flag/2 
must be local to a module. 

— The entry points of a module should be statically defined. Thus, the only 
external calls allowed from other modules should be to exported predicates. 
Note that modules contain code which is usually related in some way to that 
of other modules. A good design for a modular program should produce a 
set of modules such that each module can be understood independently of 
the rest of the program and such that the communication (dependencies) 
among the different modules is as reduced as possible. By a strict module 
system we refer to one in which a module can only communicate with other 
modules via its interface (this interface usually contains data such as the 
names of the exported predicates). Other modules can only use predicates 
which are among the ones exported by the considered module. Predicates 
which are not exported are not visible outside the module. Many current 
module systems for Prolog are not strict and allow calling a procedure of 
a module even if it is not exported by the module. This clearly defeats the 
purpose of the module system and, in addition, has a catastrophic impact 
on the precision of global analysis, precluding many program optimizations. 
Thus, we feel that the module system should be strict. 

4 Unfortunately, lack of space prevents us from making detailed comparisons with 
other individual module systems. Instead, we discuss throughout the paper advantages 
and disadvantages of particular solutions present in different current designs. 

5 We concentrate here on the design of the module system. The issue of how this 
module system is applied to modular analysis is addressed in more detail in 

— Module qualification is for disambiguating predicate names, not for changing 
naming context. This is a requirement of separate compilation (processing) 
since otherwise to compile (process) a module it may be necessary to know 
the imports/exports of all other modules. As an example, given a call m:p 
( “call p in module m” ) , with the proposed semantics the compiler only needs 
to know the exports of module m. If qualification meant changing naming 
context, since module m can import predicate p from another module, and 
that module from another, the interfaces of all those modules would have 
to be read. Furthermore, in some situations changing naming context could 
invalidate the strictness of the module system. 

— Module text should not be in unavailable or unrelated parts. This means 
that all parts of a module should be within the module itself or directly 
accessible at the time of compilation, i.e., the compiler must be able to 
automatically and independently access the complete source of the module 
being processed. 

— Dynamic parts should be isolated as much as possible. Dynamic code modification, 
such as arbitrary runtime clause addition (by the use of assert-like 
predicates), while very useful in some applications, has the disadvantage that 
it adds new entry points to predicates which are not “visible” at compile-time 
and is thus very detrimental to global analysis. One first idea is to 
relegate such predicates to a library module, which has to be loaded explicitly. 
In that way, only the modules using those functionalities have to be 
specially handled, and the fact that such predicates are used can be determined 
statically. Also, in our experience, dynamic predicates are very often 
used only to implement “global variables”, and for this purpose a facility for 
adding facts to the program suffices. This simpler feature, provided that this 
kind of dynamic predicates are declared as such explicitly in the source, poses 
no big problems to modular global analysis. To this end, Ciao provides a set 
of builtins for adding and deleting facts to a special class of dynamic predicates, 
called “data predicates” (asserta_fact/1, retract_fact/1, etc.), 
which are declared as “:- data ...” (similar kinds of dynamic predicates 
are mentioned in the literature). Furthermore, the implementation of such data 
predicates can be made much more efficient than that of the normal dynamic 
predicates, due to their restricted nature. 

— Most “built-ins” should be in libraries which can be loaded and/or unloaded 
from the context of a given module. This is a requirement related to 
extensibility and also to more specific needs, such as those of the previous 
point, where it was argued that program modification “built-ins” should be 
relegated to a library. The idea is to have a core language with very few 
predefined predicates (if any) and which should be a (hopefully pure) subset of 
ISO-Prolog. This makes it possible to develop alternative languages defining, 
for example, alternative I/O predicates, and to use them in a given module 
while others perhaps use full ISO-Prolog. It also makes it easier to produce 
small executables. 

6 Note that this is not the case with the classical user files used in non-modular Prolog 
systems: code used by a user file may be in a different user file with no explicit relation 
with the first one (there is no usage declaration that allows relating them). 

7 Note, however, that in Ciao, to preserve compatibility for older programs, a special 
case is implemented: if no library modules are explicitly loaded, then all the modules 
containing the ISO predicates are loaded by default. 

— Directives should not be queries. Traditionally, directives (clauses starting 
with “:-”) were executed by the Prolog interpreter as queries. While this 
makes some sense in an interpretative environment, where program compilation, 
load (linking), and startup are simultaneous, it does not in other 
environments (and, specially, in the context of separate compilation) in which 
program compilation, linking, and startup occur at separate times. For example, 
some of the directives used traditionally are meant as instructions for 
the compiler while, e.g., others are used as initialization goals. Fortunately, 
this is well clarified in the current ISO standard, where declarations 
are clearly separated from initialization goals. 

— Meta-predicates should be declared, at least if they are exported, and the dec- 
laration must reflect the type of meta-information handled in each argument. 
This is needed in order to be able to perform a reasonable amount of error 
checking for meta-predicates and also to be able to statically resolve meta- 
calls across modules in most cases. 
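As an added illustration of three of the points above (strictness, data predicates as "global variables", and directives that are declarations or initialization goals rather than queries), the following module is example code written for this edited version, not code from the paper or from the Ciao distribution. The module name, the predicate names and the assumption that a data predicate may be given an initial fact in the source are ours; the builtins asserta_fact/1 and retract_fact/1 and the ":- data" declaration are the ones the text names.

```prolog
% counter.pl (added example; not part of the paper or of Ciao itself)
:- module(counter, [next/1, reset/0]).

% Declared explicitly as a data predicate: the only run-time modification of
% the program this module can perform is adding or removing counter/1 facts.
% A compiler or the global analyzer sees this statically; no clause with a
% body can ever be added, unlike with a general assert/1.
:- data counter/1.

% Initial fact in the source (assumed allowed, as for dynamic predicates).
counter(0).

% next(-N): hand out the current value and advance the counter.
% retract_fact/1 fails if there is no counter/1 fact, so next/1 fails too.
next(N) :-
    retract_fact(counter(N)),
    N1 is N + 1,
    asserta_fact(counter(N1)).

% reset/0: start again from zero. The fact may be absent (a previous
% retract_fact/1 without a matching asserta_fact/1), so remove it only
% if present, then install a fresh one.
reset :-
    ( retract_fact(counter(_)) -> true ; true ),
    asserta_fact(counter(0)).

% Not exported: under a strict module system no other module can call it,
% not even as counter:bump/0, since qualification only disambiguates names.
bump :- next(_).

% A directive is a declaration or an initialization goal, never a query run
% while the file is being read: this goal runs when the program starts.
:- initialization(reset).
```

Because counter/1 is declared in the source, a tool such as ciaopp can determine statically that this module is the only one that modifies it, which is exactly what the text argues arbitrary assert-style modification makes impossible.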

4 The Ciao Module System 

Given the premises of previous sections, we now proceed to present their 
concretization in the Ciao module system. 

4.1 General Issues 

Defining Modules: The source of a Ciao module is typically contained in a single 
file, whose name must be the same as the name of the module, except that it 
may have an optional .pl extension. Nevertheless, the system allows inclusion 
of source from another file at a precise point in the module, by using the 
ISO-Prolog “:- include” declaration. In any case, such included files must 
be present at the time of processing the module and can for all purposes be 
considered as an integral part of the module text. The fact that the file contains 
a module (as opposed to, e.g., being a user file, see below) is flagged by the 
presence of a “:- module(...)” declaration at the beginning of the file. 

For the reasons mentioned in Section 2 the Ciao module system is, as in 
most logic programming system implementations, predicate-based (but only by 
default, see below). This means that non-exported predicate names are local 
to a module, but all functor and atom names in data are shared. We have 
found that this choice does provide the needed capabilities most of the time, 
without imposing too much burden on the user or on the implementation. The 
advantage of this, other than compatibility, and probably the reason why this 
option has been chosen traditionally, is that it is more concise for typical Prolog 
programs in which many atoms and functors are shared (and would thus have 
to be exported in an atom-based system). On the other hand, it forces having to 
deal specially with meta-programming, since in that case functors can become 
predicate names and vice-versa. It can also complicate having truly abstract data 
types in modules. The meta-predicate problem is solved in Ciao through suitable 
declarations (see Section 4.4). Also, in order to allow defining truly abstract data 
types in Ciao, it is possible to hide atom/functor names, i.e., make them local to 
a module, by means of “:- hide ...” declarations, which provide an automatic 
renaming of such symbols. This does not prevent a program from creating data 
of that type if meta-predicates such as “=..” are loaded and used, but it does 
prevent creating and matching such data using unification. Thus, in contrast to 
predicate names, which are local unless explicitly exported, functor and atom 
names are exported by default unless a “:- hide” declaration is used. 

Imports, Exports, and Reexports: A number of predicates in the module can 
be exported, i.e., made available outside the module, via explicit “:- export” 
declarations or in an export list in the “:- module(...)” declaration. It is also 
possible to state that all predicates in the module are exported. 

It is possible to import a number of individual predicates or also all predicates 
from another module, by using “:- use_module” declarations. In any case it 
is only possible to import from a module predicates that it exports. It is possible 
to import a predicate which has the same name/arity as a local predicate. It 
is also possible to import several predicates with the same name from different 
modules. This applies also to predicates belonging to implicitly-imported modules, 
which play the role of the built-ins in other logic programming systems. 
In Ciao there are really no “built-ins”: all system predicates are (at least 
conceptually) defined in libraries which have to be loaded for these predicates to 
be accessible to the module. However, for compatibility with ISO, a set of these 
libraries implementing the standard set of ISO builtins is loaded by default. 

A module m1 can reexport another module, m2, via a “:- reexport” declaration. 
The effect of this is that m1 exports all predicates of m2 as if they had been 
defined in m1 in the same way as they are defined in m2. This allows implementing 
modules which extend other modules (or, in object-oriented terms, classes which 
inherit from other classes). It is also possible to reexport only some of the 
predicates of another module, by providing an explicit list in the “:- reexport” 
declaration, restricting that module. 

In Ciao it is possible to mark certain predicates as being properties. Examples 
of properties are regular types, pure properties (such as sorted), instantiation 
properties (such as var, indep, or ground), computational properties (such as 
det or fails), etc. Such properties, since they are actually predicates, can be 
exported or imported using the same rules as any other predicate. Imported 
properties can be used in assertions (declarations stating certain characteristics 
of the program, such as, e.g., preconditions and postconditions) in the same 
way as locally defined ones. This allows defining, e.g., the abstract data types 
mentioned above. This is discussed in more detail in the descriptions of the Ciao 
assertion language and the Ciao preprocessor. 

8 This feature of being able to hide functor and atom names is not implemented in 
the distribution version of Ciao as of the time of writing of this paper (Vers. 1.4). 

Visibility Rules: The predicates which are visible in a module are the predicates 
defined in that module plus the predicates imported from other modules. 
It is possible to refer to predicates with or without a module qualification. 
A module-qualified predicate name has the form module:predicate as in the 
call lists:append(A,B,C). We call default module for a given predicate name 
the module which contains the definition of the predicate which will be called 
when using the predicate name without module qualification, i.e., when calling 
append(A,B,C) instead of lists:append(A,B,C). Module qualification makes 
it possible to refer to a predicate from a module which is not the default for that 
predicate name. 

We now state the rules used to determine the default module of a given 
predicate name. If the predicate is defined in the module in which the call occurs, 
then this module is the default module. I.e., local definitions have priority over 
imported definitions. Otherwise, the default module is the last module from 
which the predicate is imported in the module text. Also, predicates which are 
explicitly imported (i.e., listed in the importation list of a use_module) have 
priority over those which are imported implicitly (i.e., imported when importing 
all predicates of a module). As implicitly-imported modules are considered to 
be imported first, the system allows the redefinition of “builtins”. By combining 
implicit and explicit imports it is also possible not only to redefine builtins, but 
also to extend them, a feature often used in the implementation of many Ciao 
libraries. Overall, the rules are designed so that it is possible to have a similar 
form of inheritance to that found in object-oriented programming languages 
(in Ciao this also allows supporting a class/object system naturally as a simple 
extension of the module system). It is not possible to access predicates which 
are not imported from a module, even if module qualification is used and even 
if the module exports them. It is also not possible to define clauses of predicates 
belonging to other modules, except if the predicate is defined as dynamic and 
exported by the module in which it is defined. 

Additional rules govern the case when a module redefines predicates that it 
also reexports, which allows making specialized modules which are the same as 
a reexported module but with some of the predicates redefined as determined by 
local predicate definitions (i.e., instances of a module/class, in object-oriented 
terms; see the Ciao manual for details). 
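The export, import, reexport and default-module rules of this section, as an added example written for this edited version (not code from the paper, the Ciao libraries or the Ciao manual). The three modules shapes, boxes and geometry and their predicates are invented for illustration; the “:- module(Name, Exports)”, “:- use_module(Module)”, “:- use_module(Module, List)” and “:- reexport(Module, List)” forms are assumed to be the concrete syntax of the declarations the text describes.

```prolog
% --- shapes.pl ---  (added example, not Ciao library code)
:- module(shapes, [area/2, perimeter/2]).

area(square(S), A) :- A is S*S.
perimeter(square(S), P) :- P is 4*S.

% Not exported: no other module can call it, not even as shapes:pi_approx/1,
% because qualification only disambiguates names, it does not grant access.
pi_approx(3.14159).

% --- boxes.pl ---  extends area/2 with a new shape, in the OO style of the text.
:- module(boxes, [area/2]).

:- use_module(shapes, [area/2]).   % explicit import of shapes:area/2

% The local definition has priority over the imported one, so an unqualified
% area/2 inside this module is boxes:area/2. The imported predicate is still
% reachable through qualification, which is what makes the extension work.
area(box(W, H), A) :- !, A is W*H.
area(Shape, A) :- shapes:area(Shape, A).

% --- geometry.pl ---  a client that combines both.
:- module(geometry, [report/2]).

:- use_module(shapes).              % implicit import of everything shapes exports
:- use_module(boxes, [area/2]).     % explicit import of boxes:area/2

% Clients of geometry also get perimeter/2, as if it were defined here,
% but not area/2 from shapes (restricted reexport).
:- reexport(shapes, [perimeter/2]).

% Default module of area/2 here: boxes, because an explicit import has
% priority over an implicit one (and implicit imports count as imported
% first). Default module of perimeter/2: shapes, the only one providing it.
report(Shape, area(A)-perimeter(P)) :-
    area(Shape, A),                          % boxes:area/2: box/2 and square/1
    ( perimeter(Shape, P) -> true ; P = unknown ).

% Both of these are rejected when geometry is compiled, by reading only the
% interfaces of shapes and boxes:
%   shapes:pi_approx(X)      pi_approx/1 is not exported by shapes
%   boxes:perimeter(S, P)    perimeter/2 is neither exported nor defined by boxes
```

Nothing here needs the code of shapes or boxes to compile geometry: the exports listed in their module declarations are enough, which is the separate-compilation property the qualification rule in Section 3 was chosen to preserve.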

4.2 User Files and Multifile Predicates 

For reasons mainly of backwards compatibility with non-modular Prolog systems, 
there are some deviations from the visibility rules above which are common 
to other modular logic programming systems: the “user” module and 
multifile predicates. 
User Files: To provide backwards compatibility with non-modular code, all code 
belonging to files which have no module declaration is assumed to belong to a 
single special module called “user”. These files are called “user files”, as 
opposed to calling them modules (or packages, see later). All predicates in the 
user module are “exported”. It is possible to make unrestricted calls from any 
predicate defined in a user file to any other predicate defined in another user 
file. However, and differently to other Prolog systems, predicates imported from 
a normal module into a user file are not visible in the other user files unless they 
are explicitly imported there as well. This at least allows performing separate 
static compilation of each user file, as all static predicate calls in a file are defined 
by reading only that file. Predicates defined in user files can be visible in regular 
modules, but such modules must explicitly import the “user” module, stating 
explicitly which predicates are imported from it. 

The use of user files is discouraged because, apart from losing the separation 
of predicate names, their structure makes it impossible to detect many errors 
that the compiler detects in modules by looking at the module itself (and perhaps 
the interfaces of related modules). As an example, consider detecting undefined 
predicates: this is not possible in user files because a missing predicate in a user 
file may be defined in another user file and used without explicitly importing it. 
Thus, it is only possible to detect a missing predicate by examining all user files 
of a project, which is itself typically an unknown (and, in fact, not even in this 
way, since that predicate could even be meant to be typed in at the top level 
after loading the user files!). Also, global analysis of user files typically involves 
considerable loss of precision because all predicates are possible entry points. 
Note that it is often just as easy and flexible to use modules which export all 
predicates in place of user files (by simply adding a “:- module” header to 
the file), while being able to retain many of the advantages of modules. 

Multifile Predicates: Multifile predicates are a useful feature (also defined in ISO- 
Prolog) which allows a predicate to be defined by clauses belonging to different 
files (modules in the case of Ciao). To fit this in with the module system, in Ciao 
these predicates are implemented as if belonging to a special module multifile. 
However, calls present in a clause of a multifile predicate are always to visible 
predicates of the module where that clause resides. As a result, multifile predi- 
cates do not pose special problems to the global analyzer (which considers them 
exported predicates) nor to code processing in general. 
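The multifile rule above (clauses may live in several modules, but the calls in each clause resolve in the module that contains it) as an added example written for this edited version, not code from the paper or from Ciao. The plugin and dispatcher modules and their predicates are invented; the ISO “:- multifile Name/Arity” declaration is the one the text refers to.

```prolog
% --- plugin_a.pl ---  (added example, not Ciao library code)
:- module(plugin_a, []).

:- multifile handler/2.

% handler/2 belongs to the special module multifile, but the body call to
% decode/2 is resolved where this clause resides: it is plugin_a:decode/2,
% which is local and not exported.
handler(ping, Reply) :- decode(ping, Reply).

decode(ping, pong).

% --- plugin_b.pl ---
:- module(plugin_b, []).

:- multifile handler/2.

% Same predicate name decode/2, a different (private) definition: the two
% plugins cannot interfere with each other's helpers.
handler(echo(X), Reply) :- decode(X, Reply).

decode(X, echoed(X)).

% --- dispatcher.pl ---
:- module(dispatcher, [dispatch/2]).

% Loading the plugins is what contributes their handler/2 clauses; they
% export nothing, so nothing else of theirs becomes visible here.
:- use_module(plugin_a).
:- use_module(plugin_b).

:- multifile handler/2.

% The analyzer treats handler/2 as an exported predicate, i.e., as having
% unknown callers, but each clause body is still ordinary statically resolved
% code, so no special handling is needed.
dispatch(Msg, Reply) :-
    ( handler(Msg, Reply) -> true ; Reply = unhandled(Msg) ).

% dispatch(ping, R)        gives R = pong
% dispatch(echo(hi), R)    gives R = echoed(hi)
% dispatch(other, R)       gives R = unhandled(other)
```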

4.3 Dynamic Modules 

The module system described so far is quite flexible but it is static, i.e., except in 
user files, it is possible to determine statically the set of imports and exports of a 
given module and the set of related modules, and it is possible to statically resolve 
to which module each call in the program refers. This has many advantages: 
modular programs can be implemented with no run-time overhead with respect 
to a non-modular system and it is also possible to perform extensive static 
analysis for optimization and error detection. However, in practice it is sometimes 
very useful to be able to load code dynamically and call it. In Ciao this is fully 
supported, but only if the special library dynmods which defines the appropriate 
builtins (e.g., use_module) is explicitly loaded (dynmods actually reexports a 
number of predicates from the compiler, itself another library). This can then 
be seen by compile-time tools which can act more conservatively if needed. Also, 
the adverse effects are limited to the module which imports the compiler. 



4.4 Dealing with Meta-calls 

As mentioned before, the fact that the Ciao module system is predicate-based 
forces having to deal specially with meta-programming, since in that case functors 
can become predicate names and vice-versa. This problem is solved in Ciao, 
as in similar systems, through meta_predicate declarations which specify 
which arguments of predicates contain meta-data. However, because of the richer 
set of higher-order facilities and predicate types provided by Ciao, there is 
a correspondingly richer set of types of meta-data (this also allows more error 
detection): 

goal: denotes a goal (either a simple or a complex one) which will be called. 

clause: denotes a clause, of a dynamic predicate, which will be asserted/ 
retracted. 

fact: denotes a fact (a head-only clause), of a data predicate. 

spec: denotes a predicate name, given as a Functor/Arity term (this kind of 
meta-term is used somewhat frequently in builtin predicates, but seldom in 
user-defined predicates). 

pred(N): denotes a predicate construct to be called by means of a call/N 
predicate call. That is, it should be an atom equal to the name of a predicate 
of arity N, a structure with functor the name of a predicate of arity M 
(greater than N) and with M-N arguments, or a predicate abstraction with 
N arguments. 

addmodule: this in fact is not a real meta-data specification. Rather, it is used 
to pass, along with the predicate arguments, the calling module, to allow handling 
more involved meta-data (e.g., lists of goals) by using conversion builtins. 

The compiler, by knowing which predicates have meta-arguments, can verify 
if there are undetermined meta-calls (which for example affect the processing 
when performing global analysis), or else can determine (or approximate) the 
calls that these meta-arguments will produce. 

9 A full explanation of this type of meta-term is outside the scope of this paper. 

10 This is a “low-level” solution, which can be a reasonable overall solution for systems 
without a type system. The higher-level solution in Ciao involves the combination 
of the type and meta-data declarations (currently in progress). 
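The meta-argument kinds pred(N), goal and fact in use, as an added example written for this edited version (not code from the paper or from Ciao). The module hof and its predicates are ours; library(lists) is assumed to export length/2 and member/2 as in a standard Ciao installation. The addmodule form is not shown, since the text does not name the conversion builtins it relies on.

```prolog
% --- hof.pl ---  (added example, not Ciao library code)
:- module(hof, [map_list/3, count_solutions/2, remember/1]).

:- use_module(library(lists), [length/2]).

% pred(2): the first argument names a predicate that will receive two more
% arguments through call/3. The declaration travels with the export, so when
% a client writes  map_list(double, Xs, Ys)  its compiler can resolve `double`
% to client:double/2, and report it as undefined if the client never defines
% or imports such a predicate (the "sufficiently determined" case of Section 2).
:- meta_predicate map_list(pred(2), ?, ?).

map_list(_, [], []).
map_list(P, [X|Xs], [Y|Ys]) :-
    call(P, X, Y),
    map_list(P, Xs, Ys).

% goal: the first argument is a complete goal to be called. The compiler marks
% this as a meta-call site; a goal it cannot determine statically (one built
% at run time, say) is where global analysis has to become conservative.
:- meta_predicate count_solutions(goal, ?).

count_solutions(Goal, N) :-
    findall(yes, Goal, Solutions),
    length(Solutions, N).

% fact: the argument is a head-only clause of a data predicate. The client
% must declare that predicate with ":- data"; the fact is stored under the
% client's predicate, not under one belonging to hof.
:- meta_predicate remember(fact).

remember(Fact) :-
    asserta_fact(Fact).

% Use from another module (constructed for illustration):
%   :- use_module(hof).
%   :- use_module(library(lists), [member/2]).
%   :- data seen/1.
%   double(X, Y) :- Y is 2*X.
%   demo(Ys, N) :-
%       map_list(double, [1,2,3], Ys),        % Ys = [2,4,6], double resolved statically
%       count_solutions(member(_, Ys), N),    % N = 3
%       remember(seen(Ys)).                   % adds the fact seen([2,4,6]) to client
```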
4.5 Modular Syntax Enhancements 

Traditionally (and also now in the ISO standard), Prolog systems have 
included the possibility of changing the syntax of the source code by the use 
of the op/3 builtin/directive. Furthermore, in many Prolog systems it is also 
possible to define expansions of the source code (essentially, a very rich form of 
“macros”) by allowing the user to define (or extend) a predicate typically called 
term_expansion/2. This is usually how, e.g., definite clause grammars 
(DCG’s) are implemented. 

However, these features, in their original form, pose many problems for mod- 
ular compilation or even for creating sensible standalone executables. First, the 
definitions of the operators and expansions are global, affecting a number of files. 
Furthermore, which files are affected cannot be determined statically, because 
these features are implemented as a side-effect, rather than a declaration, and 
they are meant to be active after they are read by the code processor (top-level, 
compiler, etc.) and remain active from then on. As a result, it is impossible 
by looking at a source code file to know if it will be affected by expansions or 
definitions of operators, which may completely change what the compiler really 
sees. Furthermore, these definitions also affect how a compiled program will read 
terms (when using the term I/O predicates), which will also be affected by op- 
erators and expansions. However, in practice it is often desirable to use a set of 
operators and expansions in the compilation process (which are typically related 
to source language enhancements) and a completely different set for reading or 
writing data (which can be related to data formatting or the definition of some 
application-specific language that the compiled program is processing). Finally, 
when creating executables, if the compile-time and run-time roles of expansions 
are not separated, then the code that defines the expansions must be included 
in the executable, even if it was only meant for use during compilation. 

To solve these problems, in Ciao we have redesigned these features so that it 
is still possible to define source translations and operators but they are local to 
the module or user file defining them. Also, we have implemented these features 
in a way that has a well defined behavior in the context of a stand-alone compiler 
(the Ciao compiler, ciaoc). In particular, the directive load_compilation_module/1 
allows separating code that will be used at compilation time from code 
which will be used at run-time. It loads the module defined by its argument into 
the compiler (if it has not been already loaded). It differs from the use_module/1 
declaration in that the latter defines a use by the module being compiled, but 
does not load the code into the compiler itself. This distinction also holds in the 
Ciao interactive top-level, in which the compiler (which is the same library used 
by ciaoc) is also a separate module. 

In addition, in order to make the task of writing expansions easier, the 
effects usually achieved through term_expansion/2 can be obtained in Ciao by 
means of four different, more specialized directives, which, again, affect only the 
current module. Each one defines a different target for the translations, the first 
being equivalent to the term_expansion/2 predicate which is most commonly 
included in Prolog implementations. The argument for all of them is a predicate 
indicator of arity 2 or 3. When reading a file, the compiler (actually, the general 
purpose module processing library) invokes these translation predicates 
at the appropriate times, instantiating their first argument with the item to be 
translated (whose type varies from one kind of predicate to the other). If the 
predicate is of arity 3, the optional third argument is also instantiated with the 
name of the module where the translation is being done, which is sometimes 
needed during certain expansions. If the call to the expansion predicate is 
successful, the term returned by the predicate in the second argument is used to 
replace the original. Else, the original item is kept. The directives are: 

11 Note that, nevertheless, writing interesting and powerful translations is not 
necessarily a trivial task. 

add_sentence_trans/l : Declares a translation of the terms read by the com- 
piler which affects the rest of the current text (module or user file) . For each 
subsequent term (directive, fact, clause, ...) read by the compiler, the trans- 
lation predicate is called to obtain a new term which will be used by the 
compiler in place of the term present in the file. An example of this kind of 
translation is that of DCG’s. 

add_term_trans/l : Declares a translation of the terms and sub-terms read by 
the compiler which affects the rest of the current text. This translation is 
performed after all translations defined by add_sentence_trans/l are done. 
For each subsequent term read by the compiler, and recursively any subterm 
included in such a term, the translation predicate is called to possibly obtain 
a new term to replace the old one. Note that this is computationally intensive, 
but otherwise very useful to define translations which should affect any term 
read. For example, it is used to define records (feature terms), in the Ciao 
standard library argnames. 

add_goal_trans/l : Declares a translation of the goals present in the clauses 
of the current text. This translation is performed after all translations de- 
fined by add_sentence_trans/l and add_term_trans/l are done. For each 
clause read by the compiler, the translation predicate is called with each goal 
present in the clause to possibly obtain another goal to replace the original 
one, and the translation is subsequently applied to the resulting goal. Note 
that this process is aware of meta_predicate definitions. In the Ciao system, 
this feature is used for example in the functions library which provides 
functional syntax, as functions inside a goal add new goals before that one. 
add_clause_trans/l : Declares a translation of the clauses of the current text. 
The translation is performed before add_goal_trans/l translations but af- 
ter add_sentence_trans/l and add_term_trans/l translations. This kind 
of translation is defined for more involved translations and is related to the 
compiling procedure of Ciao. The usefulness of this translation is that infor- 
mation on the interface of related modules is available when it is performed, 
but on the other hand it must maintain the predicate defined by each clause, 
since the compiler has already made assumptions regarding which predicates 
are defined in the code. For example, the object-oriented extension of Ciao 
(O’Ciao) uses this feature. 
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c(D,B) findall(l(S,D) , cf(B,D,S), Ls) , cl(0, Ls) . 
sentence_trans 

— — — term_trans 

clause_trans 

goaLtrans 

Fig. 1. Subterms to which each translation type is applied in a clause 

Figure 1 shows, for an example clause of a program, to which subterms each
type of translation would be applied, and also the order of translations. The
principal functor of the head in the clause translation is dashed because the
translation cannot change it.

Finally, there is another directive in Ciao related to syntax extension, whose
raison d'être is the parametric and extensible nature of the compiler framework:
new_declaration/1 (there is also a /2 variant). Note that in ISO-Standard
Prolog declarations cannot be arbitrary Prolog goals. Thus, the Ciao compiler
flags an error if a declaration is found which is not in a predefined set. A
declaration new_declaration(Decl) can be used to declare that Decl is a valid
declaration in the rest of the current text (module or user file). Such
declarations are simply ignored by the compiler or top level, but can be used by
other code processing programs. For example, in the Ciao system, program
assertions and machine-readable comments are defined as new declarations and
are processed by the ciaopp preprocessor and the lpdoc [] automatic documentor.

5 Packages 

Experience using the Ciao module system shows that the local nature of syntax 
extensions and the distinction between compile-time and run-time work results 
in the libraries defining extensions to the language having a well defined and 
repetitive structure. These libraries typically consist of a main source file which 
defines only some declarations (operator declarations, declarations loading other 
modules into the compiler or the module using the extension, etc.). This file is 
meant to be included as part of the file using the library, since, because of their 
local effect, such directives must be part of the code of the module which uses 
the library. Thus, we will call it the "include file". Any auxiliary code needed
at compile-time (e.g., translations) is included in a separate module which is
to be loaded into the compiler via a load_compilation_module directive which
is placed in the include file. Also, any auxiliary code to be used at run-time
is placed in another module, and the corresponding use_module declaration is
also placed in the include file. Note that while this run-time code could also 
be inserted in the include file itself, it would then be replicated in each module 
that uses the library. Putting it in a module allows the code to be shared by all 
modules using the library. 

Libraries constructed in this manner are called “packages” in Ciao. The main 
file of such a library is a file which is to be included in the importing module. 
Many libraries in Ciao are packages: dcg (definite clause grammars), functions
(functional syntax), class (object oriented extension), persdb (persistent
database), assertions (to include assertions, see []), etc. Such libraries
can be loaded using a declaration such as include(library(functions)).

For convenience (and other reasons related to ISO compatibility), this can also
be written as use_package(functions).
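A minimal package with all three parts described above (include file, compile-time translation module, run-time module), as an added example that is not code from the paper or from the Ciao libraries. It assumes that the three files are installed in a Ciao library path so that library(...) and use_package/1 resolve them, that a goal-translation predicate is called by the compiler as Pred(Goal, NewGoal, Module) with Module bound (as argnames_use/3 is in Appendix A), and that a translation call which fails leaves the goal untouched. The names trace_calls, trace_goal/3 and traced/2 are invented for the example.

```prolog
% File trace_calls.pl (the "include file" of the package): declarations only.
% A module using the package includes these lines, so the goal translation and
% the operator-free syntax it relies on stay local to that module.
:- load_compilation_module(library(trace_calls_trans)).   % compile-time code
:- add_goal_trans(trace_goal/3).                          % one goal translation
:- use_module(library(trace_calls_rt)).                   % shared run-time code

% File trace_calls_trans.pl: loaded into the compiler, never into the program.
:- module(trace_calls_trans, [trace_goal/3]).

% trace_goal(+Goal, -NewGoal, +Module): called by the compiler for each body
% goal of the module being compiled (assumed calling convention, see lead-in).
% The compiler re-applies goal translations to the goal it gets back, so a goal
% that is already wrapped must be refused (fail) or the translation would loop.
trace_goal(traced(_, _), _, _) :- !, fail.
trace_goal(Goal, traced(Module, Goal), Module) :-
    nonvar(Goal),
    \+ control_construct(Goal).   % leave control constructs and cut alone

control_construct((_, _)).
control_construct((_ ; _)).
control_construct((_ -> _)).
control_construct(\+ _).
control_construct(!).
control_construct(true).

% File trace_calls_rt.pl: the run-time module, shared by every module that
% uses the package. It is compiled without the package, so its own goals are
% not wrapped.
:- module(trace_calls_rt, [traced/2]).
:- use_module(library(format), [format/2]).
:- meta_predicate traced(?, goal).

% traced(+Module, +Goal): run Goal and report entry, exit or failure, tagged
% with the module the goal was compiled in.
traced(Module, Goal) :-
    format("call ~w: ~q~n", [Module, Goal]),
    ( call(Goal) ->
        format("exit ~w: ~q~n", [Module, Goal])
    ; format("fail ~w: ~q~n", [Module, Goal]),
      fail
    ).

% File main.pl: a user module. Only its clauses are affected by the package.
:- module(main, [run/0]).
:- use_package(trace_calls).
:- use_module(library(lists), [append/3, length/2]).

run :-
    append([1], [2], L),
    length(L, N),
    N > 1.
% After the goal translation the body of run/0 reads:
%   traced(main, append([1],[2],L)), traced(main, length(L,N)), traced(main, N > 1).
```

Because the package is included rather than imported, only modules that contain :- use_package(trace_calls) get their body goals wrapped; a module that merely imports traced/2 from trace_calls_rt is compiled as usual. The cut-fail clause of trace_goal/3 is what the text's note on re-applying the translation to the resulting goal requires: without it the compiler would wrap traced(...) in another traced(...) indefinitely.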

There is another feature which allows defining modules which do not start
with a :- module declaration, and which is useful when defining language
extensions: when the first declaration of a file is unknown, the declared library
paths are browsed to find a package with the same name as the declaration, and
if it is found the declaration is treated as a module declaration plus a
declaration to use that package. For example, the package which implements the
object oriented capabilities in Ciao is called "class": this way, one can start a
class (a special module in Ciao) with the declaration ":- class(myclass)", which
is then equivalent to defining a module which loads the class package. The class
package then defines translations which transform the module code so that it
can be used as a class, rather than as a simple module.

5.1 An Example Package: argnames 

To clarify some of the concepts introduced in the paper, we will describe as an
example the implementation of the Ciao library package "argnames". This
library implements a syntax to access term arguments by name (also known as
records). For example, Fig. 2 shows a fragment of the famous "zebra" puzzle
written using the package. The declaration :- argnames (where argnames is
defined as an operator with suitable priority) assigns a name to each of the
arguments of the functor house/5. From then on, it is possible to write a term
with this functor by writing its name (house), then the infix operator $,
and then, between curly brackets (which are as in ISO-Prolog), the arguments one
wants to specify, using the infix operator '=>' between the name and the value.
For example, house${} is equivalent in that code to house(_,_,_,_,_) and
house${nation=>Owns_zebra,pet=>zebra} to house(_,Owns_zebra,zebra,_,_).

The library which implements this feature is composed of two files, one which
is the package itself, called argnames, and an auxiliary module which implements
the code translations required, called argnames_trans (in this case no run-time
code is necessary). They are shown in Appendix A (the transformation has been
simplified for brevity by omitting error checking code).

^ We are also considering adding a feature to allow loading packages using normal
:- use_module declarations, which saves the user from having to determine whether
what is being loaded is a package or an ordinary module.

^ This package uses only a small part of the functionality described. Space
restrictions do not allow adding a longer example or more examples. However,
many such examples can be found in the Ciao system libraries.

    :- use_package([argnames]).

    :- argnames house(color, nation, pet, drink, car).

    zebra(Owns_zebra, Drinks_water, Street) :-
        Street = [house${}, house${}, house${}, house${}, house${}],
        member(house${nation=>Owns_zebra, pet=>zebra}, Street),
        member(house${nation=>Drinks_water, drink=>water}, Street),
        member(house${drink=>coffee, color=>green}, Street),
        left_right(house${color=>ivory}, house${color=>green}, Street),
        member(house${car=>porsche, pet=>snails}, Street),
        % ... (the remaining constraints of the puzzle are omitted in the paper)

Fig. 2. "zebra" program using argnames

The contents of package argnames are self-explanatory: first, it directs the
compiler to load the module argnames_trans (if not already done before), which

contains the code to make the required translations. Then, it declares a sentence 
translation, which will handle the argnames declarations, and a term translation, 
which will translate any terms written using the argnames syntax. Finally, it 
declares the operators used in the syntax. Recall that a module using this package 
is in fact including these declarations into its code, so the declarations are local 
to the module and will not affect the compilation of other modules. 

The auxiliary module argnames_trans is also quite straightforward: it
exports the two predicates which the compiler will use to do the translations.
Then, it declares a data predicate (recall that this is a simplified dynamic
predicate) which will store the declarations made in each module. Predicate
argnames_def/3 is simple: if the clause term is an argnames declaration, it
translates it to nothing but stores its data in the above mentioned data
predicate. Note that the third argument is instantiated by the compiler to the
module where the translation is being made, and thus is used so that the
declarations of a module are not mixed with the declarations in other modules.
The second clause is executed when the end of the module is reached. It takes
care of deleting the data pertaining to the current module. Then, predicate
argnames_use/3 is in charge of making the translation of argname'd terms, using
the data collected by the other predicate. Although more involved, it is a simple
Prolog exercise.

Note that the argnames library only affects the modules that load it. Thus, 
the operators involved (argnames, $, =>) can be used in other modules or libraries 
for different purposes. This would be very difficult to do with the traditional 
model. 



6 Conclusions 



We have presented a new module system for Prolog which achieves a number of 
fundamental design objectives such as being more amenable to effective global 
analysis and translation, allowing separate compilation and sensible creation of 
standalone executables, extensibility/restriction in features and in syntax, etc. 
We have also shown in other work that this module system can be implemented
easily [] and can be applied successfully in several modular program processing
tasks, from compilation to debugging to automatic documentation generation [].
The proposed module system has been designed to stay as similar
as possible to the module systems of the most popular Prolog implementations
and the ISO-Prolog module standard currently being finished, but with a number
of crucial changes that achieve the previously mentioned design objectives. We 
believe that it would not be difficult to incorporate these changes in the ISO- 
Prolog module standard or in other module systems. In the latter case, the 
cost would be some minor backward-incompatibility with some of the existing 
modular code, but which could generally be fixed easily with a little rewriting. 
We argue that the advantages that we have pointed out clearly outweigh this 
inconvenience. 
A Code for the Package argnames

The package argnames:

    :- load_compilation_module(library(argnames_trans)).
    :- add_sentence_trans(argnames_def/3).
    :- add_term_trans(argnames_use/3).
    :- op(150, xfx, [$]).
    :- op(950, xfx, (=>)).
    :- op(1150, fx, [argnames]).

The translation module argnames_trans:

    :- module(argnames_trans, [argnames_def/3, argnames_use/3]).
    :- data argnames/4.

    % Sentence translation: an argnames declaration is stored in the data
    % predicate (keyed by the module M) and removed from the program text.
    argnames_def((:- argnames(R)), [], M) :-
        functor(R, F, N),
        assertz_fact(argnames(F, N, R, M)).
    % At end of file, forget the declarations of this module.
    argnames_def(end_of_file, end_of_file, M) :-
        retractall_fact(argnames(_, _, _, M)).

    % Term translation: F${Name=>Value, ...} becomes the full term for F.
    argnames_use($(F, TheArgs), T, M) :-
        atom(F),
        argnames_args(TheArgs, Args),
        argnames_trans(F, Args, M, T).

    argnames_args({}, []).
    argnames_args({Args}, Args).

    argnames_trans(F, Args, M, T) :-
        argnames(F, A, R, M),
        functor(T, F, A),
        insert_args(Args, R, A, T).

    insert_args([], _, _, _).
    insert_args('=>'(F, A), R, N, T) :-
        insert_arg(N, F, A, R, T).
    insert_args(('=>'(F, A), As), R, N, T) :-
        insert_arg(N, F, A, R, T),
        insert_args(As, R, N, T).

    % Find the position N of argument name F in the declaration R and
    % unify the corresponding argument of T with A.
    insert_arg(N, F, A, R, T) :-
        N > 0,
        ( arg(N, R, F) ->
            arg(N, T, A)
        ; N1 is N - 1,
          insert_arg(N1, F, A, R, T)
        ).
Abstract. In recent years there has been an increasing interest in extensions
of the logic programming paradigm beyond the class of normal logic programs
motivated by the need for a satisfactory representation and processing of
knowledge. An important problem in this area is to find an adequate declarative
semantics for logic programs. In the present paper a general preference
criterion is proposed that selects the 'intended' partial models of extended
generalized logic programs which is a conservative extension of the stationary
semantics for normal logic programs of [] and generalizes the WFSX-semantics
of []. The presented preference criterion defines a partial model of an
extended generalized logic program as intended if it is generated by a
stationary chain. The GWFSX-semantics is defined by the set-theoretical
intersection of all stationary generated models, and thus generalizes the
results from [] and [].

1 Introduction 

Declarative semantics provides a mathematically precise definition of the
meaning of a program in a way which is independent of procedural
considerations. Finding
a suitable declarative or intended semantics is an important problem in logic 
programming and deductive databases. Logic programs and deductive databases 
should be as easy to write and comprehend and as close to natural discourse as 
possible. 

Standard logic programs are not sufficiently expressive for comprehensible 
representation of large classes of knowledge bases and of informal descriptions. 
Formalisms admitting more complex formulas, as extended generalized logic pro- 
grams, are more expressive and natural to use since they permit in many cases 
easier translation from natural language expressions and from informal spec- 
ifications. The expressive power of generalized logic programs also simplifies 
the problem of translation of non-monotonic formalisms into logic programs, 
as shown in [], [], and consequently facilitates using logic programming as
an inference engine for non-monotonic reasoning. We assume that a reasonable 
extension of logic programs should satisfy the following conditions: 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 149–…, 2000.
1. The proposed syntax of rules in such programs resembles the syntax of logic
programs but it applies to a significantly broader class of programs;

2. The proposed semantics of such programs constitute a natural extension of 
the semantics of normal logic programs; 

3. There is a natural relationship between the proposed class of programs and 
their semantics and broader classes of non-monotonic formalisms. 

We believe that the class of extended generalized logic programs and the 
stationary generated semantics, introduced in this paper, presents an extension 
of logic programming for which the above mentioned principles 1. and 2. can be 
realized. There are also results in [] and [] partially realizing principle 3, where
relations to temporal logic and default logic are studied. 

A set of facts can be viewed as a database whose semantics is determined by 
its minimal models. In the case of logic programs, where there are rules, minimal 
models are not adequate because they are not able to capture the directedness 
of rules. Therefore, partial stable models in the form of certain fixpoints have 
been proposed by ^3 > ^3- We generalize this notion by presenting 

a definition which is neither fixpoint-based nor dependent on any specific rule 
syntax. We call our preferred models stationary generated because they are gen- 
erated by a stationary chain, i.e. a stratified sequence of rule applications where 
all applied rules satisfy certain persistence properties. We show the partial stable 
models of an extended normal programs coincide with its stationary generated 
models. Hence, our semantics generalizes the WFSX-semantics. 

The paper has the following structure. After introducing some basic notation 
in section 2, we recall some facts about Herbrand model theory and sequents in 
section 3. In section 4, we define the general concept of a stationary generated 
model and introduce the GWFSX-semantics. In section 5 we investigate the 
relationship of the stationary generated models to the original fixpoint-based 
definitions for normal programs. In particular, we relate the stationary semantics 
to the WFSX-semantics for extended normal logic programs. It turns out that, 
for extended normal logic programs, the stationary generated models and the 
partial stable models coincide. 

2 Preliminaries 

A signature $\sigma = (Rel, ExRel, Const, Fun)$ consists of a set $Rel$ of relation
symbols, a set of exact relation symbols $ExRel \subseteq Rel$, a set $Const$ of
constant symbols, and a set $Fun$ of function symbols. $U_\sigma$ denotes the set
of all ground terms of $\sigma$. The logical functors are $not$, $\neg$, $\wedge$,
$\vee$, $\rightarrow$, $\forall$, $\exists$, and the functors $t$, $f$, $u$ of arity
zero. $L(\sigma)$ is the smallest set containing the constants $t$, $f$, $u$ and the
atomic first order formulas of $\sigma$, and being closed with respect to the
following conditions: if $F, G \in L(\sigma)$, then
$\{not\,F, \neg F, F \wedge G, F \vee G, F \rightarrow G, \exists x F, \forall x F\} \subseteq L(\sigma)$.
$L^0(\sigma)$ denotes the corresponding set of sentences (closed formulas), where
the constants


^ The term "stationary" is borrowed from [], but the concept of a stationary
generated model differs essentially from the stationary model as introduced in [].
$t$ (true), $f$ (false), $u$ (undefined) are considered as sentences. For
sublanguages of $L(\sigma)$ formed by means of a subset $T$ of the logical
functors, we write $L(\sigma; T)$. Let
$L_1(\sigma) = L(\sigma; \{not, \neg, \wedge, \vee, t, f, u\})$,
$L_2(\sigma) = L(\sigma; \{not, \wedge, \vee\})$,
$L_P(\sigma) = L_1(\sigma) \cup \{F \rightarrow G : F \in L_1(\sigma), G \in L_2(\sigma)\}$;
$L_P(\sigma)$ is the set of program formulas over $\sigma$. Program formulas are
equivalently denoted by expressions of the form $G \leftarrow F$ using the
left-directed arrow. With respect to a signature $\sigma$ we define the following
sublanguages: $At(\sigma) = L(\sigma; \{t, f, u\})$, the set of all atomic formulas
(also called atoms). The set $GAt(\sigma)$ of all ground atoms over $\sigma$ is
defined as $GAt(\sigma) = At(\sigma) \cap L^0(\sigma)$.
$Lit(\sigma) = L(\sigma; \{\neg, t, f, u\})$, the set of all objective literals; we
identify the literal $\neg\neg l$ with $l$. The set $OL(\sigma)$ of all objective
ground literals over $\sigma$ is defined as $OL(\sigma) = Lit(\sigma) \cap L^0(\sigma)$.
For a set $X$ of formulas let $not\,X = \{not\,F \mid F \in X\}$. The set
$XLit(\sigma)$ of all extended literals over $\sigma$ is defined by
$XLit(\sigma) = Lit(\sigma) \cup not\,Lit(\sigma)$. Finally,
$XG(\sigma) = OL(\sigma) \cup not\,OL(\sigma)$ is the set of all extended ground
literals.

We introduce the following conventions. When $L \subseteq L(\sigma)$ is some
sublanguage, $L^0$ denotes the corresponding set of sentences. If the signature
$\sigma$ does not matter, we omit it and write, e.g., $L$ instead of $L(\sigma)$.
If $Y$ is a set and $\leq$ a partial ordering on $Y$ then $Min_\leq(Y)$ denotes
the set of all minimal elements of $(Y, \leq)$. $Pow(X) = \{Y \mid Y \subseteq X\}$
denotes the power set of $X$.

Definition 1 (Partial Interpretation). Let $\sigma = (Rel, Const, Fun)$ be a
signature. A partial interpretation $I$ of signature $\sigma$ is defined by a
function $I : OL(\sigma) \rightarrow \{0, \frac{1}{2}, 1\}$ satisfying the conditions
$I(t) = 1$, $I(\neg f) = 1$, $I(u) = I(\neg u) = \frac{1}{2}$. $I$ is said to be
coherent if the following coherence principles are satisfied: $I(\neg a) = 1$
implies $I(a) = 0$, and $I(a) = 1$ implies $I(\neg a) = 0$ for every ground atom $a$.

A partial $\sigma$-interpretation $I$ can equivalently be represented by a set of
extended ground literals $I^* \subseteq OL(\sigma) \cup not\,OL(\sigma)$ by the
following stipulation: $I^* = \{l \mid I(l) = 1\} \cup \{not\,l \mid I(l) = 0\}$.
Then, $I^*$ satisfies the following conditions:

1. $\{t, \neg f\} \subseteq I^*$, $\{u, \neg u\} \cap I^* = \emptyset$.

2. There is no objective ground literal $l \in OL$ such that
$\{l, not\,l\} \subseteq I^*$ (consistency).

If $I$ is coherent then $I^*$ satisfies the additional conditions:

3. $\neg a \in I^*$ implies $not\,a \in I^*$ for every ground atom $a$.

4. $a \in I^*$ implies $not\,\neg a \in I^*$ for every ground atom $a$.

Conversely, every set $J$ of extended ground literals satisfying the conditions
1. and 2. defines a function $I : OL(\sigma) \rightarrow \{0, \frac{1}{2}, 1\}$ being
an interpretation by the following conditions: $I(l) = 1$ iff $l \in J$,
$I(l) = 0$ iff $not\,l \in J$, $I(l) = \frac{1}{2}$ iff $\{l, not\,l\} \cap J = \emptyset$.
If $J$ satisfies conditions 3. and 4., then $I$ is coherent.

Remark: In the sequel we use both descriptions of an interpretation (the func- 
tional or the literal version), and it should be clear from the context which kind 
of representation is meant. 

For a partial interpretation $I$ let $Pos(I) = I \cap OL$ and
$Neg(I) = I \cap not\,OL$. A partial interpretation $I$ is two-valued (or total)
if for every $l \in OL$ the condition $\{l, not\,l\} \cap I \neq \emptyset$ is
satisfied. A generalized partial interpretation is an (arbitrary) set
$I \subseteq OL(\sigma) \cup not\,OL(\sigma)$ of extended ground literals. A
generalized partial interpretation is said to be consistent if conditions 1)
and 2) in definition 1 are satisfied, and it is called coherent if the
conditions 3) and 4) from definition 1 are fulfilled. The class of all
generalized partial $\sigma$-interpretations is denoted by $I_{gen}(\sigma)$,
the class of all consistent partial $\sigma$-interpretations is denoted by
$I(\sigma)$, and the class of all consistent coherent interpretations by
$I_{coh}(\sigma)$. In the sequel we shall also simply say 'interpretation'
instead of 'consistent partial interpretation'. A valuation over an
interpretation $I$ is a function $\nu$ from the set of all variables $Var$ into
the Herbrand universe $U_\sigma$, which can be naturally extended to arbitrary
terms by $\nu(f(t_1, \ldots, t_n)) = f(\nu(t_1), \ldots, \nu(t_n))$. Analogously,
a valuation $\nu$ can be canonically extended to arbitrary formulas $F$, where
we write $F\nu$ instead of $\nu(F)$. The model relation
$\models\ \subseteq I(\sigma) \times L^0_P(\sigma)$ between an interpretation and a
sentence from $L_P(\sigma)$ is defined inductively as follows; it generalizes
the definition 4.1.4 in [] to arbitrary formulas from $L_P$.

Definition 2 (Model Relation). Let $I$ be an interpretation of signature
$\sigma$. Then $I$ can be naturally expanded to a function $\tilde{I}$ from the
set of all sentences of $L_P(\sigma)$ into the set $\{0, \frac{1}{2}, 1\}$.

1. $\tilde{I}(l) = I(l)$ for every $l \in OL$.

2. $\tilde{I}(not\,F) = 1 - \tilde{I}(F)$;

3. $\tilde{I}(F \wedge G) = \min\{\tilde{I}(F), \tilde{I}(G)\}$;

4. $\tilde{I}(F \vee G) = \max\{\tilde{I}(F), \tilde{I}(G)\}$;

5. $\tilde{I}(\neg\neg F) = \tilde{I}(F)$;

6. $\tilde{I}(\neg\,not\,F) = \tilde{I}(F)$;

7. $\tilde{I}(\neg(F \wedge G)) = \tilde{I}(\neg F \vee \neg G)$;

8. $\tilde{I}(\neg(F \vee G)) = \tilde{I}(\neg F \wedge \neg G)$;

9. $\tilde{I}(F \rightarrow G) = 1$ if $\tilde{I}(F) \leq \tilde{I}(G)$ or
$\tilde{I}(\neg G) = 1$ and $\tilde{I}(F) = \frac{1}{2}$.

10. $\tilde{I}(F \rightarrow G) = 0$ if condition 9. is not satisfied.^

11. $\tilde{I}(\exists x F(x)) = \sup\{\tilde{I}(F(x/t)) \mid t \in U_\sigma\}$;

12. $\tilde{I}(\forall x F(x)) = \inf\{\tilde{I}(F(x/t)) \mid t \in U_\sigma\}$.

To simplify the notation we don't distinguish between $I$ and $\tilde{I}$. A
sentence $F$ is true in $I$, denoted by $I \models F$, iff $I(F) = 1$. For
arbitrary formulas $F$ we write $I \models F$ iff $I \models F\nu$ for all
$\nu : Var \rightarrow U_\sigma$. For a set $X$ of formulas we write $I \models X$
iff for all $F \in X$ it holds $I \models F$. $I$ is said to be a model of a set
$X$ of formulas if $I \models X$, and we use the notation
$Mod(X) = \{I \mid I \models X\}$.

Remark: If the conditions 9. and 10. of definition 2 are replaced by
9a. $I(F \rightarrow G) = 1$ if $I(F) \leq I(G)$ and
10a. $I(F \rightarrow G) = 0$ if $I(F) > I(G)$, then we get the truth-relation
considered in [], which we denote by $I \models_{Pr} F$.

A coherent consistent interpretation $I$ is called an AP-model of a set $X$ of
formulas if and only if for all $F \in X$ it holds $I \models F$. An
interpretation $I$ is called a Pr-model of $X$ iff $I \models_{Pr} X$.



^ The condition "not 9." is equivalent to $I(F) > I(G)$ and ($I(\neg G) < 1$ or $I(F) = 1$).
Example 1 (AP-Models and Pr-Models). Let $P$ be the following program:
{^b; not^c; nota, note; ^ note; b^a}. 

$P$ has the following AP-models:

$M_1 = \{\neg b, not\,b\}$

$M_2 = \{\neg b, not\,b, c, not\,\neg c\}$

$M_3 = \{\neg b, not\,b, c, not\,\neg c, not\,a\}$

$M_4 = \{\neg b, not\,b, not\,c, \neg c\}$

$M_5 = \{\neg b, not\,b, \neg a, not\,a\}$

$M_6 = \{\neg b, not\,b, \neg a, not\,a, c, not\,\neg c\}$

$M_7 = \{\neg b, not\,b, not\,\neg a\}$

$M_8 = \{\neg b, not\,b, c, not\,\neg c, not\,\neg a\}$

$M_9 = \{\neg b, not\,b, c, not\,\neg c, not\,a, not\,\neg a\}$

$M_{10} = \{\neg b, not\,b, not\,c, \neg c, not\,\neg a\}$

Only the models M^, Mq, Mg are Pr-models. 

Remark: The relevance of AP-models with respect to Pr-models is that the former
impose coherence on interpretations while the latter do not. So, take for
instance the set $P = \{a \leftarrow \neg a, b;\ b \leftarrow not\,b\}$. Now
$\{\neg a, not\,a, not\,\neg b\}$ is an AP-model but not a Pr-model of $P$, while
$\{\neg a, not\,\neg b\}$ is a Pr-model of $P$ but not an AP-model because it is
not a coherent interpretation. In this case, coherence imposes "$not\,a$" true
on the basis of the truth of $\neg a$, if "$not\,a$" is otherwise undefined as
in $P$. That is, explicit negation $\neg$ overrides undefinedness. Pr-models do
not impose coherence; they allow the unnatural result that though "$a$" is
explicitly false "$not\,a$" remains undefined. In our opinion, the truth
relation $\models$ of definition 2 is better suited to treat coherent
interpretations.
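The two claims of the remark, checked against Definition 2 as an added worked example that is not part of the paper. Write $I = \{\neg a, not\,a, not\,\neg b\}$, so that $I(a) = 0$, $I(\neg a) = 1$, $I(b) = \frac{1}{2}$ and $I(\neg b) = 0$:

$$
\begin{aligned}
b \leftarrow not\,b:\quad & I(not\,b) = 1 - I(b) = \tfrac{1}{2} \leq \tfrac{1}{2} = I(b),
  \text{ so } I(not\,b \rightarrow b) = 1 \text{ by 9. and also by 9a.};\\
a \leftarrow \neg a, b:\quad & I(\neg a \wedge b) = \min\{1, \tfrac{1}{2}\} = \tfrac{1}{2} > 0 = I(a),
  \text{ but } I(\neg a) = 1 \text{ and } I(\neg a \wedge b) = \tfrac{1}{2},\\
& \text{so } I(\neg a \wedge b \rightarrow a) = 1 \text{ by 9., while 10a. gives } 0.
\end{aligned}
$$

Hence $I$ is an AP-model of $P$ but not a Pr-model. For $J = \{\neg a, not\,\neg b\}$ we have $J(a) = \frac{1}{2}$ and $J(\neg a) = 1$, which violates the coherence principle of Definition 1 ($J(\neg a) = 1$ must force $J(a) = 0$), so $J$ is not an AP-model; but $J(\neg a \wedge b) = \frac{1}{2} \leq \frac{1}{2} = J(a)$ and $J(not\,b) = \frac{1}{2} \leq \frac{1}{2} = J(b)$, so $J \models_{Pr} P$.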

Definition 3 (Partial Orderings between Interpretations). Let
$I, I_1 \in I_{gen}$ be two generalized interpretations.

1. Let $I \leq I_1$ if and only if $Pos(I) \subseteq Pos(I_1)$ and
$Neg(I_1) \subseteq Neg(I)$. $\leq$ is called the truth-ordering between
interpretations, and $I_1$ is said to be a truth-extension (briefly
t-extension) of $I$.

2. $I_1$ is informationally greater or equal to $I$ if and only if
$I \subseteq I_1$. The partial ordering $\subseteq$ between interpretations is
called information-ordering. $I_1$ is said to be an information-extension
(briefly i-extension) of $I$.



Proposition 1. The system $C = (I_{coh}, \leq)$ of coherent and consistent
generalized partial interpretations is a complete lower semi-lattice.

Proof: Let $\Omega \subseteq I_{coh}$ be an arbitrary subset. We show that there
exists a greatest lower bound for $\Omega$ with respect to $\leq$. Let $I$ be
defined by $Pos(I) = \bigcap\{Pos(J) : J \in \Omega\}$ and
$Neg(I) = \bigcup\{Neg(J) : J \in \Omega\}$. Obviously, $I \leq J$ for every
$J \in \Omega$, and $I$ is the greatest lower bound within $(I_{gen}, \leq)$.
$I$ is consistent: assume there is $l \in OL$ such that
$\{l, not\,l\} \subseteq I$. Then $l \in J$ for every $J \in \Omega$. From
$not\,l \in I$ there follows the existence of a $J \in \Omega$ such that
$not\,l \in J$, a contradiction. The coherency of $I$ is immediate. Hence
$I \in I_{coh}$.
Remark: $C$ is not a lattice; there are elements $I, J \in I_{coh}$ having no
least upper bound. Take, for example: $I = \{\neg a, not\,a\}$,
$J = \{\neg b, not\,b\}$. Every upper bound $K$ of $I, J$ has to contain
$\{\neg a, \neg b\}$, and because of coherence also $\{not\,a, not\,b\}$. But
this violates the condition $I \leq K$ because $Neg(K) \not\subseteq Neg(I)$.
The set of (consistent) interpretations $(I, \leq)$ is a complete lattice.

Let $I_1 \leq I_2 \leq \ldots \leq I_\alpha \leq \ldots$ be a t-increasing
sequence of interpretations. The supremum $J = \sup\{I_\alpha : \alpha < \kappa\}$
of this sequence is defined by $Pos(J) = \bigcup_{\alpha < \kappa} Pos(I_\alpha)$
and $Neg(J) = \bigcap_{\alpha < \kappa} Neg(I_\alpha)$. For a t-decreasing
sequence of interpretations $I_1 \geq I_2 \geq \ldots \geq I_\alpha \geq \ldots$
its infimum $J = \inf\{I_\alpha : \alpha < \kappa\}$ is defined by the following
conditions: $Neg(J) = \bigcup_{\alpha < \kappa} Neg(I_\alpha)$,
$Pos(J) = \bigcap_{\alpha < \kappa} Pos(I_\alpha)$. An interpretation $I$ is
called a t-minimal model of $X$ if $I \in Min_\leq(Mod(X))$; it is called
i-minimal if $I \in Min_\subseteq(Mod(X))$. The following version of
proposition 1 is true: for any t-increasing sequence
$\{I_\alpha \mid \alpha < \kappa\}$ of coherent interpretations the
interpretation $\sup_{\alpha < \kappa} I_\alpha$ is itself coherent.

3 Sequents and Programs 

Here, we propose to use sequents for the purpose of representing rule knowledge.^
A sequent, then, is a concrete expression representing some piece of knowledge.

Definition 4 (Sequent). A sequent $s$ is an expression of the form

$F_1, \ldots, F_m \Rightarrow G_1, \ldots, G_n$

where $F_i, G_j \in L(\sigma; \{\wedge, \vee, not\})$ for $i = 1, \ldots, m$ and
$j = 1, \ldots, n$. The body of $s$, denoted by $B(s)$, is given by
$\{F_1, \ldots, F_m\}$, and the head of $s$, denoted by $H(s)$, is given by
$\{G_1, \ldots, G_n\}$. $Seq(\sigma)$ denotes the class of all sequents $s$ such
that $H(s), B(s) \subseteq L(\sigma; \wedge, \vee, not)$, and for a given set
$S \subseteq Seq(\sigma)$, $[S]$ denotes the set of all ground instances of
sequents from $S$. Sometimes, we write a sequent in the following rule-form:
$G_1 \vee \ldots \vee G_n \leftarrow F_1, \ldots, F_m$.

Definition 5 (Model of a Sequent). Let $I \in I(\sigma)$. Then,

$I \models F_1, \ldots, F_m \Rightarrow G_1, \ldots, G_n$

if and only if for all ground substitutions $\nu$ the condition

$I \models \bigwedge_{i \leq m} F_i\nu \rightarrow \bigvee_{j \leq n} G_j\nu$

is satisfied. In this case, $I$ is said to be a model of
$F_1, \ldots, F_m \Rightarrow G_1, \ldots, G_n$.

We define the following classes of sequents corresponding to different types 
of logic programs. 

^ The motivation for choosing sequents is to get a connection to Gentzen-like
proof systems. Furthermore, the sequent-arrow $\Rightarrow$ and the material
implication $\rightarrow$ have different properties.
— $EPLP^*(\sigma) = \{s \in Seq(\sigma) : H(s) \in Lit(\sigma), B(s) \subseteq Lit(\sigma) \cup \{t, u, f\}\}$.

— $EPLP(\sigma) = \{s \in Seq(\sigma) : H(s) \in Lit(\sigma), B(s) \subseteq Lit(\sigma)\}$.

— $ENLP(\sigma) = \{s \in Seq(\sigma) : H(s) \in Lit(\sigma), B(s) \subseteq XLit(\sigma)\}$.

— $EDLP(\sigma) = \{s \in Seq(\sigma) : H(s) \subseteq Lit(\sigma), B(s) \subseteq XLit(\sigma), H(s) \neq \emptyset\}$.

— $EGLP(\sigma) = \{s \in Seq(\sigma) : H(s), B(s) \subseteq L(\sigma; not, \wedge, \vee)\}$.

Subsets of $EPLP^*$ are called non-negative extended logic programs, programs
associated to $EPLP$ are called extended positive programs, $ENLP$ relates to
extended normal programs, $EDLP$ to extended disjunctive programs, and $EGLP$
to extended generalized logic programs. The following lemma is an important
tool for analyzing the structure of the partial models of a generalized logic
program.

Lemma 1.^

1. Let $J_0 \geq J_1 \geq \ldots \geq J_n \geq \ldots$ be an infinite
t-decreasing sequence of partial interpretations and
$J = \inf\{J_n \mid n < \omega\}$. Let $F \in L^0(\sigma)$. Then there exists a
number $k$ such that for all $s \geq k$ the condition $J(F) = J_s(F)$ is
satisfied.

2. Let $J_0 \leq J_1 \leq \ldots \leq J_n \leq \ldots$ be an infinite
t-increasing sequence of partial interpretations and
$J = \sup\{J_n \mid n < \omega\}$. Let $F \in L^0(\sigma)$. Then there exists a
number $k$ such that for all $s \geq k$ the condition $J(F) = J_s(F)$ is
satisfied.



Proposition 2. Let $P$ be a set of formulas from $L_P$ and $K$ an
interpretation. Let $L$ be a model of $P$ such that $K \leq L$. Then there
exists a model $J \models P$ satisfying the following conditions:

1. $K \leq J \leq L$;

2. for every interpretation $J_1$ the conditions $K \leq J_1 \leq J$ and
$J_1 \models P$ imply $J = J_1$.

Proof: Let $L \models P$ and
$\Omega(K, L) = \{M \mid K \leq M \leq L \text{ and } M \models P\}$. Assume
$L = J_0 \geq J_1 \geq \ldots \geq J_n \geq \ldots$, and $J_n \in \Omega(K, L)$.
Let $J = \inf_{n < \omega} J_n$. We show that $J \models P$; then, by Zorn's
lemma, the set $\Omega(K, L)$ contains a $\leq$-minimal element satisfying the
conditions 1. and 2. Let $r : B(r) \Rightarrow H(r) \in [P]$, and
$F := \bigwedge B(r)$, $G := \bigvee H(r)$. It is sufficient to show
$J \models F \rightarrow G$. Assume this is not the case; then
$J \not\models F \rightarrow G$, and by definition $J(F \rightarrow G) = 0$. By
lemma 1 there is a number $k < \omega$ such that for all $s \geq k$ we have
$J_s(F \rightarrow G) = 0$, a contradiction, because $J_s \models P$. $\square$

Corollary 3. Let $P$ be an extended generalized logic program. Every partial
model of $P$ is a t-extension of a t-minimal partial model of $P$ and can be
t-extended to a t-maximal partial model of $P$.

Proposition 4. Every non-negative extended logic program $P$ having a partial
Pr-model has a t-least partial Pr-model.

Remark: Proposition 4 is not true for AP-models as the following example
shows.



^ Complete proofs will be published in the full paper.
Example 2. Let $P = \{c \leftarrow f;\ a \leftarrow b;\ b \leftarrow u;\ \neg a;\ d \leftarrow b\}$.

Let $I = \{\neg a, not\,a, not\,c, not\,\neg b, not\,\neg c, not\,\neg d\}$.
Obviously, $I$ is a t-minimal AP-model of $P$. Take
$I_1 = (I - \{not\,\neg d\}) \cup \{\neg d, not\,d\}$. Then $I_1 \not\leq I$ and
$I \not\leq I_1$. It is easy to see that $I_1$ is a t-minimal model of $P$.

Example 3. The following program $P$ has AP-models but no coherent Pr-model.
$P = \{a \leftarrow b;\ \neg a;\ b \leftarrow u\}$.

Then $\{\neg a, not\,a, not\,\neg b\}$ is an AP-model.



4 Stationary Generated Models and GWFSX-Semantics

A preferential semantics is given by a preferred model operator
$\Phi : Pow(Seq) \rightarrow Pow(I)$ satisfying the condition
$\Phi(P) \subseteq Mod(P)$ for $P \subseteq Seq$, and determining the associated
preferential entailment relation defined by $P \models_\Phi F$ iff
$\Phi(P) \subseteq Mod(F)$. The definition of a stationary chain uses certain
persistence properties of formulas which are based on the following notion of
truth intervals.

Definition 6 (Truth Interval of Interpretations). Let $I_1, I_2 \in I$. Then,
$[I_1, I_2] = \{I \in I : I_1 \leq I \leq I_2\}$. Let $P$ be an extended
generalized logic program; for $r \in P$ let $H(r) :=$ head of $r$,
$B(r) :=$ body of $r$, $[P] :=$ set of all ground instantiations of rules of
$P$. We introduce the following notions and sets:

- $[I, J](F) \geq \frac{1}{2}$ $=_{df}$ for all $K \in [I, J]$ : $K(F) \geq \frac{1}{2}$

- $[I, J](F) = 1$ $=_{df}$ for all $K \in [I, J]$ : $K(F) = 1$

- $P^{[I,J]} = \{r \mid r \in [P] \text{ and } [I, J](\bigwedge B(r)) \geq \frac{1}{2}\}$

- $P_{[I,J]} = \{r \mid r \in [P] \text{ and } [I, J](\bigwedge B(r)) = 1\}$.

The following notion of a stationary generated model is an essential
refinement of the notion of a stable generated (two-valued) model which was
introduced in [].

Definition 7 (Stationary Generated Model). Let $P \subseteq EGLP(\sigma)$ be an
extended generalized logic program. Let $I$ be an AP-model of $P$. $I$ is a
stationary generated model of $P$, symbolically $I \in Mod_{statg}(P)$, if
there is a sequence $\{I_\alpha : \alpha < \kappa\}$ of coherent interpretations
satisfying the following conditions:

1. $I_0 = not\,OL$ (is the t-least interpretation).

2. $I_\alpha \leq I_{\alpha+1}$ and $I_\alpha \leq I$ for all $\alpha < \kappa$.

3. $\sup_{\alpha < \kappa} I_\alpha = I$.

4. $I_{\alpha+1} \in Min_\leq\{J \mid I_\alpha \leq J \leq I$ and

(a) for all $r \in P_{[I_\alpha, I]}$ it holds $J(\bigvee H(r)) = 1$ and

(b) for all $r \in P^{[I_\alpha, I]}$ : $J(\bigvee H(r)) \geq \frac{1}{2}$ or
$I(\neg \bigvee H(r)) = 1\}$.

5. $I_\lambda = \sup_{\alpha < \lambda} I_\alpha$, $\lambda$ a limit ordinal.

The sequence $\{I_\alpha : \alpha < \kappa\}$ is called a stationary AP-chain
(or briefly a stationary chain) generating $I$. $I$ is called a stationary
generated Pr-model if $I$ is a Pr-model, the $I_\alpha$ are consistent
interpretations, and in condition 4. the Pr-truth-relation $\models_{Pr}$ is
used and the condition (b) is replaced by
$\forall r \in P^{[I_\alpha, I]} : I_{\alpha+1}(\bigvee H(r)) \geq \frac{1}{2}$.
In this case $\{I_\alpha : \alpha < \kappa\}$ is called a stationary Pr-chain
generating $I$.
By using proposition | one may prove that the set $\mathit{Min}_{\le_t}\{J \mid I_\alpha \le_t J \le_t I\ \&\ (a)\ \&\ (b)\}$ in condition 4. of definition 7 is non-empty. Hence, for every model $I \models P$, we may construct, according to definition 7, chains of interpretations satisfying the conditions 1., 2., 4. (but not necessarily 3.). Such chains are called stationary chains in $I$. A stationary chain $\{I_\alpha \mid \alpha < \kappa\}$ in $I$ is said to be maximal if for $K = \sup\{I_\alpha\}$ we have $\mathit{Min}_{\le_t}\{J \mid K \le_t J \le_t I\ \&\ (a)\ \&\ (b)\} = \{K\}$, i.e. if $K$ cannot be further extended. The set of stationary generated models of $S$ is denoted by $\mathit{Mod}_{statg}(S)$. The associated entailment relation is defined as follows:

$S \models_{statg} F$ iff $\mathit{Mod}_{statg}(S) \subseteq \mathit{Mod}(F)$

Notice that our definition of stationary generated models also accommodates

1. Negation in the head of a rule, such as in

   $\Rightarrow \mathit{not}\,(\mathit{nationality}(x, \mathit{German}) \wedge \mathit{nationality}(x, \mathit{US}))$

   expressing the integrity constraint that it is not possible to have both the German and the US nationality.

2. Nested negations, such as in $p(x) \wedge \mathit{not}\,(q(x) \wedge \mathit{not}\,r(x)) \Rightarrow s(x)$, which would be the result of folding $p(x) \wedge \mathit{not}\,\mathit{ab}(x) \Rightarrow s(x)$ and $q(x) \wedge \mathit{not}\,r(x) \Rightarrow \mathit{ab}(x)$.

We continue this section with the investigation of some fundamental properties of the introduced concepts. What can be said about the length of the stationary chains?

Proposition 5. Let $P \subseteq \mathit{EGLP}$ and let $I$ be a stationary generated model of $P$ generated by the sequence $\{I_\alpha : \alpha < \kappa\}$, $\kappa \ge \omega$. Then there is an ordinal $\beta < \omega$ such that $I_\beta = I$ and $I_\beta = I_{\beta+1}$. We say that this sequence stabilizes at $\beta$.



Definition 8 (Rank of a Stationary Generated Model). Given a program $P$, let $I$ be a stationary generated AP-model of $P$. Let $\mathit{St}(I) = \{\alpha \mid$ there is a stationary chain for $I$ stabilizing at $\alpha\}$. Then $\mathit{Rk}(I) = \inf \mathit{St}(I)$ is called the rank of $I$.



Corollary 6. If $M$ is a stationary generated AP-model of $P \subseteq \mathit{EGLP}$, then there is either a finite $P$-stationary chain, or a $P$-stationary chain of length $\omega$, generating $M$.



Example 4. Consider the following program $P = \{a \leftarrow \mathit{not}\,b;\ b \leftarrow \mathit{not}\,a;\ \neg a\}$. The following interpretation $\{\neg a, \mathit{not}\,a, b, \mathit{not}\,\neg b\} = K$ is a stationary generated AP-model of $P$. It is $I_0 = \{\mathit{not}\,a, \mathit{not}\,b, \mathit{not}\,\neg a, \mathit{not}\,\neg b\}$, $P_{[I_0,K]} = \{b \leftarrow \mathit{not}\,a;\ \neg a\}$, and $P^{[I_0,K]} = P_{[I_0,K]}$. Then $K$ is a minimal extension of $I_0$ such that for all $r \in P_{[I_0,K]}$ it holds that $K(H(r)) = 1$. Hence, $\{I_0, K\}$ is a stationary sequence generating $K$. Obviously, $\mathit{Rk}(K) = 1$.
Example 5. Consider the program $P = \{a \vee b;\ \neg b \leftarrow a;\ a \leftarrow \mathit{not}\,a\}$. The following interpretation is a stationary generated model of $P$: $K = \{a, \mathit{not}\,b, \mathit{not}\,\neg a\}$. $I_0 = \{\mathit{not}\,a, \mathit{not}\,\neg a, \mathit{not}\,b, \mathit{not}\,\neg b\}$. Then $P_{[I_0,K]} = \{a \vee b\} = P^{[I_0,K]}$.

Then $I_1 = \{a, \mathit{not}\,\neg a, \mathit{not}\,b, \mathit{not}\,\neg b\}$ is a $t$-minimal extension of $I_0$. It is $P_{[I_1,K]} = \{a \vee b,\ \neg b \leftarrow a\} = P^{[I_1,K]}$. Then $K$ is a minimal $t$-extension of $I_1$,

hence $\{I_0, I_1, K\}$ is a stationary sequence generating $K$. Obviously, $\mathit{Rk}(K) = 2$.

The GWFSX-semantics can be introduced as follows.

Definition 9 (Generalized Wellfounded Semantics). Let $P$ be an extended generalized logic program and $\mathit{GWFSX}(P) = \bigcap \mathit{Mod}_{statg}(P) = \{l \mid l \in \mathit{XL}\ \&\ P \models_{statg} l\}$. $\mathit{GWFSX}(P)$ is said to be the generalized well-founded semantics of $P$.

Let $\mathit{QF} = L(\mathit{not}, \wedge, \vee)$ denote the set of quantifier-free sentences (not containing $\to$) and $C_{statg}(P) = \{F \mid P \models_{statg} F\}$. An inference operation $C : \mathit{Pow}(\mathit{EGLP}) \to \mathit{Pow}(\mathit{QF})$ is said to be cumulative iff for every $X \subseteq C(P)$, $X \subseteq \mathit{QF}$, it holds that $C(P \cup X) = C(P)$. Unfortunately, the operation $C_{statg}$ is not cumulative on the set of all generalized logic programs, thus the important task remains to find natural cumulative approximations of $C_{statg}$ (cf. section 6).



5 Extended Normal Logic Programs and WFSX-Semantics

In this section we present the result that for extended normal logic programs the WFSX-semantics introduced in coincides with the partial stationary generated semantics. To make the paper self-contained we recall the main notions. Let $P \subseteq \mathit{ENLP}$ be a normal logic program, i.e. the rules $r$ have the form $r := a_1, \ldots, a_m, \mathit{not}\,b_1, \ldots, \mathit{not}\,b_n \Rightarrow c$, where $a_i, b_j, c$ are objective literals. Such a rule is in the following also denoted by $c \leftarrow a_1, \ldots, a_m, \mathit{not}\,b_1, \ldots, \mathit{not}\,b_n$. Let $I \subseteq \mathit{OL} \cup \mathit{not}\,\mathit{OL}$ be a (consistent) partial interpretation.

Definition 10. Let $I$ be an interpretation and $P$ an (instantiated) program, $r \in P$. The $I$-transformation of $r$, denoted by $\mathit{tr}_I(r)$, is defined as follows:

— if $\mathit{not}\,l \in B(r)$ and $l \in I$ then $\mathit{not}\,l$ is replaced by $\mathit{tr}_I(\mathit{not}\,l) = \mathbf{f}$;

— if $l \in B(r)$, $l$ objective and $\neg l \in I$, then $l$ is replaced by $\mathit{tr}_I(l) = \mathbf{f}$;

— if $l \in B(r)$, $l$ objective and $\neg l \notin I$, then $\mathit{tr}_I(l) = l$;

— if $\mathit{not}\,l \in I$ then $\mathit{tr}_I(\mathit{not}\,l) = \mathbf{t}$;

— the remaining default literals $\mathit{not}\,l$ are replaced by $\mathit{tr}_I(\mathit{not}\,l) = \mathbf{u}$.

Let $\mathit{tr}_I(B(r)) = \{\mathit{tr}_I(l) \mid l \in B(r)\}$, $\mathit{tr}_I(r) = H(r) \leftarrow \mathit{tr}_I(B(r))$, and $\mathit{tr}_I(P) = \{\mathit{tr}_I(r) \mid r \in P\}$. Obviously, $\mathit{tr}_I(P)$ is a non-negative logic program, also denoted by $P/I$.

We now investigate a semi-constructive description of a special AP-model of a non-negative logic program; note that there are consistent non-negative logic programs without a $t$-least AP-model.
Definition 11. Let $P$ be an instantiated non-negative normal program. The operator $\Gamma_P : \mathcal{I} \to \mathcal{I}$ is defined as follows:

$\Gamma_P(I) = \{l \mid$ there is a rule $l \leftarrow B(r) \in [P]$ such that $I(\bigwedge B(r)) = 1\} \cup \{\mathit{not}\,l \mid$ for every rule $r \in [P]$ satisfying $H(r) = l$ it is $I(\bigwedge B(r)) = 0\}$.

The operator $\Gamma_P$ is monotonic with respect to the truth-ordering $\le_t$. We construct a sequence $\{I_n\}_{n<\omega}$ of interpretations as follows. Let $I_0 = \{\mathit{not}\,a \mid a \in \mathit{OL}\}$, i.e. $I_0$ is the $t$-least interpretation (it is the least element in the semi-lattice $\mathcal{L} = (\mathcal{I}, \le_t)$), and $I_{n+1} = \Gamma_P(I_n)$. Obviously, $I_n \le_t I_{n+1}$ for $n < \omega$. Let $I_\omega = \Gamma_P^\omega = \sup\{I_n : n < \omega\}$. Define $\mathit{Coh}(I) = \{\mathit{not}\,\neg l \mid l \in \mathit{Pos}(I)\} \cup I$; $\mathit{Coh}(I)$ is called the coherency-closure of $I$.

Proposition 7. Let $P$ be a non-negative normal logic program and $I_\omega$ defined as above. If $\mathit{Coh}(I_\omega) = K$ is a consistent interpretation then $K$ is an AP-model of $P$.

Proof: Obviously, $K$ is coherent. Let $l \leftarrow B(r) \in [P]$. We have to show that $K(l \leftarrow B(r)) = 1$, by definition: $K(B(r)) \le K(l)$ or ($K(\neg l) = 1$ and $K(B(r)) = \tfrac{1}{2}$). We may assume that $K(B(r)) \ge \tfrac{1}{2}$ (the case $K(B(r)) = 0$ is trivial).

1) $K(B(r)) = \tfrac{1}{2}$. If $K(H(r)) \ge \tfrac{1}{2}$ we are ready. Assume that for $l = H(r)$ we have $K(l) = 0$, i.e. $\mathit{not}\,l \in K$. By the definition of the sequence $\{I_n\}_{n<\omega}$ it follows that $\mathit{not}\,l \notin I_\omega$. This implies $\neg l \in I_\omega$, and this verifies $K(r) = 1$.

2) $K(B(r)) = 1$, $B(r) = l_1, \ldots, l_n$. We may assume that $\{l_1, \ldots, l_m\} \subseteq \mathit{OL}$. By lemma J there is a $k$ such that for all $n \ge k$ we have $\{l_1, \ldots, l_m\} \subseteq I_n$, hence $l \in I_\omega$ and this implies $K(r) = 1$. □

Remark: If $\mathit{Coh}(I_\omega) = K$ is consistent then $K$ is a $t$-minimal AP-model of $P$. In general, $K$ is no Pr-model.

Example 6. Let $P = \{a \leftarrow b;\ \neg a;\ b \leftarrow u\}$. Then $\mathit{Coh}(I_\omega) = \{\neg a, \mathit{not}\,a, \mathit{not}\,\neg b\}$ is an AP-model, but $P$ has no coherent Pr-model.

The interpretations $I_1, I_2, \ldots, I_n, \ldots$ are (in general) not coherent. We define a new sequence $J_n = I_n \cup \mathit{Ch}(I_\omega)$, where $\mathit{Ch}(I_\omega) = \{\mathit{not}\,\neg l \mid l \in \mathit{Pos}(I_\omega)\}$. Obviously, the following conditions are satisfied:

— $J_1 \le_t J_2 \le_t \ldots \le_t J_n \le_t \ldots$

— every $J_n$ is coherent

— $I_\omega = \sup_{n<\omega} J_n$.

$\{I_n\}_{n<\omega}$ is said to be the standard sequence with respect to $P$, and $\{J_n\}_{n<\omega}$ is called the coherent standard sequence with respect to $P$. We show now that the stationary generated models coincide with the partial stable models in the sense of P.

Definition 12. Let $P \in \mathit{ENLP}$. A coherent interpretation $I$ is a partial stable model of $P$ if $I = \mathit{Coh}(\Gamma^\omega_{P/I}(I_0))$.
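As an added example (not the paper's own code), the Python below implements the $I$-transformation of Definition 10, the operator $\Gamma_P$ with its standard sequence and coherency closure of Definition 11, and the partial-stable test of Definition 12, and checks them against Examples 4, 6 and 7 of this paper; the string encoding of literals and the reading of $u$ as the constant "undefined" are assumptions.

```python
# Added example, not from the paper: Definitions 10-12 for extended normal
# logic programs, checked on the paper's Examples 4, 6 and 7.
# Assumed conventions: objective literals are strings, strong negation is a
# leading "-" ("-a" is ¬a), default literals are "not l"; the body constants
# t, f, u stand for true, false and undefined; an interpretation is a
# frozenset of objective and default literals; truth values are 1, 1/2, 0.
from typing import FrozenSet, List, Sequence, Tuple

Rule = Tuple[str, Tuple[str, ...]]        # (head, body)
Interp = FrozenSet[str]
CONST = {"t": 1.0, "u": 0.5, "f": 0.0}


def strong_neg(lit: str) -> str:
    """¬l, with ¬¬l = l."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def value(interp: Interp, lit: str) -> float:
    """Three-valued truth value of one body element under interp."""
    if lit in CONST:
        return CONST[lit]
    if lit.startswith("not "):            # only met before the I-transformation
        return 1.0 - value(interp, lit[4:])
    if lit in interp:
        return 1.0
    if "not " + lit in interp:
        return 0.0
    return 0.5


def body_value(interp: Interp, body: Sequence[str]) -> float:
    """I(∧B(r)): the minimum over the body, 1 for an empty body (a fact)."""
    return min((value(interp, b) for b in body), default=1.0)


def objective_literals(program: List[Rule]) -> FrozenSet[str]:
    """OL: every objective literal of the program and its strong negation."""
    lits = set()
    for head, body in program:
        lits.add(head)
        lits.update(b[4:] if b.startswith("not ") else b
                    for b in body if b not in CONST)
    return frozenset(lits | {strong_neg(l) for l in lits})


def transform(program: List[Rule], interp: Interp) -> List[Rule]:
    """Definition 10: the I-transformation P/I, a non-negative program."""
    out = []
    for head, body in program:
        new_body = []
        for b in body:
            if b.startswith("not "):
                l = b[4:]
                new_body.append("f" if l in interp else "t" if b in interp else "u")
            elif b not in CONST and strong_neg(b) in interp:
                new_body.append("f")      # ¬l is true, so l counts as false
            else:
                new_body.append(b)        # constants and remaining objective literals
        out.append((head, tuple(new_body)))
    return out


def gamma(program: List[Rule], interp: Interp, ol: FrozenSet[str]) -> Interp:
    """Definition 11: the operator Γ_P of a non-negative program."""
    out = set()
    for l in ol:
        bodies = [body for head, body in program if head == l]
        if any(body_value(interp, b) == 1.0 for b in bodies):
            out.add(l)
        if all(body_value(interp, b) == 0.0 for b in bodies):  # vacuous: no rule for l
            out.add("not " + l)
    return frozenset(out)


def standard_sequence(program: List[Rule], ol: FrozenSet[str]) -> List[Interp]:
    """I_0 = {not a | a in OL}, I_{n+1} = Γ_P(I_n); the last element is I_ω."""
    seq = [frozenset("not " + l for l in ol)]
    # Γ_P is t-monotone, so each literal rises at most twice (0 -> 1/2 -> 1).
    for _ in range(2 * len(ol) + 1):
        nxt = gamma(program, seq[-1], ol)
        if nxt == seq[-1]:
            return seq
        seq.append(nxt)
    raise RuntimeError("standard sequence did not stabilize")


def coh(interp: Interp) -> Interp:
    """Coherency closure: add not ¬l for every objective literal l in Pos(I)."""
    return interp | {"not " + strong_neg(l) for l in interp if not l.startswith("not ")}


def is_partial_stable(program: List[Rule], interp: Interp) -> bool:
    """Definition 12: I = Coh(Γ^ω_{P/I}(I_0))."""
    ol = objective_literals(program)
    return coh(standard_sequence(transform(program, interp), ol)[-1]) == interp


# Constructed inputs: the programs of the paper's Examples 6, 4 and 7.
P6: List[Rule] = [("a", ("b",)), ("-a", ()), ("b", ("u",))]
P4: List[Rule] = [("a", ("not b",)), ("b", ("not a",)), ("-a", ())]
P7: List[Rule] = [("c", ("a",)), ("a", ("b",)), ("b", ("not b",)), ("-a", ())]


def coh_limit(program: List[Rule]) -> Interp:
    """Coh(I_ω) of a non-negative program, e.g. Example 6."""
    return coh(standard_sequence(program, objective_literals(program))[-1])
```

For P6 the sequence drops `not a` again once `b` becomes undefined, which is the t-increase the text mentions; the coherency closure then restores `not a` from `¬a`.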

We use the following technical lemma to prove the main result in this section. 
Lemma 2. Let $P$ be a normal extended logic program, $I$ an interpretation. Let $\{I_n\}_{n<\omega}$ resp. $\{J_n\}_{n<\omega}$ be the standard resp. coherent standard sequence with respect to $P/I$, and $l \leftarrow B(r) \in [P]$. Then the following conditions are equivalent:

(1) $I_n(\bigwedge \mathit{tr}_I(B(r))) \ge \tfrac{1}{2}$;

(2) $[J_n, I](\bigwedge B(r)) \ge \tfrac{1}{2}$ (i.e. $r \in P^{[J_n, I]}$).

Remark: Lemma 2 remains true if in conditions (1) and (2) the relation "$\ge \tfrac{1}{2}$" is replaced by "$= 1$".

Proposition 8. Let $P$ be an extended normal logic program and $I$ a model of $P$. Then $I$ is a stationary generated AP-model if and only if $I$ is a partial stable model of $P$.^5

Sketch of the Proof: We sketch only one direction. Let $I$ be a partial stable model. By definition we have $I = \mathit{Coh}(\Gamma^\omega_{P/I}(I_0))$, $I_0$ the $t$-least interpretation. Let $I_0 \le_t I_1 \le_t \cdots \le_t I_n \le_t \cdots$ be the standard sequence associated to $\Gamma_{P/I}$ and $I_\omega = \Gamma^\omega_{P/I}(I_0)$. Let $J_0 \le_t J_1 \le_t \cdots \le_t J_n \le_t \cdots$ be the coherent standard sequence defined by $J_n = I_n \cup \mathit{Coh}(\mathit{Pos}(I_\omega))$. We show that $\{J_n \mid n < \omega\}$ is a stationary chain. One has to show that for every $n < \omega$ the interpretation $J_{n+1}$ is a minimal $t$-extension of $J_n$ satisfying the following two conditions of stationary generatedness:

1. $\forall r\,(r \in P_{[J_n, I]} \to J_{n+1}(H(r)) = 1)$ and

2. $\forall r\,(r \in P^{[J_n, I]} \to J_{n+1}(H(r)) \ge \tfrac{1}{2} \vee I(\neg H(r)) = 1)$.

By definition it is

(*) : $J_{n+1} = \{l \mid l \leftarrow B(r) \in [P/I] \wedge I_n(\bigwedge \mathit{tr}(B(r))) = 1\} \cup \{\mathit{not}\,l \mid \forall (l \leftarrow B(r)) \in [\mathit{tr}_I(P)] : I_n(\bigwedge B(r)) = 0\} \cup \mathit{Coh}(\mathit{Pos}(I_\omega))$.

1. Let $l \leftarrow B(r) \in P_{[J_n, I]}$, then $[J_n, I](B(r)) = 1$. Let $B(r) = l_1, \ldots, l_s, \mathit{not}\,m_1, \ldots, \mathit{not}\,m_t$. By 1. it is $I(\bigwedge B(r)) = 1$, hence $\mathit{tr}_I(\mathit{not}\,m_j) = \mathbf{t}$, which yields $I_n(\mathit{tr}_I(B(r))) = 1$; by definition (*) it is $l \in I_{n+1}$ and this implies $l \in J_{n+1}$, hence $J_{n+1}(l) = 1$, $l = H(r)$.

2. Let $l \leftarrow B(r) \in P^{[J_n, I]}$. We have to show that the condition

(**) : $(J_{n+1}(l) \ge \tfrac{1}{2} \vee I(\neg l) = 1)$

is satisfied. Since $[J_n, I](B(r)) \ge \tfrac{1}{2}$, this implies $I_n(\mathit{tr}(B(r))) \ge \tfrac{1}{2}$ for all $r \in P^{[J_n, I]}$. Assume there is a rule $l \leftarrow B(r) \in P^{[J_n, I]}$ such that (**) is not satisfied. Then $J_{n+1}(l) = 0$ and $I(\neg l) < 1$. Then $\mathit{not}\,l \in \mathit{Neg}(\Gamma_P(I_n))$ (if $\mathit{not}\,l \notin \mathit{Neg}(\Gamma_P(I_n))$ this would imply $\mathit{not}\,l \in \mathit{Coh}(\mathit{Pos}(I_\omega))$, which is impossible since $I(\neg l) < 1$). $\mathit{not}\,l \in \mathit{Neg}(\Gamma_P(I_n))$ implies for all $l \leftarrow B(s) \in [P/I]$ the condition $I_n(B(s)) = 0$. But there is one rule $l \leftarrow B(r) \in P^{[J_n, I]}$, i.e. $[J_n, I](B(r)) \ge \tfrac{1}{2}$, $B(r) = l_1, \ldots, l_s, \mathit{not}\,m_1, \ldots, \mathit{not}\,m_t$. It is sufficient to show that $I_n(\mathit{tr}(B(r))) \ge \tfrac{1}{2}$, which gives a contradiction. The condition $I_n(\mathit{tr}(B(r))) \ge \tfrac{1}{2}$ follows from lemma 2.

We finally show that for all $J$ such that $J_n \le_t J \le_t J_{n+1}$ satisfying the conditions 1. and 2. it follows $J = J_{n+1}$ (i.e. $J_{n+1}$ is a minimal extension satisfying 1. and 2.). Assume that $J$ satisfies 1. and 2. From 1. follows that $\mathit{Pos}(J_{n+1}) \subseteq \mathit{Pos}(J)$, hence $\mathit{Pos}(J_{n+1}) = \mathit{Pos}(J)$. It remains to show that $\mathit{Neg}(J_{n+1}) = \mathit{Neg}(J)$, and since $\mathit{Neg}(J_{n+1}) \subseteq \mathit{Neg}(J)$ it is sufficient to show that $\mathit{Neg}(J) \subseteq \mathit{Neg}(J_{n+1})$. From 2. follows for all $r \in P^{[J_n, I]}$ the condition $(J(H(r)) \ge \tfrac{1}{2} \vee I(\neg H(r)) = 1)$. Assume, by contradiction, $\mathit{Neg}(J) \not\subseteq \mathit{Neg}(J_{n+1})$. Then there is a default literal $\mathit{not}\,l \in \mathit{Neg}(J)$ such that $\mathit{not}\,l \notin \mathit{Neg}(J_{n+1})$. Obviously, $\mathit{not}\,l \notin \mathit{Coh}(I_\omega)$, otherwise we would have $\mathit{not}\,l \in \mathit{Neg}(J_{n+1})$ since $\mathit{Coh}(I_\omega)$ is contained in any $\mathit{Neg}(J_n)$. The condition $\mathit{not}\,l \notin \mathit{Coh}(I_\omega)$ implies $I(\neg l) \ne 1$. By assumption $J(l) = 0$; also $\mathit{not}\,l \notin \mathit{Neg}(I_{n+1})$, and by definition of $I_{n+1}$ there is a rule $r \in \mathit{tr}_I(P)$ such that $I_n(B(r)) \ge \tfrac{1}{2}$ and $H(r) := l$. Let $\mathit{tr}_I(B(s)) = B(r)$. Then, by lemma 2, we have $[J_n, I](B(s)) \ge \tfrac{1}{2}$; hence $s \in P^{[J_n, I]}$. Since $J$ satisfies condition 2. and $I(\neg l) \ne 1$, this implies $J(l) \ge \tfrac{1}{2}$, which yields a contradiction. □

^5 A similar proposition may be proved for Pr-models of $P$.



Let $P \subseteq \mathit{ENLP}$ and $I$ be a coherent and consistent set of extended literals. We may test whether $I$ is a partial stable AP-model or a partial stable Pr-model by using proposition 8. Let $\kappa \le \omega$ and $\{I_n : n < \kappa\}$ a sequence of interpretations satisfying the conditions 1., 2., and 4. of definition 7 with respect to $I$. Such a sequence is said to be a successful AP-sequence for $(P, I)$ if $I = \sup_{n<\kappa} I_n$ and one of the following conditions is satisfied:

(1) $\kappa = \omega$ and $\{I_n : n < \kappa\}$ does not stabilize at any $m < \kappa$;

(2) $\kappa < \omega$ and $\{I_n : n < \kappa\}$ stabilizes at a number $m < \kappa$.

From proposition 8 and corollary 6 follows:

Proposition 9. Let $P$ be an extended normal logic program and $I$ be a coherent and consistent interpretation. $I$ is a stationary generated AP-model of $P$ if and only if there exists a successful AP-sequence for $(P, I)$.

An analogous proposition holds for stationary generated Pr-models.

Example 7. Let $P = \{c \leftarrow a;\ a \leftarrow b;\ b \leftarrow \mathit{not}\,b;\ \neg a\}$ and $I = \{\neg a, \mathit{not}\,a, \mathit{not}\,c, \mathit{not}\,\neg b, \mathit{not}\,\neg c\}$.

Then there exists a successful AP-sequence for $(P, I)$:

Take $I_0 = \{\mathit{not}\,a, \mathit{not}\,\neg a, \mathit{not}\,c, \mathit{not}\,\neg c, \mathit{not}\,b, \mathit{not}\,\neg b\}$.

Then $P_{[I_0, I]} = \{\neg a\}$ and $P^{[I_0, I]} = \{\neg a;\ b \leftarrow \mathit{not}\,b\}$. Take $I_1 := I$; then $I_1$ is a minimal $t$-extension of $I_0$ such that $I_1(\neg a) = 1$ and $I_1(b) \ge \tfrac{1}{2}$.

Now consider $P_{[I_1, I]} = \{\neg a\}$ and $P^{[I_1, I]} = \{\neg a;\ a \leftarrow b;\ b \leftarrow \mathit{not}\,b\}$. There is a minimal $t$-extension $I_2$ of $I_1$, namely $I_2 = I_1$, such that $I_2(\neg a) = 1$, $I_2(b) \ge \tfrac{1}{2}$ and $(I_2(a) \ge \tfrac{1}{2} \vee I(\neg a) = 1)$. Hence, the sequence $\{I_0, I_1, I_2\}$ is a successful AP-sequence for $(P, I)$ of length 2 which stabilizes at 1; it is $I_1 = I_2 = I$.
It is easy to see that there is no successful Pr-sequence for $(P, I)$.

6 Conclusion 

By introducing a new general definition of stationary generated models, we have sketched the idea of a stationary model theory for logic programs. The conceptual tools presented may be useful for a systematic study of partial models of extended logic programs. One interesting invariant of a model $I$ of $P$ is the set $\mathit{StatC}(I)$ of its stationary chains constructed according to definition 7. Evidently, $I$ is stationary generated if there is a chain in $\mathit{StatC}(I)$ reaching $I$. Furthermore, it seems to be possible to analyze further extensions of normal logic programs, such as quantifiers in bodies and heads of rules. An interesting task is to find natural cumulative approximations of the inference operation $C_{statg}$. An inference operation $C : \mathit{Pow}(\mathit{EGLP}) \to \mathit{Pow}(\mathit{QF})$ is a cumulative approximation of $C_{statg}$ iff the following conditions are fulfilled:

1. For all $P \subseteq \mathit{EGLP}$ it is $C(P) \subseteq C_{statg}(P)$;

2. for extended normal logic programs $P$ it is $C(P) = C_{statg}(P)$;

3. $C$ is cumulative for arbitrary extended generalized logic programs $P$, i.e. for all $X \subseteq C(P) \cap \mathit{QF}$ it holds that $C(P) = C(P \cup X)$.

Recently, several kinds of semantics were studied beyond the class of normal logic programs. Gelfond and Lifschitz and Przymusinski Q expand the stable model semantics to the class of disjunctive logic programs admitting two kinds of negation, classical negation $\neg$ and default negation $\mathit{not}$. Their semantics do not assume coherency, a condition that we consider very natural.

Super logic programs were introduced in ^9; they form a proper subclass of generalized logic programs. The semantics is based on the notion of a minimal belief operator, which is part of the Autoepistemic Logic of Beliefs. This approach does not include strong negation and the coherency principle.

Brass and Dix investigate in Q the so-called D-WFS-semantics for normal disjunctive logic programs. This semantics is defined by an abstract inference operation satisfying certain structural properties of proof-theoretical type. The D-WFS semantics does not determine a proper model theory; furthermore, it is not clear how to expand it to generalized logic programs.

Lifschitz, Tang and Turner propose in a semantics for logic programs allowing nested expressions in the heads and the bodies of the rules. The syntax of these programs is similar to ours, but the semantics differs.

Pearce presents in an elegant characterization of the non-monotonic inference relation associated with the stable model semantics by using intuitionistic logic.
Abstract. van Gelder's alternating fixpoint theory has proven to be a very useful tool for unifying and characterizing various semantics for logic programs without priority. In this paper we propose an extension of van Gelder's alternating fixpoint theory and show that it can be used as a general semantic framework for logic programs with priority. Specifically, we define three declarative and model-theoretic semantics in this framework for prioritized logic programs: prioritized answer sets, prioritized regular extensions and prioritized well-founded model. We show that all of these semantics are natural generalizations of the corresponding semantics for logic programs without priority. We also show that these semantics have some other desirable properties. In particular, they can handle conflicts caused indirectly by the priorities.

Keywords: Logic programs, alternating fixpoints, priority, answer sets, well-founded model.



1 Introduction 

Priorities play an important role in logic programming, and they arise in various applications for various purposes. For example, in inheritance hierarchies it is generally assumed that more specific rules have precedence over less specific ones, and the exact axiomatization of this intuition has been attempted and investigated extensively by researchers in default reasoning. Other application domains include reasoning about actions and causality, where causal effect rules are considered to be preferred over inertia rules, and legal reasoning and diagnosis.

There have been some proposals for axiomatizing prioritized logic programs (for example, ), but as pointed out in B, they are far from satisfactory. In particular, they cannot handle indirect conflicts. Consider the following program $P$:

$R1 : p \leftarrow q_1$

$R2 : \neg p \leftarrow q_2$

$R3 : q_1 \leftarrow \sim w_1$

$R4 : q_2 \leftarrow \sim w_2$

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 164^^ 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
If a priority between $R1$ and $R2$ is specified, the situation is simple enough to be dealt with by many existing approaches. However, in many cases we are only informed of a priority between $R3$ and $R4$, say $R3 \prec R4$. Intuitively, $R1$ has precedence over $R2$ implicitly, and $p$ should be derived from $P$ rather than $\neg p$. Unfortunately, most existing semantics for prioritized logic programs are unable to represent such domains.

In this paper, we shall propose an extension to van Gelder's alternating fixpoint theory and use it as a uniform semantic framework to give three different semantics to logic programs with priorities. These three semantics have their correspondences for logic programs without priorities, capture different intuitions about logic programs and are tailored for different application needs.

This paper is organized as follows. Motivated by van Gelder's alternating fixpoint theory and the semi-constructive definition of extensions in default logic m, in section 3 we develop a semantic framework for prioritized logic programs, in which various semantics can be defined. In particular, we define three semantics, prioritized answer sets, prioritized regular extensions and prioritized well-founded model, in section 4, and some demonstrating examples are given. In section J we prove some important semantic properties to justify the suitability of our semantics. We prove that these three semantics generalize the traditional well-known answer set semantics, regular extension semantics and well-founded semantics, respectively. The relation of our approach to some other semantics is compared in section ^. Section ^ is our conclusion.

2 Alternating Fixpoints without Priority 

In this section, we briefly review the alternating fixpoint theory in and related definitions.

An extended logic program $P$ is a finite set of rules of the form

$R : l \leftarrow l_1, \ldots, l_r, \sim l_{r+1}, \ldots, \sim l_m$

where the $l$s with or without subscripts are literals, the symbol $\sim$ is default negation and the symbol $\neg$ is explicit negation. A literal is either an atom $a$ or its explicit negation $\neg a$. The set of literals of $P$ is denoted $\mathit{Lit}$.

A rule $R$ of an extended logic program is also expressed as $\mathit{head}(R) \leftarrow \mathit{pos}(R), \sim \mathit{neg}(R)$, where $\mathit{head}(R) = l$, $\mathit{pos}(R) = \{l_1, \ldots, l_r\}$ and $\mathit{neg}(R) = \{l_{r+1}, \ldots, l_m\}$.

We assume all logic programs are propositional and each rule $R$ is automatically interpreted into its "semi-normal" rule $\mathit{head}(R) \leftarrow \mathit{pos}(R), \sim \mathit{neg}(R), \sim \neg \mathit{head}(R)$. The reason will be explained later on.

The alternating fixpoint theory, introduced by van Gelder Q, has proven to be a very useful tool to unify and characterize different semantic intuitions for logic programs (without priority). This theory is based on an immediate consequence mapping.

Let $P$ be an extended logic program and $S$ a set of literals. $S$ is logically closed if it is consistent or is $\mathit{Lit}$.

The GL-transformation of $P$ with respect to $S$ is the logic program (without default negation) $P^S = \{\mathit{head}(R) \leftarrow \mathit{pos}(R) \mid R \in P,\ \mathit{neg}(R) \cap S = \emptyset\}$. The set $C_P(S)$ of consequences of $P^S$ is the smallest set of literals which is both logically closed and closed under the rules of $P^S$.

For any set $S$ of literals, $\mathit{GR}(P, S) = \{R \in P \mid \mathit{pos}(R) \subseteq S,\ \mathit{neg}(R) \cap S = \emptyset\}$ is said to be the generating set of $S$ in $P$.

Notice that, if $C_P(S)$ is consistent, then $C_P(S) = T_{P^S} \uparrow \omega$, where $T_{P^S}$ is the immediate consequence operator of $P^S$ obtained by considering each negative literal as a new atom. $C_P(S)$ is anti-monotonic, i.e. $C_P(S_1) \subseteq C_P(S_2)$ whenever $S_2 \subseteq S_1$.

The alternating operator $A_P(S) = C_P(C_P(S))$ is defined through the immediate consequences $C_P(S)$. It is known that $A_P$ is a monotonic operator. A fixpoint of $A_P$ is said to be an alternating fixpoint of $P$. An alternating fixpoint $S$ is normal if $S \subseteq C_P(S)$.

By the alternating fixpoint theory, many semantics for logic programs can be defined, including the following three:

1. The well-founded model: the least alternating fixpoint.

2. The regular extensions: the maximal normal alternating fixpoints.

3. The answer sets: a special kind of the maximal normal alternating fixpoints (namely, $C_P(S) = S$).
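As an added example (not the paper's own code), the Python below implements the operators of this section, $C_P$, $A_P$ and the three semantics, for propositional extended programs under the semi-normal reading, and runs them on the programs of the paper's Examples 3 and 4 with their priorities dropped: without priority the Tweety program keeps both $S$ and $S'$ as answer sets, which is what the prioritized semantics later rules out. The string encoding of literals is an assumption.

```python
# Added example, not from the paper: van Gelder's alternating fixpoint theory
# as recalled in Section 2, applied to the paper's programs without priority.
# Assumed conventions: a literal is a string and explicit negation is a leading
# "-" ("-Fly" is ¬Fly); a rule is (head, pos, neg) with the default-negated body
# literals in neg; programs are propositional.
from itertools import combinations
from typing import FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[str, FrozenSet[str], FrozenSet[str]]
Lits = FrozenSet[str]


def rule(head: str, pos: Iterable[str] = (), neg: Iterable[str] = ()) -> Rule:
    return (head, frozenset(pos), frozenset(neg))


def explicit_neg(lit: str) -> str:
    return lit[1:] if lit.startswith("-") else "-" + lit


def semi_normal(program: List[Rule]) -> List[Rule]:
    """Every rule head <- pos, ~neg is read as head <- pos, ~neg, ~¬head."""
    return [(h, p, n | {explicit_neg(h)}) for h, p, n in program]


def all_literals(program: List[Rule]) -> Lits:
    """Lit: every literal occurring in P together with its explicit negation."""
    lits: Set[str] = set()
    for h, p, n in program:
        lits |= {h} | p | n
    return frozenset(lits | {explicit_neg(l) for l in lits})


def consistent(s: Iterable[str]) -> bool:
    s = set(s)
    return not any(explicit_neg(l) in s for l in s)


def consequences(program: List[Rule], s: Lits, lit: Lits) -> Lits:
    """C_P(S): GL-transform P by S, then take the least set closed under the
    reduct; an inconsistent closure collapses to Lit (logical closure)."""
    reduct = [(h, p) for h, p, n in program if not (n & s)]
    closure: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for h, p in reduct:
            if p <= closure and h not in closure:
                closure.add(h)
                changed = True
    return frozenset(closure) if consistent(closure) else lit


def alternating(program: List[Rule], s: Lits, lit: Lits) -> Lits:
    """A_P(S) = C_P(C_P(S))."""
    return consequences(program, consequences(program, s, lit), lit)


def well_founded(program: List[Rule]) -> Lits:
    """Least alternating fixpoint: iterate the monotone A_P from the empty set."""
    p, lit = semi_normal(program), all_literals(program)
    s: Lits = frozenset()
    while True:
        nxt = alternating(p, s, lit)
        if nxt == s:
            return s
        s = nxt


def _subsets(lit: Lits) -> Iterable[Lits]:
    ordered = sorted(lit)
    return (frozenset(c) for r in range(len(ordered) + 1)
            for c in combinations(ordered, r))


def regular_extensions(program: List[Rule]) -> Set[Lits]:
    """Maximal normal alternating fixpoints (S ⊆ C_P(S)); brute force over 2^|Lit|."""
    p, lit = semi_normal(program), all_literals(program)
    normal = [s for s in _subsets(lit)
              if alternating(p, s, lit) == s and s <= consequences(p, s, lit)]
    return {s for s in normal if not any(s < t for t in normal)}


def answer_sets(program: List[Rule]) -> Set[Lits]:
    """Fixpoints of C_P, i.e. C_P(S) = S."""
    p, lit = semi_normal(program), all_literals(program)
    return {s for s in _subsets(lit) if consequences(p, s, lit) == s}


# Constructed inputs: the paper's Example 4 (R1: p <- ~q, R2: q <- ~p) and the
# propositional Tweety program of Example 3, both without their priorities.
EX4 = [rule("p", neg=["q"]), rule("q", neg=["p"])]
TWEETY = [rule("-Fly", ["Peguin"], ["Fly"]),
          rule("Winged", ["Bird"], ["-Winged"]),
          rule("Fly", ["Winged"], ["-Fly"]),
          rule("Bird", ["Peguin"]),
          rule("Peguin")]
```

The brute-force enumeration is only meant for the small programs of this paper; for EX4 the well-founded model is empty while {p} and {q} are both regular extensions and answer sets.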



3 Alternating Fixpoints with Priority 

As noted in section 2, the existing alternating fixpoint approach considers only logic programs without priority. In this section, we will first define an intuitive generalization of the immediate consequence mapping for extended logic programs with priority, and then establish the corresponding alternating fixpoint theory.

Let $P$ be an extended logic program and $\prec$ an irreflexive and transitive binary relation on the rules of $P$. Then the pair $\mathcal{P} = (P, \prec)$ is said to be a prioritized logic program. By $R1 \prec R2$ we mean that $R1$ has precedence over $R2$.

Let $S_1$ and $S_2$ be two sets of literals in a prioritized logic program $\mathcal{P}$. A rule $R$ in $P$ is active with respect to the pair $(S_1, S_2)$ if $\mathit{pos}(R) \subseteq S_1$ and $\mathit{neg}(R) \cap S_2 = \emptyset$. In particular, if $S_1 = S_2 = S$, then $R$ is active with respect to $(S, S)$ if and only if the body of $R$ is satisfied by $S$ (in the usual sense).

For two rules $R1$ and $R2$ such that $R1 \prec R2$ (i.e. $R1$ has precedence over $R2$), there are often two kinds of existing approaches to represent this preference relation. One is to reflect that $R2$ will not be applied provided that $R1$ is applicable. The other is to reflect that the rule with higher priority is applied first: (1) if both $R1$ and $R2$ are applicable, $R1$ is applied first; (2) if $R1$ has been applied and $R2$ is applicable, then $R2$ can still be applied.

As argued by Delgrande and Schaub in P, the second kind of approach may be more general and thus can be used in wider application domains. The following definition is designed to reflect the second intuition.
Definition 1. Let $\mathcal{P} = (P, \prec)$ be a prioritized logic program and $S$ be a set of literals. Set

$S_0 = \emptyset$,

$S_{i+1} = S_i \cup \{l \mid$ there exists a rule $R$ of $P$ such that (1) $\mathit{head}(R) = l$ and $R$ is active with respect to $(S_i, S)$ and, (2) no rule $R' \prec R$ is active with respect to $(S, S_i)$ with $\mathit{head}(R') \notin S_i\}$.

Then the reduct of $\mathcal{P}$ with respect to $S$ is defined as the set of literals $C_{\mathcal{P}}(S) = \bigcup_{i \ge 0} S_i$ if $\bigcup_{i \ge 0} S_i$ is consistent. Otherwise, $C_{\mathcal{P}}(S) = \mathit{Lit}$.

The rule $R$ is accepted by stage $i+1$ with respect to $S$ if $R$ satisfies the above two conditions in the definition of $S_{i+1}$. The sequence $S_0, S_1, \ldots, S_i, \ldots$ will be called the A-sequence of $S$ in $\mathcal{P}$.

We may note that $C_{\mathcal{P}}$ and $C_P$ are two quite different operators. This abuse of notation should cause no confusion in understanding this paper. The main difference of our definition from van Gelder's approach is that we obtain the consequences from $\mathcal{P}$ and $S$ directly. The traditional approaches (i.e. without considering priority) first obtain a positive program from $P$ with respect to $S$ and then derive the consequences from this positive program.

Another point on the above definition that should be addressed is why we do not replace the pair $(S, S_i)$ by the pair $(S_i, S)$ in condition (2) of the definition of $S_{i+1}$. The reason for this can be explained by the following example.

Example 1. Let $\mathcal{P}$ be a prioritized logic program as follows:

$R1 : p \leftarrow q$

$R2 : \neg p \leftarrow q''$

$R3 : q'' \leftarrow q'$

$R4 : q \leftarrow$

$R5 : q' \leftarrow$

Here $R2 \prec R1 \prec R3$. We should not infer $p$ since $R2 \prec R1$. Though $R2 \prec R1$, we cannot infer $\neg p$ either, because $R2$ depends on the rule $R3$ and $R1 \prec R3$.

This means that we should assign both $p$ and $\neg p$ the truth value 'undefined'. However, if we replace $(S, S_i)$ by $(S_i, S)$ in Definition 1, then $p$ is inferred. As a semantics for general purpose, we do not expect such a conclusion, though there also exist some domains that need a more credulous interpretation. Thus, we adopt a skeptical approach in our Definition 1 to treat the conflicts among rules.

The transformation $C_{\mathcal{P}}$ is not a monotonic operator in general, but we can prove its anti-monotonicity.

Lemma 1. $C_{\mathcal{P}}$ is an anti-monotonic operator. That is, for any two sets $S$ and $S'$ of literals such that $S \subseteq S'$, $C_{\mathcal{P}}(S') \subseteq C_{\mathcal{P}}(S)$.

Proof. If $S \subseteq S'$, it suffices to prove that, for any number $i \ge 0$,

$S'_i \subseteq S_i$ (*)

where $S_i$ and $S'_i$ are defined as in Definition 1.

The proof of (*) is a direct induction on $i$ and thus we omit it here.



Definition 2. Let $\mathcal{P} = (P, \prec)$ be a prioritized logic program. The alternating transformation of $\mathcal{P}$ is defined as, for any set $S$ of literals,

$A_{\mathcal{P}}(S) = C_{\mathcal{P}}(C_{\mathcal{P}}(S))$.

Proposition 1. The operator $A_{\mathcal{P}}$ is monotonic and thus possesses the least fixpoint.

Proof. It follows from Lemma 1 and Tarski's Theorem.

A fixpoint of $A_{\mathcal{P}}$ is called an alternating fixpoint of $\mathcal{P}$.

By now, we have established the basic semantic framework for prioritized logic programs by using the alternating fixpoint approach, in which a semantics of prioritized logic programs can be defined as a subset of the alternating fixpoints.



4 Semantics for Prioritized Logic Programs 

In this section we will define three semantics in the framework established in section 3: prioritized answer sets, prioritized regular extensions and prioritized well-founded model. Like the traditional answer set semantics and well-founded model without priority, our new semantics are also to represent two intuitions in AI, i.e. maximalism and minimalism. It should be noted that we will omit the adjective 'prioritized' or add an adjective 'unprioritized' when we mention a semantics for logic programs without priority.

To characterize credulous reasoning, it is natural to choose all the maximal alternating fixpoints as the intended models of a prioritized logic program. If $S$ is a maximal alternating fixpoint of the prioritized program $\mathcal{P} = (P, \prec)$, it may be the case that $S \not\subseteq C_{\mathcal{P}}(S)$. This case is not what we want, since for an intended model $S$ every literal in $S$ should be derived from $\mathcal{P}$ with respect to $S$.

Definition 3. Let $\mathcal{P} = (P, \prec)$ be a prioritized logic program. $S$ is a prioritized regular extension of $\mathcal{P}$ if it is a maximal normal alternating fixpoint of $\mathcal{P}$: for any normal alternating fixpoint $S'$ of $\mathcal{P}$ such that $S \subseteq S'$, $S' = S$.

The prioritized semantics PRE (i.e. prioritized regular extension semantics) for $\mathcal{P}$ is defined as the set of its prioritized regular extensions.

This definition has the same form as the characterization of the regular extensions without priority in
Example 2. Consider the following prioritized logic program:

$R1 : q \leftarrow \sim p$
$R2 : w \leftarrow \sim w$

The rule $R1$ has precedence over $R2$: $R1 \prec R2$. This prioritized program has the unique prioritized regular extension $S = \{q\}$. Notice that $S$ is not a fixpoint of $C_{\mathcal{P}}$ since $C_{\mathcal{P}}(S) = \{w, q\}$.

Example 3. Suppose we have a knowledge base as follows:

$R'_1 : \neg \mathit{Fly}(x) \leftarrow \mathit{Peguin}(x), \sim \mathit{Fly}(x)$

$R'_2 : \mathit{Winged}(x) \leftarrow \mathit{Bird}(x), \sim \neg \mathit{Winged}(x)$

$R'_3 : \mathit{Fly}(x) \leftarrow \mathit{Winged}(x), \sim \neg \mathit{Fly}(x)$

$R'_4 : \mathit{Bird}(x) \leftarrow \mathit{Peguin}(x)$

$R'_5 : \mathit{Peguin}(\mathit{Tweety}) \leftarrow$

By the principle of specificity, $R'_1 \prec R'_2$.

The difference of this example from the classical Bird-Fly example is that there is no explicit priority between $R'_1$ and $R'_3$, but there is an implicitly specified priority between $R'_1$ and $R'_3$: $R'_1$ has precedence over $R'_3$ since $R'_3$ depends on $R'_2$ and $R'_1 \prec R'_2$.

Intuitively, a suitable semantics for this knowledge base should infer $\neg \mathit{Fly}(\mathit{Tweety})$ and $\mathit{Winged}(\mathit{Tweety})$. In particular, any suitable semantics should not contain the set $\{\mathit{Peguin}(\mathit{Tweety}), \mathit{Bird}(\mathit{Tweety}), \mathit{Fly}(\mathit{Tweety}), \mathit{Winged}(\mathit{Tweety})\}$ as a model.

For simplicity, we rewrite the above rules as the following prioritized logic program $\mathcal{P} = (P, \prec)$:

$R1 : \neg \mathit{Fly} \leftarrow \mathit{Peguin}, \sim \mathit{Fly}$

$R2 : \mathit{Winged} \leftarrow \mathit{Bird}, \sim \neg \mathit{Winged}$

$R3 : \mathit{Fly} \leftarrow \mathit{Winged}, \sim \neg \mathit{Fly}$

$R4 : \mathit{Bird} \leftarrow \mathit{Peguin}$

$R5 : \mathit{Peguin} \leftarrow$

$R1 \prec R2$.

Let $S = \{\mathit{Peguin}, \mathit{Bird}, \neg \mathit{Fly}, \mathit{Winged}\}$ and $S' = \{\mathit{Peguin}, \mathit{Bird}, \mathit{Fly}, \mathit{Winged}\}$. It can be verified that $S$ is the unique prioritized regular extension but $S'$ is not. However, the prioritized semantics in Q and admit $S'$ as an intended model.

Another interesting credulous semantics for $\mathcal{P}$ is defined by the set of all fixpoints of $C_{\mathcal{P}}$ (this set is also a set of alternating fixpoints).

Definition 4. $S$ is said to be a prioritized answer set of $\mathcal{P}$ if $S$ is a fixpoint of $C_{\mathcal{P}}$: $C_{\mathcal{P}}(S) = S$.

The semantics PAS (i.e. prioritized answer set semantics) of $\mathcal{P}$ is defined by the set of all prioritized answer sets of $\mathcal{P}$.

In Example 3, $S = \{\mathit{Peguin}, \mathit{Bird}, \neg \mathit{Fly}, \mathit{Winged}\}$ is also a prioritized answer set of $\mathcal{P}$. In general, each prioritized answer set is a prioritized regular extension. But a prioritized regular extension may not be a prioritized answer set, as Example 2 has shown.

Proposition 2. If $S$ is a prioritized answer set of $\mathcal{P}$, then $S$ is also a prioritized regular extension of $\mathcal{P}$.

However, it should be noted that our definition of prioritized answer sets cannot 'tolerate' too unreasonable an ordering. For instance, suppose $P$ has three rules $R1 : q \leftarrow w$, $R2 : p \leftarrow$ and $R3 : w \leftarrow$. Suppose $R1 \prec R2 \prec R3$; then, intuitively, $R1$ should not have precedence over $R3$ since $R1$ depends on $R3$. It is not hard to verify that $\mathcal{P} = (P, \prec)$ has no prioritized answer set, though $P$ has the unique answer set $\{w, p, q\}$.

The third semantics that will be defined in our semantic framework is named the prioritized well-founded model, which is to characterize skeptical reasoning in artificial intelligence as the traditional well-founded semantics does.

Definition 5. The prioritized well-founded model of $\mathcal{P} = (P, \prec)$ is defined as the least alternating fixpoint of $\mathcal{P} = (P, \prec)$.

The semantics PWF (i.e. prioritized well-founded semantics) of $\mathcal{P}$ is defined by the prioritized well-founded model of $\mathcal{P}$.

Proposition 3. Every prioritized logic program has a unique prioritized well-founded model.

Proof. It follows directly from Proposition 1.

This proposition shows that our prioritized well-founded semantics also possesses an important semantic property: completeness.

One often criticized deficiency of the well-founded model without priority is that it is so skeptical that, in many cases, nothing useful can be derived from programs under the well-founded semantics. To a certain degree, our prioritized well-founded semantics may overcome this problem, as the following two examples demonstrate. This will also be shown theoretically in the next section.

Example 4. Let P consist of the two rules

    R1 : p ← not q
    R2 : q ← not p

with R1 ≺ R2. Then the prioritized well-founded model of 𝒫 = (P, ≺) is {p}. Notice that the well-founded model of P is ∅.

The next example further shows how to resolve conflicts with the prioritized 
well-founded model. 
Example 5. Imagine the following scenario: when a train is approaching a bridge, the robot driver is told that a bomb may have been put under the bridge, and thus he stops the train. He is also told that he cannot pass the bridge if this reported bomb is not found. Afterwards, he is told again that there is enough evidence that there is no such bomb under the bridge. According to our commonsense, at this moment, the train can pass the bridge. This knowledge can be represented as an extended logic program P as follows:

    R1 : ¬pass ← not bombFound, not pass
    R2 : pass ← ¬bomb, not ¬pass
    R3 : ¬bombFound ← ¬bomb
    R4 : ¬bomb ←

R2 ≺ R1 because the rule R2 is newer than R1.

It can be verified that the prioritized well-founded model of 𝒫 = (P, ≺) is {¬bomb, ¬bombFound, pass}, which is just our intuition on this program. But the ordinary well-founded semantics cannot say 'yes' or 'no' about 'pass'. Notice that ¬pass cannot be added to S_1, since R2 ≺ R1 and R2 is active with respect to (S, S_0) (though R1 is also active with respect to (S, S_0)).

As mentioned before, if both rules R1 and R2 appear in 𝒫 and their heads are complementary literals, then we understand these rules as their corresponding semi-normal counterparts. For example, if P consists of the two rules R1 : p ← not q and R2 : ¬p ← q, and R1 ≺ R2, then P is actually understood as

    {p ← not q, not ¬p;   ¬p ← q, not p}.

Under this assumption, the prioritized program 𝒫 has the unique intended model {p}. Otherwise, 𝒫 would be inconsistent.



5 Properties of Prioritized Semantics

Currently there are many different proposals about the semantics of logic programs with priorities. It is too early to say which one will eventually prevail. In the meantime, it may be useful to look at reasonable "postulates" that a sound semantics should satisfy. Recently, Brewka and Eiter [ref] proposed two such postulates:

P1. Let B1 and B2 be two belief sets of a prioritized theory (T, <) generated by the (ground) rules R ∪ {d1} and R ∪ {d2}, where d1, d2 ∈ T, respectively. If d1 is preferred over d2, then B2 is not an intended belief set of T.

P2. Let B be an intended belief set of a prioritized theory (T, <) and r a (ground) rule such that at least one prerequisite of r is not in B. Then B is an intended belief set of (T ∪ {r}, <') whenever <' agrees with < on priorities among rules in T.

Unfortunately, many of the existing prioritized semantics do not satisfy these postulates, as pointed out by Brewka and Eiter [ref], and it is not clear whether the fault is with most of the current semantics or whether the postulates are too strict. However, at least the following example shows that P1 is not so intuitive.
Let (P, <) be the following logic program with r1 < d1 < d2:

    r1 : bird ←
    d1 : ¬fly ← peguin
    d2 : fly ← not peguin, bird

We observe that: (1) ¬peguin and bird should be included in the intended belief set; (2) the rule d1 is defeated by r1; and thus (3) d2 could be used to derive further beliefs. Accordingly, the intended belief set should be B = {bird, ¬peguin, fly}. But, if we take R = {r1}, P1 does not allow d2 to be used in the case that d1 is defeated.

In this paper, we are going to play on the safe side and consider some relationships between semantics for logic programs with priorities and those without. In this direction, we notice that for logic programs without priorities there are some well understood semantics, such as the well-founded model and the answer set semantics. It seems to us reasonable, then, that a proposed new semantics for logic programs with priorities should be an extension of one of the semantics for logic programs without priorities. Since, as is well known, all major semantics for logic programs without priorities agree on logic programs that are stratified, this means that for any stratified logic program, if the priorities associated with the rules are consistent with the stratification, then any semantics for this prioritized logic program should agree as well. In particular, they should agree with the perfect model semantics, which is indeed the case for our three semantics, as we shall show in this section. It should be noted that many semantics for prioritized logic programs are only defined for total orderings, and thus these semantics do not possess the above mentioned properties.

We start with the following lemma, which will be crucial in proving the results of this section. In the following, we assume that all programs are finite propositional programs.

Lemma 2. Let S be a set of literals in 𝒫 = (P, ≺). Then

1. C_𝒫(S) ⊆ C_P(S).

2. if S ⊆ C_𝒫(S), then C_𝒫(S) = C_P(S).

3. if ≺ is empty, then C_𝒫(S) = C_P(S).

Proposition 4. For any prioritized logic program 𝒫 = (P, ≺), each prioritized regular extension of 𝒫 is contained in a regular extension of P. In particular, if the relation ≺ is empty, then S is a prioritized regular extension of 𝒫 if and only if S is a regular extension of P.

This proposition reveals two connections between prioritized regular extensions and unprioritized regular extensions: (1) adding priorities makes the information represented by the logic program without priority more concrete (the number of 'models' and the number of elements in each 'model' are in general both reduced); (2) when the priority relation is empty (i.e. there are no preferences among rules), the prioritized regular extension semantics is the same as the unprioritized regular extension semantics. These two properties seem natural.

The next proposition shows that our prioritized answer sets generalize Gelfond and Lifschitz's answer sets [ref].

Proposition 5. A prioritized answer set of 𝒫 = (P, ≺) is also an answer set of P. In particular, if ≺ is empty, S is a prioritized answer set of 𝒫 = (P, ≺) iff S is an answer set of P.

Like the well-founded model without priority, the prioritized well-founded 
model also possesses the property of completeness. 

Proposition 6. Every prioritized logic program has a prioritized well-founded 
model. 

Proof. It follows directly from Proposition [ref].

The relationship between the well-founded model and the prioritized well- 
founded model can be stated as follows. 

Proposition 7. Let M_𝒫 be the prioritized well-founded model of 𝒫 = (P, ≺) and M the well-founded model of P. Then M ⊆ M_𝒫. In particular, if ≺ = ∅, then M = M_𝒫.

Proof. If M_𝒫 = Lit, then M = Lit and the conclusion is obvious. We need only consider the case when M_𝒫 is consistent. Since M_𝒫 is a normal alternating fixpoint of 𝒫, it follows that M_𝒫 is a normal alternating fixpoint of P by Lemma 2. Since the well-founded model M is the least alternating fixpoint of P, we have M ⊆ M_𝒫.

The last part is obvious from Lemma 2.

Proposition 7 and Example [ref] show that the prioritized well-founded semantics is in general less skeptical than the traditional well-founded semantics. This proposition also makes it possible to overcome the drawback (i.e. being too skeptical) of the traditional well-founded model by adding preferences to the rules of logic programs.

In the rest of this section, we study the relation of our three prioritized semantics to the perfect model [ref]. The perfect model semantics of stratified logic programs has already been well accepted. Moreover, a stratification of a stratified program P actually determines a priority on the rules of the program, and thus a prioritized logic program 𝒫 is obtained. Intuitively, a suitable semantics for priority should be consistent with the perfect model. Namely, for any stratified logic program, 𝒫 should have a unique 'model' M, and M should be exactly the perfect model of P.

The following proposition shows that the prioritized regular extensions, prioritized answer sets and prioritized well-founded model exactly reflect the semantic intuition above.
Definition 6. A logic program P (without explicit negation) is said to be stratified if P has a partition (i.e. stratification) P = P_1 ∪ ··· ∪ P_t such that the following conditions are satisfied:

1. P_i ∩ P_j = ∅ for i ≠ j.

2. If a rule R is in P_i, then the atoms in pos(R) can appear only in ⋃_{j≤i} P_j and the atoms in neg(R) can appear only in ⋃_{j<i} P_j.

We recall that pos(R) is the set of atoms that appear positively in the body of R; neg(R) is the set of atoms that appear negatively in the body of R.

The perfect model of the stratified logic program P is recursively defined as follows.

— P'_1 := P_1 and M_1 := T_{P'_1} ↑ ω.

— P'_{i+1} := {p ← | p ∈ M_i} ∪ {head(R) ← pos(R) | R ∈ P_{i+1}, neg(R) ∩ M_i = ∅}, and M_{i+1} := T_{P'_{i+1}} ↑ ω.

Let P be a stratified logic program and P = P_1 ∪ ··· ∪ P_t a stratification of P. A natural priority relation ≺_s on P can be defined as:

    for any R1 and R2 in P, R1 ≺_s R2 if and only if R1 ∈ P_i and R2 ∈ P_j with i < j.

Thus, we obtain a prioritized logic program 𝒫 = (P, ≺_s) for any given stratified logic program P and a stratification.

Proposition 8. Let the prioritized logic program 𝒫 = (P, ≺_s) be defined as above and let M_t be the perfect model of P. Then

1. 𝒫 has the unique prioritized answer set M_t.

2. 𝒫 has the unique prioritized regular extension M_t.

3. 𝒫 has the unique prioritized well-founded model M_t.
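As an added illustration (this code is not from the paper), the following Python checks the two conditions of Definition 6 on a given partition and computes the perfect model stratum by stratum as T_{P'_i} ↑ ω, exactly as in the recursive definition above. The sample program, its strata and the helper names are constructed for the example. It also checks, via the Gelfond-Lifschitz reduct, that the perfect model is an answer set of P, which is what item 1 of Proposition 8 together with Proposition 5 predicts.

```python
# Added example, not the paper's code: stratification check (Definition 6) and
# the perfect model of a stratified program.  Rules are encoded as
# (head, positive body atoms, negated body atoms); all names are my own choice.

def rule(head, pos=(), neg=()):
    """A normal rule  head <- pos_1, ..., pos_m, not neg_1, ..., not neg_k."""
    return (head, tuple(pos), tuple(neg))

def tp_lfp(definite_rules, base):
    """T_P ↑ ω for a set of definite (negation-free) rules, starting from `base`."""
    model = set(base)
    changed = True
    while changed:
        changed = False
        for head, pos, _ in definite_rules:
            if head not in model and all(a in model for a in pos):
                model.add(head)
                changed = True
    return model

def is_stratification(strata):
    """Definition 6: strata are disjoint; a rule in P_i may use positively only
    atoms whose defining rules lie in P_1..P_i, and negatively only atoms whose
    defining rules lie in P_1..P_{i-1}.  Atoms never defined are simply false."""
    rules = [r for s in strata for r in s]
    if len(rules) != len(set(rules)):            # condition 1: P_i ∩ P_j = ∅
        return False
    highest = {}                                  # atom -> highest stratum defining it
    for i, s in enumerate(strata):
        for head, _, _ in s:
            highest[head] = max(highest.get(head, i), i)
    for i, s in enumerate(strata):                # condition 2
        for _, pos, neg in s:
            if any(highest.get(a, -1) > i for a in pos):
                return False
            if any(highest.get(a, -1) >= i for a in neg):
                return False
    return True

def perfect_model(strata):
    """M_1 := T_{P'_1} ↑ ω;  M_{i+1} := T_{P'_{i+1}} ↑ ω, where P'_{i+1} keeps the facts
    of M_i and, as definite rules, the rules of P_{i+1} whose negated atoms are
    all absent from M_i (their negated atoms are decided by lower strata)."""
    if not is_stratification(strata):
        raise ValueError("not a stratification (Definition 6)")
    m = set()
    for stratum in strata:
        kept = [(head, pos, ()) for head, pos, neg in stratum if not (set(neg) & m)]
        m = tp_lfp(kept, m)                       # the facts {p <- | p in M_i} are the base
    return m

def is_stable_model(rules, m):
    """Gelfond-Lifschitz check: m equals the least model of the reduct of `rules` by m."""
    m = set(m)
    reduct = [(head, pos, ()) for head, pos, neg in rules if not (set(neg) & m)]
    return tp_lfp(reduct, set()) == m

# Constructed sample program, stratified as P1 ∪ P2 ∪ P3 (my own, not the paper's):
P1 = [rule('bird'), rule('peguin')]
P2 = [rule('fly', pos=['bird'], neg=['peguin']), rule('walks', pos=['bird'])]
P3 = [rule('grounded', pos=['bird'], neg=['fly'])]
STRATA = [P1, P2, P3]

if __name__ == '__main__':
    pm = perfect_model(STRATA)
    print(sorted(pm), is_stable_model(P1 + P2 + P3, pm))
```

Swapping P1 and P2, or putting the two rules p ← not q and q ← not p into a single stratum, fails the Definition 6 check, so `perfect_model` refuses those inputs rather than silently computing something.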

Proposition 5 states that each prioritized answer set of a prioritized logic program 𝒫 = (P, ≺) is also an answer set of P. In turn, we will show that, for each answer set S of a logic program P, there is an ordering ≺ on the rules of P such that S is the unique prioritized answer set of 𝒫 = (P, ≺).

Proposition 9. Let P be a logic program and S an answer set of P. Then there is a well-order ≺ such that S is the unique prioritized answer set of the prioritized program 𝒫 = (P, ≺).

As noted previously, a totally ordered 𝒫 may have no prioritized answer set. But we will prove that, when the rules in P are totally ordered, 𝒫 = (P, ≺) has at most one prioritized answer set.

Proposition 10. Let ≺ be a total ordering on the rules of a logic program P. If 𝒫 = (P, ≺) has a prioritized answer set, then it has a unique one.

The two results above illustrate that, for any prioritized program 𝒫 = (P, ≺) such that ≺ is a total ordering, its prioritized answer set semantics PAS(𝒫) always outputs either nothing or the unique prioritized answer set (i.e. an answer set of P).
6 Comparison to Related Approaches

Several approaches treating priorities in the setting of logic programming have been described in the literature. In this section, we summarize their relationships to our approach.

Both the preferred answer sets in [ref] and the prioritized answer sets in [ref] extend Gelfond and Lifschitz's answer sets to handle rules with priority. Like our approach, they assume a priority among the rules of a logic program. The basic idea behind their approaches (though very different) is to transform a prioritized logic program 𝒫 into an unprioritized program; the answer sets of 𝒫 are then defined through the GL-answer sets of the obtained program. As shown in Example [ref], these semantics cannot correctly resolve conflicts caused by indirectly or implicitly specified priorities.

Another interesting definition of preferred answer sets was given in [ref]. This approach assumes a preference among the set of atoms of a program and bears a similar idea to the perfect model of stratified programs [ref].

Brewka's preferred well-founded model in [ref] extends the well-founded model to treat logic programs with priority. His approach is different from our prioritized well-founded model in at least two aspects: (1) he represents priority at the object level; (2) given a set of literals S, he first gradually extends the empty set to a set of rules and then obtains a set of literals as the transformation of S, whereas we directly extend the empty set and obtain the transformation of S. Though the precise relationship between Brewka's semantics and ours is not clear, we still believe these two semantics have some close connection.

Two argumentation-based semantics for prioritized logic programs are defined in [ref]. These approaches are also semantic frameworks for logic programs with priority. Clearly, their intuition is quite different from ours and they also obtain semantics different from ours. The approach in [ref] is to characterize the first kind of semantic intuition mentioned in Section [ref]. For example, let P consist of the two rules R1 : bird ← peguin and R2 : peguin ←. If R1 has precedence over R2, our semantics allows us to derive peguin and bird, but theirs allows us to derive only peguin. The difference between the semantics in [ref] and our approach can be illustrated by Example 4. According to our and Brewka's approaches, 𝒫 has the unique model {p}, but under Prakken and Sartor's semantics the priority between R1 : p ← not q and R2 : q ← not p has no effect on the reasoning in 𝒫. Namely, this prioritized program has two models, {p} and {q}, under their semantics.

Both our approach and BH-prioritized default logic [ref] employ the semi-constructive definition of default extensions, and our prioritized answer sets correspond to the BH-extensions. But they are different semantics, as shown in the following example.

Example 6. Let P consist of the following rules:

    R1 : p ← w, not q, not ¬p
    R2 : ¬p ← not p
    R3 : w ←

Here, R1 ≺ R2.

It can be verified that 𝒫 = (P, ≺) has the unique prioritized answer set S = {w, p}. This set should be the intended semantics. But if we regard P as a set of defaults and take W = ∅, then the prioritized default theory (P, W, ≺) has the unique BH-extension S', and S' contains ¬p rather than p.

Marek, Nerode and Remmel [ref] propose a bottom-up procedure for computing the answer sets of a logic program P when the rules of P are totally ordered. For each stable model S of P, there is a total ordering on P such that their procedure outputs S. This procedure is not sound with respect to our prioritized answer sets.

Example 7. Let P consist of the following rules:

    R1 : q ← not p
    R2 : w ← not u
    R3 : p ← w

Here, R1 ≺ R2 ≺ R3. Then the procedure proposed in [ref] outputs the set {q}, which is not a stable model of P. Under our semantics, 𝒫 has the unique prioritized answer set {w, p}.



There are also some other approaches to treating priority in default logic and logic programming, such as [ref]; we will not discuss them here.



7 Conclusion 

We have proposed a framework for studying logic programs with priorities based on van Gelder's alternating fixpoint theory for logic programs without priorities. To illustrate the usefulness of this framework, we have proposed three different semantics: PAS (the prioritized answer sets), PWF (the prioritized well-founded model) and PRE (the prioritized regular extensions), all of which have counterparts for logic programs without priorities, and have some additional properties. We believe that this framework is simple and intuitive. In the full version of this paper (see [ref]), we shall show that the semantics defined by our prioritized answer sets can also be used to represent defeasible causal theories. Hopefully, this theory might provide a unifying framework for different semantics with priority. Currently, we are also working on extending the argumentation-theoretic framework in [ref] to disjunctive logic programs with priority.

Recently, Marek, Truszczynski and Niemela [ref] discussed the stable model semantics (answer set semantics) as the foundation of a computational logic programming system (i.e. SLP). This system differs from standard logic programming systems in several aspects, including the following two important points:

— In the SLP, each program is assigned a collection of intended models rather than a single model.

— In the SLP, the rules of a program are interpreted as constraints on the objects to be computed.

Similar to the methods for solving constraint satisfaction problems, there are two steps in developing an SLP program for a given application domain: (1) specify an SLP program whose set of answer sets encodes the general domain of candidate objects; (2) add to this program more rules representing constraints that must be enforced.

As shown in [ref], many constraint satisfaction problems can be solved in SLP. However, if the preferences among rules are also enforced as constraints on the program obtained in the first step, the task of representing and solving application domains will most probably become simpler and more powerful. Thus, the semantics with priority may provide a suitable framework for SLP.
Abstract. How to extract negative information from programs is an important issue in logic programming. Here we address the problem for functional logic programs, from a proof-theoretic perspective. The starting point of our work is CRWL (Constructor based ReWriting Logic), a well established theoretical framework for functional logic programming, whose fundamental notion is that of non-strict non-deterministic function. We present a proof calculus, CRWLF, which is able to deduce negative information from CRWL-programs. In particular, CRWLF is able to prove 'finite' failure of reduction within CRWL.



1 Introduction 

We address in this paper the problem of extracting negative information from functional logic programs. The question of negation is a main topic of research in the logic programming field, and the most common approach is negation as failure, as an easy effective approximation to the CWA (closed world assumption), which is a simple, but uncomputable, way of deducing negative information from positive programs (see e.g. [ref] for a survey on negation in logic programming).

On the other hand, functional logic programming (FLP for short) is a powerful programming paradigm trying to combine the nicest properties of functional and logic programming (see [ref] for a now 'classical' survey on FLP). FLP subsumes pure logic programming: predicates can be defined as functions returning the value 'true', for which definite clauses can be written as conditional rewrite rules. In some simple cases it is enough, to handle negation, just to define predicates as two-valued boolean functions returning the values 'true' or 'false'. But negation as failure is far more expressive, and it is then of clear interest to investigate a similar notion for the case of FLP. Failure in logic programs, when seen as functional logic programs, corresponds to failure of reduction to 'true'. This generalizes to a natural notion of failure in FLP, which is 'failure of reduction'.

As the technical setting for our work we have chosen CRWL [ref], a well established theoretical framework for FLP. The fundamental notion in CRWL is that of non-strict non-deterministic function, for which CRWL provides a firm logical basis, as mentioned for instance in [ref]. Instead of equational logic, CRWL considers a Constructor based ReWriting Logic, presented by means of a proof calculus,

* The authors have been partially supported by the Spanish CICYT (project TIC 
98-0445-C03-02 ‘TREND’). 
which determines what statements can be deduced from a given program. In addition to the proof-theoretic semantics, [ref] develops a model theoretic semantics for CRWL, with existence of distinguished free term models for programs, and a sound and complete lazy narrowing calculus as operational semantics. The CRWL framework (with many extensions related to types, HO and constraints) has been implemented in the system TOY [ref].

Here we are interested in extending the proof-theoretic side of CRWL to cope with failure. More concretely, we look for a proof calculus, which will be called CRWLF ('CRWL with failure'), which is able to prove failure of reduction in CRWL. Since reduction in CRWL is expressed by proving certain statements, our calculus will provide proofs of unprovability within CRWL. As in the case of the CWA, unprovability is not computable, which means that our calculus can only give an approximation, corresponding to cases which can be intuitively described as 'finite failures'.

There are very few works about negation in FLP. In [ref] the work of Stuckey about constructive negation [ref] is adapted to the case of FLP with strict functions and innermost narrowing as operational mechanism. In [ref] similar work is done for the case of non-strict functions and lazy narrowing. That approach is very different from the proof-theoretic view of our work. The fact that we also consider non-deterministic functions makes a significant difference.

The proof-theoretic approach, although not very common, has sometimes been followed in the logic programming field, as in [ref], which develops for logic programs (with negation) a framework which resembles CRWL in a very general sense: a program determines a deductive system for which deducibility, validity in a class of models, validity in a distinguished model and derivability by an operational calculus are all equivalent. Our work attempts to be the first step of what could be a similar program for FLP extended with the use of failure as a programming construct.

The rest of the paper is organized as follows. In Section 2 we give the essentials of CRWL which are needed for our work. Section 3 presents the CRWLF-calculus, preceded by some illustrative examples. Section 4 contains the results about CRWLF. Most of the results are technically involved, and their proofs have been omitted for lack of space (full details can be found in [ref]). Section 5 contains some conclusions.

2 The CRWL Framework 

We give here a short summary of CRWL, in its proof-theoretic face. Model theoretic semantics and lazy narrowing operational semantics are not considered here. Full details can be found in [ref].

2.1 Technical Preliminaries 

We assume a signature Σ = DC_Σ ∪ FS_Σ where DC_Σ = ⋃_{n∈ℕ} DC^n_Σ is a set of constructor symbols and FS_Σ = ⋃_{n∈ℕ} FS^n_Σ a set of function symbols, all of them with associated arity and such that DC_Σ ∩ FS_Σ = ∅. We also assume a countable set V of variable symbols. We write Term_Σ for the set of (total) terms (we also say expressions) built up with Σ and V in the usual way, and we distinguish the subset CTerm_Σ of (total) constructor terms or (total) c-terms, which only make use of DC_Σ and V. The subindex Σ will usually be omitted. Terms are intended to represent possibly reducible expressions, while c-terms represent data values, not further reducible.

We will sometimes need to use the signature Σ_⊥, which is the result of extending Σ with the new constant (0-arity constructor) ⊥, that plays the role of the undefined value. Over Σ_⊥ we can build up the sets Term_⊥ and CTerm_⊥ of (partial) terms and (partial) c-terms respectively. Partial c-terms represent the result of partially evaluated expressions; thus, they can be seen as approximations to the value of expressions.

As usual notation we will write X, Y, Z, ... for variables, c, d, ... for constructor symbols, f, g, ... for functions, e, e', ... for terms and s, t, ... for c-terms.

We will use the sets of substitutions CSubst = {θ : V → CTerm} and CSubst_⊥ = {θ : V → CTerm_⊥}. We write eθ for the result of applying θ to e.

Given a set of constructor symbols S we say that the terms t and t' have an S-clash if they have different constructor symbols of S at the same position.



2.2 The Proof Calculus for CRWL 

A CRWL-program P is a set of conditional rewrite rules of the form:

    f(t1, ..., tn)  →  e  ⇐  C1, ..., Cn
        head          body     condition

where f ∈ FS^n; (t1, ..., tn) is a linear tuple (each variable in it occurs only once) with ti ∈ CTerm; e ∈ Term and each Ci is a constraint of the form e' ⋈ e'' (joinability) or e' ◇ e'' (divergence) where e', e'' ∈ Term. The reading of the rule is: f(t1, ..., tn) reduces to e if the conditions C1, ..., Cn are satisfied. We write P_f for the set of defining rules of f in P.

From a given program P, the proof calculus for CRWL can derive three kinds of statements:

• Reduction or approximation statements: e → t, with e ∈ Term_⊥ and t ∈ CTerm_⊥. The intended meaning of such a statement is that e can be reduced to t, where reduction may be done by applying rewriting rules of P or by replacing subterms of e by ⊥. If e → t can be derived, t represents one of the possible values of the denotation of e.

• Joinability statements: e ⋈ e', with e, e' ∈ Term_⊥. The intended meaning in this case is that e and e' can both be reduced to some common totally defined value, that is, we can prove e → t and e' → t for some t ∈ CTerm.

• Divergence statements: e ◇ e', with e, e' ∈ Term_⊥. The intended meaning now is that e and e' can be reduced to some (possibly partial) c-terms t and t' such that they have a DC-clash.
Table 1. Rules for CRWL-provability

    (1)   e → ⊥

    (2)   X → X                                          if X ∈ V

    (3)   e1 → t1, ..., en → tn
          ----------------------------                   if c ∈ DC^n, ti ∈ CTerm_⊥
          c(e1, ..., en) → c(t1, ..., tn)

    (4)   e1 → s1, ..., en → sn     C     e → t
          ----------------------------------------       if t ≠ ⊥, R ∈ P_f, (f(s1, ..., sn) → e ⇐ C) ∈ [R]_⊥
          f(e1, ..., en) → t

    (5)   e → t     e' → t
          -------------------                            if t ∈ CTerm
          e ⋈ e'

    (6)   e → t     e' → t'
          -------------------                            if t, t' ∈ CTerm_⊥ and have a DC-clash
          e ◇ e'

It must be mentioned that the CRWL framework as presented in [ref] does not consider divergence conditions. They have been incorporated into CRWL in [ref] as a useful and expressive resource for programming.

When using function rules to derive statements, we will need to use what are called c-instances of such rules: the set of c-instances of a program rule R is defined as [R]_⊥ = {Rθ | θ ∈ CSubst_⊥}. This allows, in particular, the expression of parameter passing.

Table 1 shows the proof calculus for CRWL. We write P ⊢_CRWL φ to express that the statement φ is provable from the program P.

Rule (4) allows the use of c-instances of program rules to prove approximations. These c-instances may contain ⊥, and rule (1) allows any expression to be reduced to ⊥. This reflects a non-strict semantics.

A distinguishing feature of CRWL is that functions can be non-deterministic. For example, assuming the constructors z (zero) and s (successor) for natural numbers, a non-deterministic function coin can be defined by the rules coin → z and coin → s(z). The use of c-instances in rule (4) instead of general instances corresponds to call-time choice semantics for non-determinism (see [ref]). As an example, if in addition to coin we consider the function definition mkpair(X) → pair(X,X) (pair is a constructor), it is possible to build a CRWL-proof for mkpair(coin) → pair(z,z) and also for mkpair(coin) → pair(s(z),s(z)), but not for mkpair(coin) → pair(z,s(z)).

Observe that ◇ is not the logical negation of ⋈. They are not even incompatible: due to non-determinism, two expressions e, e' can satisfy both e ⋈ e' and e ◇ e' (although this cannot happen if e, e' are c-terms). In the 'coin' example, we can derive both coin ⋈ z and coin ◇ z.

We can define the denotation of an expression e as the set of c-terms to which e can be reduced according to this calculus: [[e]] = {t ∈ CTerm_⊥ | P ⊢_CRWL e → t}.
3 The CRWLF Framework

We now address the problem of failure in CRWL. Our primary interest is to obtain a calculus able to prove that a given expression fails to be reduced. Since reduction corresponds in CRWL to approximation statements e → t, we can reformulate our aim more precisely: we look for a calculus able to prove that a given expression e has no possible reduction (other than the trivial e → ⊥) in CRWL, i.e., [[e]] = {⊥}.

Of course, we cannot expect to achieve that in full generality since, in particular, the reason for having [[e]] = {⊥} can be non-termination of the program as a rewrite system, which is uncomputable. Instead, we look for a suitable computable approximation to the property [[e]] = {⊥}, corresponding to cases where failure of reduction is due to 'finite' reasons, which can be constructively detected and managed.

Prior to the formal presentation of the calculus, which will be called CRWLF (for 'CRWL with failure'), we give several simple examples for a preliminary understanding of some of its key aspects, and of the reasons underlying some of its technicalities.



3.1 Some Illustrative Examples 

Consider the following functions, in addition to coin, defined in Sect. 2:

    f(z) → f(z)      g(s(s(X))) → z      h → ... (definition garbled in the source)      k(X) → z ⇐ X ⋈ s(z)

The expressions f(z) and f(s(z)) fail to be reduced, but for quite different reasons. In the first case f(z) does not terminate. The only possible proof according to CRWL is f(z) → ⊥ (by rule 1); any attempt to prove f(z) → t with t ≠ ⊥ would produce an 'infinite derivation'. In the second case, the only possible proof is again f(s(z)) → ⊥, but if we try to prove f(s(z)) → t with t ≠ ⊥ we have a kind of 'finite failure': rule 4 needs to solve the parameter passing s(z) → z, which can be finitely checked as failed, since no rule of the CRWL-calculus is applicable. The CRWLF-calculus does not prove the non-termination of f(z), but will be able to detect and manage the failure of f(s(z)). In fact it will be able to perform a constructive proof of this failure.

Consider now the expression g(coin). Again, the only possible reduction is g(coin) → ⊥, and it is intuitively clear that this is another case of finite failure. But this failure is not as simple as in the previous example for f(s(z)): in this case the two possible reductions of coin to defined values are coin → z and coin → s(z). Both z and s(z) fail to match the pattern s(s(X)) in the rule for g, but neither of them can be used separately to detect the failure of g(coin). A suitable idea is to collect the set of defined values to which a given expression can be reduced. In the case of coin that set is {z, s(z)}. The fact that C is the collected set of values of e is expressed in CRWLF by means of the statement e ◁ C. In our example, CRWLF will prove coin ◁ {z, s(z)}. Statements e ◁ C generalize the approximation statements e → t of CRWL, and in fact can replace them. Thus, CRWLF will not need to use explicit e → t statements.
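As an added example (my own code, not the authors' calculus or system), the following Python runs the six rules of Table 1 as a search over derivations of bounded height, for the coin, mkpair, f, g and k functions defined above. The depth bound, the `complete` flag, the tuple encoding of terms and all helper names are my own devices and are not part of CRWL or CRWLF; the encoding of h is omitted because its rules are garbled in the source. The block shows call-time choice on mkpair(coin), shows that coin ⋈ z and coin ◇ z are both derivable, and, by recording whether the height bound was ever hit, separates the non-termination of f(z) from the finite failures of f(s(z)), g(coin) and k(z) that the calculus of the next section is designed to prove.

```python
# Added example, not the paper's code: rules (1)-(6) of Table 1 as a search over
# derivations of height at most `depth`.  Terms are (symbol, *args) tuples,
# variables are strings; the bound and the `complete` flag are my own devices.
from itertools import product

BOT = ('⊥',)                      # the undefined value, 0-ary constructor of Σ_⊥
Z = ('z',)                        # constructors z (zero) and s (successor) from Sect. 2
def S(t): return ('s', t)

def is_var(t):
    return isinstance(t, str)

def subst(t, theta):
    if is_var(t):
        return theta.get(t, t)
    return (t[0],) + tuple(subst(a, theta) for a in t[1:])

def match(pat, term, theta):
    """Match a linear c-term pattern against a partial c-term, extending theta
    (a substitution in CSubst_⊥).  ⊥ never matches a constructor pattern."""
    if is_var(pat):
        theta[pat] = term
        return True
    return (not is_var(term) and term[0] == pat[0] and len(term) == len(pat)
            and all(match(p, t, theta) for p, t in zip(pat[1:], term[1:])))

def is_total(t):
    return is_var(t) or (t != BOT and all(is_total(a) for a in t[1:]))

def dc_clash(t, u):
    """Different constructor symbols at the same position (a DC-clash)."""
    if is_var(t) or is_var(u) or t == BOT or u == BOT:
        return False
    return t[0] != u[0] or any(dc_clash(a, b) for a, b in zip(t[1:], u[1:]))

# Program: function name -> list of (argument patterns, right-hand side, conditions).
PROG = {
    'coin':   [((), Z, []), ((), S(Z), [])],               # coin → z,  coin → s(z)
    'mkpair': [(('X',), ('pair', 'X', 'X'), [])],         # mkpair(X) → pair(X,X)
    'f':      [((Z,), ('f', Z), [])],                     # f(z) → f(z)
    'g':      [((S(S('X')),), Z, [])],                    # g(s(s(X))) → z
    'k':      [(('X',), Z, [('join', 'X', S(Z))])],       # k(X) → z ⇐ X ⋈ s(z)
}

def approx(e, depth, prog=PROG):
    """Rules (1)-(4): the partial c-terms t with e → t provable by a derivation of
    height at most `depth`.  Returns (values, complete); `complete` is True when
    the bound was never hit, so `values` is the whole denotation [[e]]."""
    vals, complete = {BOT}, True                          # rule (1): e → ⊥
    if is_var(e):
        vals.add(e)                                       # rule (2): X → X
    elif e[0] not in prog:                                # rule (3): c(e1..en) → c(t1..tn)
        parts = [approx(a, depth, prog) for a in e[1:]]
        complete = all(c for _, c in parts)
        for ts in product(*(v for v, _ in parts)):
            vals.add((e[0],) + ts)
    elif depth == 0:
        complete = False                                  # bound hit: rule (4) not tried
    else:                                                 # rule (4) via c-instances of P_f
        parts = [approx(a, depth - 1, prog) for a in e[1:]]
        complete = all(c for _, c in parts)
        for pats, rhs, conds in prog[e[0]]:
            for ss in product(*(v for v, _ in parts)):    # candidate s1..sn (parameter passing)
                theta = {}
                if not all(match(p, s, theta) for p, s in zip(pats, ss)):
                    continue
                ok, c = conditions_hold(conds, theta, depth - 1, prog)
                complete = complete and c
                if ok:
                    v, c = approx(subst(rhs, theta), depth - 1, prog)
                    complete = complete and c
                    vals |= v - {BOT}                     # rule (4) requires t ≠ ⊥
    return vals, complete

def proves(cond, theta, depth, prog=PROG):
    """Rules (5) and (6): e ⋈ e' needs a common total value, e ◇ e' a DC-clash."""
    kind, a, b = cond
    (A, ca), (B, cb) = approx(subst(a, theta), depth, prog), approx(subst(b, theta), depth, prog)
    if kind == 'join':
        return any(is_total(t) for t in A & B), ca and cb
    return any(dc_clash(t, u) for t in A for u in B), ca and cb

def conditions_hold(conds, theta, depth, prog=PROG):
    complete = True
    for cond in conds:
        ok, c = proves(cond, theta, depth, prog)
        complete = complete and c
        if not ok:
            return False, complete
    return True, complete

def denotation(e, depth=6):
    return approx(e, depth)

def joinable(e1, e2, depth=6):
    return proves(('join', e1, e2), {}, depth)[0]

def divergent(e1, e2, depth=6):
    return proves(('div', e1, e2), {}, depth)[0]

if __name__ == '__main__':
    print(denotation(('mkpair', ('coin',))))   # never contains pair(z, s(z)): call-time choice
    print(denotation(('f', Z)))                # ({⊥}, False): the bound was hit, nothing decided
    print(denotation(('f', S(Z))))             # ({⊥}, True): a finite failure
```

Because rule (4) substitutes one c-term s for X in pair(X,X), the two components of mkpair(coin) always agree, which is exactly the call-time choice the text describes. The `complete` flag is what distinguishes the two failures of Sect. 3.1: for f(s(z)), g(coin) and k(z) every branch of the search is exhausted without ever reaching the bound, so {⊥} is known to be the full denotation, whereas for f(z) the bound is hit and the search can say nothing.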

How far should we go when collecting values? The idea of collecting all values (and having them completely evaluated) works fine in the previous example, but there are problems when the collection is infinite. For example, according to its definition above, the expression h can be reduced to any positive natural number, so the corresponding set would be {s(z), s(s(z)), s(s(s(z))), ...}. Then, what if we try to reduce the expression f(h)? From an intuitive point of view it is clear that the value z will not appear in this set, because all the values in it have the form s(...). We can represent all these values by the set {s(⊥)}. Here we can understand ⊥ as incomplete information: we know that all the possible values for h are the successor of 'something'; we do not know what this 'something' is, but in fact we do not need to know it. Anyway the set does not contain the value z, so f(h) fails. Notice that all the possible values for h are represented (not present) in the set {s(⊥)}, and this information is sufficient to prove the failure of f(h). The CRWLF-calculus will be able to prove the statement h ◁ {s(⊥)}, and we say that {s(⊥)} is a Sufficient Approximation Set (SAS) for h.

In general, an expression will have multiple SAS's. Any expression has $\{\bot\}$ 
as its simplest SAS. And, for example, the expression $h$ has an infinite number 
of SAS's: $\{\bot\}$, $\{s(\bot)\}$, $\{s(z), s(s(\bot))\}$, ... The SAS's obtained by the calculus for 
$coin$ are $\{\bot\}$, $\{\bot, s(\bot)\}$, $\{\bot, s(z)\}$, $\{z, \bot\}$, $\{z, s(\bot)\}$ and $\{z, s(z)\}$. The CRWLF-calculus 
provides appropriate rules for working with SAS's. The derivation steps 
will be guided by these SAS's in the same sense that CRWL is guided by 
approximation statements. 

Failure of reduction is due in many cases to failure in proving the conditions 
in the program rules. The calculus must be able to prove those failures. Consider 
for instance the expression $k(z)$. In this case we would try to use the c-instance 
$k(z) \to z \Leftarrow z \bowtie s(z)$ that allows us to perform parameter passing. But the 
condition $z \bowtie s(z)$ is clearly not provable, so $k(z)$ must fail. To achieve this we must 
be able to give a proof for '$z \bowtie s(z)$ cannot be proved with respect to CRWL'. 
For this purpose we introduce a new constraint $e \not\bowtie e'$ that will be true if we 
can build a proof of non-provability for $e \bowtie e'$. In our case, $z \not\bowtie s(z)$ is clear 
simply because of the clash of constructors. In general the proof for a constraint 
$e \not\bowtie e'$ will be guided by the corresponding SAS's for $e$ and $e'$, as we will see in 
the next section. As our initial CRWL framework also allows constraints of the 
form $e <> e'$, we still need another constraint $\not<>$ for expressing 'failure of $<>$'. 

There is another important question to justify: we use an explicit representation 
for failure by means of the new constant symbol $\mathsf{F}$. Let us examine some 
examples involving failures. First, consider the expression $g(s(f(s(z))))$; to reduce 
it we would need to do parameter passing, i.e., matching $s(f(s(z)))$ with 
some c-instance of the pattern $s(s(X))$ of the definition of $g$. As $f(s(z))$ fails to 
be reduced, the parameter passing must also fail. If we take $\{\bot\}$ as an SAS for 
$f(s(z))$ we do not have enough information for detecting the failure (nothing can 
be said about the matching of $s(s(X))$ and $s(\bot)$). But if we take $\{\mathsf{F}\}$ as an SAS 
for $f(s(z))$, this provides enough information to ensure that $s(\mathsf{F})$ cannot match 
any c-instance of the pattern $s(s(X))$. Notice that we allow the value $\mathsf{F}$ to appear 
inside the term $s(\mathsf{F})$. It could appear that the information $s(\mathsf{F})$ is essentially the 
same as $\mathsf{F}$ (for instance, $\mathsf{F}$ also fails to match any c-instance of $s(s(X))$), but this 
is not true in general. For instance, the expression $g(s(s(f(s(z)))))$ is reducible 
to $z$. But if we take the SAS $\{\mathsf{F}\}$ for $f(s(z))$ and we identify the expression 
$s(s(f(s(z))))$ with $\mathsf{F}$, matching with the rule for $g$ would not succeed, and the 
reduction of $g(s(s(f(s(z)))))$ would fail. 

We can now proceed with the formal presentation of the CRWLF-calculus. 



3.2 Technical Preliminaries 

We introduce the new constant symbol $\mathsf{F}$ into the signature $\Sigma$ to obtain $\Sigma_{\bot,\mathsf{F}} = 
\Sigma \cup \{\bot, \mathsf{F}\}$. The sets $Term_{\bot,\mathsf{F}}$, $CTerm_{\bot,\mathsf{F}}$ are defined in the natural way and we 
will use the set $CSubst_{\bot,\mathsf{F}} = \{\theta : V \to CTerm_{\bot,\mathsf{F}}\}$. 

A natural approximation ordering $\sqsubseteq$ over $Term_{\bot,\mathsf{F}}$ can be defined as the least 
partial ordering over $Term_{\bot,\mathsf{F}}$ satisfying the following properties: 

• $\bot \sqsubseteq e$ for all $e \in Term_{\bot,\mathsf{F}}$, 

• $h(e_1, \ldots, e_n) \sqsubseteq h(e'_1, \ldots, e'_n)$, if $e_i \sqsubseteq e'_i$ for all $i \in \{1, \ldots, n\}$, $h \in DC \cup FS$. 

The intended meaning of $e \sqsubseteq e'$ is that $e$ is less defined or has less information 
than $e'$. Two expressions $e, e' \in Term_{\bot,\mathsf{F}}$ are consistent if they can be refined to 
obtain the same information, i.e., if there exists $e'' \in Term_{\bot,\mathsf{F}}$ such that $e \sqsubseteq e''$ 
and $e' \sqsubseteq e''$. 

Notice that the only relations satisfied by $\mathsf{F}$ are $\bot \sqsubseteq \mathsf{F}$ and $\mathsf{F} \sqsubseteq \mathsf{F}$. In particular, 
$\mathsf{F}$ is maximal. This is reasonable, since $\mathsf{F}$ represents 'failure of reduction' and this 
gives no further refinable information about the result of the evaluation of 
an expression. This contrasts with the status given to failure in [?], where $\mathsf{F}$ is 
chosen to verify $\mathsf{F} \sqsubseteq t$ for any $t$ different from $\bot$. 

The class of programs that we consider in the following is less general than in 
the CRWL framework. Rules of functions have the same form, but they must not 
contain extra variables, i.e., for any rule $(f(\bar t) \to e \Leftarrow C) \in \mathcal{P}$ all the variables 
appearing in $e$ and $C$ must also appear in the head $f(\bar t)$, i.e., $var(e) \cup var(C) \subseteq 
var(\bar t)$. In FLP with non-deterministic functions this is not as restrictive as it 
could appear: function nesting can replace the use (typical in logic programming) 
of variables as repositories of intermediate values, and in many other cases where 
extra variables represent unknown values to be computed by search, they can 
be successfully replaced by non-deterministic 'lazy generating' functions (see [?] 
for some examples). 

We will frequently use the following notation: given $e \in Term_{\bot,\mathsf{F}}$, $\hat e$ stands for 
the result of replacing by $\bot$ all the occurrences of $\mathsf{F}$ in $e$ (notice that $\hat e \in Term_\bot$, 
and $\hat e = e$ iff $e \in Term_\bot$). 

3.3 The Proof Calculus for CRWLF 
In CRWLF five kinds of statements can be deduced: 

• $e \lhd C$, intended to mean '$C$ is an SAS for $e$'; 

• $e \bowtie e'$, $e <> e'$, with the same intended meaning as in CRWL; 

• $e \not\bowtie e'$, $e \not<> e'$, intended to mean failure of $e \bowtie e'$ and $e <> e'$ respectively. 

We will sometimes speak of $\bowtie$, $<>$, $\not\bowtie$, $\not<>$ as 'constraints', and use the symbol 
$\Diamond$ to refer to any of them. The constraints $\not\bowtie$ and $\bowtie$ are called the complementary 
of each other; the same holds for $\not<>$ and $<>$, and we write $\bar\Diamond$ for the 
complementary of $\Diamond$. 

When proving a constraint $e \Diamond e'$ the calculus CRWLF will evaluate an SAS for 
the expressions $e$ and $e'$. These SAS's will consist of c-terms from $CTerm_{\bot,\mathsf{F}}$, and 
provability of the constraint $e \Diamond e'$ depends on certain syntactic (hence decidable) 
relations between those c-terms. Actually, the constraints $\bowtie$, $<>$, $\not\bowtie$ and $\not<>$ can 
be seen as the result of generalizing to expressions the relations $\downarrow$, $\uparrow$, $\not\downarrow$ and $\not\uparrow$ on 
c-terms, which we define now. 

Definition 1 (Relations over $CTerm_{\bot,\mathsf{F}}$). 

• $t \downarrow t' \Leftrightarrow_{def} t = t'$, $t \in CTerm$ 

• $t \uparrow t' \Leftrightarrow_{def} t$ and $t'$ have a DC-clash 

• $t \not\downarrow t' \Leftrightarrow_{def} t$ or $t'$ contain $\mathsf{F}$ as a subterm, or they have a DC-clash 

• $\not\uparrow$ is defined as the least symmetric relation over $CTerm_{\bot,\mathsf{F}}$ satisfying: 

i) $X \not\uparrow X$, for all $X \in V$ 

ii) $\mathsf{F} \not\uparrow t$, for all $t \in CTerm_{\bot,\mathsf{F}}$ 

iii) if $t_1 \not\uparrow t'_1, \ldots, t_n \not\uparrow t'_n$ then $c(t_1, \ldots, t_n) \not\uparrow c(t'_1, \ldots, t'_n)$, for all $c \in DC$ 

The relations $\downarrow$ and $\uparrow$ do not take into account the presence of $\mathsf{F}$, which 
behaves in this case as $\bot$. The relation $\downarrow$ is strict equality, i.e., equality 
restricted to total c-terms. It is the notion of equality used in lazy functional or 
functional-logic languages as the suitable approximation to 'true' equality ($=$) 
over $CTerm_\bot$. The relation $\uparrow$ is a suitable approximation to '$\neg =$', and hence 
to '$\neg \downarrow$' (where $\neg$ stands for logical negation). The relation $\not\downarrow$ is also an 
approximation to '$\neg \downarrow$', but in this case using failure information ($\not\downarrow$ can be read as '$\downarrow$ 
fails'). Notice that $\not\downarrow$ does not imply '$\neg =$' anymore (we have, for instance, $\mathsf{F} \not\downarrow \mathsf{F}$). 
Similarly, $\not\uparrow$ is also an approximation to '$\neg \uparrow$', which can be read as '$\uparrow$ fails'. 

The following proposition reflects these and more good properties of $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$. 

Proposition 1. The relations $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$ verify: 

(a) For all $t, t', s, s' \in CTerm_{\bot,\mathsf{F}}$ 

(i) $t \downarrow t' \Leftrightarrow \hat t \downarrow \hat t'$ and $t \uparrow t' \Leftrightarrow \hat t \uparrow \hat t'$ 

(ii) $t \uparrow t' \Rightarrow t \not\downarrow t' \Rightarrow \neg(t \downarrow t')$ 

(iii) $t \downarrow t' \Rightarrow t \not\uparrow t' \Rightarrow \neg(t \uparrow t')$ 

(b) $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$ are monotonic, i.e., if $t \sqsubseteq s$ and $t' \sqsubseteq s'$ then: $t R t' \Rightarrow s R s'$, where 
$R \in \{\downarrow, \uparrow, \not\downarrow, \not\uparrow\}$. Furthermore $\not\downarrow_b$ and $\not\uparrow_b$ are the greatest monotonic approximations 
to $\neg \downarrow_b$ and $\neg \uparrow_b$ respectively, where $R_b$ is the restriction of $R$ to 
the set of basic (i.e., without variables) c-terms from $CTerm_{\bot,\mathsf{F}}$. 

(c) $\downarrow$ and $\not\uparrow$ are closed under substitutions from $CSubst$; $\uparrow$ and $\not\downarrow$ are closed under 
substitutions from $CSubst_{\bot,\mathsf{F}}$. 

By (b), we can say that $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$ behave well with respect to the information 
ordering: if they are true for some terms, they remain true if we refine the 
information contained in the terms. Furthermore, (b) states that $\not\downarrow$, $\not\uparrow$ are defined 
in the best way, at least for basic c-terms. For c-terms with variables, we must 
take care: for instance, given the constructor $z$, we have $\neg(X \downarrow z)$, but not $X \not\downarrow z$. 
Actually, to have $X \not\downarrow z$ would violate a basic intuition about free variables in 
logical statements: if the statement is true, it should be true for any value (taken 
from an appropriate range) substituted for its free variables. Part (c) shows 
that the definitions of $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$ respect this principle. Propositions 2 and 3 of 
the next section show that monotonicity and closedness under substitutions are 
preserved when generalizing $\downarrow$, $\uparrow$, $\not\downarrow$, $\not\uparrow$ to $\bowtie$, $<>$, $\not\bowtie$, $\not<>$. 

Table 2 contains the CRWLF-calculus. Some of the rules use a generalized 
notion of c-instances of a rule $R$: $[R]_{\bot,\mathsf{F}} = \{R\theta \mid \theta \in CSubst_{\bot,\mathsf{F}}\}$. We will use 
the notation $\mathcal{P} \vdash_{CRWLF} \varphi$ ($\mathcal{P} \nvdash_{CRWLF} \varphi$ resp.) for expressing that the statement $\varphi$ 
is provable (is not provable resp.) with respect to the calculus CRWLF and the 
program $\mathcal{P}$. 

The first three rules are analogous to those of the CRWL-calculus, now dealing 
with SAS's instead of simple approximations (notice the cross product of 
SAS's in rule 3). In rule 4, for evaluating an expression $f(\bar e)$ we produce SAS's 
for the arguments $e_i$ and then, for each combination of values in these SAS's 
and each program rule for $f$, a part of the whole SAS is produced; all of them 
are unioned to obtain the final SAS for $f(\bar e)$. This is quite different from rule 
4 in CRWL: there we could use any c-instance of any rule for $f$; here we need 
to consider simultaneously the contribution of each rule to achieve 'complete' 
information about the values to which the expression can be evaluated. We use 
the notation $f(\bar t) \lhd_R C$ to indicate that only the rule $R$ is used to produce $C$. 

Rules 5 to 8 consider all the possible ways in which a concrete rule $R$ can 
contribute to the SAS of a call $f(\bar t)$, where the arguments $\bar t$ are all in $CTerm_{\bot,\mathsf{F}}$ 
(they come from the evaluation of the arguments of a previous call $f(\bar e)$). Rules 5 and 
6 can be viewed as positive contributions. The first one obtains the trivial SAS, 
and 6 works if there is a c-instance of the rule $R$ with a head identical to the head 
of the call (parameter passing); in this case, if the constraints of this c-instance 
are provable, then the resulting SAS is generated by the body of the c-instance. 
Rules 7 and 8 consider the negative or failed contributions. Rule 7 applies when 
parameter passing can be done, but it is possible to prove the complementary 
$e_i \bar\Diamond e'_i$ of one of the constraints $e_i \Diamond e'_i$ in the condition of the used c-instance. In 
this case the constraint $e_i \Diamond e'_i$ (hence the whole condition in the c-instance) fails. 
Finally, rule 8 considers the case in which parameter passing fails because of a 
$DC \cup \{\mathsf{F}\}$-clash between one of the arguments in the call and the corresponding 
pattern in $R$. 

We remark that for given $f(\bar t)$ and $R$, rule 5 and exactly one of rules 
6 to 8 are applicable. This fact, although intuitive, is far from being trivial to 
prove and constitutes in fact an important technical detail in the proofs of the 
results in the next section. We also remark that, for the sake of a better reading 
of rule 4, we have written ordinary set union for collecting SAS's. This could 
be modified in such a way that $\mathsf{F}$ is excluded from the union if it contains some 
other c-term different from $\mathsf{F}$. For example, if we obtain the SAS's $\{z\}$ and $\{\mathsf{F}\}$ 
from two function rules, we could take $\{z\}$ as the final SAS for the call instead 
of $\{\mathsf{F}, z\}$. All the results of the next section are valid with this modification. 

Table 2. Rules for CRWLF-provability 

(1) $e \lhd \{\bot\}$ 

(2) $X \lhd \{X\}$, for $X \in V$ 

(3) $\dfrac{e_1 \lhd C_1 \;\ldots\; e_n \lhd C_n}{c(e_1, \ldots, e_n) \lhd \{c(t_1, \ldots, t_n) \mid \bar t \in C_1 \times \ldots \times C_n\}}$, for $c \in DC^n \cup \{\mathsf{F}\}$ 

(4) $\dfrac{e_1 \lhd C_1 \;\ldots\; e_n \lhd C_n \;\ldots\; f(\bar t) \lhd_R C_{R,\bar t} \;\ldots}{f(e_1, \ldots, e_n) \lhd \bigcup_{R \in \mathcal{P}_f,\ \bar t \in C_1 \times \ldots \times C_n} C_{R,\bar t}}$, for $f \in FS^n$ 

(5) $f(\bar t) \lhd_R \{\bot\}$ 

(6) $\dfrac{e \lhd C \qquad \mathcal{C}}{f(\bar t) \lhd_R C}$, if $(f(\bar t) \to e \Leftarrow \mathcal{C}) \in [R]_{\bot,\mathsf{F}}$ (the premise $\mathcal{C}$ means that every constraint in the condition is provable) 

(7) $\dfrac{e_i \bar\Diamond e'_i}{f(\bar t) \lhd_R \{\mathsf{F}\}}$, if $(f(\bar t) \to e \Leftarrow \ldots, e_i \Diamond e'_i, \ldots) \in [R]_{\bot,\mathsf{F}}$, where $i \in \{1, \ldots, n\}$ 

(8) $f(t_1, \ldots, t_n) \lhd_R \{\mathsf{F}\}$, if $R = (f(s_1, \ldots, s_n) \to e \Leftarrow \mathcal{C})$ and $t_i$ and $s_i$ have a $DC \cup \{\mathsf{F}\}$-clash for some $i \in \{1, \ldots, n\}$ 

(9) $\dfrac{e \lhd C \qquad e' \lhd C'}{e \bowtie e'}$, if $\exists\, t \in C, t' \in C'$ with $t \downarrow t'$ 

(10) $\dfrac{e \lhd C \qquad e' \lhd C'}{e <> e'}$, if $\exists\, t \in C, t' \in C'$ with $t \uparrow t'$ 

(11) $\dfrac{e \lhd C \qquad e' \lhd C'}{e \not\bowtie e'}$, if $\forall\, t \in C, t' \in C'$: $t \not\downarrow t'$ 

(12) $\dfrac{e \lhd C \qquad e' \lhd C'}{e \not<> e'}$, if $\forall\, t \in C, t' \in C'$: $t \not\uparrow t'$ 
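As an added illustration (Python, not code from the paper), the following evaluator builds one SAS with rules 1 to 6 and 8 for the unconditional fragment of the calculus, using a fuel bound at the points where the calculus would fall back on rule 1. The program it runs is an assumption reconstructed from the discussion ($f(z) \to z$, $g(s(s(X))) \to z$, $coin \to z \mid s(z)$, $h \to s(z) \mid s(h)$), since the original definitions are in the previous section.

```python
from itertools import product

# Constructed example, not the paper's code. Terms are nested tuples
# ('symbol', arg1, ...); variables are plain strings such as 'X'.
# The constants ⊥ (undefined) and F (failure) are 0-ary terms.
BOT = ('⊥',)
FAIL = ('F',)
FS = {'f', 'g', 'coin', 'h'}        # function symbols; every other head is in DC

# Assumed program, reconstructed from the discussion (the original
# definitions are in the previous section): (patterns, body) pairs.
PROG = {
    'f':    [((('z',),), ('z',))],                        # f(z) -> z
    'g':    [((('s', ('s', 'X')),), ('z',))],             # g(s(s(X))) -> z
    'coin': [((), ('z',)), ((), ('s', ('z',)))],          # coin -> z | s(z)
    'h':    [((), ('s', ('z',))), ((), ('s', ('h',)))],   # h -> s(z) | s(h)
}

def is_var(t):
    return isinstance(t, str)

def subst(t, theta):
    """Apply a c-substitution (dict variable -> c-term) to a term."""
    if is_var(t):
        return theta.get(t, t)
    return (t[0],) + tuple(subst(a, theta) for a in t[1:])

def match(pats, args):
    """Parameter passing against c-terms of CTerm⊥,F (linear patterns).
    Returns 'clash' for a DC ∪ {F}-clash (rule 8), 'undecided' when a ⊥
    argument blocks the decision, or the matching substitution (rule 6)."""
    theta, undecided = {}, False
    pending = list(zip(pats, args))
    while pending:
        p, a = pending.pop()
        if is_var(p):
            theta[p] = a
        elif a == BOT:
            undecided = True
        elif a == FAIL or a[0] != p[0]:
            return 'clash'
        else:
            pending.extend(zip(p[1:], a[1:]))
    return 'undecided' if undecided else theta

def sas(e, fuel):
    """One Sufficient Approximation Set for e.  `fuel` bounds nested function
    unfoldings; when it is exhausted rule 1 supplies {⊥}, which keeps the
    SAS finite for expressions such as h with infinitely many values."""
    if is_var(e):                                   # rule 2
        return {e}
    if e[0] not in FS:                              # rule 3 (also covers ⊥ and F)
        return {(e[0],) + t for t in product(*(sas(a, fuel) for a in e[1:]))}
    if fuel == 0:                                   # rule 1
        return {BOT}
    result = set()                                  # rule 4: union over R and t
    for args in product(*(sas(a, fuel) for a in e[1:])):
        for pats, body in PROG[e[0]]:
            m = match(pats, args)
            if m == 'clash':                        # rule 8
                result.add(FAIL)
            elif m == 'undecided':                  # only rule 5 applies
                result.add(BOT)
            else:                                   # rule 6 (no conditions here)
                result |= sas(subst(body, m), fuel - 1)
    return result

if __name__ == '__main__':
    print(sas(('coin',), 1))                        # {z, s(z)}
    print(sas(('h',), 2))                           # {s(z), s(s(z)), s(s(⊥))}
    print(sas(('f', ('h',)), 1))                    # {F}: f(h) fails
    print(sas(('g', ('coin',)), 1))                 # {F}: g(coin) fails
```

With fuel 2 the evaluator also reproduces the contrast from the discussion: $g(s(f(s(z))))$ yields $\{\mathsf{F}\}$ because $s(\mathsf{F})$ clashes with $s(s(X))$, while $g(s(s(f(s(z)))))$ yields $\{z\}$.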

Rules 9 to 12 deal with constraints. With the use of the relations 
introduced in Sect. 3.3 the rules are easy to formulate. For $e \bowtie e'$ it is sufficient to 
find two c-terms in the SAS's verifying the relation $\downarrow$, which in fact is equivalent to 
finding a common totally defined c-term such that both expressions $e$ and $e'$ can be 
reduced to it (observe the analogy with rule 5 of CRWL). For the complementary 
constraint we need to use all the information of the SAS's in order to check the 
relation $\not\downarrow$ over all the possible pairs. The explanation of rules 11 and 12 is quite 
similar. 
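As an added Python example (not code from the paper), the relations of Definition 1 are implemented over c-terms of $CTerm_{\bot,\mathsf{F}}$ and then lifted to SAS's exactly as rules 9 to 12 do: an existential check for $\bowtie$ and $<>$, a universal one for their complements. The sample terms are the ones used in the text ($z$ against $s(s(\bot))$, $\mathsf{F}$ against $t$, $X$ against $z$).

```python
# Constructed example, not the paper's code. c-terms are nested tuples
# ('constructor', arg1, ...); variables are plain strings; ⊥ and F are 0-ary.
BOT = ('⊥',)
FAIL = ('F',)

def is_var(t):
    return isinstance(t, str)

def total(t):
    """t ∈ CTerm: neither ⊥ nor F occurs anywhere in t."""
    if is_var(t):
        return True
    return t not in (BOT, FAIL) and all(total(a) for a in t[1:])

def contains_fail(t):
    return (not is_var(t)) and (t == FAIL or any(contains_fail(a) for a in t[1:]))

def dc_clash(t, u):
    """DC-clash: different constructors met while descending through equal ones.
    ⊥, F and variables never clash (F behaves like ⊥ for ↓ and ↑)."""
    if is_var(t) or is_var(u) or t in (BOT, FAIL) or u in (BOT, FAIL):
        return False
    if t[0] != u[0]:
        return True
    return any(dc_clash(a, b) for a, b in zip(t[1:], u[1:]))

def down(t, u):                 # t ↓ u: strict equality on total c-terms
    return t == u and total(t)

def up(t, u):                   # t ↑ u: DC-clash
    return dc_clash(t, u)

def not_down(t, u):             # t ↓̸ u: F inside t or u, or a DC-clash
    return contains_fail(t) or contains_fail(u) or dc_clash(t, u)

def not_up(t, u):               # t ↑̸ u: least symmetric relation of Definition 1
    if t == FAIL or u == FAIL:
        return True                                 # ii) F ↑̸ t (and symmetric)
    if is_var(t) or is_var(u):
        return t == u                               # i)  X ↑̸ X
    if t == BOT or u == BOT or t[0] != u[0]:
        return False                                # no clause derives these
    return all(not_up(a, b) for a, b in zip(t[1:], u[1:]))   # iii)

# Rules 9-12 on SAS's C and C2 (sets of c-terms).
def joinable(C, C2):            # rule 9:  ∃ t ∈ C, t' ∈ C2 with t ↓ t'
    return any(down(t, u) for t in C for u in C2)

def divergent(C, C2):           # rule 10: ∃ t ∈ C, t' ∈ C2 with t ↑ t'
    return any(up(t, u) for t in C for u in C2)

def join_fails(C, C2):          # rule 11: ∀ t ∈ C, t' ∈ C2: t ↓̸ t'
    return all(not_down(t, u) for t in C for u in C2)

def divergence_fails(C, C2):    # rule 12: ∀ t ∈ C, t' ∈ C2: t ↑̸ t'
    return all(not_up(t, u) for t in C for u in C2)

if __name__ == '__main__':
    z, t = ('z',), ('t',)
    print(join_fails({z}, {('s', ('s', BOT))}))      # True: z ⋈̸ s(s(⊥))
    print(join_fails({FAIL}, {t}))                   # True: mb(z,[]) ⋈̸ t in Example 1
    print(down('X', z), not_down('X', z))            # False False: neither holds
```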
The next example shows a derivation of failure using the CRWLF-calculus. 

Example 1. Let us consider a program $\mathcal{P}$ with the constructors $z$, $s$ for natural 
numbers, $[\,]$ and $[\cdot|\cdot]$ for lists (although we use Prolog-like notation for them, that 
is, $[z, s(z)|L]$ represents the list $(z : (s(z) : L))$) and also the constructors $t$, $f$ 
that represent the boolean values true and false. Assume the functions $coin$ and 
$h$ defined in Sect. 3.1 and also the function $mb$ (member) defined as: 

$mb(X, [Y|Ys]) \to t \Leftarrow X \bowtie Y$ 
$mb(X, [Y|Ys]) \to t \Leftarrow mb(X, Ys) \bowtie t$ 

If we try to evaluate the expression $mb(coin, [s(h)])$ it will fail. Intuitively, 
from the definition of $h$ the list in the second argument can be reduced to lists of 
the form $[s(s(\ldots))]$ and the possible values of $coin$, $z$ and $s(z)$, will never belong 
to those lists. The CRWLF-calculus allows us to build a proof of this fact, that is, 
$mb(coin, [s(h)]) \lhd \{\mathsf{F}\}$, in the following way: by application of rule 4 the proof 
could proceed by generating SAS's for the arguments 

$coin \lhd \{z, s(z)\}$ ($\varphi_1$)    $[s(h)] \lhd \{[s(s(\bot))]\}$ ($\varphi_2$) 

and then collecting the contributions of the rules of $mb$ for each possible combination 
of values for the arguments; for the pair $(z, [s(s(\bot))])$ the contribution of the rules 
for $mb$ (here we write $\lhd_1$ to refer to the first rule of $mb$ and $\lhd_2$ for the second) 
will be 

$mb(z, [s(s(\bot))]) \lhd_1 \{\mathsf{F}\}$ ($\varphi_3$)    $mb(z, [s(s(\bot))]) \lhd_2 \{\mathsf{F}\}$ ($\varphi_4$) 

and for the pair $(s(z), [s(s(\bot))])$ we will have 

$mb(s(z), [s(s(\bot))]) \lhd_1 \{\mathsf{F}\}$ ($\varphi_5$)    $mb(s(z), [s(s(\bot))]) \lhd_2 \{\mathsf{F}\}$ ($\varphi_6$) 

The following derivation shows the form of the full derivation, but we only 
give details of the proofs for $\varphi_3$ and $\varphi_4$. At each step, we indicate by a number 
on the left the rule of the calculus applied in each case: 



(3)   $z \lhd \{z\}$   $s(\bot) \lhd \{s(\bot)\}$                  (3)  $z \lhd \{z\}$   $[\,] \lhd \{[\,]\}$   (8) $mb(z, [\,]) \lhd_{1,2} \{\mathsf{F}\}$ 
(3)   $s(s(\bot)) \lhd \{s(s(\bot))\}$                      (4)  $mb(z, [\,]) \lhd \{\mathsf{F}\}$              (3) $t \lhd \{t\}$ 
(11)  $z \not\bowtie s(s(\bot))$                                (11) $mb(z, [\,]) \not\bowtie t$ 
(7)   $\varphi_3 \equiv mb(z, [s(s(\bot))]) \lhd_1 \{\mathsf{F}\}$        (7)  $\varphi_4 \equiv mb(z, [s(s(\bot))]) \lhd_2 \{\mathsf{F}\}$ 
(4)   $\varphi_1$   $\varphi_2$   $\varphi_3$   $\varphi_4$   $\varphi_5$   $\varphi_6$ 
      ------------------------------------------ 
      $mb(coin, [s(h)]) \lhd \{\mathsf{F}\}$ 

In both $\varphi_3$ and $\varphi_4$ the failure is due to a failure in the constraints of the rules, 
which requires proving the complementary constraint by rule 11. In the first 
case, $z \not\bowtie s(s(\bot))$, there is a clear clash of constructors. But the second case 
involves the failure of the expression $mb(z, [\,])$, which is proved again by rule 
4 of the calculus. The SAS's for the arguments only produce the combination 
$(z, [\,])$ and both rules of $mb$ fail over it by rule 8 of the calculus. The notation 
$mb(z, [\,]) \lhd_{1,2} \{\mathsf{F}\}$ which appears at the top of the proof of $\varphi_4$ is an abbreviation 
for both statements $mb(z, [\,]) \lhd_1 \{\mathsf{F}\}$ and $mb(z, [\,]) \lhd_2 \{\mathsf{F}\}$. 

All the contributions $\varphi_3$, $\varphi_4$, $\varphi_5$ and $\varphi_6$ are $\{\mathsf{F}\}$, and putting them together 
we obtain $\{\mathsf{F}\}$ as an SAS for the original expression $mb(coin, [s(h)])$, as expected. 
4 Properties of CRWLF 

In this section we explore some properties of the CRWLF-calculus and its relation 
with CRWL. In the following we assume a fixed program $\mathcal{P}$. 

The non-determinism of the CRWLF-calculus allows us to obtain different SAS's 
for the same expression. As the SAS for an expression is a finite approximation to 
the denotation of the expression, some kind of consistency between 
SAS's for the same expression is to be expected. Given two of them, we cannot ensure that one 
SAS must be more defined than the other in the sense that all the elements of 
the first are more defined than all of the second. For instance, two SAS's for $coin$ 
are $\{\bot, s(z)\}$ and $\{z, \bot\}$. The kind of consistency for SAS's that we can expect 
is the following: 

Definition 2 (Consistent Sets of c-Terms). Two sets $C, C' \subseteq CTerm_{\bot,\mathsf{F}}$ 
are consistent iff for all $t \in C$ there exists $t' \in C'$ (and vice versa, for all $t' \in C'$ 
there exists $t \in C$) such that $t$ and $t'$ are consistent. 
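As an added Python example (not code from the paper), the approximation ordering $\sqsubseteq$ and term consistency of Sect. 3.2 are implemented through a least-common-refinement function, and Definition 2 is built on top of them; it checks the two SAS's for $coin$ quoted above and the fact, used later for Theorem 2, that $\mathsf{F}$ is consistent only with $\bot$ and itself.

```python
# Constructed example, not the paper's code. c-terms are nested tuples
# ('constructor', arg1, ...); variables are plain strings; ⊥ and F are 0-ary.
BOT = ('⊥',)
FAIL = ('F',)

def is_var(t):
    return isinstance(t, str)

def less_defined(t, u):
    """t ⊑ u: ⊥ is below everything; otherwise equal heads and ⊑ argument-wise.
    F is maximal, so the only relations it satisfies are ⊥ ⊑ F and F ⊑ F."""
    if t == BOT:
        return True
    if is_var(t) or is_var(u) or u == BOT:
        return t == u
    return t[0] == u[0] and len(t) == len(u) and \
        all(less_defined(a, b) for a, b in zip(t[1:], u[1:]))

def lub(t, u):
    """Least common refinement t'' with t ⊑ t'' and u ⊑ t'', or None if none exists."""
    if t == BOT:
        return u
    if u == BOT:
        return t
    if is_var(t) or is_var(u):
        return t if t == u else None
    if t[0] != u[0] or len(t) != len(u):
        return None
    args = [lub(a, b) for a, b in zip(t[1:], u[1:])]
    return None if any(a is None for a in args) else (t[0],) + tuple(args)

def consistent(t, u):
    """Sect. 3.2: t and u are consistent iff some t'' refines both."""
    return lub(t, u) is not None

def consistent_sets(C, C2):
    """Definition 2: every element of each set has a consistent partner in the other."""
    return (all(any(consistent(t, u) for u in C2) for t in C) and
            all(any(consistent(t, u) for t in C) for u in C2))

if __name__ == '__main__':
    z = ('z',)
    print(consistent_sets({BOT, ('s', z)}, {z, BOT}))   # True: two SAS's for coin
    print(consistent(FAIL, z), consistent(FAIL, BOT))   # False True
```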

Our first result states that two different SAS's for the same expression must 
be consistent. 

Theorem 1 (Consistency of SAS). Given $e \in Term_{\bot,\mathsf{F}}$, if $\mathcal{P} \vdash_{CRWLF} e \lhd C$ 
and $\mathcal{P} \vdash_{CRWLF} e \lhd C'$, then $C$ and $C'$ are consistent. 

This result is a trivial corollary of part a) of the following lemma. 

Lemma 1 (Consistency). For any $e, e', e_1, e_2, e'_1, e'_2 \in Term_{\bot,\mathsf{F}}$ 

a) If $e, e'$ are consistent, $\mathcal{P} \vdash_{CRWLF} e \lhd C$ and $\mathcal{P} \vdash_{CRWLF} e' \lhd C'$, then $C$ and $C'$ 
are consistent. 

b) If $e_1, e'_1$ are consistent and $e_2, e'_2$ are also consistent, then: $\mathcal{P} \vdash_{CRWLF} e_1 \Diamond e_2 
\Rightarrow \mathcal{P} \nvdash_{CRWLF} e'_1 \bar\Diamond e'_2$ 

As a trivial consequence of part b) we have: 

Corollary 1. $\mathcal{P} \vdash_{CRWLF} e \Diamond e' \Rightarrow \mathcal{P} \nvdash_{CRWLF} e \bar\Diamond e'$, for all $e, e' \in Term_{\bot,\mathsf{F}}$ 

This supports our original idea about $\not\bowtie$ and $\not<>$ as computable approximations 
to the negations of $\bowtie$ and $<>$. 

Another desirable property of our calculus is monotonicity, which we can informally 
understand in this way: the information that can be extracted from an 
expression cannot decrease when we add information to the expression itself. 
This is also reflected in the fact that if we can prove a constraint and we consider 
more defined terms on both sides of it, the resulting constraint must also be 
provable. Formally: 

Proposition 2 (Monotonicity of CRWLF). For $e, e', e_1, e_2, e'_1, e'_2 \in Term_{\bot,\mathsf{F}}$ 

a) If $e \sqsubseteq e'$ and $\mathcal{P} \vdash_{CRWLF} e \lhd C$, then $\mathcal{P} \vdash_{CRWLF} e' \lhd C$ 

b) If $e_1 \sqsubseteq e'_1$, $e_2 \sqsubseteq e'_2$ and $\mathcal{P} \vdash_{CRWLF} e_1 \Diamond e_2$ then $\mathcal{P} \vdash_{CRWLF} e'_1 \Diamond e'_2$, where 
$\Diamond \in \{\bowtie, <>, \not\bowtie, \not<>\}$ 

Monotonicity, as stated here, refers to the degree of evaluation of expressions, 
and does not contradict the well-known fact that negation as failure is a non-monotonic 
reasoning rule. In our setting it is also clearly true that, if we 'define 
more' the functions (i.e., we refine the program, not the evaluation of a given 
expression), an expression can become reducible when it previously failed. 

The next property says that what is true for free variables is also true for 
any possible (totally defined) value, i.e., provability in CRWLF is closed under 
total substitutions. 

Proposition 3. For any $\theta \in CSubst$, $e, e' \in Term_{\bot,\mathsf{F}}$ 

a) $\mathcal{P} \vdash_{CRWLF} e \lhd C \Rightarrow \mathcal{P} \vdash_{CRWLF} e\theta \lhd C\theta$ 
b) $\mathcal{P} \vdash_{CRWLF} e \Diamond e' \Rightarrow \mathcal{P} \vdash_{CRWLF} e\theta \Diamond e'\theta$ 

4.1 CRWLF Related to CRWL 

The CRWLF-calculus has been built as an extension of CRWL for dealing with 
failure. Here we show that our aims have been achieved. 

We recall that a CRWLF-program is a CRWL-program not containing extra 
variables in rules. The following results all refer to CRWLF-programs. 

The next result shows that the CRWLF-calculus indeed extends CRWL. Parts 
a) and b) show that statements $e \lhd C$ generalize approximation statements $e \to t$ 
of CRWL. Parts c) and d) show that CRWLF and CRWL are able to prove 
exactly the same joinabilities and divergences (if $\mathsf{F}$ is ignored for the comparison). 

Proposition 4. For any $e, e' \in Term_{\bot,\mathsf{F}}$ 

a) $\mathcal{P} \vdash_{CRWLF} e \lhd C \Rightarrow \forall t \in C$, $\mathcal{P} \vdash_{CRWL} e \to \hat t$ 

b) $\mathcal{P} \vdash_{CRWL} e \to t \Rightarrow \exists C$ such that $t \in C$ and $\mathcal{P} \vdash_{CRWLF} e \lhd C$ 

c) $\mathcal{P} \vdash_{CRWLF} e \bowtie e' \Leftrightarrow \mathcal{P} \vdash_{CRWL} e \bowtie e'$ 
d) $\mathcal{P} \vdash_{CRWLF} e <> e' \Leftrightarrow \mathcal{P} \vdash_{CRWL} e <> e'$ 

We can revise within CRWLF the notion of denotation of an expression, and 
define $[\![e]\!]_{\mathsf{F}} = \{t \in CTerm_{\bot,\mathsf{F}} \mid e \lhd C, t \in C\}$, for any $e \in Term_{\bot,\mathsf{F}}$. As a 
consequence of the previous proposition we have $[\![e]\!] \subseteq [\![e]\!]_{\mathsf{F}}$ for any $e \in Term_\bot$ 
and $\widehat{[\![e]\!]_{\mathsf{F}}} = [\![e]\!]$ for any $e \in Term_{\bot,\mathsf{F}}$, where, given a set $S$, $\hat S$ is defined in the 
natural way: $\hat S = \{\hat t \mid t \in S\}$. 

All the previous results make the task of proving that we have done 
things right with respect to failure easy. We will need a result stronger than Prop. 
4, which does not provide enough information about the relation between the 
denotation of an expression and each of its calculable SAS's. 

Proposition 5. Given $e \in Term_{\bot,\mathsf{F}}$, if $\mathcal{P} \vdash_{CRWLF} e \lhd C$ and $t \in [\![e]\!]$, then there 
exists $s \in C$ such that $s$ and $t$ are consistent. 

Proof. Assume $\mathcal{P} \vdash_{CRWLF} e \lhd C$. If we take $t \in CTerm_\bot$ such that $\mathcal{P} \vdash_{CRWL} e \to t$, 
then by part b) of Prop. 4 there exists $C'$ such that $\mathcal{P} \vdash_{CRWLF} e \lhd C'$ with $t \in C'$. 

By Theorem 1 it follows that $C$ and $C'$ are consistent. By definition of consistent 
SAS's, as $t \in C'$, there exists $s \in C$ such that $t$ and $s$ are consistent. □ 

We easily arrive now at our final result. 

Theorem 2. Given $e \in Term_{\bot,\mathsf{F}}$, if $\mathcal{P} \vdash_{CRWLF} e \lhd \{\mathsf{F}\}$ then $[\![e]\!] = \{\bot\}$. 

Proof. If $t \in [\![e]\!]$, we know from Prop. 5 that $\mathsf{F}$ and $t$ must be consistent. As $\mathsf{F}$ is 
consistent only with $\bot$ and itself, and $t \in CTerm_\bot$, we conclude that $t = \bot$. □ 

5 Conclusions and Future Work 

We have proposed the proof calculus CRWLF (Constructor-based ReWriting 
Logic with Failure), which allows us to deduce negative information from a wide 
class of functional logic programs. In particular, the calculus provides proofs of 
failure of reduction, a notion that can be seen as the natural FLP counterpart 
of negation as failure in logic programming. 

The starting point for CRWLF has been the proof calculus of CRWL [?], a 
well-established theoretical framework for FLP. The most remarkable insight has 
been to replace the statements $e \to t$ of CRWL (representing a single reduction 
of $e$ to an approximated value $t$) by $e \lhd C$ (representing a whole, somehow 
complete, set $C$ of approximations to $e$). With the aid of $\lhd$ we have been able to 
cover all the derivations in CRWL, as well as to prove failure of reduction and, 
as auxiliary notions, failure of joinability and divergence, the two other kinds of 
statements that CRWL was able to prove. 

It is interesting to remark that $\lhd$ provides, at the level of logical descriptions, 
a finer control over reduction than $\to$. Two examples: $e \lhd \{t\}$, $t \in CTerm$, 
expresses the property that $e$ is reducible to the unique totally defined value 
$t$; $e \lhd C$, $e' \lhd C$, with $C$ consisting only of total c-terms, expresses that $e$ and 
$e'$ reduce to exactly the same (totally defined) values. The same properties, if 
expressed by means of $\to$, would require the use of universal quantification, 
which is out of the scope of CRWL. Observe that, although the side conditions 
'$t \in CTerm$' and '$C$ consisting only of total c-terms' of the examples are not 
statements of CRWLF, they are purely syntactical conditions. 

The idea of collecting into an SAS values coming from different reductions 
for a given expression $e$ presents some similarities with abstract interpretation, 
which, within the FLP field, has been used in [?] for detecting unsatisfiability 
of equations $e = e'$ (something similar to failure of our $e \bowtie e'$). We can mention 
some differences between our work and [?]: 

• Programs in [?] are much more restrictive: they must be confluent, terminating, 
satisfy a property of stratification on conditions, and define strict and 
total functions. 

• In our setting, each SAS for an expression $e$ consists of (down) approximations 
to the denotation of $e$, and the set of SAS's for $e$ determines in a precise 
sense (Props. 4 and 5) the exact denotation of $e$. In the abstract interpretation 
approach one typically obtains, for an expression $e$, an abstract term 
representing a superset of the denotation of all the instances of $e$. But some 
of the rules of the CRWLF-calculus (like (9) or (10)) are not valid if we replace 
SAS's by such supersets. To be more concrete, if we adopt an abstract 
interpretation view of our SAS's, it would be natural to see $\bot$ as standing 
for the set of all constructor terms (since $\bot$ is refinable to any value), and 
therefore to identify an SAS like $C = \{\bot, z\}$ with $C' = \{\bot\}$. But from $e \lhd C$ 
we can deduce $e \bowtie z$, while it is not correct to do the same from $e \lhd C'$. 
Therefore, the good properties of CRWLF with respect to CRWL are lost. 

We see our work as the first step in the research of a whole framework for 
dealing with failure in FLP. Some natural (but not small!) future steps are: to 
enlarge the class of considered programs by allowing extra variables; to consider 
'general' programs which make use of failure information, and to develop model-theoretic 
and operational semantics for them. 



Acknowledgments: We thank the anonymous referees for their useful com- 
ments. 
Abstract. Input-consuming programs are logic programs with an additional 
restriction on the selectability (actually, on the resolvability) 
of atoms. This class of programs arguably allows us to model logic programs 
employing a dynamic selection rule and constructs such as delay 
declarations: as shown also in [?], a large number of them are actually 
input-consuming. 

In this paper we show that, under some syntactic restrictions, the 
S-semantics of a program is correct and fully abstract also for input-consuming 
programs. This allows us to conclude that for a large class 
of programs employing delay declarations there exists a model-theoretic 
semantics which is equivalent to the operational one. 

Keywords: Logic programming, dynamic scheduling, semantics. 



1 Introduction 

Most implementations of logic programming languages allow the possibility of 
employing a dynamic selection rule: a selection rule which is not bound to the 
fixed left-to-right order of PROLOG. While this allows for more flexibility, it can 
easily lead to nontermination or to an inefficient computation. For instance, if 
we consider the standard program APPEND 

app([],Ys,Ys). 

app([H|Xs],Ys,[H|Zs]) ← app(Xs,Ys,Zs). 

we have that the query q1 : app([1,2],[3,4],Xs), app(Xs,[5,6],Ys). might 
easily loop infinitely (one just has to keep resolving the rightmost atom together 
with the second clause). To avoid this, most implementations use constructs such 
as delay declarations. In the case of APPEND, when used for concatenating two 
lists, the natural delay declaration is 

d1 : delay app(Xs,_,_) until nonvar(Xs). 

This statement forbids the selection of an atom of the form app(s,t,u) unless s 
is a non-variable term, which is precisely what we need in order to run the query 
q1 without overhead. Delay declarations, advocated by van Emden and de Lucena [?] 
and introduced explicitly in logic programming by Naish [?], provide 
the programmer with better control over the computation and allow one to 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 194–, 2000. 

improve the efficiency of programs (wrt an unrestricted selection rule), to prevent 
run-time errors, to enforce termination and to express some degree of synchronization 
among different processes (i.e., atoms) in a program, which allows one to 
model parallelism (coroutining). 

This extra control comes at a price: many crucial results of logic programming 
do not hold in this extended setting. In particular, the equivalence between the 
declarative and operational semantics does not apply any longer. For instance, 
while the Herbrand semantics of APPEND is non-empty, the query app(X,Y,Z) 
has no successful derivation, as the computation starting in it deadlocks¹. 

In this paper we address the problem of providing a model-theoretic semantics 
to programs using dynamic scheduling. In order to do so, we need a declarative 
way of modeling constructs such as delay declarations: for this we restrict 
our attention to input-consuming programs. The definition of input-consuming 
program employs the concept of mode: we assume that programs are moded, 
that is, that the positions of each atom are partitioned into input and output 
ones. Then, input-consuming derivation steps are precisely those in which the 
input arguments of the selected atom will not be instantiated by the unification 
with the clause's head. For example, the standard mode for the program 
APPEND when used for concatenating two lists is app(In,In,Out). Notice that 
in this case, for queries of the form app(ts,us,X) (X is variable disjoint from 
ts and us, which can be any possibly non-ground terms) the delay declaration 
d1 guarantees precisely that if an atom is selectable and resolvable, then it is 
so via an input-consuming derivation step; conversely, in every input-consuming 
derivation the resolved atom satisfies d1, thus it would have been selectable 
also in the presence of the delay declaration. This reasoning applies to a large class 
of queries (among which q1), and is actually not a coincidence: in the sequel 
we argue that in most situations delay declarations are employed precisely for 
ensuring that the derivation is input-consuming (modulo renaming, i.e. modulo 
variance, as explained later). Because of this, we are interested in providing a model-theoretic 
semantics for input-consuming programs. Clearly, most difficulties one 
has in doing this for programs with delay declarations apply to input-consuming 
programs as well. Intuitively speaking, the crucial problem here lies in the fact 
that computations may deadlock: i.e., reach a state in which no atom is resolvable 
(e.g., the query app(X,Y,Z)). Because of this the operational semantics is 
correct but not complete wrt the declarative one. 
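As an added Python example (not code from the paper), the following checks the input-consuming condition just described for APPEND with mode app(In,In,Out): a clause resolves an atom only if the mgu leaves the atom's input arguments unchanged. It shows that app(X,Y,Z) has no resolvable step (deadlock), that the first atom of q1 resolves, and that the second atom of q1 cannot be resolved while Xs is still a variable, which is what d1 enforces. The unifier, renaming scheme and term encoding are assumptions of this example.

```python
import itertools

# Constructed example, not the paper's code. Variables are strings; other
# terms are tuples ('functor', args...). Prolog lists use the functor '.'
# and the empty list ('[]',).

def is_var(t):
    return isinstance(t, str)

def lst(*items, tail=('[]',)):
    """Build the Prolog list [i1, ..., in | tail]."""
    for x in reversed(items):
        tail = ('.', x, tail)
    return tail

def walk(t, theta):
    while is_var(t) and t in theta:
        t = theta[t]
    return t

def apply(t, theta):
    """Apply substitution theta to term t."""
    t = walk(t, theta)
    return t if is_var(t) else (t[0],) + tuple(apply(a, theta) for a in t[1:])

def unify(a, b, theta):
    """Most general unifier extending theta (no occurs check); None on failure."""
    a, b = walk(a, theta), walk(b, theta)
    if a == b:
        return theta
    if is_var(a):
        return {**theta, a: b}
    if is_var(b):
        return {**theta, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        theta = unify(x, y, theta)
        if theta is None:
            return None
    return theta

_fresh = itertools.count(1)

def rename(clause):
    """Fresh variant of (head, body) obtained by suffixing its variables."""
    suffix = f"_{next(_fresh)}"
    def ren(t):
        return t + suffix if is_var(t) else (t[0],) + tuple(ren(a) for a in t[1:])
    head, body = clause
    return ren(head), [ren(b) for b in body]

# APPEND from the introduction, with the standard mode app(In, In, Out).
APPEND = [
    (('app', ('[]',), 'Ys', 'Ys'), []),
    (('app', ('.', 'H', 'Xs'), 'Ys', ('.', 'H', 'Zs')), [('app', 'Xs', 'Ys', 'Zs')]),
]
MODES = {'app': ('In', 'In', 'Out')}

def input_consuming_steps(atom, program=APPEND):
    """All (mgu, resolvent body) pairs for clauses that resolve `atom` with an
    input-consuming step, i.e. the mgu leaves the input arguments unchanged."""
    steps = []
    for clause in program:
        head, body = rename(clause)
        theta = unify(atom, head, {})
        if theta is None:
            continue
        inputs = [a for a, m in zip(atom[1:], MODES[atom[0]]) if m == 'In']
        if all(apply(a, theta) == a for a in inputs):
            steps.append((theta, [apply(b, theta) for b in body]))
    return steps

def resolvable(atom, program=APPEND):
    """True iff some input-consuming step exists; an atom with no such step
    cannot be selected, and a query made only of such atoms deadlocks."""
    return bool(input_consuming_steps(atom, program))

if __name__ == '__main__':
    one, two, three, four = ('1',), ('2',), ('3',), ('4',)
    print(resolvable(('app', 'X', 'Y', 'Z')))                          # False: deadlock
    print(resolvable(('app', lst(one, two), lst(three, four), 'Xs')))  # True
    print(resolvable(('app', 'Xs', lst(('5',), ('6',)), 'Ys')))        # False: must wait
```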

We prove that, if a program is well- and nicely-moded, then, for nicely-moded 
queries the operational semantics provided by the input-consuming resolution 
rule is correct and complete wrt the S-semantics for logic programs [?]. The 
S-semantics is a denotational semantics which, for programs without delay declarations, 
intuitively corresponds to the set of answer substitutions to the most 
general atomic queries, i.e., queries of the form $p(x_1, \ldots, x_n)$ where $x_1, \ldots, x_n$ 
are distinct variables. Moreover, the S-semantics is compositional, it enjoys a 
model-theoretic reading, and it corresponds to the least fixpoint of a continuous 
operator. 

¹ A deadlock occurs when the current query contains no atom which can be selected 
for resolution. 

Summarizing, we show that the S-semantics of a program is compositional, 
correct and fully abstract also for input-consuming programs, provided that the 
programs considered are well- and nicely-moded, and that the queries are nicely-moded. 
It is important to notice that the queries we are considering do not have 
to be well-moded. Because of this, they might also deadlock. For instance, the 
query app(X,Y,Z) is nicely-moded, thus our results are applicable to it. One of 
the interesting aspects of the results we will present is that in some situations 
one can determine, purely from the declarative semantics of a program, that a 
query does (or does not) lead to deadlock. 

This paper is organized as follows. The next section contains the preliminary 
notations and definitions. In the one which follows we introduce the S-semantics 
together with the key concepts of moded and of input-consuming program. Section 
4 contains the main results, and some examples of their applications. Section 
5 concludes the paper. Some proofs are omitted for space reasons, and can be 
found in [?]. 

2 Preliminaries 

The reader is assumed to be familiar with the terminology and the basic results 
of the semantics of logic programs [?]. Here we adopt the notation of [?], in 
that we use boldface characters (lost in this plain-text rendering) to denote 
sequences of objects; therefore t denotes a sequence of terms while B is a query 
(notice that - following [?] - queries are simply conjunctions of atoms, possibly 
empty). We denote atoms by A, B, H, ..., queries by Q, A, B, C, ..., clauses by 
c, d, ..., and programs by P. 

For any syntactic object o, we denote by Var(o) the set of variables occurring 
in o. We also say that o is linear if every variable occurs in it at most once. 
Given a substitution σ = {x_1/t_1, ..., x_n/t_n} we say that {x_1, ..., x_n} is its domain 
(denoted by Dom(σ)) and that Var({t_1, ..., t_n}) is its range (denoted by Ran(σ)). 
Further, we denote by Var(σ) = Dom(σ) ∪ Ran(σ). If {t_1, ..., t_n} consists of 
variables then σ is called a pure variable substitution. If, in addition, t_1, ..., t_n is 
a permutation of x_1, ..., x_n then we say that σ is a renaming. The composition 
of substitutions is denoted by juxtaposition (θσ(X) = σ(θ(X))). We say that a 
term t is an instance of t' iff for some σ, t = t'σ; further t is called a variant of 
t', written t ≈ t', iff t and t' are instances of each other. A substitution θ is a 
unifier of terms t and t' iff tθ = t'θ. We denote by mgu(t, t') any most general 
unifier (mgu, in short) of t and t'. An mgu θ of terms t and t' is called relevant iff 
Var(θ) ⊆ Var(t) ∪ Var(t'). The definitions above are extended to other syntactic 
objects in the obvious way. 

Computations are sequences of derivation steps. The non-empty query q : 
A, B, C and a clause c : H ← B (renamed apart wrt q; here the boldface B of 
the original is the body of c) yield the resolvent (A, B, C)θ provided that 
θ = mgu(B, H). A derivation step is denoted by A, B, C ⇒_{P,c} (A, B, C)θ. 
c is called its input clause, and B is called the selected atom of q. A derivation 
is obtained by iterating derivation steps. A maximal sequence 
δ := Q_0 ⇒_{P,c_1} Q_1 ⇒_{P,c_2} ··· Q_n ⇒_{P,c_{n+1}} Q_{n+1} ··· of 
derivation steps is called an SLD derivation of P ∪ {Q_0} provided that for every 
step the standardization apart condition holds, i.e., the input clause employed at 
each step is variable disjoint from the initial query Q_0 and from the substitutions 
and the input clauses used at earlier steps. If the program P is clear from the 
context and the clauses c_1, ..., c_{n+1}, ... are irrelevant, then we drop the reference 
to them. An SLD derivation in which at each step the leftmost atom is resolved 
is called an LD derivation. Derivations can be finite or infinite. If 
δ := Q_0 ⇒_{P,c_1} ··· ⇒_{P,c_n} Q_n is a finite prefix of a derivation, also denoted 
δ := Q_0 →^θ Q_n with θ = θ_1 ··· θ_n, we say that δ is a partial derivation of 
P ∪ {Q_0}. If δ is maximal and ends with the empty query then the restriction of 
θ to the variables of Q_0 is called its computed answer substitution (c.a.s., for 
short). The length of a (partial) derivation δ, denoted by len(δ), is the number 
of derivation steps in δ. 

We recall the notion of similar SLD derivations and some related properties. 



Definition 1 (Similar Derivations). We say that two SLD derivations δ and 
δ' are similar (δ ≈ δ') if (i) their initial queries are variants of each other; (ii) 
they have the same length; (iii) for every derivation step, atoms in the same 
positions are selected and the input clauses employed are variants of each other. 

Lemma 2. Let δ := Q_1 →^θ Q_2 be a partial SLD derivation of P ∪ {Q_1} and Q'_1 
be a variant of Q_1. Then, there exists a partial SLD derivation δ' := Q'_1 →^{θ'} Q'_2 
of P ∪ {Q'_1} such that δ and δ' are similar. 

Lemma 3. Consider two similar partial SLD derivations Q →^θ Q' and Q →^{θ'} Q''. 
Then Qθ and Qθ' are variants of each other. 

3 Basic Definitions 

In this section we introduce the basic definitions we need: the ones of input- 
consuming derivations and of the S-semantics. Then we introduce the concepts 
of well- and nicely-moded programs. 

Input-Consuming Derivations. We start by recalling the notion of mode, 
which is a function that labels as input or output the positions of each predicate 
in order to indicate how the arguments of a predicate should be used. 

Definition 4 (Mode). Consider an n-ary predicate symbol p. By a mode for 
p we mean a function m_p from {1, ..., n} to {In, Out}. 

If m_p(i) = In (resp. Out), we say that i is an input (resp. output) position 
of p (with respect to m_p). We assume that each predicate symbol has a unique 
mode associated to it; multiple modes may be obtained by simply renaming the 
predicates. We denote by In(Q) (resp. Out(Q)) the sequence of terms filling 
in the input (resp. output) positions of Q. Moreover, when writing an atom as 
p(s,t), we are indicating with s the sequence of terms filling in its input positions 
and with t the sequence of terms filling in its output positions. The notion of 
input-consuming derivation was introduced in [?] and is defined as follows. 

Definition 5 (Input-Consuming). 

— A derivation step A, B, C ⇒_c (A, B, C)θ is called input-consuming iff 
In(B)θ = In(B). 

— A derivation is called input-consuming iff all its derivation steps are input- 
consuming. 

Thus, a derivation step is input-consuming if the corresponding mgu does 
not affect the input positions of the selected atom. Clearly, because of this ad- 
ditional restriction, there exist queries in which no atom is resolvable via an 
input-consuming derivation step. In this case we say that the query suspends. 

Example 6. Consider the following program REVERSE using an accumulator. 

reverse(Xs,Ys) ← reverse_acc(Xs,Ys,[]). 
reverse_acc([],Ys,Ys). 
reverse_acc([X|Xs],Ys,Zs) ← reverse_acc(Xs,Ys,[X|Zs]). 

When used for reversing a list, the natural mode for this program is the follow- 
ing one^: reverse(In,Out), reverse_acc(In,Out,In). Consider now the query 
reverse([X1,X2],Zs). The following derivation is input-consuming. 

reverse([X1,X2],Zs) ⇒ reverse_acc([X1,X2],Zs,[]) ⇒ 
⇒ reverse_acc([X2],Zs,[X1]) ⇒ reverse_acc([],Zs,[X2,X1]) ⇒ □ 

As usual, □ denotes the empty query. Notice also that a natural delay declaration 
for this program would be 

delay reverse(X,_) until nonvar(X). 
delay reverse_acc(X,_,_) until nonvar(X). 

Now, it is easy to see that for queries of the form reverse(t,X), where t is 
any term and X any variable disjoint from t, the above delay declarations guar- 
antee precisely that the resulting derivations are input-consuming (modulo ≈). 
Furthermore, for the same class of queries it holds that in any input-consuming 
derivation the selected atom satisfies the above delay declarations. □ 

Delay Declarations vs. Input-Consuming Derivations. As suggested in 
the above example, and stated in the introduction, we believe that the concept 
of input-consuming program allows one to model programs employing delay 
declarations in a nice way: we claim that in most programs delay declarations 
are used to enforce that the derivations are input-consuming (modulo ≈). We 
have addressed this topic already in [?]. We now borrow a couple of arguments 
from it, and extend them. 

^ The other possible modes are reverse(Out,In) (which is symmetric and equivalent 
to the above one) and reverse(In,In) which might be used for checking if a list is 
a palindrome. 

Generally, delay declarations are employed to guarantee that the interpreter 
will not use an “inappropriate” clause for resolving an atom (the other, perhaps 
less prominent use of delay declarations is to ensure absence of runtime errors; we 
do not address this issue in this paper). In fact, if the interpreter always selected 
the appropriate clause, by the independence from the selection rule one would 
not have to worry about the order of the selection of the atoms in the query. 
In practice, delay declarations prevent the selection of an atom until a certain 
degree of instantiation is reached. This degree of instantiation ensures that the 
atom is unifiable only with the heads of the “appropriate” clauses. In presence of 
modes, we can reasonably assume that this degree of instantiation is the one of 
the input positions. Now, take an atom p(s, t) that is resolvable with a clause 
c by means of an input-consuming derivation step. Then, for every instance s' 
of s, we have that the atom p(s',t) is also resolvable with c by means of 
an input-consuming derivation step. Thus, no further instantiation of the input 
positions of p(s, t) can rule out c as a possible clause for resolving it, and c must 
then be one of the “appropriate” clauses for resolving p(s, t); we can say that 
p(s, t) is “sufficiently instantiated” in its input positions to be resolved with c. 
On the other hand, following the same reasoning, if p(s, t) is resolvable with c 
but not via an input-consuming derivation step, then there exists an instance 
s' of s such that p(s',t) is not resolvable with c. In this case we can say that 
p(s,t) is not instantiated enough to know whether c is one of the “appropriate” 
clauses for resolving it. 

We conclude this section with a result stating that also when considering 
input-consuming derivations, it is not restrictive to assume that all mgu's used 
in a derivation are relevant. The proof can be found in [?]. 

Lemma 7. Let p(s,t) and p(u,v) be two atoms. If there exists an mgu θ of 
p(s,t) and p(u,v) such that sθ = s then there exists a relevant mgu θ' of p(s,t) 
and p(u,v) such that sθ' = s. 

From now on, we assume that all mgu's used in the input-consuming deriva- 
tion steps are relevant. 

The S-Semantics. The aim of the S-semantics approach (see [?]) is modeling 
the observable behaviors for a variety of logic languages. The observable we 
consider here is the computed answer substitutions. The semantics is defined as 
follows: 

$$S(P) = \{\, p(x_1, \ldots, x_n)\theta \mid x_1, \ldots, x_n \text{ are distinct variables and } p(x_1, \ldots, x_n) \xrightarrow{\theta}_P \Box \text{ is an SLD derivation} \,\}.$$

This semantics enjoys all the valuable properties of the least Herbrand model. 
Technically, the crucial difference is that in this setting an interpretation might 
contain non-ground atoms. To present the main results on the S-semantics we 
need to introduce two further concepts: Let P be a program, and I be a set of 
atoms. The immediate consequence operator for the S-semantics is defined as: 

$$T^S_P(I) = \{\, H\theta \mid \exists\, H \leftarrow \mathbf{B} \in P,\ \exists\, \mathbf{C} \in I \text{ renamed apart}^{\,\wedge} \text{ wrt } H, \mathbf{B},\ \theta = mgu(\mathbf{B}, \mathbf{C}) \,\}.$$

Moreover, a set of atoms I is called an S-model of P if T^S_P(I) ⊆ I. Falaschi et 
al. [?] showed that T^S_P is continuous on the lattice of term interpretations, that 
is sets of possibly non-ground atoms, with the subset-ordering. They proved the 
following: 

— S(P) = least S-model of P = T^S_P ↑ ω. 

Therefore, the S-semantics enjoys a declarative interpretation and a bottom- 
up construction, just like the Herbrand one. In addition, we have that the S- 
semantics reflects the observable behavior in terms of computed answer substi- 
tutions, as shown by the following well-known result. 

Theorem 8. Let P be a program, A be a query, and θ be a substitution. 
The following statements are equivalent. 

— There exists an SLD derivation A →^ϑ_P □, where Aϑ ≈ Aθ. 

— There exists A' ∈ S(P) (renamed apart wrt A), such that σ = mgu(A, A') 
and Aσ ≈ Aθ. 

Let us see this semantics applied to the programs so far encountered. 

S(APPEND) = { app([],X,X), 
              app([X1],X,[X1|X]), 
              app([X1,X2],X,[X1,X2|X]), ... }. 

S(REVERSE) = { reverse([],[]), 
               reverse([X1],[X1]), 
               reverse([X1,X2],[X2,X1]), 
               reverse_acc([],X,X), 
               reverse_acc([X1],X,[X1|X]), 
               reverse_acc([X1,X2],X,[X2,X1|X]), ... }. 

Well- and Nicely-Moded Programs. Even in presence of modes, the S- 
semantics does not reflect the operational behavior of input-consuming programs 
(and thus of programs employing delay declarations). In fact, if we extend APPEND 
by adding to it the clause q ← app(X,Y,Z). we have that q belongs to the 
semantics but the query q will not succeed (it suspends). In order to guarantee 
that the semantics is fully abstract (wrt the computed answer substitutions) 
we need to restrict the class of allowed programs and queries. To this end we 
introduce the concepts of well-moded and of nicely-moded programs. 

^ Here and in the sequel, when we write “C ∈ I, renamed apart wrt some expression 
e”, we naturally mean that I contains a set of atoms C'_1, ..., C'_l, and that C is a 
renaming of C'_1, ..., C'_l such that C shares no variable with e and that two distinct 
atoms of C share no variables with each other. 
Definition 9 (Well-Moded). 

— A query p_1(s_1,t_1), ..., p_n(s_n,t_n) is well-moded if for all i ∈ [1, n] 

$$Var(s_i) \subseteq \bigcup_{j=1}^{i-1} Var(t_j).$$

— A clause p(t_0, s_{n+1}) ← p_1(s_1, t_1), ..., p_n(s_n, t_n) is well-moded if for all 
i ∈ [1, n + 1] 

$$Var(s_i) \subseteq \bigcup_{j=0}^{i-1} Var(t_j).$$

— A program is well-moded if all of its clauses are well-moded. 

Thus a query is well-moded if every variable occurring in an input position 
of an atom occurs in an output position of an earlier atom in the query. A clause 
is well-moded if (1) every variable occurring in an input position of a body atom 
occurs either in an input position of the head, or in an output position of an 
earlier body atom; (2) every variable occurring in an output position of the head 
occurs in an input position of the head, or in an output position of a body atom. 

The concept of nicely-moded programs was first introduced by Chadha and 
Plaisted [?]. 

Definition 10 (Nicely-Moded). 

— A query p_1(s_1,t_1), ..., p_n(s_n,t_n) is called nicely-moded if t_1, ..., t_n is a 
linear sequence of terms and for all i ∈ [1, n] 

$$Var(s_i) \cap \bigcup_{j=i}^{n} Var(t_j) = \emptyset.$$

— A clause p(s_0, t_0) ← p_1(s_1, t_1), ..., p_n(s_n, t_n) is nicely-moded if its body is 
nicely-moded and 

$$Var(s_0) \cap \bigcup_{j=1}^{n} Var(t_j) = \emptyset.$$

— A program P is nicely-moded if all of its clauses are nicely-moded. 

Note that an atomic query p(s,t) is nicely-moded if and only if t is linear and 
Var(s) ∩ Var(t) = ∅. 

Example 11. Programs APPEND and REVERSE are both well- and nicely-moded. 
Consider now the following program PALINDROME, together with REVERSE: 

palindrome(Xs) ← reverse(Xs,Xs). 

With the mode palindrome(In), this program is well-moded but not nicely-moded 
(Xs occurs both in an input and in an output position of the same body atom). 
Nevertheless, it becomes both well-moded and nicely-moded if the adopted modes 
of REVERSE are the following ones: reverse(In,In), reverse_acc(In,In,In). □ 
4 Semantics of Input-Consuming Programs 

In this section we are going to make the link between input-consuming pro- 
grams, well- and nicely-moded programs and the S-semantics: We show that the 
S-semantics of a program is compositional, correct and fully abstract also for 
input-consuming programs, provided that the programs are well- and nicely- 
moded and that only nicely-moded queries are considered. 

Properties of Well-Moded Programs. We start by demonstrating some im- 
portant features of well-moded programs. For this, we need additional notations: 
First, the following notion of renaming for a term t from [?] will be used. 

Definition 12. A substitution θ := {x_1/y_1, ..., x_n/y_n} is called a renaming for 
a term t if Dom(θ) ⊆ Var(t), y_1, ..., y_n are different variables, and (Var(t) − 
{x_1, ..., x_n}) ∩ {y_1, ..., y_n} = ∅ (θ does not introduce variables which occur in t 
but are not in the domain of θ). 

Observe that terms s and t are variants iff there exists a renaming θ for s such 
that t = sθ. Then, we need the following: Let Q := p_1(s_1,t_1), ..., p_n(s_n,t_n). We 
define 

$$VIn^*(Q) = \{\, x \mid \exists\, i \in [1, n],\ x \in Var(s_i) \text{ and } x \notin \bigcup_{j=1}^{i-1} Var(t_j) \,\}.$$

Thus, VIn*(Q) denotes the set of variables occurring in an input position of an 
atom of Q but not occurring in an output position of an earlier atom. Note also 
that if Q is well-moded then VIn*(Q) = ∅. 

We now need the following technical result concerning well-moded programs. 
Because of lack of space, the proof is omitted, and can be found in [?]. 

Lemma 13. Let P be a well-moded program, Q be a query and δ := Q →^θ Q' 
be a partial LD derivation of P ∪ {Q}. If θ|_{VIn*(Q)} is a renaming for Q then δ 
is similar to an input-consuming partial (LD) derivation. 

We can now prove our crucial result concerning well-moded programs. Basi- 
cally, it states the correctness of the S-semantics for well-moded, input-consu- 
ming programs. This can be regarded as “one half” of the main result we are 
going to propose. 

Proposition 14. Let P be a well-moded program, A be an atomic query and θ 
be a substitution. 

— If there exists A' ∈ S(P) (renamed apart wrt A), and σ = mgu(A, A') such 
that 

(i) In(A)σ ≈ In(A), 

(ii) Aσ ≈ Aθ, 

— then there exists an input-consuming (LD) derivation δ := A →^ϑ_P □, such 
that Aϑ ≈ Aθ. 

Proof. Let A' ∈ S(P) (renamed apart wrt A) and σ be such that the hypotheses 
are satisfied. By Theorem 8 there exists a successful SLD derivation of P ∪ {A} 
with c.a.s. ϑ' such that Aϑ' ≈ Aθ. By the Switching Lemma [?], there exists a 
successful LD derivation δ' of P ∪ {A} with c.a.s. ϑ'. From the hypothesis, it 
follows that ϑ'|_{VIn*(A)} is a renaming for A. By Lemma 13 there exists an input- 
consuming derivation A →^ϑ_P □ similar to δ'. The thesis follows by Lemma 3. □ 

Properties of Nicely-Moded Programs. Now, we need to establish some 
properties of nicely-moded programs. First, we recall the following from [?]. 

Lemma 15. Let the program P and the query Q be nicely-moded. Let δ := 
Q →^θ Q' be a partial input-consuming derivation of P ∪ {Q}. Then, for all 
x ∈ Var(Q) and x ∉ Var(Out(Q)), xθ = x. 

Note that if Q is nicely-moded then x ∈ Var(Q) and x ∉ Var(Out(Q)) 
iff x ∈ VIn*(Q). Now, we can prove that the S-semantics is fully abstract for 
input-consuming, nicely-moded programs and queries. This can be regarded as 
the counterpart of Proposition 14. 

Proposition 16. Let P be a nicely-moded program, A be a nicely-moded atomic 
query and θ be a substitution. 

— If there exists an input-consuming SLD derivation δ := A →^ϑ_P □, such that 
Aϑ ≈ Aθ, 

— then there exists A' ∈ S(P) (renamed apart wrt A), and σ = mgu(A, A') 
such that 

(i) In(A)σ ≈ In(A), 

(ii) Aσ ≈ Aθ. 

Proof. By Theorem 8 there exist A' ∈ S(P) (renamed apart wrt A) and a 
substitution σ such that σ = mgu(A, A') and (ii) holds. Since δ is an input- 
consuming derivation, by Lemma 15 it follows that ϑ|_{In(A)} is a renaming for A. 
Hence (i) follows by the hypothesis and (ii). □ 

Semantics of Input-Consuming Derivations. We now put together the 
above propositions and extend them compositionally to arbitrary (non-atomic) 
queries. For this, we need the following simple result. 

Lemma 17. Let the program P be well- and nicely-moded and the query Q be 
nicely-moded. Then, there exists a well- and nicely-moded program P' and a 
nicely-moded atomic query A such that the following statements are equivalent. 

— There exists an input-consuming successful derivation δ of P ∪ {Q} with 
c.a.s. θ. 

— There exists an input-consuming successful derivation δ' of P' ∪ {A} with 
c.a.s. θ. 

Annalisa Bossi, Sandro Etalle, and Sabina Rossi 

Proof (sketch). This is done in a straightforward way by letting P' be the pro- 
gram P ∪ {c : new(x, y) ← Q} where x = VIn*(Q), y = Var(Out(Q)), new is 
a fresh predicate symbol and A = new(x, y). □ 

We are now ready for the main result of this paper, which asserts that 
the declarative semantics S(P) is compositional and fully abstract for input- 
consuming programs, provided that programs are well- and nicely-moded and 
that queries are nicely-moded. 

Theorem 18. Let P be a well- and nicely-moded program, A be a nicely-moded 
query and θ be a substitution. The following statements are equivalent. 

(i) There exists an input-consuming derivation A →^ϑ_P □, such that Aϑ ≈ Aθ. 
(ii) There exists A' ∈ S(P) (renamed apart wrt A), and σ = mgu(A, A') such 
that 

(a) σ|_{VIn*(A)} is a renaming for A, 

(b) Aσ ≈ Aθ. 

Proof. It follows immediately from Propositions 14 and 16 and Lemma 17. □ 

Note that in case of an atomic query A := A (a query consisting of the single 
atom A), we might substitute condition (a) above with the somewhat more 
attractive condition (a') In(A)σ ≈ In(A). Let us immediately see some examples. 

Example 19. 

— app([X,b],Y,Z) has an input-consuming successful derivation, with c.a.s. 
θ ≈ {Z/[X,b|Y]}. This can be concluded by just looking at S(APPEND), from 
the fact that A = app([X1,X2],X3,[X1,X2|X3]) ∈ S(P). Notice that 
app([X,b],Y,Z) is - in its input positions - an instance of A. 

— app(Y,[X,b],Z) has no input-consuming successful derivations. This is be- 
cause there is no A ∈ S(P) such that app(Y,[X,b],Z) is, in its input 
positions, an instance of A. This actually implies that in presence of delay 
declarations app(Y,[X,b],Z) will eventually either deadlock or run into an 
infinite derivation; we are going to talk more about this in the next section. □ 

Note that Theorem 18 holds also in the case that programs are permutation 
well- and nicely-moded and queries are permutation nicely-moded, i.e., pro- 
grams which would be well- and nicely-moded after a permutation of the atoms 
in the bodies and queries which would be nicely-moded through a permutation 
of their atoms. 

Deadlock. We now consider again programs employing delay declarations. An 
important consequence of Theorem 18 is that when the delay declarations imply 
that the derivations are input-consuming (modulo ≈), then one can determine 
from the model-theoretic semantics whether a query is bound to deadlock or not. 
Let us establish some simple notation. In this section we assume that programs 
are augmented with delay declarations, and we say that a derivation respects the 
delay declarations iff every selected atom satisfies the delay declarations. 
Notation 20. Let P be a program and A be a query. 

— We say that P ∪ {A} is input-consuming correct iff every SLD derivation 
of P ∪ {A} which respects the delay declarations is similar to an input- 
consuming derivation. 

— We say that P ∪ {A} is input-consuming complete iff every input-consuming 
derivation of P ∪ {A} respects the delay declarations. 

— We say that P ∪ {A} is bound to deadlock if 

(i) every SLD derivation of P ∪ {A} which respects the delay declarations 
either fails or deadlocks^, and 

(ii) there exists at least one non-failing SLD derivation of P ∪ {A} which 
respects the delay declarations. □ 

For example, consider the program REVERSE (including delay declarations). 

— REVERSE ∪ reverse(s,Z) is input-consuming correct and complete provided 
that Z is a variable disjoint from s. 

Consider now the program APPEND augmented with the delay declaration dl of 
the introduction. 

— APPEND ∪ app(s,t,Z) is input-consuming correct and complete provided 
that Z is a variable disjoint from the possibly non-ground terms s and t. 

— Now, following up on Example 19, since APPEND ∪ app([X,b],Y,Z) is input- 
consuming complete, we can state that APPEND ∪ app([X,b],Y,Z) is not 
bound to deadlock. 

In order to say something about the other query of Example 19 
(app(Y,[X,b],Z)) we need a further reasoning: Consider for the moment the 
nicely-moded query app(X,Y,Z). Since S(APPEND) contains instances of it, by 
Theorem 8 app(X,Y,Z) has at least one successful SLD derivation. Thus, it does 
not fail. On the other hand, every atom in S(APPEND) is in its input positions 
a proper instance of app(X,Y,Z). Thus by Theorem 18 app(X,Y,Z) has no 
input-consuming successful derivations. Therefore, since APPEND ∪ app(X,Y,Z) 
is input-consuming correct, we can state that app(X,Y,Z) either has an infi- 
nite input-consuming derivation or it is bound to deadlock. This fact can be 
nicely combined with the fact that APPEND is input-terminating [?]: i.e., all its 
input-consuming derivations starting in a nicely-moded query are finite. In [?] we 
provided conditions which guarantee that a program is input-terminating; these 
conditions easily allow one to show that APPEND is input-terminating. Because 
of this, we can conclude that the query app(X,Y,Z) is bound to deadlock. 

By simply formalizing this reasoning, we obtain the following. 

Theorem 21. Let P be a well- and nicely-moded program, and A be a nicely- 
moded atomic query. If 

1. ∃ B ∈ S(P), such that A unifies with B, 

2. ∀ B ∈ S(P), if A unifies with B, then In(A) is not an instance of In(B), 

3. P ∪ {A} is input-consuming correct, 

then A either has an infinite SLD derivation respecting the delay declarations or 
it is bound to deadlock. 

If in addition P is input-terminating then A is bound to deadlock. 

^ A derivation deadlocks if its last query contains no selectable atom, i.e., no atom 
which satisfies the delay declarations. 

This result can be immediately generalized to non-atomic queries, as done for 
our main result. Let us see more examples: 

— APPEND U app(Y, [X,b] ,Z) either has an infinite derivation or it is bound to 
deadlock. 

— Since APPEND is input terminating, we have that APPEND U app(Y, [X,b] ,Z) 
is bound to deadlock. 
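The following Python model is an added example, not the authors' code (the paper describes the notions only on paper). It encodes terms, computes mgu's with an occurs check, implements input-consuming derivation steps in the sense of Definition 5, so that the derivation of Example 6 goes through while app(X,Y,Z) suspends, and then checks conditions 1 and 2 of Theorem 21 for the three queries discussed in Example 19 and in the list above, against the first three atoms of S(APPEND) as listed in Section 3 (copied by hand, not computed). The term encoding, the mode tables, the leftmost-first selection without backtracking and the verdict strings are assumptions of this example; condition 3 of the theorem (input-consuming correctness) is not decided here, since the paper argues it separately.

```python
# Added Python model, not the paper's code: terms, unification, input-consuming
# steps (Definition 5) and the deadlock test of Theorem 21 on the page's examples.
import itertools

# An uppercase string is a variable, any other string a constant, and a tuple
# (functor, arg1, ..., argn) a compound term; lists use '.'/2 and '[]'.
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()
def lst(*items, tail='[]'):  # lst('A', 'B', tail='T') is the list [A, B | T]
    for it in reversed(items):
        tail = ('.', it, tail)
    return tail
def variables(t):  # Var(t), in order of first occurrence
    found = [t] if is_var(t) else [v for a in t[1:] for v in variables(a)] if isinstance(t, tuple) else []
    return list(dict.fromkeys(found))
def resolve(t, s):  # t with the substitution s applied exhaustively
    while is_var(t) and t in s:
        t = s[t]
    return (t[0],) + tuple(resolve(a, s) for a in t[1:]) if isinstance(t, tuple) else t

_fresh = itertools.count(1)
def rename_apart(t):  # standardization apart: every variable of t gets a fresh name
    n = next(_fresh)
    return resolve(t, {v: f"{v}_{n}" for v in variables(t)})

def unify(a, b, s):
    """mgu of a and b extending s, or None (occurs check included). When two variables
    meet, the `a`-side one is bound: pass the renamed-apart clause or S(P) atom as `a`
    and the query's own variables are left untouched whenever possible."""
    a, b = resolve(a, s), resolve(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if v in variables(t) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def in_term(atom, modes):  # In(atom), packed as a pseudo-term so it can be resolved/unified
    return ('in',) + tuple(a for a, m in zip(atom[1:], modes[atom[0]]) if m == 'in')

def ic_step(atom, clause, modes, s):
    """Definition 5: the step is input-consuming iff the mgu leaves In(atom) exactly as it was."""
    c = rename_apart(clause)  # c == (':-', head, body_atom_1, ...)
    theta = unify(c[1], atom, s)
    if theta is None or resolve(in_term(atom, modes), theta) != resolve(in_term(atom, modes), s):
        return None
    return theta, list(c[2:])

def ic_derivation(query, program, modes):
    """Leftmost resolvable atom, first applicable clause, no backtracking (enough for the
    deterministic examples here); returns ('success', c.a.s.) or ('suspend', query)."""
    query, s, qvars = list(query), {}, variables(('q',) + tuple(query))
    while query:
        for i, atom in enumerate(query):
            steps = [r for r in (ic_step(atom, c, modes, s) for c in program) if r]
            if steps:
                s, body = steps[0]
                query[i:i + 1] = body
                break
        else:  # no atom is resolvable by an input-consuming step: the query suspends
            return 'suspend', [resolve(a, s) for a in query]
    return 'success', {v: resolve(v, s) for v in qvars if v in s}

def is_instance(t, pattern):  # t == pattern.sigma for some sigma (t, pattern variable-disjoint)
    s = unify(pattern, t, {})
    return s is not None and all(v not in s for v in variables(t))

def deadlock_verdict(atom, s_atoms, modes):
    """Conditions 1 and 2 of Theorem 21 against a finite part of S(P); condition 3 (input-
    consuming correctness) is not syntactic and has to be argued separately, as the paper does."""
    unifies = False
    for b in map(rename_apart, s_atoms):
        if unify(b, atom, {}) is None:
            continue
        unifies = True
        if is_instance(in_term(atom, modes), in_term(b, modes)):
            return 'input positions are an instance of an S(P) atom: IC success possible'
    return 'infinite derivation or bound to deadlock' if unifies else 'no unifier found'

# The programs and modes of Examples 6 and 19, and the first three atoms of
# S(APPEND) as listed in the paper (written down by hand here, not computed).
APPEND = [(':-', ('app', '[]', 'Ys', 'Ys')),
          (':-', ('app', lst('H', tail='T'), 'Ys', lst('H', tail='Zs')), ('app', 'T', 'Ys', 'Zs'))]
REVERSE = [(':-', ('reverse', 'Xs', 'Ys'), ('reverse_acc', 'Xs', 'Ys', '[]')),
           (':-', ('reverse_acc', '[]', 'Ys', 'Ys')),
           (':-', ('reverse_acc', lst('X', tail='Xs'), 'Ys', 'Zs'),
            ('reverse_acc', 'Xs', 'Ys', lst('X', tail='Zs')))]
MODES = {'app': ('in', 'in', 'out'), 'reverse': ('in', 'out'), 'reverse_acc': ('in', 'out', 'in')}
S_APPEND = [('app', '[]', 'X', 'X'), ('app', lst('X1'), 'X', lst('X1', tail='X')),
            ('app', lst('X1', 'X2'), 'X', lst('X1', 'X2', tail='X'))]

EXAMPLE_6 = ic_derivation([('reverse', lst('X1', 'X2'), 'Zs')], REVERSE, MODES)  # Zs = [X2,X1]
APP_XYZ = ic_derivation([('app', 'X', 'Y', 'Z')], APPEND, MODES)                 # suspends
VERDICTS = {q[1:]: deadlock_verdict(q, S_APPEND, MODES) for q in (
    ('app', 'X', 'Y', 'Z'), ('app', 'Y', lst('X', 'b'), 'Z'), ('app', lst('X', 'b'), 'Y', 'Z'))}
```

The binding direction in `unify` matters: Definition 5 asks for an mgu that leaves In(B) literally unchanged, so when a query variable meets a clause variable the clause variable must be the one that gets bound, which is why the renamed clause head is always passed as the first argument. `deadlock_verdict` only ever sees a finite part of S(P), so "no unifier found" is a statement about that part, not a proof of failure; the two queries app(X,Y,Z) and app(Y,[X,b],Z) receive the Theorem 21 verdict, while app([X,b],Y,Z) is, in its input positions, an instance of the third listed atom, exactly as Example 19 says.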

One might wonder why in order to talk about deadlock we went back to 
programs using delay declarations. The crucial point here lies in the difference 
between resolvability - via an input-consuming derivation step - (used in input- 
consuming programs) and selectability (used in programs using delay declara- 
tions). When resolvability does not reduce to selectability, we cannot talk about 
(the usual definition of) deadlocking derivation. Consider the following program, 
where all argument positions are moded as input. 

p(X) ← q(a).    p(a).    q(b). 

The derivation starting in p(X) does not succeed, does not fail, but it also does 
not deadlock in the usual sense: in fact, p(X) can be resolved with the first 
clause, which however leads to failure. We can say that each input-consuming 
SLD tree starting in p(X) is incomplete, as it contains a branch which cannot be 
followed. Once the program is input-consuming correct, we can refer to the 
usual definition of deadlocking derivation. 

Counterexamples. The following examples demonstrate that the syntactic 
restrictions used in Theorem 18 are necessary. Consider the following program. 

p(X,Y) ← equal_lists(X,Y), list_of_zeroes(Y). 
equal_lists([],[]). 
equal_lists([H|T],[H|T']) ← equal_lists(T,T'). 
list_of_zeroes([]). 
list_of_zeroes([0|T]) ← list_of_zeroes(T). 

With the modes: p(In,Out), equal_lists(In,Out), list_of_zeroes(Out). The 
first clause is not nicely-moded because of the double occurrence of Y in the 
body's output positions. Here, there exists a successful input-consuming deriva- 
tion starting in p([X1],Y), and producing the c.a.s. {X1/0, Y/[X1]}. Nevertheless, 
there exists no corresponding A' ∈ S(P) (in fact, S(P)|_p contains all and only 
the atoms of the form p(list0, list0) where list0 is a list containing only 
zeroes). This shows that if the program is well-moded but not nicely-moded 
then the implication (i) ⇒ (ii) in Theorem 18 does not hold. Now consider the 
following program: 

p(X) ← list(Y), equal_lists(X,Y). 
equal_lists([],[]). 
equal_lists([H|T],[H|T']) ← equal_lists(T,T'). 
list([]). 
list([HH|T]) ← list(T). 

With the modes p(In), equal_lists(In,In), list(Out). This program is 
nicely-moded, but not well-moded: The variable HH in the output position of the 
head occurs neither in an output position of the body nor in an input position 
of the head. It is easy to check that there does not exist any successful input- 
consuming derivation for the query p([a]); at the same time, p([X1]) ∈ S(P). 
Thus, if the program is nicely-moded but not well-moded then the implication 
(ii) ⇒ (i) in Theorem 18 does not hold. 
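As an added example (my own Python, not the paper's code), here are the syntactic checks of Definitions 9 and 10 run on APPEND, REVERSE, PALINDROME under both mode choices of Example 11, on the two counterexample programs just given, and on the query app(X,Y,Z). The term encoding and the clause representation are assumptions of this example, and the variable T' of the text is written T1; the expected results, which agree with the claims in the text, are stated in the comments and in the verifier's assertions.

```python
# Added example, not the paper's code: the syntactic checks of Definitions 9 and 10
# run on APPEND, REVERSE, PALINDROME and the two counterexample programs above.
# An uppercase string is a variable, any other string a constant, a tuple
# (functor, args...) a compound term; a clause is the tuple (head, body_atom_1, ...).
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def lst(*items, tail='[]'):  # lst('A', 'B', tail='T') is the list [A, B | T]
    for it in reversed(items):
        tail = ('.', it, tail)
    return tail

def occurrences(t):  # every variable occurrence in t, repetitions included
    return [t] if is_var(t) else [v for a in t[1:] for v in occurrences(a)] if isinstance(t, tuple) else []

def var_set(terms):  # Var(...) of a sequence of terms
    return {v for t in terms for v in occurrences(t)}

def split(atom, modes):  # (In(atom), Out(atom)) according to the mode of its predicate
    pos = list(zip(atom[1:], modes[atom[0]]))
    return [a for a, m in pos if m == 'in'], [a for a, m in pos if m == 'out']

def _flow(atoms, produced, modes):
    """Each Var(s_i) must lie in what earlier output positions produced; returns the
    final produced set, or None at the first atom that violates the condition."""
    for atom in atoms:
        s, t = split(atom, modes)
        if not var_set(s) <= produced:
            return None
        produced = produced | var_set(t)
    return produced

def well_moded_query(query, modes):  # Definition 9, queries
    return _flow(query, set(), modes) is not None

def well_moded_clause(clause, modes):  # Definition 9, clauses; the head is p(t_0, s_{n+1})
    t0, s_last = split(clause[0], modes)  # head inputs produce first, head outputs consume last
    produced = _flow(clause[1:], var_set(t0), modes)
    return produced is not None and var_set(s_last) <= produced

def nicely_moded_query(query, modes):  # Definition 10, queries
    outs = [split(a, modes)[1] for a in query]
    occ = [v for ts in outs for t in ts for v in occurrences(t)]
    if len(occ) != len(set(occ)):  # t_1, ..., t_n is not a linear sequence
        return False
    for i, atom in enumerate(query):  # Var(s_i) meets no Var(t_j) with j >= i
        if var_set(split(atom, modes)[0]) & var_set(t for ts in outs[i:] for t in ts):
            return False
    return True

def nicely_moded_clause(clause, modes):  # Definition 10, clauses; the head is p(s_0, t_0)
    s0 = split(clause[0], modes)[0]
    body_out = var_set(t for a in clause[1:] for t in split(a, modes)[1])
    return nicely_moded_query(clause[1:], modes) and not (var_set(s0) & body_out)

def check(program, modes):  # (well-moded?, nicely-moded?)
    return (all(well_moded_clause(c, modes) for c in program),
            all(nicely_moded_clause(c, modes) for c in program))

APPEND = [(('app', '[]', 'Ys', 'Ys'),),
          (('app', lst('H', tail='T'), 'Ys', lst('H', tail='Zs')), ('app', 'T', 'Ys', 'Zs'))]
REVERSE = [(('reverse', 'Xs', 'Ys'), ('reverse_acc', 'Xs', 'Ys', '[]')),
           (('reverse_acc', '[]', 'Ys', 'Ys'),),
           (('reverse_acc', lst('X', tail='Xs'), 'Ys', 'Zs'), ('reverse_acc', 'Xs', 'Ys', lst('X', tail='Zs')))]
PALINDROME = [(('palindrome', 'Xs'), ('reverse', 'Xs', 'Xs'))]
EQUAL_LISTS = [(('equal_lists', '[]', '[]'),),
               (('equal_lists', lst('H', tail='T'), lst('H', tail='T1')), ('equal_lists', 'T', 'T1'))]
COUNTER_1 = [(('p', 'X', 'Y'), ('equal_lists', 'X', 'Y'), ('list_of_zeroes', 'Y'))] + EQUAL_LISTS + [
    (('list_of_zeroes', '[]'),), (('list_of_zeroes', lst('0', tail='T')), ('list_of_zeroes', 'T'))]
COUNTER_2 = [(('p', 'X'), ('list', 'Y'), ('equal_lists', 'X', 'Y'))] + EQUAL_LISTS + [
    (('list', '[]'),), (('list', lst('HH', tail='T')), ('list', 'T'))]

M_REV_OUT = {'app': ('in', 'in', 'out'), 'reverse': ('in', 'out'),
             'reverse_acc': ('in', 'out', 'in'), 'palindrome': ('in',)}
M_REV_IN = {**M_REV_OUT, 'reverse': ('in', 'in'), 'reverse_acc': ('in', 'in', 'in')}
M_C1 = {'p': ('in', 'out'), 'equal_lists': ('in', 'out'), 'list_of_zeroes': ('out',)}
M_C2 = {'p': ('in',), 'equal_lists': ('in', 'in'), 'list': ('out',)}

RESULTS = {
    'APPEND': check(APPEND, M_REV_OUT),                                              # (True, True)
    'REVERSE': check(REVERSE, M_REV_OUT),                                            # (True, True)
    'PALINDROME + REVERSE': check(PALINDROME + REVERSE, M_REV_OUT),                  # (True, False)
    'PALINDROME + REVERSE, reverse(In,In)': check(PALINDROME + REVERSE, M_REV_IN),   # (True, True)
    'counterexample 1': check(COUNTER_1, M_C1),                                      # (True, False)
    'counterexample 2': check(COUNTER_2, M_C2),                                      # (False, True)
    'query app(X,Y,Z)': (well_moded_query([('app', 'X', 'Y', 'Z')], M_REV_OUT),
                         nicely_moded_query([('app', 'X', 'Y', 'Z')], M_REV_OUT)),   # (False, True)
}
```

The clause check of Definition 9 is the query check with the head's input positions treated as an output produced before the body and the head's output positions as an input consumed after it; this is why `well_moded_clause` seeds `_flow` with Var(t_0) and finishes with the inclusion for s_{n+1}. For the first counterexample it is the double occurrence of Y in the body outputs that breaks linearity, and for the second it is HH in the head output, matching the reasons given in the text.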

5 Concluding Remarks 

We have shown that - under some syntactic restrictions - the S-semantics re- 
flects the operational semantics also when programs are input-consuming. The S- 
semantics is a denotational semantics which enjoys a model-theoretical reading. 
The relevance of the results is due to the fact that input-consuming programs 
often allow one to model the behavior of programs employing delay declarations; 
hence for a large part of programs employing dynamic scheduling there exists a 
declarative semantics which is equivalent to the operational one. 

As related work we want to mention Apt and Luitjes [?]. The crucial difference 
with it is that in [?] conditions which ensure that the queries are deadlock-free are 
employed. Under these circumstances the equivalence between the operational 
and the Herbrand semantics follows. On the other hand, the class of queries we 
consider here (the nicely-moded ones) includes many which would “deadlock” 
(e.g., app(X,Y,Z)): Theorem 21 proves that in many cases one can tell by the 
declarative semantics for instance if a query is “sufficiently instantiated” to yield 
a success or if it is bound to deadlock. 

Concerning the restrictiveness of the syntactic concepts we use here (well- 
and nicely-moded programs and nicely-moded queries) we want to mention that 
[?, ?] both contain mini-surveys of programs with the indication whether they 
are well- and nicely-moded or not. From them, it appears that most “usual” 
programs satisfy both definitions. It is important to stress that under this re- 
striction one might still want to employ a dynamic selection rule. Consider for 
instance a query of the form read_tokens(X), modify(X,Y), write_tokens(Y), 
where the modes are read_tokens(Out), modify(In,Out), write_tokens(Out). 
If read_tokens cannot read the input stream all at once, it makes sense that 
modify and write_tokens be called in order to process and display the tokens 
that are available, even if read_tokens has not finished reading the input. This 
can be done by using dynamic scheduling, using either delay declarations or an 
input-consuming resolution rule in order to avoid nontermination and inefficien- 
cies. 
Abstract. Defeasible logic is an efficient non-monotonic logic for defea- 
sible reasoning. It is defined through a proof theory, and has no model 
theory. In this paper a denotational semantics is given for defeasible logic, 
as a step towards a full model theory. The logic is sound and complete 
wrt this semantics, but the semantics is not completely satisfactory as 
a model theory. We indicate directions for research that might resolve 
these issues. 



1 Introduction 

Defeasible logic is a logic designed for efficient defeasible reasoning. The logic 
was designed by Nute [?] with the intention that it be efficiently imple- 
mentable. This intention has been realised in systems that can process hundreds 
of thousands of defeasible rules quickly [?]. Over the years, Nute and others have 
proposed many variants of defeasible logic [?]. In this paper we will address a 
particular defeasible logic, which we denote by DL. However, our work is easily 
modified to address other defeasible logics. 

DL, and similar logics, have been proposed as the appropriate language for 
executable regulations, contracts and business rules [?]. The logics are 
considered to have satisfactory expressiveness and the efficiency of the implemen- 
tations supports real-time response in applications such as electronic commerce. 

Defeasible reasoning is rather similar to default reasoning, but differs in the
way rules are employed. In default reasoning, if all the pre-conditions of
a rule are satisfied then the consequent of the rule is established. In defeasible
reasoning, however, such a consequent may be defeated by the action of other
rules.

Default logic has a model-theoretic semantics through the use of extensions
as a kind of model. This has proven a fruitful tool for the analysis of default
theories.

On the other hand, neither DL nor any other variant of modern defeasible
logic has a model theory. DL is defined purely in proof-theoretic terms.
Furthermore, a model theory based on the idea of extensions is likely to be
inappropriate for defeasible logic, since the kind of scepticism that is developed from
the intersection of extensions in default logic is different from the kind of scepticism
that occurs in defeasible logic.
In early work on semantics for defeasible logics, Nute defined a model
theory for LDR, a substantially simpler precursor of DL, in terms of a minimal
belief state for each theory. LDR defines defeat only in terms of definite
provability; this limitation is the main reason why the approach is successful.
Recently, this approach has been extended to a defeasible logic that is closer
to DL, and more general in one respect. However, the semantics is based on the
idea of intersection of extensions and consequently the logic is sound but not
complete for this semantics.

There has been some work on providing a semantics for DL in other styles.
In earlier work we showed that DL can be defined in terms of a meta-program, defined
to reflect the inference rules of the logic, and a semantics for the language of the
meta-program. While this approach was successful in establishing a relationship
between DL and Kunen's semantics of negation-as-failure, it does not directly
address model-theoretic reasoning.

Recent work has described DL in argumentation-theoretic terms.
Such a characterization is useful for the applications of the logic that we have in
mind, but the resulting semantics is again a meta-level treatment of the proof
theory: proof trees are grouped together as arguments, and conflicting arguments
are resolved by notions of argument defeat that reflect defeat in defeasible logic.
Thus this work also fails to address model theory.

In this paper a semantics for DL is defined in the denotational style.
Denotational semantics was developed as a framework for defining non-operational
semantics for programming languages. It was inspired by model-theoretic semantics
for classical logic.

Nevertheless, we do not claim that the denotational semantics we present 
represents a completely satisfactory solution to the problem of finding a model 
theory for defeasible logic. In particular, our semantics is not fully abstract. 
There are defeasible rule sets that are assigned different denotational semantics, 
but are not observably different. However, the denotational semantics is a strong 
basis from which to obtain a fully abstract semantics, and we suggest research 
directions that could achieve a satisfactory semantics. 

The structure of the paper is as follows. In the next section we introduce 
the constructs of defeasible logic, and part of the proof theory of DL. We then 
define a denotational semantics for DL. The next two sections address issues of 
correctness and full abstraction for this semantics. Finally, we discuss directions 
for further research. 



2 The Defeasible Logic DL 

We begin by presenting the basic ingredients of defeasible logic. A defeasible 
theory contains five different kinds of knowledge: facts, strict rules, defeasible 
rules, defeaters, and a superiority relation. 

Facts are indisputable statements, for example, “Tweety is an emu” . This 
might be expressed as emu(tweety) . 
Strict rules are rules in the traditional sense: whenever the premises are
indisputable (e.g. facts) then so is the conclusion. An example of a strict rule is
"Emus are birds". Written formally:

$$emu(X) \to bird(X).$$

Defeasible rules are rules that can be defeated by contrary evidence. An example
of such a rule is "Birds typically fly"; written formally:

$$bird(X) \Rightarrow flies(X)$$

The idea is that if we know that something is a bird, then we may conclude that 
it flies, unless there is other evidence suggesting that it may not fly. 

Defeaters are rules that cannot be used to draw any conclusions. Their only
use is to prevent some conclusions. In other words, they are used to defeat some
defeasible rules by producing evidence to the contrary. An example is "If an
animal is heavy then it might not be able to fly". Formally:

$$heavy(X) \leadsto \neg flies(X)$$

The main point is that the information that an animal is heavy is not sufficient
evidence to conclude that it doesn't fly. It is only evidence that the animal may
not be able to fly. In other words, we don't wish to conclude $\neg flies(tweety)$ if
$heavy(tweety)$; we simply want to prevent a conclusion $flies(tweety)$.

The superiority relation among rules is used to define priorities among rules,
that is, where one rule may override the conclusion of another rule. For example,
given the defeasible rules

$$r : bird(X) \Rightarrow flies(X)$$
$$r' : brokenWing(X) \Rightarrow \neg flies(X)$$

which contradict one another, no conclusive decision can be made about whether
a bird with a broken wing can fly. But if we introduce a superiority relation $>$
with $r' > r$, then we can indeed conclude that the bird cannot fly. We assume
that $>$ is acyclic.

It is not possible, in this paper, to give a complete formal description of the 
logic. However, we hope to give enough information about the logic to make the 
discussion of the denotational semantics intelligible. 

A rule $r$ consists of its antecedent (or body) $A(r)$, which is a finite set of literals,
an arrow, and its head, which is a literal. Given a set $R$ of rules, we denote the
set of all strict rules in $R$ by $R_s$, the set of strict and defeasible rules in $R$ by
$R_{sd}$, the set of defeasible rules in $R$ by $R_d$, and the set of defeaters in $R$ by $R_{dft}$.
$R[q]$ denotes the set of rules in $R$ with head $q$. If $q$ is a literal, ${\sim}q$ denotes the
complementary literal (if $q$ is a positive literal $p$ then ${\sim}q$ is $\neg p$; and if $q$ is $\neg p$,
then ${\sim}q$ is $p$).

A defeasible theory T is a triple (F, R, >) where F is a finite set of literals 
(called facts), R a finite set of rules, and > a superiority relation on the labels 
of R. 

A conclusion of $T$ is a tagged literal and can have one of the following four
forms:

$+\Delta q$, which is intended to mean that $q$ is definitely provable in $T$ (i.e., using
only facts and strict rules).

$-\Delta q$, which is intended to mean that we have proved that $q$ is not definitely
provable in $T$.

$+\partial q$, which is intended to mean that $q$ is defeasibly provable in $T$.

$-\partial q$, which is intended to mean that we have proved that $q$ is not defeasibly
provable in $T$.

Provability is based on the concept of a derivation (or proof) in $T = (F, R, >)$.
A derivation is a finite sequence $P = (P(1), \ldots, P(n))$ of tagged literals
constructed by inference rules. There are four inference rules (corresponding to the
four kinds of conclusion) that specify how a derivation can be extended. ($P(1..i)$
denotes the initial part of the sequence $P$ of length $i$):

$+\Delta$: We may append $P(i+1) = +\Delta q$ if either
$$q \in F \quad\text{or}\quad \exists r \in R_s[q]\ \forall a \in A(r): +\Delta a \in P(1..i)$$

This means, to prove $+\Delta q$ we need to establish a proof for $q$ using facts and
strict rules only. This is a deduction in the classical sense. To prove $-\Delta q$ it is
required to show that every attempt to prove $+\Delta q$ fails in finite time. Thus
the inference rule for $-\Delta$ is the constructive complement of the inference rule
for $+\Delta$.

$-\Delta$: We may append $P(i+1) = -\Delta q$ if
$$q \notin F \quad\text{and}\quad \forall r \in R_s[q]\ \exists a \in A(r): -\Delta a \in P(1..i)$$

The inference rule for defeasible conclusions is complicated by the defeasible
nature of DL: opposing chains of reasoning must be taken into account.

$+\partial$: We may append $P(i+1) = +\partial q$ if either

(1) $+\Delta q \in P(1..i)$ or

(2) (2.1) $\exists r \in R_{sd}[q]\ \forall a \in A(r): +\partial a \in P(1..i)$ and

(2.2) $-\Delta{\sim}q \in P(1..i)$ and

(2.3) $\forall s \in R[{\sim}q]$ either

(2.3.1) $\exists a \in A(s): -\partial a \in P(1..i)$ or

(2.3.2) $\exists t \in R_{sd}[q]$ such that
$\forall a \in A(t): +\partial a \in P(1..i)$ and $t > s$

Let us work through this inference rule. To show that $q$ is provable defeasibly
we have two choices: (1) we show that $q$ is already definitely provable; or (2) we
need to argue using the defeasible part of $T$ as well. In particular, we require
that there must be a strict or defeasible rule with head $q$ which can be applied
(2.1). But now we need to consider possible "attacks", that is, reasoning chains
in support of ${\sim}q$. To be more specific: to prove $q$ defeasibly we must show that
${\sim}q$ is not definitely provable (2.2). Also (2.3) we must consider the set of all
rules which are not known to be inapplicable and which have head ${\sim}q$ (note
that here we consider defeaters, too, whereas they could not be used to support
the conclusion $q$; this is in line with the motivation of defeaters given earlier).
Essentially each such rule $s$ attacks the conclusion $q$. For $q$ to be provable, each
such rule $s$ must be counterattacked by a rule $t$ with head $q$ with the following
properties: (i) $t$ must be applicable at this point, and (ii) $t$ must be stronger than
$s$. Thus each attack on the conclusion $q$ must be counterattacked by a stronger
rule.

As with $-\Delta$, the inference rule for $-\partial$ is the constructive complement of the
inference rule for $+\partial$.

$-\partial$: We may append $P(i+1) = -\partial q$ if

(1) $-\Delta q \in P(1..i)$ and

(2) (2.1) $\forall r \in R_{sd}[q]\ \exists a \in A(r): -\partial a \in P(1..i)$ or

(2.2) $+\Delta{\sim}q \in P(1..i)$ or

(2.3) $\exists s \in R[{\sim}q]$ such that

(2.3.1) $\forall a \in A(s): +\partial a \in P(1..i)$ and

(2.3.2) $\forall t \in R_{sd}[q]$ either
$\exists a \in A(t): -\partial a \in P(1..i)$ or $t \not> s$

3 A Denotational Semantics 

The approach of denotational semantics is to map, using a function $\mu$, every
syntactic construct to its meaning, that is, the abstract thing that it denotes.
The meaning of a compound syntactic object is defined in terms of the meaning
of its components. Generally these definitions are recursive, and the meaning of
each construct is then given by a fixedpoint of the corresponding equations.

In comparison to the denotational semantics of programming languages, the
denotational semantics of DL appears simple since there are few syntactic
constructs and there is no need to represent sequentiality or state. The meanings
of all but one of the syntactic categories are defined non-recursively, in terms of
the meaning of components. Only the semantics of an entire defeasible theory is
defined recursively, that is, in terms of itself.

We first introduce some notation and then discuss our assumptions about
DL. $\wp X$ denotes the powerset of $X$. $f + g$ denotes the function $(f + g)(X) =
f(X) \cup g(X)$. When $x$ is a tuple, we write $\pi_i x$ to denote the $i$'th element of $x$.

We assume a given language consisting of a set of function symbols $\Sigma$ and a
set of predicate symbols $\Pi$, all with fixed arities, an infinite set $Vars$ of variables,
and an infinite set $Lab$ of labels. We extend $Lab$ to $Labels$ by the addition of
a new element $(null)$, which will be used as a placeholder for rules without a
label. Thus $Lab$ contains the labels that can be used in defining a theory, but
$Labels$ is the set of labels used in the semantics.

Let $T = (F, R, >)$ and let $\mathcal{L}$ be the set of literals generated by the language
of $T$. We assume that $F$, $R$, and $>$ are finite.

In all the functions to be presented, there is an implicit domain of
interpretation $\mathcal{D}$. $\mathcal{D}$ consists of a set of values $D$ and the interpretation of each
function symbol $f$ of arity $n$ by a function $f_{\mathcal{D}} : D^n \to D$. Equality is
interpreted by identity in $D$. In this paper we will consider only the Herbrand
domain generated by an infinite set of constants, but we address later the issues
in extending our results more generally. The set of evaluated literals is
$$EL = \{p(d_1, \ldots, d_n) \mid p \in \Pi,\ d_1, \ldots, d_n \in D\}.$$
We represent the conclusions of DL by a 4-tuple of sets of evaluated literals.
Let $Conc = (\wp EL)^4$. $Conc$ contains elements such as
$$(\{emu(tweety), bird(tweety)\}, \{heavy(tweety), \neg heavy(tweety)\}, \{flies(tweety)\}, \{heavy(tweety)\}).$$

We define a function $\mu$ from defeasible theories to $Conc$, that is
$\mu : T \mapsto (+\Delta, -\Delta, +\partial, -\partial)$, which maps the defeasible theory $T$ to the four sets of
conclusions that can be derived from the theory.

The functions presented below act on elements of $Conc$. Given an element
$X$ of $Conc$, or any 4-tuple, we use a subscript ($+\Delta$, $-\Delta$, $+\partial$, or $-\partial$)
to refer to the projection of $X$ onto the corresponding field. For example, if
$X = (A, B, C, D)$ then $X_{+\Delta}$ is $A$ and $X_{-\partial}$ is $D$. We define the following order on
$Conc$: $(A_1, B_1, C_1, D_1) \le (A_2, B_2, C_2, D_2)$ iff $A_1 \subseteq A_2$, $B_1 \subseteq B_2$, $C_1 \subseteq C_2$, and
$D_1 \subseteq D_2$. Union is also defined pointwise,
$$(A_1, B_1, C_1, D_1) \cup (A_2, B_2, C_2, D_2) = (A_1 \cup A_2, B_1 \cup B_2, C_1 \cup C_2, D_1 \cup D_2),$$
and extends in the obvious way to infinite unions.

A valuation is a function from variables to values in the domain. Thus $Valn$,
the set of valuations, is defined to be $Vars \to D$.

The meaning of a literal, given a single conclusion, is the collection of valu- 
ations that, when applied to the literal, produce the given conclusion. Since a 
conclusion may have one of four tags, when we generalize this statement to a set 
of conclusions, we use 4 -tuples for both the concluded literals and the valuations. 

For a literal in the body of a rule, we intend that $\mu[\![literal]\!]$ maps collections
of conclusions to collections of the corresponding valuations that map $literal$ to
one of the conclusions. That is, the meaning of a literal, given some conclusions,
is the collection of valuations (one for each tag) that, when applied to the literal,
produce one of the given conclusions.

However, we also need to use the meaning of a literal to define the appropriate
instance of the literal by a valuation. This aspect of the literal is used when the
literal appears in the head of a rule. Thus the type is:

$$\mu[\![literal]\!] : Conc \to ((\wp Valn)^4 \times (Valn \to EL))$$

The second aspect of the meaning of a literal appears in the codomain of this
expression purely to simplify the notation; it is not dependent on the input
value from $Conc$. We will use expressions such as $v(Head)$ as shorthand for
$\pi_2(\mu[\![Head]\!](X))(v)$. Thus the meaning of a literal is defined as

$$\mu[\![literal]\!](X) = ((V_{+\Delta}, V_{-\Delta}, V_{+\partial}, V_{-\partial}), apply)$$

where $V_t = \{v \mid v(literal) \in X_t\}$ for each tag $t$, and $apply(v) = v(literal)$.

Define a function $\otimes$ by $(A, B, C, D) \otimes (E, F, G, H) = (A \cap E, B \cup F, C \cap G, D \cup H)$.
This function is clearly commutative and associative, with identity
$(Valn, \emptyset, Valn, \emptyset)$, and so extends straightforwardly to a set of tuples. Note that $\otimes$ is
monotonic wrt the pointwise extension of the containment ordering on $\wp Valn$.

The meaning of a rule body is simply the combination, by $\otimes$, of the (first
part of the) meanings of its constituent literals.

$$\mu[\![Body]\!] : Conc \to (\wp Valn)^4$$
$$\mu[\![Body]\!](X) = \bigotimes_{b \in Body} \pi_1 \mu[\![b]\!](X)$$

Before we define the meaning of a rule, we introduce some more types.
$LATE = Labels \times Arrows \times Tags \times EL$. $Labels$ is the set of labels of rules,
$Arrows = \{\to, \Rightarrow, \leadsto\}$, $Tags = \{+\Delta, \overline{-\Delta}, +\partial, \overline{-\partial}\}$, and $EL$ is the set of evaluated
literals. $\overline{-\Delta}$ (respectively $\overline{-\partial}$) is intended to represent the complement of $-\Delta$
(respectively $-\partial$). Elements of $LATE$ are tentative conclusions (i.e. potential
conclusions that might yet be defeated) including information on the rule used
to produce the tentative conclusion (its label and its arrow). An example element
of $LATE$ is $(rule1, \Rightarrow, +\partial, flies(tweety))$.

The meaning of a rule is the function which maps a set of conclusions to
further tentative conclusions which can be drawn using the rule. The tentative
conclusions are only positive, in the sense that they are about inferences that
could be made, rather than those that cannot be made. We represent a rule by
$label : Body \hookrightarrow Head$, where $label$, $Body$, and $Head$ are syntactic variables and
$\hookrightarrow$ stands for the rule's arrow.

$$\mu[\![label : Body \hookrightarrow Head]\!] : Conc \to \wp LATE$$

$$\begin{array}{rl}
\mu[\![label : Body \hookrightarrow Head]\!](X) = & \{(label, \hookrightarrow, +\Delta, v(Head)) \mid \hookrightarrow \text{ is } \to \text{ and } v \in \mu[\![Body]\!](X)_{+\Delta}\} \\
\cup & \{(label, \hookrightarrow, \overline{-\Delta}, v(Head)) \mid \hookrightarrow \text{ is } \to \text{ and } v \notin \mu[\![Body]\!](X)_{-\Delta}\} \\
\cup & \{(label, \hookrightarrow, +\partial, v(Head)) \mid \hookrightarrow \in Arrows \text{ and } v \in \mu[\![Body]\!](X)_{+\partial}\} \\
\cup & \{(label, \hookrightarrow, \overline{-\partial}, v(Head)) \mid \hookrightarrow \in Arrows \text{ and } v \notin \mu[\![Body]\!](X)_{-\partial}\}
\end{array}$$

We consider rules without a label to be rules where the label is $(null)$:
$$\mu[\![Body \hookrightarrow Head]\!](X) = \mu[\![(null) : Body \hookrightarrow Head]\!](X)$$

The meaning of a fact is a constant function of the same type as rules:
$Conc \to \wp LATE$. Essentially, facts are treated as unlabelled, strict rules with
empty bodies. This possibility was already pointed out in earlier work.

$$\mu[\![f]\!] = \{((null), \to, +\Delta, v(f)) \mid v \in Valn\} \cup \{((null), \to, \overline{-\Delta}, v(f)) \mid v \in Valn\}$$

The meaning of a set of facts (or rules) is simply the sum of the meaning of
every fact (or rule):

$$\mu[\![F]\!] = \sum_{f \in F} \mu[\![f]\!] \qquad\qquad \mu[\![R]\!] = \sum_{r \in R} \mu[\![r]\!]$$

The meaning of an individual superiority statement is simply a binary
relation expressed as a function, and has type $BinReln$, where $BinReln = Labels \times
Labels \to Boolean$.

$$\mu[\![n_1 > n_2]\!](x, y) = \text{if } (x = n_1 \wedge y = n_2) \text{ then } true \text{ else } false$$

The meaning of the superiority relation as a whole is simply the combination
of the meaning of the individual statements in the obvious way.

$$\mu[\![>]\!](x, y) = \bigvee_{s \in >} \mu[\![s]\!](x, y)$$

The meaning of the theory $T$ is defined as the least fixedpoint of a function
$\mu_T$ determined by the three components of $T$: the facts $F$, the rules $R$ and the
superiority relation $>$.

$$\mu[\![T]\!] : Conc$$
$$\mu[\![T]\!] = lfp(\mu_T)$$

$\mu_T$ is an auxiliary function, used for clarity, which maps a collection of
conclusions to a new, larger collection of conclusions that can be drawn on the basis
of the rules and the superiority relation. The requirement that $\mu[\![T]\!]$ be a
fixedpoint of $\mu_T$ (i.e. a solution of $Z = \mu_T(Z)$) is thus a requirement that $\mu[\![T]\!]$ be
deductively closed.

$$\mu_T : Conc \to Conc$$
$$\mu_T(X) = X \cup combine(\mu[\![>]\!], \mu[\![R]\!] + \mu[\![F]\!])(X)$$

combine performs the mediation, using the superiority relation, among the 
tentative conclusions produced by the rules and facts. It embodies most of the 
information that is part of the inference rules of DL and has been structured 
similarly to make the correspondence clear. For many variants of defeasible logic, 
only this function needs to be altered to produce a denotational semantics of the 
variant. 

$$combine : (BinReln \times (Conc \to \wp LATE)) \to (Conc \to Conc)$$
$$combine(\succ, f)(X) = (+\Delta, -\Delta, +\partial, -\partial)$$

where

$$+\Delta = \{p \mid \exists (n, \to, +\Delta, p) \in f(X)\}$$

$$-\Delta = \{p \mid \nexists (n, \to, \overline{-\Delta}, p) \in f(X)\}$$

$$\begin{array}{l}
+\partial = +\Delta \cup \{p \mid \\
\quad \nexists (n, \to, \overline{-\Delta}, {\sim}p) \in f(X) \text{ and} \\
\quad \exists (n_1, \hookrightarrow_1, +\partial, p) \in f(X) \text{ such that } \hookrightarrow_1 \text{ is } \to \text{ or } \Rightarrow, \text{ and} \\
\quad \forall (n_2, \hookrightarrow_2, \overline{-\partial}, {\sim}p) \in f(X)\ \ \exists (n_3, \hookrightarrow_3, +\partial, p) \in f(X),\ \hookrightarrow_3 \text{ is } \to \text{ or } \Rightarrow, \text{ and } n_3 \succ n_2 \\
\}
\end{array}$$

$$\begin{array}{l}
-\partial = -\Delta \cap \{p \mid \\
\quad \exists (n, \to, +\Delta, {\sim}p) \in f(X) \text{ or} \\
\quad \forall (n_1, \hookrightarrow_1, \overline{-\partial}, p) \in f(X) \text{ such that } \hookrightarrow_1 \text{ is } \to \text{ or } \Rightarrow, \\
\quad\quad \exists (n_2, \hookrightarrow_2, +\partial, {\sim}p) \in f(X)\ \ \forall (n_3, \hookrightarrow_3, \overline{-\partial}, p) \in f(X):\ \hookrightarrow_3 \text{ is } \leadsto \text{ or } n_3 \not\succ n_2 \\
\}
\end{array}$$



This ends the definition of the denotational semantics of DL. 
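For a ground theory the rule meanings, combine and mu_T above are directly executable, and since combine is structured after the inference rules of Section 2 the same program also computes the proof-theoretic conclusions. The following Python is an added example, not code from the paper: it represents a conclusion 4-tuple as a dict keyed by the four tags, produces the LATE tuples of each rule and fact (the barred tags marking rules not yet shown inapplicable), mediates them with combine, and iterates mu_T from the empty tuple until it reaches mu_T up-arrow omega. The literal encoding ('~p' as the complement of 'p'), the rule format, the representation of > as a set of (winner, loser) label pairs, the restriction of -Delta and -del to the literals of the theory's language, and the Tweety theory used to exercise it are the example's own assumptions; the first condition of +del is taken to be the barred -Delta test on ~p, corresponding to (2.2) of the inference rule.

```python
"""Denotational semantics of DL for a ground (propositional) theory.

Added example, not code from the paper. A literal is a string and '~p' is the
complement of 'p'; a rule is (label, body, arrow, head) with body a set of
literals; the superiority relation is a set of (winner, loser) label pairs;
a conclusion 4-tuple X is a dict keyed by the four tags. All of these
encodings are this example's assumptions."""

STRICT, DEFEASIBLE, DEFEATER = "->", "=>", "~>"
PD, MD, Pd, Md = "+D", "-D", "+d", "-d"      # +Delta, -Delta, +del, -del
MDbar, Mdbar = "-D~", "-d~"                  # complement tags used in LATE tuples
SUPPORTING = (STRICT, DEFEASIBLE)            # R_sd: rules that can support a conclusion
TAGS = (PD, MD, Pd, Md)


def neg(lit):
    """Complementary literal: p <-> ~p."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def rule_meaning(rule, X):
    """mu[label : Body arrow Head](X): the LATE tuples one rule yields given X."""
    label, body, arrow, head = rule
    out = set()
    if arrow == STRICT:
        if all(a in X[PD] for a in body):          # body definitely provable
            out.add((label, arrow, PD, head))
        if not any(a in X[MD] for a in body):      # not yet shown strictly inapplicable
            out.add((label, arrow, MDbar, head))
    if all(a in X[Pd] for a in body):              # body defeasibly provable
        out.add((label, arrow, Pd, head))
    if not any(a in X[Md] for a in body):          # not yet shown defeasibly inapplicable
        out.add((label, arrow, Mdbar, head))
    return out


def fact_meaning(fact):
    """A fact is an unlabelled strict rule with an empty body."""
    return {(None, STRICT, PD, fact), (None, STRICT, MDbar, fact)}


def combine(sup, tuples, lits):
    """Mediate the tentative conclusions with the superiority relation (Section 3)."""
    def having(tag, p, arrows=None):
        return [t for t in tuples
                if t[2] == tag and t[3] == p and (arrows is None or t[1] in arrows)]

    plus_D = {t[3] for t in tuples if t[2] == PD}
    minus_D = {p for p in lits if not having(MDbar, p)}
    plus_d, minus_d = set(plus_D), set()
    for p in lits:
        supporters = having(Pd, p, SUPPORTING)       # applicable rules in R_sd[p]
        attackers = having(Mdbar, neg(p))            # rules for ~p not known inapplicable
        # +del: ~p not strictly provable, some supporter applies, and every
        # attacker is beaten by a supporter that is superior to it.
        if (not having(MDbar, neg(p)) and supporters
                and all(any((t[0], s[0]) in sup for t in supporters) for s in attackers)):
            plus_d.add(p)
        live = having(Mdbar, p, SUPPORTING)          # rules in R_sd[p] not known inapplicable
        counters = having(Pd, neg(p))                # applicable rules for ~p, defeaters included
        # -del: p not strictly provable, and either ~p is strictly provable, or
        # some applicable rule for ~p is overridden by no live supporter of p.
        if p in minus_D and (having(PD, neg(p)) or not live or
                any(all((t[0], s[0]) not in sup for t in live) for s in counters)):
            minus_d.add(p)
    return {PD: plus_D, MD: minus_D, Pd: plus_d, Md: minus_d}


def literals(theory):
    """The literals of the language of T, closed under complement."""
    facts, rules, _ = theory
    lits = set(facts)
    for _, body, _, head in rules:
        lits |= body | {head}
    return lits | {neg(p) for p in lits}


def mu_T(theory, X):
    """mu_T(X) = X union combine(mu[>], mu[R] + mu[F])(X)."""
    facts, rules, sup = theory
    tuples = set().union(*(fact_meaning(f) for f in facts),
                         *(rule_meaning(r, X) for r in rules))
    new = combine(sup, tuples, literals(theory))
    return {tag: X[tag] | new[tag] for tag in TAGS}


def least_fixedpoint(theory):
    """mu[T] = mu_T up-arrow omega: iterate from the empty tuple until nothing changes."""
    X = {tag: set() for tag in TAGS}
    while True:
        Y = mu_T(theory, X)
        if Y == X:
            return X
        X = Y


def tweety(*extra_facts):
    """The paper's running example with optional extra facts (constructed test theory)."""
    rules = [("r1", {"emu"}, STRICT, "bird"),
             ("r", {"bird"}, DEFEASIBLE, "flies"),
             ("r'", {"brokenWing"}, DEFEASIBLE, "~flies"),
             ("d", {"heavy"}, DEFEATER, "~flies")]
    return ({"emu", *extra_facts}, rules, {("r'", "r")})


if __name__ == "__main__":
    for facts in ((), ("brokenWing",), ("heavy",)):
        X = least_fixedpoint(tweety(*facts))
        print(facts, {tag: sorted(X[tag]) for tag in TAGS})
```

Running the block prints the four conclusion sets for three variants of the theory: with only emu(tweety), flies is +del; adding brokenWing(tweety) makes ~flies +del and flies -del because r' > r; adding heavy(tweety) instead lets the defeater d block flies without supporting ~flies, so both literals end up -del. The fixedpoint reached is also checked to be closed under mu_T, which is what Theorem 1 below requires of mu_T up-arrow omega.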

4 Correctness 

To show that this semantics is well-defined, we need to establish that a least
fixedpoint of $\mu_T$ exists. Usually, in denotational semantics, all functions are
chosen to be monotonic¹ over a complete lattice, and the existence of the least
fixedpoint then follows by Tarski's result. However, since we are dealing
with a non-monotonic logic that option is not readily available. Specifically, the
function $\mu_T$ is not monotonic. For example, consider the theory $(\emptyset, R, \emptyset)$ where
$R = \{b \Rightarrow a\}$. Let $Y = \mu_T(\{b\}, \emptyset, \emptyset, \emptyset)$ and $Z = \mu_T(\{\neg a, b\}, \emptyset, \emptyset, \emptyset)$. Then
$a \in Y_{+\partial}$ but $a \notin Z_{+\partial}$.

Nevertheless, we are able to establish that the least fixedpoint of pr exists 
and thus the semantics is well-defined. 

Define

$$\mu_T \uparrow 0 = \emptyset$$
$$\mu_T \uparrow (\alpha + 1) = \mu_T(\mu_T \uparrow \alpha)$$
$$\mu_T \uparrow \alpha = \bigcup_{\beta < \alpha} \mu_T \uparrow \beta$$

where, in the last case, $\alpha$ is a limit ordinal. The semantics can be constructed
using this definition.

Theorem 1.

$$\mu[\![T]\!] = \mu_T \uparrow \omega$$

¹ A function $f$ from a partially ordered set $(A, \le_A)$ to a partially ordered set $(B, \le_B)$
is monotonic if, for every $x, y \in A$, if $x \le_A y$ then $f(x) \le_B f(y)$.

The proof proceeds by showing, by induction, that $(\mu_T \uparrow \alpha) \le X$ for every
$\alpha$ and every $X$ that is a fixedpoint of $\mu_T$. Key to the proof are the containment
relations holding as a result of $\mu_T \uparrow \alpha \le X$; in particular,
$\mu[\![R]\!](\mu_T \uparrow \alpha)_{+\partial} \subseteq \mu[\![R]\!](X)_{+\partial}$ and
$\mu[\![R]\!](X)_{\overline{-\partial}} \subseteq \mu[\![R]\!](\mu_T \uparrow \alpha)_{\overline{-\partial}}$, where $U_s$ denotes the set of all
tuples $u$ in $U$ such that $\pi_3 u = s$. Thus, for example, $Y_{+\partial}$ denotes the subset of
$Y$ containing all tuples of the form $(\ldots, \ldots, +\partial, \ldots)$.

Furthermore, by the assumptions that the theory is finite and that the domain
has only constants, $\mu_T \uparrow \omega$ is a fixedpoint of $\mu_T$. The result follows immediately.

Since the semantics is well-defined, we can now address its correctness. Rather
than determine its correctness with respect to the original proof theory, we will
use the bottom-up formulation of the proof theory presented in earlier work. That
formulation is, in fact, an extension of the proof theory that permits non-propositional
languages and infinite domains. The original proof-theoretic definitions
implicitly assume that there are only finitely many ground instances of rules, and
are inappropriate when the domain is infinite. If the domain consists of finitely
many constants then the two formulations are essentially equivalent.

The semantics is correct in the sense that it characterizes the conclusions 
that can be proved in the bottom-up formulation of the proof theory of DL. 
That is, the proof system is sound and complete with respect to this semantics. 

Theorem 2. Let $T$ be a defeasible theory and $\mu_T$ as defined above.

• $\mu[\![T]\!]_{+\Delta} = \{p \mid T \vdash +\Delta p\}$

• $\mu[\![T]\!]_{-\Delta} = \{p \mid T \vdash -\Delta p\}$

• $\mu[\![T]\!]_{+\partial} = \{p \mid T \vdash +\partial p\}$

• $\mu[\![T]\!]_{-\partial} = \{p \mid T \vdash -\partial p\}$

The proof is by induction on the level of iteration a. The use of the bottom-up 
formulation greatly simplifies the proof. 

The denotational semantics has deliberately not addressed compositionality
at the level of defeasible theories, so that the semantics reflects the proof theory
exactly. The most reasonable operation on defeasible theories is union, defined
by $T_1 \cup T_2 = (F_1 \cup F_2, R_1 \cup R_2, >_1 \cup >_2)$, where $T_i = (F_i, R_i, >_i)$. Although
the denotational semantics is not compositional in the sense that the meaning of
$T_1 \cup T_2$ can be determined from the meanings of $T_1$ and $T_2$, it can easily reflect
the above definition through compositionality at the level of $F$, $R$ and $>$.

5 Full Abstraction 

A semantics is fully abstract if whenever the semantics of two things (of the same
syntactic type) differ there is a context in which the two things produce different
operational (in this case, proof-theoretic) results. By context we mean a theory
with a "hole" such that once the hole is filled the resulting theory is syntactically
correct.

If a semantics is fully abstract (and correct) then we can tell whether two
syntactic items will behave equivalently or not by checking whether the semantics
assigns the same meaning to both items. Thus a fully abstract correct semantics
expresses exactly the same distinctions that would be observable from the proof
theory, and no more.

For defeasible logic, we say a semantics is fully abstract if, for every syntactic
category and every $S_1$ and $S_2$ in that category, $\mu[\![S_1]\!] \ne \mu[\![S_2]\!]$ implies there is a
context $C[\ ]$ such that $\mathcal{P}[\![C[S_1]]\!] \ne \mathcal{P}[\![C[S_2]]\!]$, where $\mathcal{P}$ denotes the proof-theoretic
semantics.

We start by characterizing, for some syntactic categories, when two syntactic
objects have the same meaning. Two rules $Body_i \to Head_i$, for $i = 1, 2$, are
subsumption-equivalent if there exists a variable renaming $\rho$ such that $Head_1 =
Head_2\rho$ and $Body_2\rho \subseteq Body_1$ and $Body_1\rho^{-1} \subseteq Body_2$.

Lemma 3. Let $Literal_i$, $Body_i$, $label_i$ and $Head_i$ be syntactic variables ranging
over literals, bodies, labels and literals respectively, for $i = 1, 2$.

• $\mu[\![Literal_1]\!] = \mu[\![Literal_2]\!]$ iff $Literal_1$ and $Literal_2$ are identical

• $\mu[\![Body_1]\!] = \mu[\![Body_2]\!]$ iff $Body_1 = Body_2$ as sets

• $\mu[\![label_1 : Body_1 \hookrightarrow_1 Head_1]\!] = \mu[\![label_2 : Body_2 \hookrightarrow_2 Head_2]\!]$ iff
$label_1 = label_2$, $\hookrightarrow_1 = \hookrightarrow_2$, and $Body_1 \to Head_1$ is subsumption-equivalent
to $Body_2 \to Head_2$

The proof is straightforward, and very similar to a corresponding result for
definite logic programs. The possible presence of a literal and its negation
in a body has no effect since the input $X$ to the function is permitted to satisfy
$\{p, \neg p\} \subseteq X_{+\Delta}$.

We can now show that the semantics is fully abstract in all syntactic categories
except one. Specifically, the semantics is fully abstract for literals, bodies,
rules, superiority statements, and the sets $F$ of facts and the superiority relation
$>$. It is only for the set of rules $R$ that the semantics is not fully abstract.

Theorem 4. The denotational semantics is fully abstract for every syntactic 
category, except the set of rules R. 

Proof. For bodies: If $\mu[\![B_1]\!] \ne \mu[\![B_2]\!]$ then $B_1 \ne B_2$ as sets, by the above lemma.
Hence either $B_1 \not\subseteq B_2$ or $B_2 \not\subseteq B_1$ (or both). We consider only the first case, since
the second is symmetrical. Let $\theta$ map all variables in $B_1$ to distinct constants.
Then $B_1\theta$ is not an instance of $B_2$. Let $C[\ ] = (F, R, \emptyset)$, where $F = \{b\theta \mid b \in B_1\}$
and $R = \{[\ ] \Rightarrow h\}$, for an atom $h$ not occurring in $B_1 \cup B_2$. Then $C[B_1] \vdash +\partial h$
but $C[B_2] \vdash -\partial h$. A similar argument applies to individual literals.

For rules: If $\mu[\![r_1]\!] \ne \mu[\![r_2]\!]$, then there are three cases by the above lemma: the
difference is caused by labels, arrows, or the rules proper. Let $r_i$ be $label_i : B_i \hookrightarrow_i
h_i$ for $i = 1, 2$.

If $r_1$ and $r_2$ have different labels, we can assume, by symmetry, that $label_1 \ne
(null)$. Suppose this is the only difference between $\mu[\![r_1]\!]$ and $\mu[\![r_2]\!]$. Let $C[\ ] =
(\emptyset, R, >)$, where $R = \{[\ ]\} \cup \{true \Rightarrow b\theta \mid b \in B_1\} \cup \{r : true \Rightarrow {\sim}h_1\theta\}$, $>$ contains
only $r > label_1$, and $r$ is a (non-null) label different from $label_1$ and $label_2$. Then
$C[r_1] \vdash +\partial{\sim}h_1\theta$ but $C[r_2] \vdash -\partial{\sim}h_1\theta$.

Suppose $r_1$ and $r_2$ have different arrows but are otherwise subsumption-equal.
Let $C[\ ] = (F, R, \emptyset)$, where $F = \{b\theta \mid b \in B_1\}$ and $R = \{[\ ]\}$. Then

• $\hookrightarrow_i$ is $\to$ iff $C[r_i] \vdash +\partial h_1\theta$ and $C[r_i] \vdash +\Delta h_1\theta$

• $\hookrightarrow_i$ is $\Rightarrow$ iff $C[r_i] \vdash +\partial h_1\theta$ and $C[r_i] \vdash -\Delta h_1\theta$

• $\hookrightarrow_i$ is $\leadsto$ iff $C[r_i] \vdash -\partial h_1\theta$ and $C[r_i] \vdash -\Delta h_1\theta$

Thus this context can distinguish $r_1$ and $r_2$.

Suppose $r_1$ and $r_2$ are not subsumption-equal. Then one rule, say $r_1$, does
not subsume the other rule. Consequently, $r_1$ does not subsume $r_2\theta$. Let $C[\ ] =
(F, R, \emptyset)$, where $F = \{b\theta \mid b \in B_2\}$ and $R = \{[\ ]\} \cup \{true \Rightarrow {\sim}h_2\theta\}$. Then
$C[r_1] \vdash +\partial{\sim}h_2\theta$ but $C[r_2] \vdash -\partial{\sim}h_2\theta$.

For the set of facts: If $\mu[\![F_1]\!] \ne \mu[\![F_2]\!]$ then there is a tuple $((null), \to, +\Delta, f) \in
\mu[\![F_1]\!] \setminus \mu[\![F_2]\!]$ (or vice versa). Let $C[\ ] = ([\ ], \emptyset, \emptyset)$. Then $C[F_1] \vdash +\Delta f$ but
$C[F_2] \vdash -\Delta f$.

For superiority statements, full abstraction is trivial. For the superiority
relation: If $\mu[\![>_1]\!] \ne \mu[\![>_2]\!]$ then there are labels $a$ and $b$ such that $a >_1 b$ but
not $a >_2 b$ (or vice versa). Let $C[\ ] = (\emptyset, R, [\ ])$ where $R = \{a : true \Rightarrow p,\ b :
true \Rightarrow \neg p\}$. Then $C[>_1] \vdash +\partial p$ but $C[>_2] \vdash -\partial p$.

To see that the semantics is not fully abstract for $R$ consider the rule sets
$R_1 = \{p \to q, q \to r\}$ and $R_2 = \{p \to q, q \to r, p \to r\}$. Clearly $\mu[\![R_1]\!] \ne \mu[\![R_2]\!]$
but in any context the proof-theoretic semantics are the same.

In a conventional logic programming setting we might overcome this problem
by defining $\mu[\![R]\!]$ in terms of all unfoldings of rules of $R$.
However, this approach is not immediately transferable to defeasible logics since
tentative conclusions must be mediated by the superiority relation. It is perhaps
possible to apply techniques used in giving compositional denotational semantics
to concurrent languages (for example, something similar to failure sets) to solve
this problem. Indeed, the result might be similar to a semantic kernel.
This is certainly a topic for further investigation.



6 Further Work 

Extending these results to other domains, for example the Herbrand domain
with function symbols, or linear real arithmetic, faces two hurdles.

Firstly, the fixedpoint characterization is no longer valid. Consider the
following example in a Herbrand domain.

$$p(X) \Rightarrow q(a)$$
$$p(X) \Rightarrow p(f(X))$$

In this case the fixedpoint characterization will produce the conclusion
$-\partial q(a)$, which is not a valid conclusion in defeasible logic. The problem is
essentially the same as the problem of representing finite failure in logic programs
by fixedpoint techniques, although the function $\mu_T$ is considerably more
complicated. Thus, in more powerful domains the semantics should be defined in terms
of $\mu_T \uparrow \omega$, rather than $lfp(\mu_T)$.

This fact, and the relationship between Kunen's semantics of logic programs
and defeasible logic, suggest that a model theory based on three-valued logic
might be able to characterize $\mu_T \uparrow \omega$ in the same way that Kunen showed
that logical consequence in a three-valued logic characterizes $\Phi_P \uparrow \omega$, where $\Phi_P$
is a function introduced by Fitting. However, the greater complexity of $\mu_T$
in comparison with $\Phi_P$ suggests that the required logic would be cumbersome.
Nevertheless, this is a promising approach to achieving model-based semantics.

Secondly, in general, other domains require built-in relations, that is, constraints.
The denotational semantics is easily adapted to handle constraints in rule
bodies by defining

$$\mu[\![constraint]\!](X) = ((V, \overline{V}, V, \overline{V}), f)$$

where $V$ is the set of valuations under which the constraint is true, $\overline{V}$ is the
complement of $V$ in $Valn$, and $f$ is a dummy value that is never used. However,
the full abstraction results will require further extension since, for example, the
definition of subsumption-equal is inadequate when constraints are admitted.

7 Conclusion 

The problem of finding a model theory for defeasible logic has been a
longstanding one. This paper has defined a denotational semantics for the defeasible logic
DL. This is a notable achievement since non-monotonicity is a difficult hurdle
to overcome. The semantics is a step towards a model theory, but is not
completely satisfactory since it is not fully abstract. Nevertheless, this work provides
a sturdy basis for obtaining a satisfactory model theory.
Abstract. The Herbrand model H of a definite logic program P is an
initial model among the class of all the models of P, interpreting P as an
initial theory. Such a theory (program) proves (computes) only positive
literals (atoms) in P, so it does not deal with negation. In this paper,
we introduce isoinitial semantics for logic programs and show that it
can provide a rich semantics for logic programs, which can deal with
not just negation, but also incomplete information, parametricity and
compositionality.



We dedicate this paper to the memory of the originator of isoinitial semantics: 
Pierangelo Miglioli (1946-1999). 



1 Introduction 

The intended model of a definite logic program $P$ is its Herbrand model $H$. It interprets $P$ under the Closed World Assumption [9]. Among the class of all the models of $P$, $H$ interprets $P$ as an initial theory [ref]. A distinguishing feature of an initial theory $P$ is that, in general, it proves (computes) only positive literals in $P$, so it does not deal with negation. One way to handle negation is to consider program closures (e.g. program completion). In this paper, we introduce isoinitial semantics [ref] for (definite) logic programs, and we show that isoinitial closures are better able to handle negation than initial closures, and are, in general, richer than initial closures from the point of view of incomplete information, parametricity and compositionality.

We will discuss full first-order theories in general, and consider definite programs as a particular case, with its own peculiarities. Since it admits any kind of axioms, our treatment also applies to normal and disjunctive programs (which for lack of space we will only briefly mention in the Conclusion). Finally, we shall assume familiarity with the general terminology for logic programming, and refer readers to standard works such as [ref] for this terminology.

The results of Sections 2 and 3 adapt the general results of [ref] to logic programs (for the first time), while the other results are mainly new.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 223-..., 2000.

2 Initial and Isoinitial Models

In this section, we formally define, and exhibit examples of, theories with initial and isoinitial models. We show how we can characterise such models, and for isoinitial models, we state useful conditions for proving isoinitiality.

A $\Sigma$-theory is a set of $\Sigma$-sentences, where $\Sigma = (F, R)$ is a signature with function symbols $F$ and relation symbols $R$, where each symbol has an associated arity. For example, Peano Arithmetic is a $Nat$-theory, where $Nat$

We shall work in first-order logic with identity, i.e. identity $=$ and the usual identity axioms will always be understood. For example, we can introduce $Nat$ as the signature $Nat = (\{0^0, s^1, *^2\}, \{\})$, with $=$ being understood.

Let $\Sigma = (F, R)$ be a signature. As usual, a $\Sigma$-structure is a triple $\mathcal{M} = (D, F^{\mathcal{M}}, R^{\mathcal{M}})$, where $F^{\mathcal{M}}$ is an $F$-indexed set of functions interpreting $F$, and $R^{\mathcal{M}}$ is an $R$-indexed set of relations interpreting $R$. Of course, the interpretation of a function symbol $f^n$ is an $n$-ary function $f^{\mathcal{M}} : D^n \rightarrow D$, and the interpretation of a relation symbol $r^m \in R$ is an $m$-ary relation $r^{\mathcal{M}} \subseteq D^m$. When no confusion can arise, we may omit the arity, i.e. we write $f$ instead of $f^n$ and $r$ instead of $r^m$.

In a structure $\mathcal{M}$, terms and formulas are interpreted in the usual way. $t^{\mathcal{M}}$ will denote the value of a ground term $t$ in $\mathcal{M}$, and $\mathcal{M} \models A$ will indicate that the sentence (sentences) $A$ is (are) true in $\mathcal{M}$. A theory $T$ is a set of sentences, and a model of $T$ is a structure $\mathcal{M}$ such that $\mathcal{M} \models T$.

Finally, homomorphisms, isomorphisms and isomorphic embeddings are defined in the usual way. Since the latter are less popularly used in the literature than homomorphisms and isomorphisms, we briefly recall them here.

Definition 1. (Isomorphic Embeddings). An isomorphic embedding $i : \mathcal{J} \rightarrow \mathcal{M}$ is a homomorphism between the structures $\mathcal{J}$ and $\mathcal{M}$ that preserves the complements of relations, i.e.: $(a_1, \ldots, a_n) \notin r^{\mathcal{J}}$ entails $(i(a_1), \ldots, i(a_n)) \notin r^{\mathcal{M}}$.

Therefore, $\alpha \neq \beta$ entails $i(\alpha) \neq i(\beta)$, i.e. isomorphic embeddings are injective. Moreover, $\mathcal{J}$ is isomorphic to a substructure of $\mathcal{M}$ (viz. the $i$-image of $\mathcal{J}$), i.e. $\mathcal{J}$ is 'isomorphically embedded' in $\mathcal{M}$.

Now we can define initial and isoinitial models of $\Sigma$-theories.

Definition 2. (Initial Models). Let $T$ be a first-order $\Sigma$-theory, and $\mathcal{I}$ be a model of $T$. $\mathcal{I}$ is an initial model of $T$ iff, for every model $\mathcal{M}$ of $T$, there is a unique homomorphism $h : \mathcal{I} \rightarrow \mathcal{M}$.

Definition 3. (Isoinitial Models). Let $T$ be a first-order $\Sigma$-theory, and $\mathcal{J}$ be a model of $T$. $\mathcal{J}$ is an isoinitial model of $T$ iff, for every model $\mathcal{M}$ of $T$, there is a unique isomorphic embedding $i : \mathcal{J} \rightarrow \mathcal{M}$.

Example 1. Consider the simple signature $\Sigma = (\{a^0, b^0\}, \{\})$, containing just two constant symbols $a$ and $b$. The corresponding Herbrand interpretation $H$ is defined by $D = \{a, b\}$, $a^H = a$ and $b^H = b$.

^1 $a^n$ denotes a symbol $a$ with arity $n$.

^2 The standard interpretation of $=$ is understood.
$H$ is an initial model of the empty theory $\emptyset$. Indeed, for every other model $\mathcal{M}$, the map $h$ defined by ($h(a) = a^{\mathcal{M}}$, $h(b) = b^{\mathcal{M}}$) is the unique homomorphism from $H$ into $\mathcal{M}$. The empty theory does not prevent interpretations where $a = b$.

$H$ is not an isoinitial model of $\emptyset$ however. Indeed, there is no isomorphic embedding from $H$ into models $\mathcal{M}$ such that $a^{\mathcal{M}} = b^{\mathcal{M}}$, since isomorphic embeddings have to preserve inequality.

In contrast, $H$ is an isoinitial model of the theory $\{\neg a = b\}$. Indeed, for every model $\mathcal{M}$ of $\{\neg a = b\}$, we have $a^{\mathcal{M}} \neq b^{\mathcal{M}}$, and the map $i$ such that ($i(a) = a^{\mathcal{M}}$, $i(b) = b^{\mathcal{M}}$) is the unique isomorphic embedding of $H$ into $\mathcal{M}$.

In fact $H$ is also an initial model of $\{\neg a = b\}$.

In the rest of the paper, we will consider only the particular case of reachable initial and isoinitial models. The treatment of non-reachable models requires concrete data [ref] that are omitted for lack of space; isoinitiality entails initiality in the reachable case, whereas in the general case the two notions are independent.

Definition 4. (Reachable Models). A structure (model) $\mathcal{M} = (D, F^{\mathcal{M}}, R^{\mathcal{M}})$ is reachable if, for every $a \in D$, there is a ground term $t$ such that $t^{\mathcal{M}} = a$.

We can characterise reachable initial and isoinitial models as follows: 

Theorem 1. Let $\mathcal{J}$ be a reachable model of a $\Sigma$-theory $T$. Then $\mathcal{J}$ is an initial model of $T$ if and only if the following initiality condition holds:

for every ground atom $A$, $\mathcal{J} \models A$ iff ($\mathcal{M} \models A$, for every model $\mathcal{M}$ of $T$)   (ini)

while it is an isoinitial model of $T$ if and only if the following isoinitiality condition holds:

for every ground literal $L$, $\mathcal{J} \models L$ iff ($\mathcal{M} \models L$, for every model $\mathcal{M}$ of $T$).   (iso)

(The proof follows from the reachability hypothesis. We omit it for conciseness.) 

Thus initial models represent truth of atomic formulas in every model, while 
isoinitial models represent both truth and falsity of atomic formulas in every 
model. 

Now by the completeness theorem for first-order theories, we can prove: 

Corollary 1. In Theorem 1 we can replace (ini) and (iso) by (ini') and (iso'):

for every ground atom $A$, $\mathcal{J} \models A$ iff $T \vdash A$.   (ini')

for every ground literal $L$, $\mathcal{J} \models L$ iff $T \vdash L$.   (iso')

That is, initial models represent provability of atomic formulas, while isoinitial 
models represent provability of literals, i.e. they behave properly with respect to 
negation of atomic formulas. 

Of course, in general, a first-order theory may have no initial or isoinitial 
models. To state the existence of such models, we could apply the above theo- 
retical (characterisation) results. However, for isoinitial models, we can state a 
condition that is more useful in practice for proving isoinitiality: 

Corollary 2. In Theorem 1 we can replace (iso) by the following atomic completeness condition: for every ground atom $A$, $T \vdash A$ or $T \vdash \neg A$.   (atc)
In condition (atc) models disappear altogether^3, i.e., we have a purely proof-theoretic condition. This allows us to prove some interesting and useful results that link classical and constructive proof-theoretical properties with isoinitial models [ref]. For example, we can prove the following theorem:

Theorem 2. Let $\Sigma = (F, \{\})$ be a signature containing a non-empty set $F$ of function and constant symbols, with at least one constant symbol. Let $H_F$ be the corresponding Herbrand structure, and let $CET(F)$ be Clark's Equality Theory for $F$. Then $H_F$ is an isoinitial model of $CET(F)$.

Proof. $H_F$ is a model of $CET(F)$, and, being a term-model, it is trivially reachable. Atomic completeness follows from the fact that, for every ground atomic formula $t = t'$, $CET(F) \vdash t = t'$ if $t$ and $t'$ coincide, and $CET(F) \vdash \neg t = t'$ if $t$ and $t'$ are different.



3 Initial and Isoinitial Semantics for Closed Theories 

In this section, we consider closed theories and their initial and isoinitial mod- 
els. For conciseness, we will use the abbreviations ini for initial semantics (i.e. 
semantics based on initial models), iso for isoinitial semantics (i.e. semantics 
based on isoinitial models) and sem for a parameter standing for either ini or 
iso. 

We will show that, for closed theories, iso is better able than ini to deal with 
negation. In the next section, we will show that for the special case of closed 
definite logic programs, iso also allows us to reason about termination. 

Closed first-order $\Sigma$-theories are defined as follows:

Definition 5. (sem-Closed $\Sigma$-Theories). A $\Sigma$-theory $T$ is sem-closed if and only if it has a (reachable) sem-model.

Example 2. Consider the signature $\Sigma = (F, \{\})$ (as in Theorem 2) containing a non-empty set $F$ of function and constant symbols, with at least one constant symbol. Let $H_F$ be the corresponding Herbrand structure.

The empty theory $\emptyset$ is ini-closed, and $H_F$ is an initial model of $\emptyset$. By contrast, $\emptyset$ is not iso-closed (it is not atomically complete). However, $CET(F)$ is an iso-closed theory, with isoinitial model $H_F$ (see Theorem 2).

In general, iso is better equipped than ini to deal with negation: in Example 2, iso shows that $\emptyset$ lacks information with regard to negation, whereas ini does not show this. ini and iso correspond to two different ways of looking at negation and, more generally, at the role of axioms. Indeed, as a corollary of (ini') and (iso'), we get the following properties:

If $\mathcal{I}$ is an initial model, then for every ground atom $A$,

$\mathcal{I} \models \neg A$ iff $T \nvdash A$.   (ini'')

If $\mathcal{J}$ is isoinitial, then for every ground atom $A$,

$\mathcal{J} \models \neg A$ iff $T \vdash \neg A$.   (iso'')



^3 However, models do not disappear completely from Theorem 1, because the existence of at least one reachable model $\mathcal{J}$ is always assumed.



Isoinitial Semantics for Logic Programs 227 



(ini'') generalises the Closed World Assumption (CWA) to general first-order theories: a fact is false (in the intended reachable initial model) if and only if it cannot be proved.

(iso'') corresponds to Constructive Negation (CN) [ref]: a fact is false (in the intended model) if and only if its negation can be proved.

Thus ini and iso subscribe to different views. Ini corresponds to a principle 
of economy: we look for the smallest set of axioms that allows us to derive the 
positive facts. In contrast, iso semantics corresponds to a principle of richness: 
we look for rich theories, that allow us, at least, to treat negation constructively. 

Another remarkable difference is shown by the following corollary of (ini') and (iso'):

Corollary 3. Let $T$ be sem-closed, and let $\exists x\, Q(x)$ be an existential sentence such that $T \vdash \exists x\, Q(x)$.

If sem is ini and $Q(x)$ is a positive quantifier-free formula, then $T \vdash Q(t)$, for at least one ground $t$.

If sem is iso and $Q(x)$ is any quantifier-free formula, then $T \vdash Q(t)$, for at least one ground $t$.

That is, an iso-closed theory $T$ is rich enough to prove the answers $\neg A(t)$ of negative existential queries $\exists x\, \neg A(x)$ that hold in the isoinitial model, whereas this is not guaranteed, in general, for ini-closed theories: the latter are guaranteed to answer only positive existential queries. Moreover, as is well known, with CWA the set of false ground atoms may not be recursively enumerable, whereas reachable isoinitial models are guaranteed to be computable [ref]. Negation and computability are not the only reasons that induced us to consider isoinitial semantics, however. As we will show in forthcoming sections, we will also use isoinitial semantics to deal with incomplete information, parametrisation and modularity.



4 Closed Logic Programs 

Now, we consider closed logic programs as closed theories. For lack of space 
we will focus on definite programs. Consequently we do not discuss normal 
programs, but we will show that even for definite programs, iso has another 
advantage of being able to reason about termination. 

For a signature $\Sigma = (F, R)$ with at least one constant symbol, interpretations over the term-domain $H_F$ will be called Herbrand $\Sigma$-structures (or $\Sigma$-interpretations). As usual, a Herbrand $\Sigma$-interpretation can be uniquely represented as a set of ground atoms. Thus we will consider Herbrand $\Sigma$-structures as term models or as sets of ground atoms, interchangeably.

Let $P$ be a logic program, with signature $\Sigma_P = (F_P, R_P)$. We will use $Cdef(p)$ to denote the completed definition of $p$ in $P$ (see, e.g., [ref]). We will also use $Cdef(P)$ to denote the set of $Cdef(p)$, for $p \in R_P$.

The completion of $P$, $Comp(P)$, is then the union $CET(F_P) \cup Cdef(P)$.
Example 3. Consider the usual program $P_{sum}$:

sum(x, 0, x) ←                              (P_sum)
sum(x, s(i), s(v)) ← sum(x, i, v)

for the sum of natural numbers ($s$ is successor), with signature $(\{0^0, s^1\}, \{sum^3\})$. In this case, $CET(0^0, s^1)$ contains the axioms^4

$\{\forall x . \neg 0 = s(x),\ \forall x, y . s(x) = s(y) \rightarrow x = y\} \cup \{\forall x . \neg s^n(x) = x \mid n > 0\}$.

The completed definition of $sum$, $Cdef(sum)$, is (after some obvious simplifications): $\forall x, y, z . sum(x, y, z) \leftrightarrow (y = 0 \wedge z = x) \vee (\exists i, v . y = s(i) \wedge z = s(v) \wedge sum(x, i, v))$.

The completion of $P_{sum}$ is $Comp(P_{sum}) = CET(0^0, s^1) \cup Cdef(sum)$.

The minimum Herbrand model $M(P)$ is defined in the usual way. We have the following theorem:

Theorem 3. For a (definite) logic program $P$, $M(P)$ is an initial model of $P$ and of $Comp(P)$, but it is not an isoinitial model of $P$.

Proof. The initiality of $M(P)$ is well-known [ref]. $M(P)$ cannot be an isoinitial model of $P$, because $P$ cannot be atomically complete (no negated formula is provable from it).

We might expect $M(P)$ to be an isoinitial model of $Comp(P)$, but this is not necessarily so, as shown by the following example:

Example 4. Consider the program $P_1$:

p(a) ← q(a)                                 (P_1)
q(a) ← p(a)

with signature $\Sigma_1 = (\{a^0\}, \{p^1, q^1\})$. $CET(a)$ is empty. $Cdef(p)$ is $\forall x . p(x) \leftrightarrow (x = a \wedge q(a))$, and $Cdef(q)$ is $\forall x . q(x) \leftrightarrow (x = a \wedge p(a))$.

For $Comp(P_1)$ to have a reachable isoinitial model, atomic completeness requires that $Comp(P_1) \vdash p(a)$ or $Comp(P_1) \vdash \neg p(a)$, and $Comp(P_1) \vdash q(a)$ or $Comp(P_1) \vdash \neg q(a)$. However these requirements are not met and, therefore, no reachable isoinitial model can exist for $Comp(P_1)$.

On the other hand, $M(P_1)$ (where $p(a)$ and $q(a)$ are false) is an initial model of $Comp(P_1)$. Therefore $P_1$ and $Comp(P_1)$ are ini-closed, but not iso-closed.

Now consider the program $P_2$:

p(a) ← q(a)                                 (P_2)

$Comp(P_2)$ is both ini- and iso-closed. Indeed, now $Cdef(q)$ is $\forall x . \neg q(x)$, and we can prove $\neg q(a)$ and $\neg p(a)$. $M(P_2)$ is the same as $M(P_1)$, but it is both initial and isoinitial for $Comp(P_2)$.

Finally, it is worth noting that while $P_1$ does not terminate with respect to the goals ← p(a) and ← q(a), $P_2$ finitely fails for both.

4.1 Termination 

Example 4 suggests that termination (see [ref] for a survey) and iso-closure are related. Indeed, we can prove the following result:

Definition 6. (Existential Ground-Termination). Let $P$ be a definite program. $P$ existentially ground-terminates if and only if its Herbrand universe is not empty and, for every ground goal ← A, either there is a refutation of ← A, or ← A finitely fails.



^4 Here $s^n$ denotes the iteration of $s$ for $n$ times.

Theorem 4. Let $P$ be a definite program with a non-empty Herbrand universe. $Comp(P)$ is iso-closed if and only if $P$ existentially ground-terminates.

Proof. If $Comp(P)$ is iso-closed, then it is atomically complete. By completeness of SLDNF-resolution for definite programs, $P$ existentially ground-terminates. If $P$ existentially ground-terminates, then $Comp(P)$ is atomically complete.

It follows that we can use termination analysis for stating isoinitiality. 

Example 5. Consider the program $P_{sum}$ in Example 3. We can prove that $P_{sum}$ existentially ground-terminates. Therefore, we can conclude that its minimum Herbrand model is an isoinitial model of $Comp(P_{sum})$.

Moreover, the converse also holds, i.e. we can study existential ground- 
termination by studying isoinitiality, as the following example shows. 



Example 6. Consider the following program $P_{path}$:

path(x, y) ← arc(x, y)
path(x, y) ← arc(x, z), path(z, y)          (P_path)
arc(1, 1) ←
arc(2, 2) ←

Its completion contains the axioms:

$\neg 1 = 2$

$\forall x, y . path(x, y) \leftrightarrow arc(x, y) \vee \exists z . arc(x, z) \wedge path(z, y)$

$\forall x, y . arc(x, y) \leftrightarrow (x = 1 \wedge y = 1) \vee (x = 2 \wedge y = 2)$.

Instead of considering termination, we apply directly a model-theoretic argument. We consider two term models $M_1$ and $M_2$. Both interpret $arc$ in the same way, according to the axioms. In $M_1$, the meaning of $path(x, y)$ is: "there is a finite path connecting $x$ to $y$". In $M_2$, the meaning of $path(x, y)$ is: "there is a finite path connecting $x$ to $y$, or there is an infinite path starting from $x$". As we can see, both satisfy the axiom for $path$. In the first one, $path(1, 2)$ is false, while in the second one it is true. Therefore, we cannot have an isoinitial model. This entails that $P_{path}$ does not existentially terminate for the goal ← path(1, 2).

This model-theoretic argument applies to any graph, that is, we can define $M_1$ and $M_2$ that satisfy the axiom for $path$ and interpret $path(a, b)$ in two different ways, if there is a cycle starting from $a$, but no finite path from $a$ to $b$. In contrast, if the graph is finite and acyclic, or if it is infinite but $arc$ is well-founded, then both these interpretations interpret $path(a, b)$ in the same way for every $a$ and $b$. On the other hand, for acyclic finite graphs, or infinite graphs with a well-founded $arc$, the recursive clause for $path$ existentially terminates.



5 Initial and Isoinitial Semantics for Open Theories 

In this section we consider sem-open theories, namely theories without sem-models, and we will compare initial and isoinitial semantics from the point of view of incomplete information, parametricity and compositionality. We will show that iso-closures provide a rich semantics for these.
5.1 Incomplete Information

Definition 7. (sem-Open $\Sigma$-Theories). A $\Sigma$-theory $T$ is sem-open if and only if it is consistent but has no sem-model.

We consider a sem-open $\Sigma$-theory as an incomplete axiomatisation of a sem-model, to be completed by adding new axioms and, possibly, new symbols to the signature $\Sigma$.

Here we will consider the simpler case where $\Sigma$ is fixed, i.e., no new symbol is added. In this case, it is interesting to consider the sem-closures of a sem-open theory $T$, i.e., the theories $T'$ that contain $T$^5 and are sem-closed. The minimal ini-closures give rise to a poorer semantics compared to iso-closures, as we show in the following example.

Example 7. The theory $T_{disj} = \{p(a) \vee p(b)\}$ with signature $(\{a^0, b^0\}, \{p^1\})$ is both ini- and iso-open. In general, positive occurrences of $\vee$ and $\exists$ in the axioms give rise to theories that are both ini- and iso-open.

$T_{disj}$ has two minimal ini-closures, namely $T_{disj} \cup \{p(a)\}$ and $T_{disj} \cup \{p(b)\}$, and four minimal iso-closures, namely $T_{disj} \cup \{a = b\}$, $T_{disj} \cup \{\neg a = b, p(a), \neg p(b)\}$, $T_{disj} \cup \{\neg a = b, \neg p(a), p(b)\}$, $T_{disj} \cup \{\neg a = b, p(a), p(b)\}$.

This example shows that initial semantics allows more compact closures. However (as we will see later in Section 6), isoinitial semantics is better at showing up missing or incomplete information. Dealing with incomplete information is an important issue for databases [ref].

5.2 Parametricity 

In this section, we introduce parametrised theories as a particular case of open 
theories. 

A parametrised $\Sigma$-theory $T(\Pi)$ is a theory with signature $\Sigma = (F, R)$ and a set $\Pi \subseteq F \cup R$ of parameters. We denote by $\Sigma_\Pi = (F \cap \Pi, R \cap \Pi)$ the subsignature of the parameters.

A $\Sigma_\Pi$-structure $\mathcal{P}$ can be seen as a kind of parameter passing. To do so, we have to consider interpretations over different signatures. A signature $\Sigma = (F, R)$ is a subsignature of $\Sigma' = (F', R')$, written $\Sigma \subseteq \Sigma'$, if and only if $F \subseteq F'$ and $R \subseteq R'$.

For $\Sigma \subseteq \Sigma'$, we have the well-known notions of reduct and expansion. The $\Sigma$-reduct of a $\Sigma'$-structure $\mathcal{N}$ is the $\Sigma$-structure $\mathcal{N}|\Sigma$ that has the same domain as $\mathcal{N}$ and interprets each symbol $s$ of $\Sigma$ in the same way as $\mathcal{N}$, i.e., $s^{\mathcal{N}|\Sigma} = s^{\mathcal{N}}$.

Conversely, if $\mathcal{M} = \mathcal{N}|\Sigma$, $\mathcal{N}$ is said to be a $\Sigma'$-expansion of $\mathcal{M}$.

A well-known property of reducts is that, for every $\Sigma$-formula $G$, $\mathcal{N} \models G$ iff $\mathcal{N}|\Sigma \models G$.

Now we can define the semantics of a parametrised theory $T(\Pi)$ by considering its $\mathcal{P}$-models:



^5 In the sense that $Theorems(T') \supseteq Theorems(T)$.
Definition 8. ($\mathcal{P}$-Models). Let $T(\Pi)$ be a $\Sigma$-theory, and $\mathcal{P}$ be a $\Sigma_\Pi$-interpretation. A $\mathcal{P}$-model of $T(\Pi)$ (if one exists) is a model $\mathcal{M}$ of $T$ such that $\mathcal{M}|\Sigma_\Pi = \mathcal{P}$.

That is, $\mathcal{P}$-models are models that agree with the parameter passing $\mathcal{P}$. We can define $\mathcal{P}$-initial models and $\mathcal{P}$-isoinitial models in a similar manner to initial and isoinitial models. The difference is that here we use $\mathcal{P}$-homomorphisms and $\mathcal{P}$-isomorphisms.

Definition 9. ($\mathcal{P}$-Homomorphism and $\mathcal{P}$-(Isomorphic Embedding)). Let $\Pi \subseteq \Sigma$ be two signatures, $\mathcal{P}$ be a $\Pi$-structure, and $\mathcal{N}$ and $\mathcal{M}$ be two $\Sigma$-expansions of $\mathcal{P}$. A $\mathcal{P}$-homomorphism $h : \mathcal{M} \rightarrow \mathcal{N}$ is a homomorphism such that $h(s^{\mathcal{M}}) = s^{\mathcal{N}} = s^{\mathcal{P}}$, for every symbol $s$ of $\Pi$. A $\mathcal{P}$-(isomorphic embedding) is a $\mathcal{P}$-homomorphism that preserves the complements of the relations.

Thus $\mathcal{P}$-homomorphisms and isomorphisms completely preserve the parameter passing $\mathcal{P}$, i.e., they work as identity over the parameters.

Now we can define parametric theories:

Definition 10. Let $\Sigma = (F, R)$ be a signature and $T(\Pi)$ be a parametric $\Sigma$-theory. $T(\Pi)$ is ini-parametric if and only if, for every $\Sigma_\Pi$-interpretation $\mathcal{P}$, the class $MOD_{\mathcal{P}}(T(\Pi))$ of the $\mathcal{P}$-models of $T(\Pi)$ contains a $\mathcal{P}$-initial model $\mathcal{I}_{\mathcal{P}}$. If $\mathcal{I}_{\mathcal{P}}$ is $\mathcal{P}$-isoinitial in $MOD_{\mathcal{P}}(T(\Pi))$, then $T$ is iso-parametric.

All the model-theoretic results that we have shown for initial and isoinitial models extend to $\mathcal{P}$-initial and $\mathcal{P}$-isoinitial models, considering the class of $\mathcal{P}$-models of a theory. Here reachability is not required, since the domain of the $\mathcal{P}$-models is completely left to $\mathcal{P}$.

With respect to provability, an open theory in general does not prove any ground atomic formula, since relation symbols are left open. We have to complete the theory, by adding a set $Ax$ of new axioms, that characterises a parameter passing $\mathcal{P}$. Here we have the following sufficient completeness problem: how much of $\mathcal{P}$ has to be codified by $Ax$, in order to obtain a sem-complete theory $T(\Pi) \cup Ax$? It turns out that the use of constructive systems allows us to develop a proof theory for stating iso-parametricity (see [ref]).

Another possibility is to characterise the minimal iso-closures, as we will see in Section 6.



5.3 Compositionality 

Parametrised theories can be used for composing small well-defined theories into new larger theories [ref]. Similarly, parametrised programs can be used (and composed) as modules [ref]. In this section, we study only the consequences of initial and isoinitial semantics for composition.

In general, a parametrised theory $O_1$ leaves open the intended meaning of its parameters and, possibly, the intended domain. $O_1$ can be used to produce a larger, composite theory, by composing it successively with other (closed or parametrised) theories $O_2, O_3, \ldots$ We can make sure that the final composite theory $O_1 O_2 O_3 \ldots$ is closed if we choose suitable closed sub-theories for the composition.

If composition is associative, i.e. $(O_1 O_2) O_3 = O_1 (O_2 O_3)$, then each sequence $O_1 O_2 \cdots O_n$ is equivalent to a two-step sequence $O_1 T$, with $T = O_2 \cdots O_n$. For example, composition of logic programs is associative. Moreover, in many interesting cases, if $O_1 T$ is closed, then so is $T$. This is the case, for example, for program composition without mutual recursion. In the sequel we shall consider cases where $T$ is assumed to be sem-closed.

So we start from a sem-closed theory $T$, with sem-model $\mathcal{I}$, and consider adding new constant, function or relation symbols to $T$. In general, the new symbols are open symbols, since, in the new language, $T$ is no longer sem-closed. In our previous discussion, these symbols can be closed by the axioms of some $O_i$, but the question is: what is preserved of the sem-model $\mathcal{I}$ of $T$, by the sem-model $\mathcal{I}'$ of $O_i T$?

The following theorem provides a first answer:

Theorem 5. Let $\Sigma = (F, R)$ be a signature, and $T$ be a sem-closed $\Sigma$-theory, with sem-model $\mathcal{I} = (D, F^{\mathcal{I}}, R^{\mathcal{I}})$. Let $\Sigma' = (F', R')$ be a larger signature, and $T'$ be a sem-closed theory containing $T$, with sem-model $\mathcal{I}'$. Then there is a unique sem-morphism $h : \mathcal{I} \rightarrow \mathcal{I}'|\Sigma$.

The proof follows easily from the fact that $T \subseteq T'$ and, hence, $\mathcal{I}'|\Sigma \models T$.

The consequences of this theorem are the following:

Corollary 4. Let $T$, $T'$, $\mathcal{I}$, $\mathcal{I}'$ be as in Theorem 5. If sem is ini, then for every positive existential $\Sigma$-sentence $\exists(W)$, $\mathcal{I} \models \exists(W)$ entails $\mathcal{I}' \models \exists(W)$. If sem is iso, then for every existential $\Sigma$-sentence $\exists(Q)$, $\mathcal{I} \models \exists(Q)$ entails $\mathcal{I}' \models \exists(Q)$. Moreover, for a quantifier-free $\Sigma$-sentence $Q$, $\mathcal{I} \models Q$ iff $\mathcal{I}' \models Q$.

The proof follows from Theorem 5, $\mathcal{I}'|\Sigma$ being a model of $T$.

This means that iso-closed theories preserve truth and falsity of quantifier-free formulas. This corresponds to the fact that $\mathcal{I}$ is isomorphically embedded into $\mathcal{I}'|\Sigma$. In initial semantics, $\mathcal{I}$ is only guaranteed to be homomorphic.

When the domain is preserved, iso-closure has a strong consequence:

Corollary 5. Let $T$, $T'$, $\mathcal{I}$, $\mathcal{I}'$, $h$ be as in Theorem 5. If sem is iso and $h$ is surjective, then, for every $\Sigma$-sentence $S$, $\mathcal{I} \models S$ iff $\mathcal{I}' \models S$.

The proof follows from the fact that a surjective isomorphic embedding is an isomorphism.

Corollary 5 does not hold for initial semantics, because surjective homomorphisms are not necessarily isomorphisms.

Corollary 4 applies when we add new constant or function symbols, while Corollary 5 applies when we add only new predicates. This suggests that it is useful to start from a large signature, that contains all the possible function and constant symbols. Another, more reasonable alternative is to introduce many-sorted theories. In general, we can show that Corollary 5 can be extended to the many-sorted case, and it holds whenever the domains interpreting the old sorts are preserved, even if the larger signature contains new sorts, interpreted as new domains.

6 Open Logic Programs 

Now, we consider open logic programs as sem-open theories. In general, the 
domain and/or some predicates are open. Predicates may be open because they 
are incompletely axiomatised, or because they are used as parameters. 

6.1 Incomplete Information 

In a program with incomplete information, open predicates are incompletely 
axiomatised. 

Example 8. Consider the following informal specification: 

Every bird flies, if it is normal; tweety and pingu are birds. 

We do not know the entire domain of birds, and we do not say whether or not tweety and pingu are normal, that is, we have incomplete information. We could codify this situation by the open program $P_{bird}$:

flies(x) ← bird(x), normal(x)
bird(tweety) ←                              (P_bird)
bird(pingu) ←

We leave $normal$ as an open symbol, without any clause for it, because we do not have any information on it. $bird$ is only partially axiomatised, i.e., its clauses are intended to fix it only in the known universe. Nevertheless, in contrast, the first clause is intended to completely define $flies$, since this happens in our informal problem.

$P_{bird}$ is ini-closed. On the other hand, $P_{bird}$ is iso-open, but there are minimal iso-closures that are at variance with our intention that $flies$ is completely defined by the program. That is, initial semantics does not directly expose the presence of open symbols, while isoinitial semantics shows both that there is incomplete information and that the axiomatisation is too weak (in iso) to axiomatise our informal open problem. On the other hand, pure Horn clauses are not sufficiently expressive with respect to iso.

To get a more expressive language, we introduce the open completion, denoted 
by Ocomp(P). Based on the idea that non-open predicates are completely defined 
by P, Ocomp(P) contains the completed definition Cdef(p) for every non-open 
predicate p, the clauses for open predicates q in P, and CET(Fp) for the function 
and constant symbols of P. 

Let $P$ be a program with at least one open predicate, and with a non-empty Herbrand Universe. We can easily prove that $Ocomp(P)$ is ini-closed, but it is not iso-closed. That is, even using the open completion, initial semantics does not expose the fact that some information is missing, while isoinitial semantics does.
We consider the isoinitial models of the minimal iso-closures of $Ocomp(P)$ in a (possibly partial) domain as the intended models of the open program $P$ in that domain. In this sense, $Ocomp(P)$ represents the interpretation of an open program $P$ in the isoinitial semantics.

Example 9. In the informal problem, $bird$ and $normal$ are open. Thus, the open completion $Ocomp(P_{bird})$ of $P_{bird}$ is: $\{\neg tweety = pingu,\ \forall x . flies(x) \leftrightarrow bird(x) \wedge normal(x),\ bird(tweety),\ bird(pingu)\}$. $Ocomp(P_{bird})$ is ini-closed, and in its initial model tweety and pingu do not fly. In contrast, $Ocomp(P_{bird})$ is iso-open. There are four minimal iso-closures, that is, four different ways of completing the information within the known domain $\{tweety, pingu\}$. One is: $Ocomp(P_{bird}) \cup \{normal(tweety), \neg normal(pingu)\}$.

In its isoinitial model $\mathcal{I}_{bird}$, tweety flies, but pingu does not. By isoinitiality, if we add further individuals and further closed information on them, we get larger models, that contain (an isomorphic copy of) $\mathcal{I}_{bird}$ as a substructure.

6.2 Parametricity 

In a parametric program $P$, open predicates occur in the body of clauses and act as parameters. $P$ can be 'closed' by composition with different (closed, non-parametric) $Q$'s, that compute the open predicates in different ways.

We assume that $P$ completely specifies all its defined predicates, and parameters are exactly the predicates that are not defined by $P$. Moreover, the domain may be open (i.e. we also consider the constant and function symbols (if any) as parameters), to be completed into a larger signature.

Let $P$ be a parametric program with signature $\Sigma_P = (F_P, R_P \cup O)$, where $F_P$ are the constant and function symbols (if any) of $P$, and $R_P$ are its defined predicates. We will use $\Pi_P = (F_P, O)$ to denote the parameter signature of $P$.

Theorem 6. A program $P$ with parameter signature $\Pi_P$ is ini-parametric.

That is, for every $\Pi_P$-interpretation $\mathcal{P}$, there is a $\mathcal{P}$-initial model of $P$. It is easy to show that such a $\mathcal{P}$-initial model is the minimum $\mathcal{P}$-model^6 of $P$. This result holds for every interpretation $\mathcal{P}$, i.e., we do not necessarily require that $\mathcal{P}$ is reachable in the signature of program $P$.

Example 10. Consider the open program $P_{times}$:

times(x, 0, z) ← u(z)                       (P_times)
times(x, s(y), z) ← times(x, y, w), q(x, w, z)

The parameters are $\Pi_{times} = (\{0^0, s^1\}, \{u^1, q^3\})$. If $\mathcal{P}_{sum}$ interprets $u(z)$ as $z = 0$ and $q(a, b, c)$ as $c = a + b$, then the $\mathcal{P}_{sum}$-initial model interprets $times(x, y, z)$ as $z = x * y$. If $\mathcal{P}_{prod}$ interprets $u(z)$ as $z = s(0)$ and $q(a, b, c)$ as $c = a * b$, then the $\mathcal{P}_{prod}$-initial model interprets $times(x, y, z)$ as $z = x^y$.
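As an added example (not the paper's own code), the $\mathcal{P}$-initial model of $P_{times}$ can be computed concretely for the two parameter passings $\mathcal{P}_{sum}$ and $\mathcal{P}_{prod}$ of Example 10: by Theorem 6 it is the minimum $\mathcal{P}$-model, so a least-fixpoint iteration suffices once $u$ and $q$ are supplied as Python predicates. Naturals are Python ints ($s(y)$ is $y + 1$) and the domain is cut at a `bound`, a bookkeeping device assumed by this example only.

```python
def p_initial_times(u, q, bound):
    """Minimum P-model of the open program
         times(x, 0, z)    <- u(z)
         times(x, s(y), z) <- times(x, y, w), q(x, w, z)
    where the Pi_times-interpretation P supplies u and q as Python predicates.
    Returns the set of true ground atoms times(x, y, z) with x, y, z < bound."""
    dom = range(bound)
    model = set()
    while True:
        new = set(model)
        # first clause: times(x, 0, z) holds whenever the parameter u(z) does
        for x in dom:
            for z in dom:
                if u(z):
                    new.add((x, 0, z))
        # second clause: from times(x, y, w) and q(x, w, z) infer times(x, s(y), z)
        for (x, y, w) in model:
            if y + 1 < bound:
                for z in dom:
                    if q(x, w, z):
                        new.add((x, y + 1, z))
        if new == model:
            return model          # least fixpoint reached
        model = new


def defines_function(model, f, bound):
    """True iff the model interprets times(x, y, z) exactly as z = f(x, y)
    on the bounded domain (atoms whose value exceeds the bound are absent)."""
    expected = {(x, y, f(x, y)) for x in range(bound) for y in range(bound)
                if f(x, y) < bound}
    return model == expected


# P_sum:  u(z) iff z = 0,    q(a, b, c) iff c = a + b  -> times is multiplication
P_SUM = (lambda z: z == 0, lambda a, b, c: c == a + b)
# P_prod: u(z) iff z = s(0), q(a, b, c) iff c = a * b  -> times is exponentiation
P_PROD = (lambda z: z == 1, lambda a, b, c: c == a * b)

if __name__ == "__main__":
    print("P_sum gives z = x * y:",
          defines_function(p_initial_times(*P_SUM, 10), lambda x, y: x * y, 10))
    print("P_prod gives z = x ** y:",
          defines_function(p_initial_times(*P_PROD, 10), lambda x, y: x ** y, 10))
```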

To introduce isoinitial semantics for parametric programs, we have to con- 
sider their open completion Ocomp(P), as defined in the previous section. Here 
the open symbols are the parameters. 



^6 It always exists, as shown in [ref].
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Example 11. The open completion Ocomp{Ptimes) contains Cdef (times), i.e. 
Vx, V, z . times(x, ti, z) <-> (?; = 0 A u(z))V 

(3y, w . V = s(y) A times(x, y, w) A q(x, w, z)) 

and CET(0,s). 

While P and Ocomp(P) are ini-parametric for every program P, this is no 
longer true for isoinitial semantics. As for closed programs, iso-parametricity of 
Ocomp(P) depends on the termination properties of P. More precisely, we need 
to consider ground existential termination in a Π_P-interpretation J (formally 
defined in [ ]). Informally, ground existential termination in J is defined in terms 
of the SLD-derivations and trees computed by an idealised J-interpreter, that 
can solve the goals involving the parameters according to their interpretation in 
J. 

Theorem 7. Let P be a program with parameter signature Π_P and open com- 
pletion Ocomp(P). Ocomp(P) is iso-parametric in a class of Π_P-interpretations 
if and only if P ground existentially terminates in every interpretation of the 
class. 



That is, P ground existentially terminates in a Π_P-interpretation J if and 
only if there is a J-isoinitial model of Ocomp(P). The proof requires the results 
of [ ] and the properties of J-isoinitial models. We omit it for conciseness. 



Example 12.  Consider the open program P_times. Ocomp(P_times) is iso-parame- 
tric in the class of interpretations over the Herbrand structure corresponding to 
CET(0, s). Indeed, in this class ground existential termination can be proved by 
the fact that times(x, s(y), z) activates a recursive call with y < s(y). 

For an example where iso-parametricity fails, consider the following simple 
program P_p: 

p(a) ← q(a)        p(b) ← p(b)                                   (P_p) 

Its parameters are Π_p = ({a⁰, b⁰}, {q¹}). Its open completion Ocomp(P_p) 
contains the axioms: ¬(a = b), ∀x . p(x) ↔ (x = a ∧ q(a)) ∨ (x = b ∧ p(b)). 

A possible Π_p-interpretation is the term interpretation J with domain {a, b} 
and q true in a and false in b. Every J-model has to interpret p(a) as true, but 
p(b) can be interpreted as true by some J-models and as false by others. Thus, 
a J-isoinitial model cannot exist. This is a consequence of the presence of the 
cyclic clause p(b) ← p(b). 
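Examples 10 and 12 computed concretely, as an added Python example that is not part of the paper: the parameter interpretations J_sum, J_prod and the J of Example 12 are Python predicates, each clause is a function returning the ground heads it derives, and the initial model is the least fixpoint of the immediate-consequence operator T_P. It assumes that, for the finite term interpretation of Example 12, the models of Ocomp(P_p) are exactly the supported models (the fixpoints of T_P), which is how it exhibits the two disagreeing values of p(b); the naturals are bounded to 0..n-1 so that the fixpoint for P_times is finite, and the function names are this example's own.

```python
from itertools import combinations

# Added example (not from the paper): initial models of parametric programs as
# fixpoints of the immediate-consequence operator T_P over a finite domain.
# A clause is a function mapping an interpretation (a set of ground atoms) to the
# set of ground heads it derives from it.

def tp(clauses, interp):
    """T_P(I): every ground head whose body is true in I."""
    return frozenset().union(*(clause(interp) for clause in clauses))

def least_model(clauses):
    """Least fixpoint of T_P, i.e. the initial model for the fixed parameters."""
    model = frozenset()
    while True:
        nxt = tp(clauses, model)
        if nxt == model:
            return model
        model = nxt

def supported_models(clauses, atoms):
    """All fixpoints of T_P over the given atoms: the supported models, assumed here
    to be the models of the open completion in the chosen parameter interpretation."""
    found = []
    for k in range(len(atoms) + 1):
        for chosen in combinations(atoms, k):
            interp = frozenset(chosen)
            if tp(clauses, interp) == interp:
                found.append(interp)
    return found

def times_program(u, q, n):
    """P_times over the naturals 0..n-1 (0 is 0, s is successor), parameters u and q."""
    dom = range(n)
    def base(interp):   # times(x, 0, z) <- u(z)
        return {("times", x, 0, z) for x in dom for z in dom if u(z)}
    def step(interp):   # times(x, s(y), z) <- times(x, y, w), q(x, w, z)
        return {("times", x, y + 1, z) for (_, x, y, w) in interp
                if y + 1 < n for z in dom if q(x, w, z)}
    return [base, step]

def pp_program(q):
    """P_p: p(a) <- q(a) and the cyclic clause p(b) <- p(b), parameter q."""
    return [lambda interp: {("p", "a")} if q("a") else set(),
            lambda interp: {("p", "b")} if ("p", "b") in interp else set()]

# J_sum: u(z) iff z = 0 and q(a, b, c) iff c = a + b, so times becomes multiplication
def times_under_sum(n=16):
    return least_model(times_program(lambda z: z == 0, lambda a, b, c: c == a + b, n))

# J_prod: u(z) iff z = s(0) and q(a, b, c) iff c = a * b, so times becomes exponentiation
def times_under_prod(n=16):
    return least_model(times_program(lambda z: z == 1, lambda a, b, c: c == a * b, n))

# The J of Example 12: domain {a, b}, q true in a and false in b
def pp_models():
    return supported_models(pp_program(lambda x: x == "a"), [("p", "a"), ("p", "b")])

if __name__ == "__main__":
    print(("times", 2, 3, 6) in times_under_sum(), ("times", 2, 3, 8) in times_under_prod())
    print(pp_models())   # p(a) holds in both models, p(b) in only one: no isoinitial model
```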



6.3 Compositionality 

Let P be a sem-parametric program with parameter signature Π_P, and let J 
be a Π_P-interpretation. Let Q be a sem-closed program that computes the 
parameters of P correctly with respect to J, and let us consider the composite 
program P ∪ Q. As remarked in Section 5, there is a sufficient completeness 
problem here. For P ∪ Q, this problem can be stated as follows: which kind 
of goals have to be solved by Q, in order that it can replace the idealised J- 
interpreter considered in the previous section? 

For initial semantics the answer is easy, and is given by Theorem 8, while 
isoinitial semantics can expose termination problems in program composition 
and requires a more complex analysis (see Theorem 9). 
Theorem 8. Let P be a program with signature Σ_P = (F_P, R_P ∪ O) and pa- 
rameters Π_P = (F_P, O). Let Δ = (F, O) be a signature such that F_P ⊆ F, and 
J be a reachable Δ-interpretation. Let H_J be the set of ground atoms true in 
J. Then P ∪ H_J is an ini-closed expansion of P with a reachable initial model 
I. Moreover, I is isomorphic to the (J|Π_P)-initial model of P. 

Proof. Since P is ini-parametric, it has a J|Π_P-initial model, that we will 
indicate by J_P. Since every model of P ∪ H_J is a model of P, there is a unique 
homomorphism h : J_P → I. By the initiality of I, there is a unique homomor- 
phism h' : I → J_P. Since F_P ⊆ F, I and J_P are F-reachable. This allows us to 
show that h' is the inverse map of h, i.e., h is an isomorphism. 

Let P, Π_P, Δ, J, H_J and J_P be as in Theorem 8. As an easy corollary, we can 
prove that, for a program Q with signature Δ, if the success set of Q coincides 
with H_J, then M(P ∪ Q) is isomorphic to J_P. 

Informally, this means that, to get a program Q such that P U Q correctly 
computes the (J|Π_P)-initial model J_P of P, it suffices that the success set of 
Q coincides with the set of ground atoms true in J . This result easily extends 
to the case where the signature A of Q contains the open predicates O of P and 
other auxiliary predicates not in the signature of P. 

For isoinitial semantics of open programs, we have to consider the open com- 
pletion Ocomp(P). In this case, the answer to the sufficient completeness problem 
is more complex and involves termination, as we now explain. 

Let us consider P, Π_P, Δ, J, H_J and J_P as in Theorem 8. As explained in 
the previous section, there is a J|Π_P-isoinitial model of Ocomp(P) if and only 
if P ground existentially terminates in J. We can show that this model is also 
J|Π_P-initial, i.e., it is J_P. 

Now, let Q be an iso-closed program with success set H_J. By Theorem 8, 
M(P ∪ Q) is isomorphic to J_P. However, M(P ∪ Q) is an isoinitial model of 
Comp(P ∪ Q) if and only if P ∪ Q ground existentially terminates. The ground 
existential termination of P ∪ Q is not guaranteed by the iso-closure of Q. This is 
due to the fact that, in general, Q must terminate also for suitable non-ground 
goals, to get existential termination of P ∪ Q. We can link this termination 
problem to the sufficient completeness problem by Theorem 9 below. 

A goal axiom is a closed formula of the form ∃x̄ . G or ¬∃x̄ . G, where G 
is a conjunction of atoms and ∃x̄ is a possibly empty sequence of existential 
quantifiers. If it is empty, we will simply write G. A goal theory is a (possibly 
infinite) set of goal axioms. 

We say that a closed program Q computes a goal theory T if and only if, for 
every ∃x̄ G ∈ T, the goal ← G is successful in Q, and for every ¬∃x̄ G ∈ T, G 
is finitely failed in Q. We have the following theorem. 

Theorem 9. Let P be a program with parameter signature Π_P = (F_P, O), 
such that Ocomp(P) is iso-parametric. Let J be a reachable Δ-interpretation, 
where Δ = (F, O), with F_P ⊆ F, and let J_P be the J|Π_P-isoinitial model of 
Ocomp(P). Let Q be a closed program with signature Δ. If there is a goal the- 
ory T such that J ⊨ T, Q computes T and Ocomp(P) ∪ T is iso-closed, then 
Comp(P ∪ Q) is iso-closed and J_P is an isoinitial model of it. 



Isoinitial Semantics for Logic Programs 237 



Proof. Since Ocomp(P) ∪ T is iso-closed and J_P is reachable, then one can show 
that J_P is an isoinitial model of Ocomp(P) ∪ T. Comp(Q) ⊢ H for every H ∈ T, 
because Q computes T, and Ocomp(P) ∪ Comp(Q) = Comp(P ∪ Q), because Q 
is a closed Δ-program. Therefore, the models of Comp(P ∪ Q) are a subset of 
those of Ocomp(P) ∪ T and J_P is an isoinitial model of Comp(P ∪ Q). 

This theorem shows that there is a link between termination properties of 
program composition and the minimal iso-closures of Ocomp(P). This justifies 
our choice of iso-closures as an interesting semantics for open programs. 

Example 13. Consider the open program P_times and the axiom Cdef(times) of 
Ocomp(P_times) of Example 11. We can prove, for example: 

times(s0, s0, s0) ↔ ∃w₁ . times(s0, 0, w₁) ∧ q(s0, w₁, s0) 
                  ↔ ∃w₁ . u(w₁) ∧ q(s0, w₁, s0) 

Thus, if a goal theory T proves ∃w₁ . u(w₁) ∧ q(s0, w₁, s0), then Ocomp(P_times) ∪ 
T ⊢ times(s0, s0, s0). If T ⊢ ¬∃w₁ . u(w₁) ∧ q(s0, w₁, s0), then Ocomp(P_times) ∪ 
T ⊢ ¬times(s0, s0, s0). 

In general, T has to decide existential formulas of the form ∃w₁, ..., w_n . 
u(w₁) ∧ q(a, w₁, w₂) ∧ ... ∧ q(a, w_n, c), in order that Ocomp(P_times) ∪ T be iso- 
closed. 

This means that, for a closed program Q with predicates u and q, P ∪ Q 
existentially ground terminates if and only if Q computes a goal theory T of the 
above kind. 

7 Conclusion 

The traditional view of a definite logic program (e.g., [ ]) treats it as an initial 
theory. This in our opinion is too restrictive because it basically takes the Closed 
World view and does not provide a uniform semantics for negation and open 
programs, parametricity or compositionality. This view is therefore very much 
one of programming-in-the-small. 

Our motivation is to search for a suitable uniform semantics for both 
programming-in-the-large and programming-in-the-small. We believe that isoinitial 
semantics fits the bill, for logic programs. It handles not only negation but also 
parametricity and compositionality in a uniform manner with respect to both 
closed and open programs. Moreover, constructive formal systems can help to 
formally prove isoinitiality and treat composition of iso-parametric theories [ ]. 
Future work here will include a comparison with other semantics for modularity 
(e.g. [ ]) and compositionality (e.g. [ ]). Clearly such a uniform semantics 
is important if logic programming is to be used for large-scale software develop- 
ment. We have already used isoinitial semantics in our work in formal program 
development (e.g. [9]). 

Finally, a brief comment on definite and normal programs. Under initial 
semantics, for every definite program D, both D and Comp(D) are ini-closed, 
whereas for some normal programs N, both N and Comp(N) are ini-open. Under 
isoinitial semantics, this asymmetry disappears if we consider Comp(D) and 
Comp(N) only: both definite and normal programs may be iso-open (and non- 
termination is one of the causes of iso-openness). For normal programs, other 
kinds of semantics have been proposed (for a survey see e.g. [ ]). A comparison 
with these semantics is also one of our next steps. For example, we can link 
iso-closures and stable models by using open completion in a suitable way. 
Abstract. A large variety of computing systems, such as compilers, in- 
terpreters, static analyzers, and theorem provers, need to manipulate 
syntactic objects like programs, types, formulas, and proofs. A com- 
mon characteristic of these syntactic objects is that they contain variable 
binders, such as quantifiers, formal parameters, and blocks. It is a com- 
mon observation that representing such binders using only first-order 
expressions is problematic since the notions of bound variable names, 
free and bound occurrences, equality up to alpha-conversion, substitu- 
tion, etc., are not addressed naturally by the structure of first-order 
terms (labeled trees). This overview describes a higher-level and more 
declarative approach to representing syntax within such computational 
systems. In particular, we shall focus on a representation of syntax called 
higher-order abstract syntax and on a more primitive version of that rep- 
resentation called λ-tree syntax. 



1 How Abstract Is Your Syntax? 

Consider writing programs in which the data objects to be computed are syntac- 
tic structures, such as programs, formulas, types, and proofs, all of which gener- 
ally involve notions of abstractions, scope, bound and free variables, substitution 
instances, and equality up to renaming of bound variables. Although the data 
types available in most computer programming languages are rich enough to rep- 
resent all these kinds of structures, such data types do not have direct support 
for these common characteristics. Instead, “packages” need to be implemented 
to support such data structures. For example, although it is trivial to represent 
first-order formulas in Lisp, it is a more complex matter to write Lisp code to 
test for the equality of formulas up to renaming of variables, to determine if a 
certain variable’s occurrence is free or bound, and to correctly substitute a term 
into a formula (being careful not to capture bound variables). This situation is 
the same when structures like programs or (natural deduction) proofs are to be 
manipulated and if other programming languages, such as Pascal, Prolog, and 
ML, replace Lisp. 

Generally, syntax is classified into concrete and abstract syntax. The first is 
the textual form of syntax that is readable and typable by a human. This repre- 
sentation of syntax is implemented using strings (arrays or lists of characters). 
The advantages of this kind of syntax representation are that it can be easily 
read by humans and involves a simple computational model based on strings. 
The disadvantages of this style of representation are, however, numerous and 
serious. Concrete syntax contains too much information not important for many 
manipulations, such as white space, infix/prefix notation, and keywords; and im- 
portant computational information is not represented explicitly, such as recursive 
structure, function-argument relationship, and the term-subterm relationship. 

The costs of computing on concrete syntax can be overcome by parsing con- 
crete syntax into parse trees (often also called abstract syntax). This representa- 
tion of syntax is implemented using first-order terms, labeled trees, or linked lists, 
and it is processed using constructors and destructors (such as car/cdr/cons in 
Lisp) or using first-order unification (Prolog) or matching (ML) . The advantages 
to this representation are clear: the recursive structure of syntax is immediate, 
recursion over syntax is easily accommodated by recursion in most programming 
languages, and the term-subterm relationship is identified with the tree-subtree 
relationship. Also, there are various semantics approaches, such as algebra, that 
provide mathematical models for many operations on syntax. One should realize, 
however, that there are costs associated with using this more abstract represen- 
tation. For example, when moving to greater abstraction, some information is 
lost: for example, spacing and indenting of the concrete syntax is (generally) 
discarded in the parse tree syntax. Also, implementation support is needed to 
provide recursion and linked lists. These costs associated with using parse tree 
syntax are generally accepted since one generally does not mind the loss of pag- 
ination in the original syntax and since a few decades of programming language 
research has yielded workable and effective runtime environments that support 
the required dynamic memory demands required to process parse trees. 

When representing syntax containing bound variables, there are, however, 
significant costs involved in not using a representation that is even more ab- 
stract than parse trees since otherwise the constellation of concepts surround- 
ing bindings needs to be implemented by the programmer. There are generally 
two approaches to providing such implementations. The first approach treats 
bound variables as global objects and programs are then written to determine 
which of these global objects are to be considered free (global) and which are 
to be considered scoped. This approach is quite natural and seems the simplest 
to deploy. It requires no special meta-level support (all support must be pro- 
vided explicitly by the programmer) and is the approach commonly used in text 
books on logic. A second approach uses the nameless dummies of de Bruijn [ ]. 
Here, first-order terms containing natural numbers are used to describe alpha- 
equivalence classes of λ-terms: syntax is abstracted by removing bound variable 
names entirely. There has been a lot of success in using nameless dummies in 
low-level compilation of automated deduction systems and type systems. 
Consider, for instance, the work on explicit substitutions of Nadathur [ ] and 
Abadi, Cardelli, Curien, and Lévy [ ]. Nadathur, for example, has recently built 
a compiler and abstract machine that exploits this representation of syntax [ ]. 
While successful at implementing bound variables in syntax, nameless dummies, 
however, do not provide a high-level and declarative treatment of binding. 

We will trace the development of the ideas behind a third, more abstract 
form of syntactic representation, called λ-tree syntax [ ] and the closely related 
notion of higher-order abstract syntax [ ]. 

Logic embraces and explains elegantly the nature of bound variables and 
substitution. These are part of the very fabric of logic. So it is not surprising 
that our story starts and mostly stays within the area of logic. 

2 Church’s Use of λ-Terms within Logic 

In [ ] Church presented a higher-order logic, called the Simple Theory of Types 
(STT), as a foundation for mathematics. In STT, the syntax of formulas and 
terms is built on simply typed λ-terms. The axioms for STT include those gov- 
erning the logical connectives and quantifiers as well as the more mathemati- 
cal axioms for infinity, choice, and extensionality. The λ-terms of STT are also 
equated using the following equations of α, β, and η-conversion. 

(α) λx.M = λy.M[y/x], provided y is not free in M 

(β) (λx.M) N = M[N/x] 

(η) λx.(M x) = M, provided x is not free in M 

Here, the expression M[t/x] denotes the substitution of t for the variable x in M 
in which bound variables are systematically changed to avoid variable capture. 

Church made use of the single binding operation of λ-abstraction to encode 
all of the other binding operators present in STT: universal and existential quan- 
tification as well as the definite description and choice operators. This reuse of 
the λ-binder in these other situations allows the notions of bound and free vari- 
able occurrences and of substitution to be solved once with respect to λ-binding 
and then be used to solve the associated problems with these other binding op- 
erations. In recent years, this same economy has been employed in a number of 
logical and computational systems. 

Church used the λ-binder to introduce a new syntactic type, that of an 
abstraction of one syntactic type over another. For example, Church encoded 
the universal quantifier using a constant Π that instead of taking two arguments, 
say, the name of a bound variable and the body of the quantifier, took one 
argument, namely, the abstraction of the variable over the body. That is, instead 
of representing universal quantification as, say, Π(x, B) where Π has the type 
τ * o → o (here, o is the type of formulas and τ is a type variable), it is represented 
as Π(λx.B), where Π has the type (τ → o) → o. (This latter expression can 
be abbreviated using more familiar syntax as ∀x.B.) The λ-binder is used to 
construct the arrow (→) type. Similarly, the existential quantifier used a constant 
Σ of type (τ → o) → o and the choice operator ι had type (τ → o) → τ: both 
take an abstraction as their argument. 

Since Church was seeking to use this logic as a foundation for mathematics, 
λ-terms were intended to encode rich collections of mathematical functions that 
could be defined recursively and which were extensional. By adding higher-order 
quantification and axioms for infinity, extensionality, and choice, the equality 
of λ-terms was governed by much more than simply the equations for α, β, and 
η-conversion. Hence, λ-abstractions could no longer be taken for expressions 
denoting abstractions of one syntactic type over another. For example, the 
formula Π(λx.(p x) ∧ q) would be equivalent and equal to the formula Π(λx.q ∧ 
(p x)): there is no way in STT to separate these two formulas. Thus, the domain 
o became associated to the denotation or extension of formulas and not with 
their intension. 

3 Equality Modulo αβη-Conversion 

One way to maintain λ-abstraction as the builder of a syntactic type is to weaken 
the theory of STT significantly, so that λ-terms no longer represent general func- 
tional expressions. The resulting system may no longer be a general foundation 
for mathematics but it may be useful for specifying computational processes. 
The most common approach to doing this weakening is to drop the axioms of 
infinity, extensionality, and choice. In the remaining theory, λ-terms are gov- 
erned only by the rules of α, β, and η-conversion. The simply typed λ-calculus 
with an equality theory of α, β, η is no longer a general framework for functional 
computation although it is still rather rich [ ]. 

The presence of β-conversion in the equality theory means that object-level 
substitution can be specified simply by using the meta-level equality theory. For 
example, consider the problem of instantiating the universal quantifier ∀x.B with 
the term t to get B[t/x]. Using Church’s representation for universal quantifi- 
cation, this operation can be represented simply as taking the expression (Π R) 
and the term t and returning the term (R t). Here, R denotes the abstraction 
λx.B, so (R t) is a meta-level β-redex that is equal to B[t/x]. Thus, β-reduction 
can encode object-level substitution elegantly and simply. For example, consider 
the following signature for encoding terms and formulas in a small object-logic: 

∀, ∃ : (term → formula) → formula        a, b : term 
⊃ : formula → formula → formula          f : term → term → term 
r, s : term → formula                    t : formula. 

The λ-term ∀λx.∃λy. r (f x y) ⊃ s (f y x) is of type formula and is built by 
applying the constant ∀ to a λ-term of type term → formula, the syntactic 
type of a term abstracted over a formula. This universally quantified object-level 
formula can be instantiated with the term (f a b) by first matching it with the 
expression (∀ R) and then considering the term (R (f a b)). Since R will be 
bound to a λ-expression, this latter term will be a meta-level β-redex. If β is 
part of our equality theory, then this term is equal to 

∃λy. r (f (f a b) y) ⊃ s (f y (f a b)), 

which is the result of instantiating the universal quantifier. 
Huet and Lang [ ] were probably the first people to use a simply typed λ- 
calculus modulo α, β, η to express program analysis and program transformation 
steps. They used second-order variables to range over program abstractions and 
used second-order matching to bind such variables to such abstractions. The 
reliance on /3-conversion also meant that the matching procedure was accounting 
for object-level substitution as well as abstractions. Second-order matching is 
NP-complete, in part, because reversing object-level substitution is complicated. 
There was no use of logic in this particular work, so its relationship to Church’s 
system was rather minor. 

In the mid-to-late 80’s, two computational systems, Isabelle [ ] and λProlog 
[ ], were developed that both exploited the intuitionistic theory of implications, 
conjunctions, and universal quantification at all non-predicate types. In Isabelle, 
this logic was implemented in ML and search for proofs was governed by an ML 
implementation of tactics and tacticals. This system was intended to provide sup- 
port for interactive and automatic theorem proving. λProlog implemented this 
logic (actually an extension of it called higher-order hereditary Harrop formulas 
[ ]) by using a generalization of Prolog’s depth-first search mechanism. Both 
systems implemented versions of unification for simply typed λ-terms modulo 
α, β, η conversion (often called higher-order unification). The general structuring 
of those unification procedures was fashioned on the unification search processes 
described by Huet in [ ]. In λProlog, it was possible to generalize the work 
of Huet and Lang from simple template matching to more general analysis of 
program analysis and transformation [ ]. 

The dependent typed λ-calculus LF [ ] was developed to provide a high- 
level specification language for logics. This system contained quantification at 
higher-types and was based on an equality theory that incorporated α, β, and 
η-conversion (of dependent typed λ-calculus). Pfenning implemented LF as the 
Elf system [ ] using a λProlog-style operational semantics. The earliest version 
of Elf implemented unification modulo α, β, η. 

It was clear that these computer systems provided new ways to compute on 
the syntax of expressions with bound variables. The availability of unification 
and substitution in implementations of these meta-logics immediately allowed 
bound variable names to be ignored and substitutions for all data structures 
that contain bound variables to be provided directly. 

Pfenning and Elliott in [ ] coined the term higher-order abstract syntax for 
this new style of programming and specification. They also analyzed this style of 
syntactic specification and concluded that it should be based on an enrichment of 
the simply typed λ-calculus containing products and polymorphism, since they 
found that these two extensions were essential features for practical applications. 
To date, no computational system has been built to implement this particular 
notion of higher-order abstract syntax. It appears that in general, most practical 
applications can be accommodated in a type system without polymorphism or 
products. In practice, higher-order abstract syntax has generally come to refer 
to the encoding and manipulating of syntax using either simply or dependently 
typed λ-calculus modulo α, β, and η-conversion. 
4 A Weaker Form of β-Conversion 

Unification modulo α, β, and η conversion of λ-terms, either simply typed or 
dependently typed, is undecidable, even when restricted to second-order. Com- 
plexity results for matching are not fully known, although restricting to second- 
order matching is known to be NP-complete. Thus, the equalities implemented 
by these computer systems (Isabelle, λProlog, and Elf) are quite complex. This 
complexity suggests that we should find a simpler approach to using the λ-binder 
as a constructor for a syntactic type of abstraction. The presence of bound vari- 
ables in syntax is a complication, but it should not make computations on syntax 
overly costly. We made some progress towards this goal when we weakened Church’s 
STT so that λ-abstractions are not general functions. But since the equality and 
unification remain complex, it seems that we have not weakened that theory 
enough. 

We can consider, for example, getting rid of β-conversion entirely and only 
consider equality modulo α, η-conversion. However, this seems to leave the equal- 
ity system too weak. To illustrate that weakness, consider solving the following 
match, where capital letters denote the match variables: 

∀λx(P ∧ Q) = ∀λy((ry ⊃ sy) ∧ t). 

There is no substitution for P and Q that will make these two expressions equal 
modulo α and η-conversion: recall that we intend our meta-level to be a logic and 
that the proper logical reading of substitution does not permit variable capturing 
substitutions. Hence, the substitution 

{P ↦ (rx ⊃ sx), Q ↦ t} 

does not equate these two expressions: substituting into the first of these two 
terms produces a term equal to ∀λz((rx ⊃ sx) ∧ t) and not equal to the intended 
term ∀λy((ry ⊃ sy) ∧ t). If we leave things here, it seems impossible to do inter- 
esting pattern matching that can explore structure underneath a λ-abstraction. 

If we change this match problem, however, by raising the type of P from 
formula to term → formula and consider the following matching problem 
instead, 

∀λx(Px ∧ Q) = ∀λy((ry ⊃ sy) ∧ t) 

then this match problem does, in fact, have one unifier, namely, 

{P ↦ λw(rw ⊃ sw), Q ↦ t}. 

For this to be a unifier, however, the equality theory we use must allow ((λw.rw ⊃ 
sw) x) to be rewritten to (rx ⊃ sx). Clearly β will allow this, but we have really 
only motivated a much weaker version of β-conversion, in particular, the case 
when a λ-abstraction is applied to a bound variable that is not free in the 
abstraction. The restriction of β to the rule (λx.B)y = B[y/x], provided y is not 
free in (λx.B), is called β₀-conversion [ ]. In the presence of α-conversion, this 
rule can be written more simply and without a proviso as (λx.B)x = B. Our 
example can now be completed by allowing the equality theory to be based on 
α, β₀, and η-conversion. In such a theory, we have 

∀λx((λw(rw ⊃ sw)x) ∧ t) = ∀λy((ry ⊃ sy) ∧ t). 

If the λ-binder can be viewed as introducing a syntactic domain representing the 
abstraction of a bound variable from a term, then we can view β₀ as the rule 
that allows destructing a λ-binder by replacing it with a bound variable. 

It is easy to imagine generalizing the example above to cases where match 
variables have occurrences in the scope of more than one abstraction, where 
different syntax is being represented, and where unification and not matching is 
considered. In fact, when examining typical λProlog programs, it is clear that 
most instances of β-conversion performed by the interpreter are, in fact, instances 
of β₀-conversion. Consider, for example, a term with a free occurrence of M of 
the form 

λx ... λy ... (M y x) ... 

Any substitution for M applied to such a term introduces β₀ redexes only. For 
example, if M above is instantiated with a λ-term, say λuλv.t, then the only new 
β-redex formed is ((λuλv.t) y x). This term is reduced to normal form by simply 
renaming in t the variables u and v to y and x — a very simple computation. 
Notice that replacing a β₀-redex (λx.B)y with B[y/x] makes the term strictly 
smaller, which stands in striking contrast to β-reduction, where the size of terms 
can grow explosively. 

5 Lλ-Unification 

In [ ] Miller introduced a subset of hereditary Harrop formulas, called Lλ, 
such that the equality theory of α, β, η only involved α, β₀, η rewritings. In that 
setting, Miller showed that unification of λ-terms is decidable and unary (most 
general unifiers exist when unifiers exist). 

When Lλ is restricted to simply comparing two atomic formulas or two terms, 
it is generally referred to as Lλ-unification or as higher-order pattern unification. 
More precisely, in this setting a unification problem is a set of ordered pairs 

{(t₁, s₁), ..., (t_n, s_n)}, 

where for i = 1, ..., n, t_i and s_i are simply typed λ-terms of the 
same type. Such a unification problem is an Lλ-unification problem if every 
free variable occurrence in that problem is applied to at most distinct bound 
variables. This severe restriction on the applications of variables of higher-type 
is the key restriction of Lλ. 

This kind of unification can be seen both as a generalization of first-order 
unification and as a simplification of the unification process of Huet [ ]. Any β- 
normal λ-term has the top-level structure λx₁ ... λx_p(h t₁ ... t_q) where p, q ≥ 0, 
the binder x₁, ..., x_p is a list of distinct bound variables, the arguments t₁, ..., t_q 
are β-normal terms, and the head h is either a constant, a bound variable (i.e., 
a member of {x₁, ..., x_p}), or a free variable. (We shall sometimes write x̄ to 
denote a list of variables x₁, ..., x_n, for some n.) If the head is a free variable, 
the term is called flexible; otherwise, it is called rigid. Notice that if a term in 
Lλ is flexible, then it is of the form λx₁ ... λx_n.V y₁ ... y_p where each of the lists 
x₁, ..., x_n and y₁, ..., y_p contains distinct occurrences of variables and where 
the set {y₁, ..., y_p} is a subset of {x₁, ..., x_n}. Pairs in unification problems will 
be classified as either rigid-rigid, rigid-flexible, flexible-rigid, or flexible-flexible 
depending on the status of the two terms forming that pair. We can always 
assume that the two terms in a pair have the same binders: if not, use η to make 
the shorter binder longer and α to get them to have the same names. 

We present the main steps of the unification algorithm (see for for a fuller 
description). Select a pair in the given unification and choose the appropriate 
steps from the following steps. 

Rigid-Rigid Step. If the pair is rigid-rigid and both terms have the same head 
symbol, say, {Xx.hti . . .t^ Xx.hsi . . .Sn), then replace that pair with the pairs 
{Xx.ti, Ai.si), . . . , {Xx.tn, Xx.Sn) and continue processing pairs. If the pair has 
different heads, then there is no unifier for this unification problem. 

Flexible- Flexible Step. If the pair is flexible-flexible, then it is of the form 
{Xx.Vyi . . . 2/n, Xx.Uzi . . . Zp) where n,p > 0 and where the lists yi, . . . , y„ and 
zi . . .Zp are both lists of distinct variables and are both subsets of the binder x. 
There are two cases to consider. 

Case 1. If V and U are different, then this pair is solved by the substitution 
[V 1 -^ Xy.Ww^U 1 -^ Xz.Ww], where IP is a new free variable and w; is a list 
enumerating the variables that are in both the list y and the list z. 

Case 2. If V and U are equal, then, given the typing of A-terms, p and n must 
also be equal. Let w be an enumeration of the set {yi \ yi = Zi,i & {1, . . . , n}}. 
We solve this pair with the substitution [V Xy.Ww] (notice that this is the 
same via a-conversion to [V i— > Xz.Ww\), where IP is a new free variable. 

Flexible- Rigid Step. If the pair is flexible-rigid, then that pair is of the form 
{Xx.Vyi .. .yn,r). If V has a free occurrence in r then this unification has no 
solution. Otherwise, this pair is solved using the substitution [V i— > Ayi . . . Ay„.r]. 
Rigid- Flexible Step. If the pair is rigid-flexible, then switch the order of the pair 
and do the flexible-rigid step. 
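The four steps above as a runnable Python implementation (an added example, not code
from the paper, from Nipkow's implementation or from any other system cited here). The
tuple encoding of terms, the constructors C, B, F and lam, the assumption that free
variables occur fully applied, and the extra check that the rigid term mentions only
bound variables the flexible head is applied to are this example's own choices:

```python
"""L_lambda (higher-order pattern) unification, following the four steps
above.  A beta-normal term  lambda x1 ... xp . (h t1 ... tq)  is the tuple
(binder, head, args) with head = ('c', name) for a constant, ('b', name) for a
bound variable or ('f', name) for a free variable.  Assumptions of this
example: every free variable occurrence is fully applied (eta-long form), and
binder names are distinct within each input term (Barendregt convention)."""
from itertools import count

_counter = count()

def fresh(prefix):
    return f"{prefix}{next(_counter)}"

# Constructors: constant application, bound variable, free variable, lambda.
def C(name, *args): return ((), ('c', name), tuple(args))
def B(name): return ((), ('b', name), ())
def F(name, *args): return ((), ('f', name), tuple(args))
def lam(names, t): return (tuple(names) + t[0], t[1], t[2])

def rename(t, mapping):
    """Rename bound-variable occurrences; an inner binder whose name is a target
    of the renaming is alpha-renamed first, so that nothing gets captured."""
    binder, head, args = t
    mapping, new_binder = dict(mapping), []
    for x in binder:
        mapping.pop(x, None)                   # this x shadows any outer x
        if x in mapping.values():              # x would capture a renamed variable
            mapping[x] = fresh(x)
            x = mapping[x]
        new_binder.append(x)
    if head[0] == 'b' and head[1] in mapping:
        head = ('b', mapping[head[1]])
    return (tuple(new_binder), head, tuple(rename(a, mapping) for a in args))

def rebind(t, names):
    """Alpha-convert the top-level binder of t to the given names."""
    body = rename(((),) + t[1:], dict(zip(t[0], names)))
    return (tuple(names),) + body[1:]

def free_bvars(t):
    """Bound variables occurring in t that t's own binder does not bind."""
    binder, head, args = t
    used = {head[1]} if head[0] == 'b' else set()
    for a in args:
        used |= free_bvars(a)
    return used - set(binder)

def occurs(v, t):
    return t[1] == ('f', v) or any(occurs(v, a) for a in t[2])

def apply(t, sigma):
    """Apply a substitution.  A free variable is only ever applied to bound
    variables, so the redex this creates is a beta_0 redex: just a renaming."""
    binder, head, args = t
    args = tuple(apply(a, sigma) for a in args)
    if head[0] == 'f' and head[1] in sigma:
        ys, h, body_args = sigma[head[1]]
        names = [a[1][1] for a in args]        # the bound variables V is applied to
        body = rename(((), h, body_args), dict(zip(ys, names)))
        return apply((binder,) + body[1:], sigma)   # the body may mention bound variables too
    return (binder, head, args)

def unify(pairs):
    """Return a most general unifier {V: lambda-term}, or None if there is none."""
    sigma, pairs = {}, list(pairs)
    while pairs:
        s, t = (apply(u, sigma) for u in pairs.pop())
        if len(s[0]) != len(t[0]):
            raise ValueError("binders differ in length: eta-expand first")
        t = rebind(t, s[0])                              # alpha: use the same binder names
        if s[1][0] != 'f' and t[1][0] == 'f':            # Rigid-Flexible step: swap the pair
            s, t = t, s
        xs, (kind, v), sargs = s
        if kind != 'f':                                  # Rigid-Rigid step
            if s[1] != t[1] or len(sargs) != len(t[2]):
                return None                              # different heads: no unifier
            for a, b in zip(sargs, t[2]):                # push <lambda xs.t_i, lambda xs.s_i>
                pairs.append(((xs + a[0],) + a[1:], (xs + b[0],) + b[1:]))
            continue
        ys = [a[1][1] for a in sargs]                    # V y1 ... yn, distinct bound variables
        if t[1][0] == 'f':                               # Flexible-Flexible step
            u, zs, w = t[1][1], [a[1][1] for a in t[2]], fresh('W')
            if v != u:                                   # Case 1: variables common to y and z
                common = [y for y in ys if y in zs]
                sigma[u] = (tuple(zs), ('f', w), tuple(B(c) for c in common))
            else:                                        # Case 2: positions where y_i = z_i
                common = [y for y, z in zip(ys, zs) if y == z]
            sigma[v] = (tuple(ys), ('f', w), tuple(B(c) for c in common))
            continue
        if occurs(v, t):                                 # Flexible-Rigid step: occurs check
            return None
        body = ((),) + t[1:]
        if not free_bvars(body) <= set(ys):              # r uses a bound variable V cannot see:
            return None                                  # the standard extra check, elided above
        sigma[v] = (tuple(ys),) + body[1:]               # V -> lambda y1 ... yn . r
    return sigma
```

The last check is what makes the problem λx.F = λx.c x fail: F is applied to nothing, so
no closed substitution for F can produce a term mentioning x.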

Huet's process, when applied to such unification problems, produces the same reduction
except for the flexible-flexible steps. Huet's procedure actually does pre-unification,
leaving flexible-flexible pairs as constraints for future unifications since general
(non-$L_\lambda$) flexible-flexible pairs have too many solutions to actually enumerate
effectively. Given the restrictions in $L_\lambda$, flexible-flexible pairs can be solved
simply and do not need to be suspended.

Qian has shown that $L_\lambda$-unification can be done in linear time and space (using a
much more sophisticated algorithm than the one hinted at above). Nipkow has written a
simple functional implementation of $L_\lambda$-unification and has also shown that
results concerning first-order critical pairs lift naturally to the $L_\lambda$ setting.

It has also been shown that $L_\lambda$-unification can be modified to work with untyped
λ-terms. This observation means, for example, that the results about $L_\lambda$ can be
lifted to other type systems, not just the simple theory of types. Pfenning has done such
a generalization to a dependent typed system. Pfenning has also modified Elf so that
pre-unification essentially corresponds to $L_\lambda$-unification: unification
constraints that do not satisfy the $L_\lambda$ restriction on free variables are
delayed. The equality theory of Elf, however, is still based on full β-conversion.

Notice that unification in $L_\lambda$ is unification modulo α, $\beta_0$, and η, but
unification modulo α, $\beta_0$, and η on unrestricted terms is a more general problem.
For example, if $g$ is a constant of type $i \to i$ and $F$ is a variable of type
$i \to i \to i$, the equation $\lambda x. F\ x\ x = \lambda y. g\ y$ has two solutions
modulo α, $\beta_0$, η, namely, $F \mapsto \lambda u \lambda v. g\ u$ and
$F \mapsto \lambda u \lambda v. g\ v$. Notice that this unification problem is not in
$L_\lambda$ since the variable $F$ is applied to the bound variable $x$ twice. As this
example shows, unification modulo α, $\beta_0$, η is not necessarily unary.



6 Logic Programming in $L_\lambda$

Successful manipulation of syntax containing bound variables is not completely achieved
by picking a suitable unification and equality theory for terms. In order to compute
with λ-trees, it must be possible to define recursion over them. This requires
understanding how one "descends" into a λ-abstraction $\lambda x.t$ in a way that is
independent from the choice of the name $x$. A key observation made with respect to the
design of such systems as Isabelle, λProlog, and Elf is that such a declarative
treatment of bound variables requires the generic and hypothetical judgments that are
found in intuitionistic logic (via implication and universal quantification) and
associated dependent typed λ-calculi. The need to support universal quantification
explicitly forces one to consider unification with both free (existentially quantified)
variables and universally quantified variables. To handle unification with both kinds of
variables present, Paulson developed ∀-lifting and Miller developed raising (∀-lifting
can be seen as backchaining followed by raising).

The name $L_\lambda$ is actually the name of a subset of the hereditary Harrop formulas
used as a logical foundation for λProlog, except for restrictions on quantified
variables made to ensure that only $L_\lambda$-unification occurs in interpreting the
language. ($L_\lambda$ is generally also restricted so as not to have the predicate
quantification that is allowed in λProlog.) While we do not have adequate space here to
present the full definition of the $L_\lambda$ logic programming language (for that, see
the cited work) we shall illustrate the logic via a couple of examples.

We shall use inference figures to denote logic programming clauses in such a way that
the conclusion and the premise of a rule correspond to the head and body of the clause,
respectively. For example, if $A_0$, $A_1$, and $A_2$ are syntactic variables for atomic
formulas, then the two inference figures

$$\frac{A_1 \qquad A_2}{A_0} \qquad\qquad \frac{\forall x\,(A_1 \supset A_2)}{A_0}$$

denote the two formulas

$$\forall \bar{y}\,(A_1 \wedge A_2 \supset A_0) \quad \text{and} \quad
\forall \bar{y}\,(\forall x\,(A_1 \supset A_2) \supset A_0).$$

The list of variables $\bar{y}$ is generally determined by collecting together the free
variables of the premise and conclusion. In the inference figures, the corresponding
free variables will be denoted by capital letters. The first of these inference rules
denotes a simple Horn clause while the second inference rule is an example of a
hereditary Harrop formula. The theory of higher-order hereditary Harrop formulas
provides an adequate operational and proof theoretical semantics for these kinds of
clauses. The central restriction taken from $L_\lambda$-unification must be generalized
to this setting. Note that in our examples this restriction implies that a variable in
the list $\bar{y}$ can be applied only to distinct variables that are either λ-bound or
universally bound in the body of the clause.

Consider, for example, representing untyped λ-terms and simple types. Let $tm$ and $ty$
be two types for these two domains, respectively. The following four constants can be
used to build objects in these two domains.

$$\mathit{app} : tm \to tm \to tm \qquad\qquad \mathit{arr} : ty \to ty \to ty$$

$$\mathit{abs} : (tm \to tm) \to tm \qquad\qquad i : ty$$

The constants $\mathit{app}$ and $\mathit{abs}$ are constructors for applications and
abstractions, while the constants $\mathit{arr}$ and $i$ are used to denote functional
(arrow) types and a primitive type.

To capture the judgment that an untyped λ-term has a certain simple type, we introduce
the atomic judgment (predicate) $\mathit{typeof}$ that asserts that its first argument
(a term of type $tm$) has its second argument (a term of type $ty$) as a simple type. The
following two inference rules specify the $\mathit{typeof}$ judgment.

$$\frac{\mathit{typeof}\ M\ (\mathit{arr}\ A\ B) \qquad \mathit{typeof}\ N\ A}
{\mathit{typeof}\ (\mathit{app}\ M\ N)\ B} \qquad\qquad
\frac{\forall x\,(\mathit{typeof}\ x\ A \supset \mathit{typeof}\ (R\ x)\ B)}
{\mathit{typeof}\ (\mathit{abs}\ R)\ (\mathit{arr}\ A\ B)}$$

Notice that the variable $R$ is used in a higher-order fashion since it has an
occurrence where it is an argument and an occurrence where it has an argument.

The conventional approach to specifying such a typing judgment would in- 
volve an explicit context of typing assumptions and an explicit treatment of 
bound variable names, either as names or as de Bruijn numbers. In this specification
of the typeof judgment, the hypothetical judgment (the intuitionistic
implication) implicitly handles the typing context, and the generic judgment 
(the universal quantifier) implicitly handles the bound variable names via the 
use of eigenvariables. 

Since the application of variables is restricted greatly in $L_\lambda$, object-level
substitution cannot be handled simply by the equality theory of $L_\lambda$. For example,
the clause

$$\mathit{bredex}\ (\mathit{app}\ (\mathit{abs}\ R)\ N)\ (R\ N)$$

defines a predicate that relates the encoding of an untyped λ-term that represents a
top-level β-redex to the result of reducing that redex. The formula that encodes this
inference rule does not satisfy the $L_\lambda$ restriction since the variable $R$ is
not applied to a λ-bound variable: notice that instances of $(R\ N)$ might produce
(meta-level) β-redexes that are not $\beta_0$-redexes. Instead, object-level
substitution can be implemented as a simple logic program. To illustrate this, consider
the following two clauses for specifying equality for untyped λ-terms.

$$\frac{\mathit{copy}\ M\ M' \qquad \mathit{copy}\ N\ N'}
{\mathit{copy}\ (\mathit{app}\ M\ N)\ (\mathit{app}\ M'\ N')} \qquad\qquad
\frac{\forall x \forall y\,(\mathit{copy}\ x\ y \supset \mathit{copy}\ (R\ x)\ (S\ y))}
{\mathit{copy}\ (\mathit{abs}\ R)\ (\mathit{abs}\ S)}$$

Clearly, the atom $\mathit{copy}\ t\ t'$ is provable from these two clauses if and only
if $t$ and $t'$ denote the same untyped λ-term. Given this specification of equality, we
can now specify object-level substitution with the following simple clause:

$$\frac{\forall x\,(\mathit{copy}\ x\ N \supset \mathit{copy}\ (R\ x)\ M)}
{\mathit{subst}\ R\ N\ M}$$

which axiomatizes a three place relation, where the type of the first argument is
$i \to i$ and the type of the other two arguments is $i$. We can now finally
re-implement $\mathit{bredex}$ so that it is now an $L_\lambda$ program:

$$\frac{\mathit{subst}\ R\ N\ M}{\mathit{bredex}\ (\mathit{app}\ (\mathit{abs}\ R)\ N)\ M}$$

The entire specification of $\mathit{bredex}$ is now an $L_\lambda$ logic program. For a
general approach to accounting for object-level substitution in $L_\lambda$, see the
cited work.

For a specific illustration that classical logic does not support the notion of syntax
when higher-orders are involved, consider the following signature

$$p, q, r : \mathit{term} \to o \qquad\quad g : (\mathit{term} \to \mathit{term}) \to
\mathit{term} \qquad\quad f : \mathit{term} \to \mathit{term}$$

and the two clauses

$$\frac{p\ X}{r\ (f\ X)} \qquad\qquad \frac{\forall x\,(p\ x \supset q\ (U\ x))}{r\ (g\ U)}$$

Using the familiar "propositions-as-types" paradigm, the three atomic formulas $p\ t_1$,
$q\ t_2$, and $r\ t_3$ can be seen as specifying subtypes of the type $\mathit{term}$,
that is, they can be read as $t_1 : p$, $t_2 : q$, and $t_3 : r$. Using this analogy,
these two clauses would then read as the type declarations $f : p \to r$ and
$g : (p \to q) \to r$. Now consider the question of whether or not there is a term of
type $r$. Simple inspection reveals that there is no term of type $r$ built from these
two constants. Similarly, there is no intuitionistic proof of $\exists X. r\ X$ from the
two displayed clauses. On the contrary, there is a classical logic proof of
$\exists X. r\ X$ from these formulas. We leave it to the reader to ponder how classical
logic can be so liberal as to allow such a conclusion. (Hint: consider the classical
logic theorem $(\exists w. p\ w) \vee (\forall w. \neg p\ w)$.)
7 λ-Tree Syntax

In contrast to concrete syntax and parse tree syntax, a third level of syntax
representation, named λ-tree syntax, was introduced in the cited work. This approach to
syntactic representation uses λ-terms to encode data and $L_\lambda$-unification and
equality modulo α, $\beta_0$, and η to construct and deconstruct syntax. There is no
commitment to any particular type discipline for terms nor is typing necessary.

As we have observed, a programming language or specification language that
incorporates λ-tree syntax must also provide an abstraction mechanism that can be used
to support recursion under term level abstractions. In logic or typed languages, this is
achieved using eigenvariables (a notion of bound variable within a proof). Such a
mechanism can be described in a logic programming setting, like λProlog, as one where
new, scoped constants are introduced to play the role of bound variables.

While supporting λ-tree syntax is more demanding on the languages that implement it,
there has been a lot of work in making such implementations feasible. Consider for
example the work on explicit substitutions and the abstract machine and compiler Teyjus
for λProlog. The Isabelle theorem prover implements $L_\lambda$ and the Elf system
provides an effective implementation of $L_\lambda$ within a dependently typed
λ-calculus.

Support for λ-term syntax does not necessarily need to reside only in logic
programming-like systems. In the cited work, Miller proposed an extension to ML in which
pattern matching supported $L_\lambda$ matching and where data types allowed for the
scoped introduction of new constants (locally bound variables). A second type, written
a' => b', was introduced to represent the type of syntactically abstracted variables:
the usual function type, written a' -> b', was not used for that purpose. It is
possible, following the techniques we described for $L_\lambda$, to implement in the
resulting ML extension a function subst that maps the first domain into the second, that
is, subst has type (a' => b') -> (a' -> b'). To our knowledge, this language has not
been implemented.

The need for the new term λ-tree syntax instead of the more common term higher-order
abstract syntax can be justified for a couple of reasons. First, since types are not
necessary in this style of representation, the adjective "higher-order", which refers
to the order of types for variables and constants, seems inappropriate. Second,
higher-order abstract syntax generally denotes the stronger notion of equality and
unification that is based on full β-conversion. For example, Pfenning states that
"higher-order abstract syntax supports substitution through β-reduction in the
meta-language". Thus, the term higher-order abstract syntax would not be appropriate
for describing projects, such as $L_\lambda$ and the proposal mentioned above for
extending ML, in which β-reduction is not part of the meta-language.



8 Related Work

As we have mentioned, Church intended the function space constructor to be strong
enough to model mathematical functions and not to support the weaker notion of
representing an abstraction over syntactic types. As a result, we argued that Church's
system should be weakened by removing not only the axioms of infinity, choice, and
extensionality but also full β-conversion. On the other hand, there has been work in
trying to recover higher-order abstract syntax from rich function spaces such as those
found in Coq: the main issue there is to restrict the function space constructor to
exclude "exotic" terms, like those inhabiting function spaces but which do not denote
syntactic abstractions.

For conventional specifications using parse tree syntax, well understood semantic tools
are available, such as those of initial algebras and models for equality. Similar tools
have not yet been developed to handle λ-tree syntax. Since the logic that surrounds
λ-tree syntax is that of intuitionistic logic, Kripke models might be useful: a simple
step in this direction was taken in the cited work by recasting the cut-elimination
theorem for intuitionistic logic as a kind of initial model. Similarly, the notion of
Kripke λ-models due to Mitchell and Moggi could also be quite useful. The LICS 1999
proceedings contained three papers that proposed semantics for abstract syntax
containing bound variables that were based (roughly) on using initial models based on
certain categories of sheaves. Pitts and Gabbay have used their semantics to develop an
extension to ML that supports a notion of syntax somewhat similar to λ-tree syntax.

9 Conclusions 

One might have some impatience with the idea of introducing a more high- 
level form of abstract syntax: just implement substitution and the associated 
support for bound variables and move on! But what we are discussing here is 
the foundations of syntax. The choices made here can impact much of what is 
built on top. 

There is also the simple observation that with, say, the parse tree representa- 
tion of syntax, it is natural to use meta-level application to encode object-level 
application. But application and abstraction are not two features that acciden- 
tally appear in the same logic: they are two sides of the same phenomenon, just 
as introduction and elimination rules in proof theory are two sides of a connec- 
tive, and they need to be treated together. It should be just as natural to use 
meta-level abstractions to encode object-level abstractions, and indeed, this is 
what λ-tree syntax attempts to make possible.
Abstract. A key property in the definition of logic programming languages is
the completeness of goal-directed proofs. This concept originated in the study of 
logic programming languages for intuitionistic logic in the (single-conclusioned) 
sequent calculus LJ, but has subsequently been adapted to multiple-conclusioned 
systems such as those for linear logic. Given these developments, it seems inter- 
esting to investigate the notion of goal-directed proofs for a multiple-conclusioned 
sequent calculus for intuitionistic logic, in that this is a logic for which there are 
both single-conclusioned and multiple-conclusioned systems (although the lat- 
ter are less well known). In this paper we show that the language obtained for 
the multiple-conclusioned system differs from that for the single-conclusioned 
case, show how hereditary Harrop formulae can be recovered, and investigate 
contraction-free fragments of the logic. 



1 Introduction 

Logic programming is based upon the observation that if certain restrictions are placed 
on the class of formulae that can be used, then statements of mathematical logic can 
be interpreted as computer programs. In particular, computation consists of searching 
for a proof of a goal from a program, and the restrictions placed on both the program 
and the goal ensure that this proof search is sufficiently deterministic. The best known 
such restriction is to allow programs to consist of Horn clauses and goals to consist 
of existentially quantified conjunctions of atoms, which form the basis of the language
Prolog. 

When looking to extend such results to other logical systems, we proceed by starting
from a logic $\mathcal{L}$ (or indeed a set of inference rules for $\mathcal{L}$) and a
proof search strategy $\mathcal{S}$, and then determining a set of goal formulae
$\mathcal{G}$ and a set of program formulae $\mathcal{P}$ such that $\mathcal{S}$ is
complete with respect to $\mathcal{L}$. This process amounts to a systematic method for
designing logic programming languages, and has two important properties. Firstly, such 
a systematic process can uncover a richer, more expressive programming language. For 
example, analysis in intuitionistic logic has uncovered extensions to Horn clauses such 
as allowing implications, universal quantifiers, and negations in the bodies of clauses [3, 
16], incorporation of higher-order facilities [16], and negations and disjunctions in the 
heads of clauses [17]. Secondly, this process can be applied to logics other than classical 
(or intuitionistic) logic. For example, a number of logic programming languages have
been derived from linear logic including Lygon [11], Forum [15], LinLog [1], LO [2],
Lolli [12], ACL [13], and CC [21].

A popular proof search strategy is the notion of goal-directed proof [16], which, 
roughly speaking, requires that the goal be decomposed before the program, and hence 
the computation uses the program as a context, and the goal as the controlling sequence 
of instructions. The original presentation of goal-directed proof (and its formalisation 
- uniformity) were derived for the single-conclusioned sequent calculus LJ. However, 
this notion has been generalised to multiple-conclusioned sequent calculi in much of the 
work on linear logic.* As pointed out in [23, section 3.1], there are some weaknesses
in this approach, but it remains the best-known way to derive logic programming lan- 
guages from inference rules. 

In this paper we focus on the generalisation of uniformity to multiple-conclusioned 
logics. We investigate this question in the familiar territory of intuitionistic logic. The 
standard sequent calculus for intuitionistic logic is LJ, which is single-conclusioned. It 
is known that hereditary Harrop formulae are a logic programming language in intu- 
itionistic logic, using goal-directed proof search in LJ. Further, there is evidence that 
this class of formulae is, in some sense, maximal [9] (at least for the first-order case). 

Thus it would seem that the identification of logic programming languages in in- 
tuitionistic logic is a solved problem. However, it is less widely known that there are 
multiple-conclusioned sequent calculi for intuitionistic logic [22]. Whilst these are not 
as well known as LJ, they have been of some interest for the relationship between 
intuitionistic and classical inference [20]. Given such inference systems, the question 
naturally arises as to what logic programming languages would look like in such sys- 
tems, and what the results of the previous analysis would be. This is a particularly 
interesting question given that there has been a significant amount of investigation of 
notions of goal-directed provability for multiple-conclusioned systems such as linear 
logic [1, 15, 19,21] and classical logic [10, 18]. Thus it seems appropriate to inves- 
tigate the design of logic programming languages via goal-directed provability for a 
multiple-conclusioned system for intuitionistic logic, and to compare the results with 
the single-conclusioned case. 



2 Preliminaries 

2.1 Sequent Calculi 

Sequent calculi are due originally to Gentzen [7] and are often used in the analysis of 
proof systems. This is because sequent calculus rules are local (and hence conceptually 
straightforward to implement) and there is a natural distinction between programs and 
goals. 

A sequent $\Gamma \vdash \Delta$ may be thought of as stating that if all the formulae
in $\Gamma$ are true, then at least one of the formulae in $\Delta$ is true. $\Gamma$ is
referred to as the antecedent and $\Delta$ as the succedent. The sequent calculus for
classical logic, LK, is the best known (and
arguably the simplest). Below we give a few of the rules for this calculus. 

* Actually, there appear to be at least two distinct such generalisations. 
$$\frac{}{F \vdash F}\ \mathit{Axiom} \qquad
\frac{\Gamma \vdash F, \Delta \qquad \Gamma, F \vdash \Delta}{\Gamma \vdash \Delta}\ \mathit{Cut} \qquad
\frac{\Gamma \vdash F_1, F_2, \Delta}{\Gamma \vdash F_1 \vee F_2, \Delta}\ \vee R \qquad
\frac{\Gamma \vdash F, \Delta}{\Gamma, \neg F \vdash \Delta}\ \neg L$$

$$\frac{\Gamma \vdash F_1, \Delta \qquad \Gamma, F_2 \vdash \Delta}{\Gamma, F_1 \to F_2 \vdash \Delta}\ {\to}L \qquad
\frac{\Gamma, F_1 \vdash F_2, \Delta}{\Gamma \vdash F_1 \to F_2, \Delta}\ {\to}R \qquad
\frac{\Gamma, F_1 \vdash \Delta \qquad \Gamma, F_2 \vdash \Delta}{\Gamma, F_1 \vee F_2 \vdash \Delta}\ \vee L$$

LK has the cut-elimination property [7], i.e. that any proof containing occurrences 
of the Cut rule can be replaced with a (potentially much larger) proof in which there are 
no occurrences of the Cut rule. Both of the other sequent calculus systems used in this 
paper (LJ and LM) also have the cut-elimination property. 



2.2 Permutabilities 

It is well known that the sequent calculus contains redundancies, in that there may be 
several trivially different proofs of the same sequent. In particular, the order of the rules 
can often be permuted, in that given a sequence of inference rules, we can change the 
order of the rules to obtain an equivalent sequence (i.e. one which has the same root and 
leaves as the original). 

In order to study such properties, we require some further terminology [6]. The
active formulae of an inference are the formulae which are present in the premise(s), 
but not in the conclusion. The principal formula of an inference is the formula which is 
present in the conclusion, but not in the premise(s). Intuitively, the inference converts 
the active formulae into the principal formula (but as discussed in [14], this is sometimes 
too simplistic). 

When looking to permute the order of two inferences, it is necessary to check that 
the principal formula of the upper inference is not an active formula of the lower one; 
otherwise, no permutation is possible. When this property occurs, the two inferences 
are said to be in permutation position [6, 14]. 

For example, consider the two inferences below.

$$\dfrac{\dfrac{\dfrac{q \vdash p, q, r}{q \vdash p, q \vee r}\ \vee R}
{\neg p, q \vdash q \vee r}\ \neg L}{\neg p \wedge q \vdash q \vee r}\ \wedge L
\qquad\qquad
\dfrac{\dfrac{\dfrac{q \vdash p, q, r}{\neg p, q \vdash q, r}\ \neg L}
{\neg p, q \vdash q \vee r}\ \vee R}{\neg p \wedge q \vdash q \vee r}\ \wedge L$$

In either inference, we have the following:

Rule    Principal Formula    Active Formulae
∧L      ¬p ∧ q               ¬p, q
¬L      ¬p                   p
∨R      q ∨ r                q, r

Note that in the left-hand inference, as ¬p is both the principal formula of ¬L and an
active formula of ∧L, ¬L and ∧L are not in permutation position. On the other hand, as
the active formula of ¬L is p, this is distinct from the principal formula of ∨R, which
is q ∨ r, and hence ¬L and ∨R are in permutation position. In particular, we can permute
∨R below ¬L (or alternatively ¬L above ∨R) resulting in the right-hand inference above.
2.3 Intuitionistic Logic and LJ

The standard sequent calculus for intuitionistic logic, LJ, can be obtained from LK by
requiring that in every sequent $\Gamma \vdash \Delta$ the succedent $\Delta$ contains at
most one formula. Amongst other changes, this means that the conclusion of the ¬L rule
must have an empty succedent. Other rules which are significantly affected are the →L
and ∨R rules, which have the following form in LJ:

$$\frac{\Gamma \vdash F_1 \qquad \Gamma, F_2 \vdash F}{\Gamma, F_1 \to F_2 \vdash F}\ {\to}L
\qquad\qquad \frac{\Gamma \vdash F_i}{\Gamma \vdash F_1 \vee F_2}\ \vee R$$

The →L rule thus omits the duplication of $F$ in the left-hand premise and the ∨R rule
must choose which of $F_1$ and $F_2$ is to appear in the premise. As we shall see, this
is a crucial difference between LJ and the multiple-conclusioned version.



2.4 Multiple-Conclusioned Systems for Intuitionistic Logic

Below is the multiple-conclusioned system taken from [22].

$$\frac{}{F \vdash F}\ \mathit{Axiom} \qquad\qquad
\frac{\Gamma \vdash F, \Delta \qquad \Gamma, F \vdash \Delta}{\Gamma \vdash \Delta}\ \mathit{Cut}$$

$$\frac{\Gamma, F, F \vdash \Delta}{\Gamma, F \vdash \Delta}\ \mathit{CL} \qquad
\frac{\Gamma \vdash F, F, \Delta}{\Gamma \vdash F, \Delta}\ \mathit{CR} \qquad
\frac{\Gamma \vdash \Delta}{\Gamma, F \vdash \Delta}\ \mathit{WL} \qquad
\frac{\Gamma \vdash \Delta}{\Gamma \vdash F, \Delta}\ \mathit{WR}$$

$$\frac{\Gamma, F_1, F_2 \vdash \Delta}{\Gamma, F_1 \wedge F_2 \vdash \Delta}\ \wedge L \qquad
\frac{\Gamma \vdash F_1, \Delta \qquad \Gamma \vdash F_2, \Delta}{\Gamma \vdash F_1 \wedge F_2, \Delta}\ \wedge R$$

$$\frac{\Gamma, F_1 \vdash \Delta \qquad \Gamma, F_2 \vdash \Delta}{\Gamma, F_1 \vee F_2 \vdash \Delta}\ \vee L \qquad
\frac{\Gamma \vdash F_1, F_2, \Delta}{\Gamma \vdash F_1 \vee F_2, \Delta}\ \vee R$$

$$\frac{\Gamma, F[y/x] \vdash \Delta}{\Gamma, \exists x F \vdash \Delta}\ \exists L \qquad
\frac{\Gamma \vdash F[t/x], \Delta}{\Gamma \vdash \exists x F, \Delta}\ \exists R \qquad
\frac{\Gamma, F[t/x] \vdash \Delta}{\Gamma, \forall x F \vdash \Delta}\ \forall L \qquad
\frac{\Gamma \vdash F[y/x]}{\Gamma \vdash \forall x F, \Delta}\ \forall R$$

$$\frac{\Gamma \vdash F_1, \Delta \qquad \Gamma, F_2 \vdash \Delta}{\Gamma, F_1 \to F_2 \vdash \Delta}\ {\to}L \qquad
\frac{\Gamma, F_1 \vdash F_2}{\Gamma \vdash F_1 \to F_2, \Delta}\ {\to}R \qquad
\frac{\Gamma \vdash F, \Delta}{\Gamma, \neg F \vdash \Delta}\ \neg L \qquad
\frac{\Gamma, F \vdash}{\Gamma \vdash \neg F, \Delta}\ \neg R$$

The rules ∃L and ∀R have the usual side condition that $y$ is not free in $\Gamma$,
$\Delta$ or $F$.

Following [20], we refer to this system as LM. Unlike LJ, contraction on the right may
be used arbitrarily here. Note that this is effectively negated by the form of the rules
for ∀R, →R and ¬R. Note also that the ∨R rule is classical (ie the LK rule), and the
rules ∀R, →R and ¬R are different from both LK and LJ. Following Wallen [22], let us
call these latter rules special rules.

As an illustration of the differences between LK, LJ and LM, consider Peirce's formula
$((p \to q) \to p) \to p$, which is provable classically, but not intuitionistically.
The LK proof is below, as are the corresponding failed attempts in LJ and LM
respectively (in left to right order).

$$\dfrac{\dfrac{\dfrac{p \vdash q, p}{\vdash p \to q, p}\ {\to}R \qquad \dfrac{}{p \vdash p}\ \mathit{Ax}}
{(p \to q) \to p \vdash p}\ {\to}L}{\vdash ((p \to q) \to p) \to p}\ {\to}R
\qquad
\dfrac{\dfrac{\dfrac{p \vdash q}{\vdash p \to q}\ {\to}R \qquad \dfrac{}{p \vdash p}\ \mathit{Ax}}
{(p \to q) \to p \vdash p}\ {\to}L}{\vdash ((p \to q) \to p) \to p}\ {\to}R
\qquad
\dfrac{\dfrac{\dfrac{p \vdash q}{\vdash p \to q, p}\ {\to}R \qquad \dfrac{}{p \vdash p}\ \mathit{Ax}}
{(p \to q) \to p \vdash p}\ {\to}L}{\vdash ((p \to q) \to p) \to p}\ {\to}R$$

Note that in LK, the →L rule does not make a choice between p → q and p, whereas in LJ
it chooses p. In LM, the →L rule does not make a choice between p → q and p, but the →R
rule does.

2.5 Goal-Directed Proofs 

The logic programming interpretation of a sequent Γ ⊢ Δ is that the antecedent Γ
represents the program, and the succedent Δ the goal. Hence when searching for a proof
of Γ ⊢ Δ (i.e. performing computation), the search should be "driven" by Δ (and thus be
goal-directed). The proof-theoretic characterisation of this property is the notion of
uniform proof [16].

Definition 1. An LJ proof is uniform if for every sequent Γ ⊢ A in which A is a
non-atomic formula, the inference rule used to derive Γ ⊢ A is the right rule for the
principal connective of A.

Thus the search process must reduce a non-atomic succedent before it looks at the
program. We also need a proof-theoretic account of resolution, which is given by the
notion of a simple proof [16].

Definition 2. An LJ proof is simple if for every occurrence of →L the right hand
premise is an axiom.

Clearly it is possible for an LJ proof to be neither uniform nor simple. Hence the
question is to identify a class of formulae for which simple uniform proofs are
complete (i.e. do not "miss" any consequences). The fragment known as hereditary Harrop
formulae (HHF) has these properties and is defined as follows, where A ranges over
atomic formulae.

$$\text{Definite formulae} \quad D ::= A \mid D \wedge D \mid G \to A \mid \forall x . D$$

$$\text{Goal formulae} \quad G ::= A \mid G \vee G \mid G \wedge G \mid D \to G \mid \forall x . G \mid \exists x . G$$

A program, then, is a set of definite formulae, and a goal is a goal formula. We then
have the following theorem.

Theorem 1 (Miller et al. [16]). Let P ⊢ G be a hereditary Harrop sequent. Then P ⊢ G
iff P ⊢ G has a simple uniform proof in LJ.
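Definitions 1 and 2 and the HHF grammar, as an added Python example (not the paper's
code) of a goal-directed interpreter for the propositional part of hereditary Harrop
formulae: solve builds an LJ proof tree and is_uniform and is_simple check it against
the two definitions. The tuple encoding, the depth bound and the rule names andR, orR,
impR, impL and Ax are this example's own.

```python
"""Goal-directed proof search for propositional hereditary Harrop formulae
in LJ, following Definitions 1 and 2.  Formulae are tuples ('atom', p),
('and', F, G), ('or', F, G) and ('imp', F, G); a proof is a tuple
(rule, (program, goal), premises).  The depth bound is this example's own
device for cutting off looping programs such as {p -> p}."""

def atom(p): return ('atom', p)

def clauses(d):
    """Flatten a definite formula  D ::= A | D and D | G -> A  into (body, head)
    clauses; a fact A becomes a clause with body None."""
    if d[0] == 'atom':
        return [(None, d)]
    if d[0] == 'and':
        return clauses(d[1]) + clauses(d[2])
    if d[0] == 'imp' and d[2][0] == 'atom':
        return [(d[1], d[2])]
    raise ValueError(f"not a definite formula: {d!r}")

def solve(program, goal, depth=20):
    """Return a simple uniform LJ proof of  program |- goal, or None."""
    if depth == 0:
        return None
    seq = (tuple(program), goal)
    if goal[0] == 'and':                          # andR: prove both conjuncts
        left, right = solve(program, goal[1], depth), solve(program, goal[2], depth)
        return ('andR', seq, [left, right]) if left and right else None
    if goal[0] == 'or':                           # orR: LJ must pick one disjunct
        for disjunct in goal[1:]:
            sub = solve(program, disjunct, depth)
            if sub:
                return ('orR', seq, [sub])
        return None
    if goal[0] == 'imp':                          # impR: the antecedent joins the program
        clauses(goal[1])                          # (it has to be a definite formula)
        sub = solve(program + [goal[1]], goal[2], depth)
        return ('impR', seq, [sub]) if sub else None
    # Atomic goal: only now is the program inspected (uniformity), and impL is
    # used with an axiom as its right-hand premise (simplicity): resolution.
    for d in program:
        for body, head in clauses(d):
            if head != goal:
                continue
            if body is None:
                return ('Ax', seq, [])
            sub = solve(program, body, depth - 1)
            if sub:
                return ('impL', seq, [sub, ('Ax', (seq[0] + (head,), goal), [])])
    return None

RIGHT_RULE = {'and': 'andR', 'or': 'orR', 'imp': 'impR'}

def is_uniform(proof):
    """Definition 1: every non-atomic succedent is decomposed by its right rule."""
    rule, (_, goal), premises = proof
    ok = goal[0] == 'atom' or rule == RIGHT_RULE[goal[0]]
    return ok and all(is_uniform(p) for p in premises)

def is_simple(proof):
    """Definition 2: the right-hand premise of every impL is an axiom."""
    rule, _, premises = proof
    if rule == 'impL' and premises[1][0] != 'Ax':
        return False
    return all(is_simple(p) for p in premises)
```

A program containing a disjunction makes clauses raise, which is the HHF restriction
that Section 3 relaxes for LM.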

3 Deriving a Logic Programming Language in LM 

We now turn to the problem of identifying logic programming languages in LM. Following
the above pattern, we need to find an appropriate conception of goal-directed proof in
LM. Having done so, a class of formulae is then a logic programming language if for any
P and G in the appropriate class, P ⊢ G is provable iff P ⊢ G has a goal-directed proof
in LM. We can establish such a result by considering permutabilities of rules and
showing that a given proof of P ⊢ G can always be transformed using permutabilities
into a goal-directed proof. We are particularly interested in permuting right rules
downwards (i.e. towards the root of the proof). A non-permuting right rule indicates a
situation that needs to be avoided; this implies a constraint on the class of formulae
considered to be a logic programming language.
3.1 Permutation Properties of LM

Since the only rules in LM which differ from LK are ∀R, →R and ¬R, these are the only
ones whose permutation behaviour will differ from LK. Note that in LK all of the
propositional logical rules permute with each other. The following table summarises
when we can permute a right rule above a left to a left above a right.





[Table: rows ∨L, →L (right), →L (left), ∧L, ∀L, ∃L against columns ∀R, ¬R, →R, ∃R, ∧R,
∨R, recording for each pair whether the right rule can be permuted below the left rule.
The individual entries are not recoverable from the scan; the only surviving cell is in
the →L (left) row, marked "can be eliminated using W".]
Note that we distinguish between the right rule appearing in permutation position above
the left premise of →L and above the right premise. We do not do this for ∨L as the two
are symmetric. For the →L (left) case the row marked "can be eliminated ..." corresponds
to the transformation which replaces the left inference below with the right one, thus
eliminating altogether the occurrence of the →L rule.

$$\dfrac{\dfrac{\Gamma, F_3 \vdash F_4}{\Gamma \vdash F_1, F_3 \to F_4, \Delta}\ {\to}R
\qquad \Gamma, F_2 \vdash F_3 \to F_4, \Delta}
{\Gamma, F_1 \to F_2 \vdash F_3 \to F_4, \Delta}\ {\to}L
\qquad\qquad
\dfrac{\dfrac{\Gamma, F_3 \vdash F_4}{\Gamma \vdash F_3 \to F_4, \Delta}\ {\to}R}
{\Gamma, F_1 \to F_2 \vdash F_3 \to F_4, \Delta}\ \mathit{WL}$$

A point to note is that in LM, the ∨R rule can be permuted below the ∨L rule, which is
not the case in LJ (but is the case in LK). As a result, it is possible to use
disjunctions positively in programs in LM. This gives a proof-theoretic characterisation
of the notion of disjunctive logic programs [17], which have been used to model certain
types of uncertain information. This may be thought of as a particular instance of the
general observation that there is a trade-off between the expressiveness of the language
and the strength of the properties of the search strategy. In this case, no choice has
to be made when the ∨R rule is applied, and hence a larger fragment of the logic may be
used; quid pro quo, the resulting proofs no longer have the disjunctive property (i.e.
that if $F_1 \vee F_2$ is provable, then so is $F_i$ for some $i = 1, 2$). Note, though,
that the ∃R rule cannot be permuted below the ∃L rule (just as in LK), and hence there
is no corresponding property for ∃.

Hence the main observation is that the special rules do not permute downwards past ∨L
or →L on the right. Below is a proof in which →R occurs above the right premise of →L,
but cannot be permuted downwards.

$$\dfrac{\dfrac{p \vdash p, q \to r, q \qquad q \vdash p, q \to r, q}
{p \vee q \vdash p, q \to r, q}\ \vee L
\qquad
\dfrac{p \vee q, q, r \vdash r}{p \vee q, r \vdash q \to r, q}\ {\to}R}
{p \vee q, p \to r \vdash q \to r, q}\ {\to}L$$
Attempting to prove this sequent with →R first results in an unprovable premise:

$$\dfrac{\dfrac{\dfrac{p, q \vdash r, p \qquad q, q \vdash r, p}{p \vee q, q \vdash r, p}\ \vee L
\qquad p \vee q, r, q \vdash r}
{p \vee q, p \to r, q \vdash r}\ {\to}L}
{p \vee q, p \to r \vdash q \to r, q}\ {\to}R$$



3.2 Identifying a Subset of the Logic 

In order for a class of formulae to be a logic programming language (using a goal-
directed proof search) we need to ensure that the “no” cases in the above table 
cannot occur. We do this by ensuring that one of the non-permuting rules cannot occur, 
by constraining the class of formulae to limit occurrences of the relevant connective. 
We have two orthogonal choices: (1) ∃L versus ∃R; and (2) the special rules (∀R, ¬R 
and →R) versus ∨L and →L. 

Note that the rules ∀L, ∧L, ¬L, ∨R and ∧R can be freely used. This yields the 
following four combinations: 

     Right rules            Left rules 
 1.  ∧, ∨, ∀, →, ¬          ∀, ∧, ¬, ∃ 
 2.  ∧, ∨, ∀, ¬, →, ∃       ∀, ∧, ¬ 
 3.  ∧, ∨                   ∀, ∃, ∧, ∨, ¬, → 
 4.  ∧, ∨, ∃                ∀, ∧, ∨, ¬, → 

The first three possibilities don’t appear to be very useful since they do not include 
Horn clauses: the first two possibilities do not allow implication on the left (and hence 
do not allow rules in programs) and the third possibility does not allow existential 
quantification in goals. 

Hence the most useful language is the last one, which, when compared to hereditary 
Harrop formulae, allows disjunctions and negations on the left, but disallows universal 
quantifiers and implications on the right. 

One question that quickly arises in any discussion of goal-directedness in a multiple- 
conclusioned setting is that there is a choice to be made between applicable right rules 
(whereas in the single-conclusioned case there is only one). Clearly there are only two 
possibilities: either the choice is arbitrary (and hence any choice will suffice) or it is 
not (and so more care must be taken to maintain completeness). The former is what is 
assumed in Forum, and hence all right rules must permute over each other. The latter is 
what is assumed in Lygon, and hence the possible execution strategies must be derived 
from an analysis of the permutation properties of the right rules, which in the case of 
Lygon, is based around Andreoli’s analysis of such rules [1]. 

The following table summarises permutability properties among the right rules. A 
tick indicates that the right rule of the column can be permuted below the right rule of 
the row. A “-” indicates that it is not possible for the pair of rules to occur in permutation 
position, and a “( )” indicates that although a normal permutation is not possible, a sub-
proof with the same premises and conclusion is possible which only applies the special 
rule. For example consider the transformation below: 

$$\dfrac{\dfrac{\Gamma, G \vdash H}{\Gamma \vdash F_1, F_2, G \to H}\ {\to}R}{\Gamma \vdash F_1 \lor F_2, G \to H}\ {\lor}R
\quad\Longrightarrow\quad
\dfrac{\Gamma, G \vdash H}{\Gamma \vdash F_1 \lor F_2, G \to H}\ {\to}R$$

This is similar to the case involving a special rule above the left premise of →L. 





          ∀R     ¬R     →R     ∃R     ∧R     ∨R 
   ∀R     -      -      -      -      -      - 
   ¬R     -      -      -      -      -      - 
   →R     -      -      -      -      -      - 
   ∃R    ( )    ( )    ( ) 
   ∧R    ( )    ( )    ( ) 
   ∨R    ( )    ( )    ( ) 

Thus, for LM, all right rules effectively permute over each other and so proof search 
can arbitrarily choose an applicable right rule without any loss of completeness. 

3.3 Formal Results 

Hence we arrive at the following notion of goal-directedness and class of formulae. 

Definition 3. An LM proof is uniform if every sequent which contains a non-atomic 
formula in the succedent is the conclusion of a right rule. 

Definition 4. LM-definite formulae and LM-goal formulae are given by the grammar: 

LM-definite formulae  D ::= A | D ∧ D | D ∨ D | ¬G | G → D | ∀x.D 

LM-goal formulae      G ::= A | G ∨ G | G ∧ G | ∃x.G 

Note that although negations occurring positively in programs are permitted accord-
ing to uniformity, they are in some sense not goal directed in that it is possible to have 
programs which are provable regardless of the goal given. For example, p, ¬p ⊢ G is 
provable for any goal formula G. 

Theorem 2 (Uniformity). Let 𝒫 be a set of LM-definite formulae and 𝒢 be a set of 
LM-goal formulae. Then 𝒫 ⊢ 𝒢 has an LM-proof iff 𝒫 ⊢ 𝒢 has a uniform proof. 

Proof, (sketch) The basic idea is that since all of the possible right rules permute down 
over all of the possible left rules we can eliminate non-uniform inferences by permuting 
right rules down so they are beneath left rules. The details are more subtle and are 
omitted due to space limitations. □ 

As for simple proofs, we need to restrict the formulae in the programs to be clausal, 
i.e. of the form G → A rather than G → D. This is done so that when permuting other 
left rules down below →L on the right, we can be sure that the two rules are always in 
permutation position (as an atom can never be the principal formula). Hence we arrive 
at the following definition. 

Definition 5. Clausal LM-definite formulae are given by the grammar: 

D ::= A | D ∧ D | D ∨ D | G → A | ∀x.D 

Then it is straightforward to show the following result from the permutation prop- 
erties by a simple inductive argument. 



Theorem 3. Let 𝒫 be a set of clausal LM-definite formulae and 𝒢 be a set of LM-goal 
formulae. Then 𝒫 ⊢ 𝒢 has an LM-proof iff 𝒫 ⊢ 𝒢 has a simple uniform proof. 

Proof. By Theorem 2, there is a uniform proof of 𝒫 ⊢ 𝒢. From the permutation proper-
ties we know that any occurrences of ∃R, ∨R or ∧R can be permuted down past →L on 
the right. By a similar argument, it can be shown that any occurrences of ∧L, ¬L, ∨L 
and ∀L can be permuted downwards. Hence the right premise of an occurrence of →L 
must be the conclusion of either an axiom, or another →L. The following permutation 
can be applied to the highest non-simple occurrence of →L in a chain of →L to make 
it simple. We repeat this until all occurrences of →L in the chain are simple. 



$$\dfrac{\Gamma, G_2 \to A_2 \vdash G_1, \Delta \qquad \dfrac{\Gamma, A_1 \vdash G_2, \Delta \qquad \Gamma, A_1, A_2 \vdash \Delta}{\Gamma, G_2 \to A_2, A_1 \vdash \Delta}\ {\to}L}{\Gamma, G_1 \to A_1, G_2 \to A_2 \vdash \Delta}\ {\to}L$$

$$\Downarrow$$

$$\dfrac{\dfrac{\dfrac{\dfrac{\Gamma, G_2 \to A_2 \vdash G_1, \Delta}{\Gamma, G_2 \to A_2 \vdash G_1, G_2, \Delta}\ WR \qquad \dfrac{\Gamma, A_1 \vdash G_2, \Delta}{\Gamma, G_2 \to A_2, A_1 \vdash G_2, \Delta}\ WL}{\Gamma, G_2 \to A_2, G_1 \to A_1 \vdash G_2, \Delta}\ {\to}L \qquad \Gamma, G_1 \to A_1, G_2 \to A_2, A_2 \vdash \Delta}{\Gamma, G_2 \to A_2, G_1 \to A_1, G_2 \to A_2 \vdash \Delta}\ {\to}L}{\Gamma, G_1 \to A_1, G_2 \to A_2 \vdash \Delta}\ CL$$

Consider the sequent Γ, A1, A2 ⊢ Δ in the first inference. Since it is the conclusion 
of an axiom rule (modulo structural rules) we have that either A2 ⊢ Δ, or A1 ⊢ Δ, or 
F ⊢ Δ for some F ∈ Γ. In the last two cases we can simply delete the top occurrence 
of →L altogether, thus making the remaining →L simple. In the remaining case we have 
that Γ, G1 → A1, G2 → A2, A2 ⊢ Δ, and hence the permutation has produced a simple 
occurrence of →L as desired. □ 



Theorem 4. LM-definite and LM-goal formulae are not a logic programming language 
in LJ. 

Proof. LM-definite and LM-goal formulae allow disjunction as a top-level connective. 
The sequent p ∨ q ⊢ p ∨ q is provable, but does not have a uniform (in the sense of 
Definition 1) proof. □ 

Hence the analyses for LM and LJ lead to different logic programming languages. 
However, whilst HHF do not qualify “directly” as a logic programming language in 
LM, it is possible to recover HHF as a logic programming language in LM by a simple 
analysis of the role of disjunctions in programs. 
4 Definite Formulae in LM 

One interpretation of the results of the previous sections is that whilst it is possible to 
use disjunctions positively in programs in an intuitionistic setting by using LM rather 
than LJ, the cost is that the richer language of HHF cannot be used. On the other hand, it 
is well-known that in LJ, HHF can be used, but at the cost of not allowing disjunctions in 
programs. However, we can recover HHF without changing inference rules by omitting 
disjunctions in programs (and hence not using ∨L in proofs). We explore this issue 
in this section. 

It is not hard to show that in LM, WL can always be permuted upwards, and WR 
can either be permuted upwards or “absorbed” by the special rules. For the latter case, 
note the transformation below. 

$$\dfrac{\dfrac{\Gamma \vdash F[y/x]}{\Gamma \vdash \forall x F, \Delta}\ {\forall}R}{\Gamma \vdash \forall x F, F', \Delta}\ WR
\quad\Longrightarrow\quad
\dfrac{\Gamma \vdash F[y/x]}{\Gamma \vdash \forall x F, F', \Delta}\ {\forall}R$$

Hence we can use the form of the axiom rule below, and omit the WL and WR rules. 

$$\Gamma, F \vdash F, \Delta$$

This means that we can show the following result. 

Theorem 5. Let Γ ⊢ Δ be a provable sequent in LM in which ∨L does not occur. Then 
either Γ ⊢ is provable in LM or Γ ⊢ F for some F ∈ Δ is provable in LM. 

Note the strength of the contrapositive of this result: if a proof requires multiple 
conclusions, then it must include an occurrence of ∨L. 

Proof. We proceed by induction on the size of the proof. In the base case, Γ ⊢ Δ is just 
an axiom, and clearly the result is trivially true. Hence we assume the result is true for 
all proofs of no more than a given size. The cases for CL, ∧L, ∧R, ∃L, ∃R, ∀L, ¬L and 
the special rules are all trivial. That leaves CR, ∨R, and →L. 

CR: The previous sequent is Γ ⊢ F, F, Δ, and so by the hypothesis we have that either 
Γ ⊢ F′ for some F′ ∈ Δ, in which case we are done, or Γ ⊢ F, in which case we 
are done. 

∨R: The previous sequent is Γ ⊢ F1, F2, Δ, and so by the hypothesis we have that 
either Γ ⊢ F for some F ∈ Δ, in which case we are done, or Γ ⊢ Fi, in which 
case we can derive Γ ⊢ F1 ∨ F2 via WR and ∨R. 

→L: The previous sequents are Γ ⊢ F1, Δ and Γ, F2 ⊢ Δ, and so by the hypothesis, 
we have that Γ, F2 ⊢ F′ for some F′ ∈ Δ and either Γ ⊢ F for some F ∈ Δ, 
in which case we can derive Γ, F1 → F2 ⊢ F by WL, or we have Γ ⊢ F1. In the 
latter case we have Γ ⊢ F1 and Γ, F2 ⊢ F′, and hence we have Γ, F1 → F2 ⊢ F′. 

□ 
Thus once (positive) disjunctions are removed from programs (i.e. antecedents), we 
essentially recover LJ. 

In particular, this shows that we can use the following versions of →L and ∨R: 

$$\dfrac{\Gamma \vdash F_1 \qquad \Gamma, F_2 \vdash F}{\Gamma, F_1 \to F_2 \vdash F}\ {\to}L \qquad\qquad \dfrac{\Gamma \vdash F_i}{\Gamma \vdash F_1 \lor F_2}\ {\lor}R$$

These are clearly just the LJ rules. This means that by using this form of →L, we 
can recover the downwards permutability of the special rules over →L. For example, 
consider the →R rule and the transformation below: 

$$\dfrac{\Gamma \vdash F_1 \qquad \dfrac{\Gamma, F_2, F_3 \vdash F_4}{\Gamma, F_2 \vdash F_3 \to F_4, \Delta}\ {\to}R}{\Gamma, F_1 \to F_2 \vdash F_3 \to F_4, \Delta}\ {\to}L
\quad\Longrightarrow\quad
\dfrac{\dfrac{\dfrac{\Gamma \vdash F_1}{\Gamma, F_3 \vdash F_1}\ WL \qquad \Gamma, F_2, F_3 \vdash F_4}{\Gamma, F_1 \to F_2, F_3 \vdash F_4}\ {\to}L}{\Gamma, F_1 \to F_2 \vdash F_3 \to F_4, \Delta}\ {\to}R$$

Thus we can recover the completeness of uniform and simple (LJ) proofs by using 
particular properties of LM. This, together with the earlier arguments about disjunctions 
in LM, may be seen as evidence that the approach using LM is more general than using 
LJ. 



5 Contraction-Free Fragments 



One issue which becomes relevant in the analysis involving LM is the role of contraction 
in succedents. In LJ, such contraction is forbidden; in LM, a naive interpretation would 
require that each formula be copied before being used as the principal formula of a rule 
application. However, it is not hard to show that the CR rule is only necessary when 
such a rule application is ∃R; in all other cases the CR rule can either be permuted 
upwards or can be eliminated. 

That such contractions are necessary is shown by the following proof. 

$$\dfrac{\dfrac{\dfrac{\dfrac{p(a) \vdash p(a), p(b) \qquad p(b) \vdash p(a), p(b)}{p(a) \lor p(b) \vdash p(a), p(b)}\ {\lor}L}{p(a) \lor p(b) \vdash p(a), \exists x\, p(x)}\ {\exists}R}{p(a) \lor p(b) \vdash \exists x\, p(x), \exists x\, p(x)}\ {\exists}R}{p(a) \lor p(b) \vdash \exists x\, p(x)}\ CR$$



Hence an implementation will require existentially quantified goals to be copied. 
However, Theorem 5 shows that such copying will not be necessary in the absence 
of disjunctions in programs, or for any fragment which does not contain existentially 
quantified goals. In particular, this argument shows that the propositional fragment does 
not require contraction on the right. 

It is then interesting to pursue the question of whether contraction on the left is 
required in the propositional case. Dyckhoff [4] has shown that it is possible to use a 
more intricate proof system in which contraction is not needed at all for any proposi-
tional fragment. In our case, we are interested in determining whether the standard rules 
of LM are contraction-free for various propositional fragments. 

An intriguing result is that propositional Horn clauses are contraction-free, but 
propositional hereditary Harrop formulae are not. That the latter are not may be shown 
by the following proof, displayed as the chain of sequents from the leaf down to the 
conclusion: 

$$\begin{array}{ll}
p \vdash p \lor (p \to q) & \\
(p \lor (p \to q)) \to q,\ p \vdash q & \\
(p \lor (p \to q)) \to q \vdash p \to q & \\
(p \lor (p \to q)) \to q \vdash p \lor (p \to q) & \\
(p \lor (p \to q)) \to q,\ (p \lor (p \to q)) \to q \vdash q & {\to}L \\
(p \lor (p \to q)) \to q \vdash q & CL
\end{array}$$

However, if we try to omit the contraction, we quickly arrive at an unprovable se-
quent: 

$$\dfrac{\vdash p \lor (p \to q)}{(p \lor (p \to q)) \to q \vdash q}$$

It is interesting to note that Dyckhoff shows in [4] that the formula … ∨ ¬p) 
requires contraction in LJ; this formula is essentially the same as the above formula 
under the transformation of ¬F to F → ⊥. 
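As an added illustration (not from the paper), the following Python search implements the propositional rules used above: LM's multiple-conclusioned ∨R and →L, the single-conclusioned LJ variants, and →L with or without the left contraction CL. It reproduces two observations of the text: p ∨ q ⊢ p ∨ q has a goal-directed proof in LM but not in LJ (Theorem 4), and the hereditary Harrop sequent just shown is provable only when its clause is contracted, whereas a Horn program with a disjunction needs no contraction (Theorem 6). The fuel bound on contraction and all function names are my own.

```python
# Formulae: atoms are strings, compound formulae are ('and', F, F), ('or', F, F)
# or ('imp', F, F).  Programs and goals follow the propositional fragment of Sec. 5:
#   D ::= A | D ∧ D | D ∨ D | G → A        G ::= A | G ∧ G | G ∨ G | D → G
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)

def is_atom(f):
    return isinstance(f, str)

def is_definite(f):
    """Program formula D (the 'imp' case is a clause G -> A)."""
    if is_atom(f):
        return True
    op, a, b = f
    if op in ('and', 'or'):
        return is_definite(a) and is_definite(b)
    return op == 'imp' and is_goal(a) and is_atom(b)

def is_goal(f):
    """Goal formula G (the 'imp' case is D -> G, the hereditary Harrop goal)."""
    if is_atom(f):
        return True
    op, a, b = f
    if op in ('and', 'or'):
        return is_goal(a) and is_goal(b)
    return op == 'imp' and is_definite(a) and is_goal(b)

def provable(gamma, delta, lm=True, contraction=False, fuel=6):
    """Goal-directed search for a proof of gamma |- delta (tuples of formulae).

    lm=True  : LM (multiple conclusions): ->L keeps delta in its left premise
               and the special rule ->R discards the other succedent formulae.
    lm=False : LJ (exactly one succedent formula): vR has to pick a disjunct.
    contraction=False : every left rule consumes its principal formula (no CL);
    contraction=True  : ->L keeps a copy of its clause (CL), at most `fuel` times,
                        so that the search still terminates (my own bound).
    Right rules are applied before left rules; the atomic axiom
    gamma, A |- A, delta closes a branch whenever it applies.
    """
    assert all(is_definite(d) for d in gamma) and all(is_goal(g) for g in delta)
    if not lm and len(delta) != 1:
        raise ValueError("an LJ sequent has exactly one succedent formula")
    if any(is_atom(d) and d in delta for d in gamma):
        return True                                   # Axiom'
    args = (lm, contraction, fuel)
    for i, g in enumerate(delta):                     # right rules first (uniform)
        if is_atom(g):
            continue
        rest = delta[:i] + delta[i + 1:]
        op, a, b = g
        if op == 'and':                               # ∧R is invertible
            return (provable(gamma, rest + (a,), *args)
                    and provable(gamma, rest + (b,), *args))
        if op == 'or':
            if lm:                                    # ∨R in LM: no choice is made
                return provable(gamma, rest + (a, b), *args)
            return (provable(gamma, (a,), *args)      # ∨R in LJ: commit to one disjunct
                    or provable(gamma, (b,), *args))
        if provable(gamma + (a,), (b,), *args):       # ->R drops `rest`: try each candidate
            return True
    if any(not is_atom(g) for g in delta):
        return False
    for i, d in enumerate(gamma):                     # left rules, goals now atomic
        if is_atom(d):
            continue
        rest = gamma[:i] + gamma[i + 1:]
        op, a, b = d
        if op == 'and':
            if provable(rest + (a, b), delta, *args):
                return True
        elif op == 'or':                              # ∨L: both branches keep all of delta
            if (provable(rest + (a,), delta, *args)
                    and provable(rest + (b,), delta, *args)):
                return True
        else:                                         # ->L on the clause G -> A
            if contraction:
                if fuel == 0:
                    continue
                keep, sub = (d,), (lm, contraction, fuel - 1)
            else:
                keep, sub = (), args
            left = delta + (a,) if lm else (a,)       # LM: gamma |- G, delta; LJ: gamma |- G
            if (provable(rest + keep, left, *sub)
                    and provable(rest + keep + (b,), delta, *sub)):
                return True
    return False
```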

We now proceed to show that propositional Horn clauses do not require contraction. 

The fragment of interest is defined by the following rules: 

D ::= A | D ∧ D | D ∨ D | G → A 
G ::= A | G ∧ G | G ∨ G | … | D → G 

We use similar notation for smaller fragments. 

Definition 6. Given an occurrence Γ, F ⊢ F, Δ of the Axiom′ rule, we refer to Γ as 
the context. 

In a proof Φ of a propositional sequent Γ ⊢ Δ, a formula F in Γ is passive if F is 
not the principal formula of any rule occurrence in Φ, and F is in the context of every 
occurrence of the Axiom′ rule. 

Now in order to show that a given fragment is contraction-free, we proceed by 
showing that if a contraction is used, then the formula that is copied by the rule is 
passive (i.e. plays no active part in the proof). 

It is not hard to show that CL permutes up past all propositional rules except →L. 

Hence, we need only consider occurrences of CL which are immediately below →L, 
and for which the principal formula of →L is an active formula of CL, i.e. 

$$\dfrac{\dfrac{\Gamma, F_1 \to F_2 \vdash F_1}{\Gamma, F_1 \to F_2, F_1 \to F_2 \vdash F_2}\ {\to}L}{\Gamma, F_1 \to F_2 \vdash F_2}\ CL$$
Theorem 6. Let Φ be a proof of a sequent 𝒫 ⊢ G of the Horn-clause fragment. Then for every occur-
rence 

$$\dfrac{\dfrac{\Gamma, F_1 \to F_2 \vdash F_1}{\Gamma, F_1 \to F_2, F_1 \to F_2 \vdash F_2}\ {\to}L}{\Gamma, F_1 \to F_2 \vdash F_2}\ CL$$

of CL and →L in Φ, F1 → F2 is passive in Φ. 



Proof. We proceed by induction on the number of occurrences of →L in Φ. Consider 
an occurrence of →L closest to the leaves. As there are no occurrences of →L above it, 
F1 → F2 is clearly passive. 

Hence we assume that the result holds for proofs which contain no more than a 
given number of occurrences of →L. 

Consider an occurrence of →L as above. If F1 → F2 is not passive in Φ, then there 
must be an occurrence of →L in Φ in which F1 → F2 is the principal formula. It is not 
hard to see that as the goals consist only of conjunctions and disjunctions (and hence 
the antecedents in the proof can never be changed), this must be of the form 

$$\dfrac{\dfrac{\Gamma, C_1 \to C_2 \vdash C_1}{\Gamma, C_1 \to C_2, C_1 \to C_2 \vdash C_2}\ {\to}L}{\Gamma, C_1 \to C_2 \vdash C_2}\ CL$$

$$\Phi'$$

$$\dfrac{\dfrac{\Gamma, C_1 \to C_2 \vdash C_1}{\Gamma, C_1 \to C_2, C_1 \to C_2 \vdash C_2}\ {\to}L}{\Gamma, C_1 \to C_2 \vdash C_2}\ CL$$

By the hypothesis we know that C1 → C2 is passive in Φ′. 

Now as there is a sequent identical to one closer to the leaves, we can eliminate the 
part of the proof between these two occurrences, and in particular we can remove the 
copy of the identical sequent closer to the root. □ 

In a similar manner, it is not hard to show that a second fragment is also 
contraction-free. 

Theorem 7. Let Φ be a proof of a sequent 𝒫 ⊢ G of that fragment. Then for every occur-
rence 

$$\dfrac{\dfrac{\Gamma, F_1 \to F_2 \vdash F_1}{\Gamma, F_1 \to F_2, F_1 \to F_2 \vdash F_2}\ {\to}L}{\Gamma, F_1 \to F_2 \vdash F_2}\ CL$$

of CL and →L in Φ, F1 → F2 is passive in Φ. 

Proof. Similar to the above argument. □ 

Hence we arrive at the following classification: 

- Horn clauses are contraction-free. 

- The fragment of Theorem 7 is contraction-free. 

- The fragment containing the hereditary Harrop sequent above is not contraction-free (see above). 

- The fragment of Dyckhoff’s example is not contraction-free (Dyckhoff [4]). 

Note that the third case implies that propositional hereditary Harrop formulae are not 
contraction-free. Note also that these cases cover all the fragments considered. 



6 Conclusions and Further Work 

We have seen that the permutation properties of LM mean that the straightforward ap- 
plication of the notion of goal-directed proof from the single-conclusioned case results 
in a different class of formulae than hereditary Harrop formulae, and in particular that 
disjunctions may be used in programs. We have also seen that it is possible to recover 
hereditary Harrop formulae by not using such disjunctions. This suggests that LM is a 
potentially more general framework for logic programming languages based on intu- 
itionistic logic than LJ. 

Another topic of interest is the relationship between search in LM and search in 
LJ. In particular, the search properties of LM may be thought of as allowing “delayed” 
choices when compared with LJ, particularly for the ∨R and →L rules as mentioned 
above. This means that an attempt at a proof in LM may correspond to more than one 
such attempt in LJ; a correspondence of this sort seems worthy of further investigation. 

Another property of interest is the precise notion of equivalence used. It is known 
that for hereditary Harrop formulae in LJ, there is no increase in power by allowing 
clauses of the form G → D, due to the following intuitionistic equivalences: 

$$G \to (D_1 \land D_2) \equiv (G \to D_1) \land (G \to D_2)$$

$$G \to (G' \to D) \equiv (G \land G') \to D$$

$$G \to (\forall x\, D) \equiv \forall x\,(G \to D) \quad \text{where } x \text{ is not free in } G.$$

In the LM case, this is no longer true, due to the presence of clauses of the form D1 ∨ D2, 
and the fact that G → (D1 ∨ D2) is not intuitionistically equivalent to (G → D1) ∨ (G → 
D2). However, it should be noted that this equivalence does hold in a slightly stronger 
logic (called Gödel-Dummett logic in [5]), in which this is one of the Independence 
of Premise rules. This logic is also relevant to issues of program equivalence [8], and 
so an investigation of the proof theory of such a logic and its relation to LM would be 
particularly interesting. 
Abstract. We have been developing a general symbolic-statistical mod-
eling language based on the logic programming framework that 
semantically unifies (and extends) major symbolic-statistical frameworks 
such as hidden Markov models (HMMs), probabilistic context-free 
grammars (PCFGs) and Bayesian networks. The language, 
PRISM, is intended to model complex symbolic phenomena governed by 
rules and probabilities based on the distributional semantics. Pro-
grams contain statistical parameters and they are automatically learned 
from randomly sampled data by a specially derived EM algorithm, the 
graphical EM algorithm. It works on support graphs representing the 
shared structure of explanations for an observed goal. In this paper, we 
propose the use of tabulation technique to build support graphs, and 
show that as a result, the graphical EM algorithm attains the same time 
complexity as specialized EM algorithms for HMMs (the Baum-Welch 
algorithm) and PCFGs (the Inside-Outside algorithm). 



1 Introduction 

We have been developing a general symbolic-statistical modeling language 
based on the logic programming framework that semantically unifies (and 
extends) major symbolic-statistical frameworks such as hidden Markov models 
(HMMs), probabilistic context-free grammars (PCFGs) and Bayesian 
networks. The language, PRISM (programming in statistical modeling), is 
intended to model complex symbolic phenomena governed by rules and proba-
bilities using the distributional semantics. Programs contain statistical pa-
rameters and they are automatically learned from randomly sampled data by a 
specially derived EM algorithm, the graphical EM algorithm. It works on support 
graphs representing the shared structure of explanations for an observed goal. In 
this paper, we propose the use of tabulation technique to build support graphs, 
and show that as a result, the graphical EM algorithm attains the same time 
complexity as specialized EM algorithms for HMMs (the Baum-Welch algorithm) 
and PCFGs (the Inside-Outside algorithm). Our subject in this paper 
is interdisciplinary, concerning logic programming, probability theory, statistics 
and formal languages, and the reader is assumed to be familiar with the basics of 
these disciplines. 
The rest of this paper is as follows. After having a look at background in the 
next section, and preparing basic materials of PRISM in Sec. 3, we present an 
efficient learning algorithm for PRISM in the section after that. We then evaluate 
the time complexity of our algorithm, and the final section contains a conclusion. 
Throughout the paper, we use Prolog conventions for logic programs. 



2 Background 

2.1 Constraint Approach and Distribution Approach 

Since our work is at the crossroads of logic programming and probability, it 
might help to first review various attempts made to integrate probability with 
logic, or logic programming (though we do not claim exhaustiveness of the list 
at all). In reviewing, one can immediately notice there are two different basic 
attitudes towards the use of probability in logic or logic programming. One type, 
the constraint approach, emphasizes the role of probabilities as constraints and does 
not necessarily seek a unique probability distribution over logical formulas. 
The other type, the distribution approach, explicitly defines a unique distribution by 
model theoretical means or proof theoretical means, to compute various proba-
bilities of propositions. 

A typical constraint approach is seen in the early work of probabilistic logic 
by Nilsson. He considered probabilities assigned to formulas in a knowl-
edge base as constraints on the possible range of probability of a formula of 
interest. He used linear programming techniques to solve constraints, which nec-
essarily delimits the applicability of his approach to finite domains. Turning 
to logic programming, probabilistic logic programming formalized by Ng and 
Subrahmanian used clauses of the form A ← F1 : p1, ..., Fn : pn annotated 
by probability intervals pi. Lakshmanan and Sadri also used annotated 
clauses A ← B1, ..., Bn with c = (Ib, Id) in the formalization of their prob-
abilistic logic programming. Here Ib represents an expert’s belief interval and Id a 
doubt interval, respectively. Both formalizations only allowed for a finite 
number of constant and predicate symbols, but no function symbols. 

Some of the early works of the distribution approach to combining probabil-
ity with logic programs came out of the Bayesian network community. Breese 
made a first attempt to use logic programs to automatically build a Bayesian 
network from a query. After identifying atoms relevant to the query, a lo-
cal Bayesian network for them is constructed to compute posterior probabil-
ities. Logical variables can appear in atoms but no function symbol was al-
lowed (see also later work on the use of logic programs to 
build Bayesian networks). Poole proposed “probabilistic Horn abduction”. 
His program consists of definite clauses and disjoint declarations of the form 
disjoint([h1:p1, ..., hn:pn]) which specifies a probability distribution over 
the hypotheses (abducibles) {h1, ..., hn}. He assigned unique probabilities to all 

Footnote: A Bayesian network is a finite directed acyclic graph representing probabilistic de-
pendences between (continuous or discrete) random variables. 
ground atoms with the help of the theory of logic programming, and furthermore 
proved that Bayesian networks are representable in his framework. He how-
ever imposed various conditions (the covering property, the acyclicity property, 
etc.) on the class of applicable programs. 

In a more linguistic vein, Muggleton formulated SLP (Stochastic Logic Pro-
gramming) procedurally, as an extension of logic programming to PCFGs. 
So, a clause C, which must be range-restricted, is annotated with a probability 
p like p : C. The probability of a goal G is the product of such ps appearing 
in its derivation, but with a modification such that if a subgoal g can invoke n 
clauses, pi : Ci (1 ≤ i ≤ n), at some derivation step, the probability of choos-
ing the k-th clause is normalized, that is pk / Σ_{i=1}^{n} pi. SLP was further extended 
by Cussens by introducing the notion of loglinear models for SLD refutation 
proofs and defining probabilities of ground atoms in terms of their SLD-trees 
and “features”. 



2.2 Limitations and Problems 

Approaches described so far have more or less similar limitations and problems. 
Descriptive power confined to finite domains is the most common limitation, 
which is due to the use of linear programming techniques, or due to the syn-
tactic restrictions not allowing for infinitely many constant, function or predicate 
symbols. Bayesian networks have the same limitation as well (only a finite 
number of random variables are representable). Also there are various seman-
tic/syntactic restrictions on logic programs. For instance the acyclicity condi-
tion prevents the use of clauses with local variables unconditionally, and 
the range-restrictedness excludes programs such as the usual membership 
Prolog program. These restrictions would cause problems when we model the 
distribution of infinitely many objects such as natural language sentences. 

There is another type of problem, the inconsistent assignment of probabilities. 
Think of extensions of PCFGs to logic programs. Since they define the 
probability Pr(A) of an atom A in terms of syntactic features of the proof trees 
for A, it is quite possible for Pr(A) and Pr(A ∧ A) to differ as their proof trees 
are different, though logically, they are one and the same. 

Last but not least, there is a big problem common to any approach using 
probabilities: where do the numbers come from? Generally speaking, if we use n 
binary random variables, we need to get 2^n probabilities to completely specify 
their joint distribution, and this kind of attempt quickly becomes impossible as 
n grows. Also if there are “hidden variables” in the model such as true causes of 
a disease, we need lots of work to get reliable probabilities of those variables. De-
spite these difficulties, all approaches in subsection 2.1 assume their numbers are 
given a priori, and none of them address the problem of how to find probabilities, 
except attempts to use learning techniques for Bayesian networks. 

Footnote (range-restrictedness): A syntactic property that variables appearing in the head also appear in the body 
of a clause. So, a unit clause must be ground. 
2.3 The Idea of PRISM 

We have been developing a general symbolic-statistical modeling language called 
PRISM since 1995 along the line of the distribution approach that is free of the limi-
tations mentioned above. It is a probabilistic logic programming language 
equipped with a new semantic framework termed the distributional semantics, 
an extension of the least Herbrand model semantics to possible world se-
mantics with a distribution. Theoretically, a PRISM program DB = F ∪ R is 
comprised of a denumerable number of ground facts (hypotheses, abducibles) F 
and a denumerable number of rules (definite clauses) R in a first-order language 
with a denumerable number of constant symbols, function symbols and predicate 
symbols. F is supposed to come with a basic distribution P_F that is a completely 
additive probability measure. So every ground atom in F is considered a random 
variable taking on 1 (true) or 0 (false). A sampling of P_F determines a set F′ 
of true atoms, which in turn determines the set of true atoms as M_DB(F′ ∪ R), 
where M_DB(F′ ∪ R) denotes the least Herbrand model of F′ ∪ R. Hence, every ground 
atom in DB is a random variable. Their joint distribution P_DB, a completely ad-
ditive probability measure as an extension of P_F, is defined to be the denotation 
(declarative semantics) of DB (the distributional semantics). 

Thanks to a general semantic framework, we need none of the restrictions such 
as no function symbols and a finite number of constant and predicate symbols, 
the acyclicity and the covering assumption, the range-
restrictedness of clauses or the finiteness of domains. A user can 
write whatever program he or she likes at their own risk without a fear of inconsis-
tent probabilities. Also we succeeded in deriving a new EM learning algorithm 
for learning statistical parameters in PRISM programs (BS programs), and 
hence every program can learn from positive examples. So far, we have confirmed 
the descriptive/learning power of PRISM by tackling various domains including 
the three major symbolic-statistical models, HMMs, PCFGs and Bayesian networks. 


2.4 Problem of Computational Complexity 

The major problem with the current implementation of PRISM is the slow speed 
of learning. After determining the scope of symbolic-statistical phenomena we 
model such as stochastic language generation, we write a parameterized model 
DB (= F ∪ R) that can explain conceivable observations (sentences for instance). 
If independent observations G1, ..., GT are given, we let our EM algorithm 
learn statistical parameters in DB by (locally) maximizing P_DB(Gt = 1). The 
learning process starts with collecting all such S ⊆ F that S ∪ R ⊢ Gt for each 
observation Gt. This all-solution search usually contains a lot of redundancy, 

Footnote: We hereafter use the term “denumerable” as a synonym of “countably infinite.” The 
finite case is similarly treated. 

Footnote: Koller has proposed a probabilistic functional language which can represent 
HMMs, PCFGs and Bayesian networks, but left the problem of declarative semantics 
and learning untouched. 
and in the case of HMMs, we end up in a time complexity exponential in the 
length of an input string. The reason is obvious: in stochastic automata 
such as HMMs, the number of transition paths is exponential, but the Baum-
Welch algorithm, the specialized EM algorithm for HMMs, achieves linear 
time complexity by taking advantage of structure-sharing of transition paths 
represented as a trellis diagram, which corresponds to the reuse of solved subgoals 
in logic programming. We therefore introduced a reuse mechanism of solved goals 
such as OLDT search in PRISM, and thus rederived the whole EM algorithm 
to combine with the OLDT search. Owing to this entire reconstruction, our EM 
algorithm, though applicable to even type-0 stochastic grammars, has achieved 
the same time complexity as specialized EM algorithms as far as HMMs and 
PCFGs are concerned, as described in the sequel. 

3 PRISM Programs 

In this section, we define PRISM programs and the related concepts. See also 
the basic idea of the distributional semantics in Sec. 2.3. 

Definition 1. A PRISM program is a definite clause program DB = F ∪ R 
which satisfies the following conditions on facts F, their distribution P_F and 
rules R. 

1. F is a set of ground atoms of the form msw(i,n,v). The arguments i and n 
are called group-id (or switch name) and trial-id, respectively. We assume 
that a finite set Vi of ground terms is associated with each i, and v ∈ Vi 
holds. Vi corresponds to a set of possible values of switch i. 

2. Let Vi be {v1, v2, ..., v|Vi|}. Then, one of the ground atoms msw(i,n,v1), 
msw(i,n,v2), ..., msw(i,n,v|Vi|) becomes exclusively true (takes the value 
1) on each trial. For each i, θ_{i,v} ∈ [0,1] is a parameter of the (marginal) 
probability of msw(i,·,v) being true (v ∈ Vi), and Σ_{v ∈ Vi} θ_{i,v} = 1 holds. 

3. For each ground terms i, i′, n, n′, v ∈ Vi and v′ ∈ Vi′, the random variable 
msw(i,n,v) is independent of msw(i′,n′,v′) if n ≠ n′ or i ≠ i′. 

4. Define head(R) as the set of atoms appearing in the heads of R. Then, F ∩ 
head(R) = ∅. 

In the first condition, we introduce a predicate msw/3 to represent a basic 
probabilistic choice such as coin-tossing (msw stands for multi-valued switch). A 
ground atom msw(i,n,v) represents an event “a switch named i takes on v as a 
sample value on the trial n.” We combine these switches to build a probability 
distribution of complex phenomena. The second and the third condition say 
that a logical variable V in msw(i,n,V) behaves like a random variable which is 
realized to vk with probability θ_{i,vk} (k = 1, ..., |Vi|). Moreover, from the third 
condition, the logical variables V1 and V2 in msw(i,n1,V1) and msw(i,n2,V2) can 
be seen as independent and identically distributed (i.i.d.) random variables if n1 
and n2 are different ground terms. The fourth condition says that no msw(·,·,·) 
appears in the head of R. 

Footnote: As described before, we consider DB as a denumerable set of ground clauses. i and 
n are arbitrary ground terms in the Herbrand universe. 

Footnote: These probabilities are either learned or given by the user. 



3.1 A Program Example

We here pick up a PRISM program which represents an HMM, also known as a
probabilistic regular grammar. HMMs define a probability distribution over
strings over a given alphabet, and can be considered as probabilistic string gener-
ators in which an output string is a sample from the defined distribution.
The HMM represented below has two states {s0, s1} and outputs a symbol a
or b in each state. For simplicity, the length of output strings is fixed to three.

(1) target(hmm/1).
(2) data('hmm.dat').
(3) table([hmm/1,hmm/3]).
(4) values(init,[s0,s1]).
(5) values(out(_),[a,b]).
(6) values(tr(_),[s0,s1]).

(7) hmm(Cs):-                    % To generate a string (chars) Cs...
      msw(init,null,Si),         % Set initial state to Si, and then
      hmm(1,Si,Cs).              % Enter the loop with clock = 1.
(8) hmm(T,S,[C|Cs]):- T=<3,      % Loop:
      msw(out(S),T,C),           % Output C in state S.
      msw(tr(S),T,NextS),        % Transit from S to NextS.
      T1 is T+1,                 % Put the clock ahead.
      hmm(T1,NextS,Cs).          % Continue the loop (recursion).
(9) hmm(T,S,[]):- T>3.           % Finish the loop if clock > 3.

Procedurally, the above HMM program simulates the generation process of
strings (see the comments in the program). Clauses (7)-(9) represent the prob-
abilistic behavior of the HMM. In clause (8), to output a symbol C, we use differ-
ent switches out(S) conditional on the state S. Note that T in msw(out(S),T,C)
is used to guarantee the independence of the choices at each time step. Re-
cursive clauses like (8) are allowed in the distributional semantics, and so they are
in PRISM. Clauses (1)-(6) contain additional information about the program.
Clause (1) declares that only the ground atoms containing hmm/1 are observable;
hmm([a,b,a]) being true means this HMM generates the string aba. Clause (2)
specifies a file storing the learning data. Clause (3) specifies that the table predicates
(described later) are hmm/1 and hmm/3. We can read off $V_{\text{init}} = \{s0, s1\}$,
$V_{\text{out}(\cdot)} = \{a, b\}$ and $V_{\text{tr}(\cdot)} = \{s0, s1\}$ from clauses (4)-(6).

Footnote: The clause numbers are not written in the actual program.

Footnote: Generally speaking, a conditional probability table (CPT) of a random variable
$X$ can be represented by the switch msw($f(c_1, c_2, \ldots, c_n)$, ·, $x$), where $n$ is the
number of conditioning variables, $f$ is the id of $X$, $c_i$ ($i = 1 \ldots n$) is the value of each
conditioning variable $C_i$, and $x$ is one of $X$'s possible values $x_1, x_2, \ldots, x_k$. Of course,
$V_{f(c_1, c_2, \ldots, c_n)} = \{x_1, x_2, \ldots, x_k\}$ should be declared in advance.
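The semantics of Definition 1 and the behaviour of the HMM program above can be checked with a small script. The following Python is an added example, not code from the paper or from the PRISM system: it re-implements clauses (7)-(9) as an enumerator of explanations (sets of msw/3 atoms), computes $P_{DB}(\text{hmm}(Cs) = 1 \mid \theta)$ as the sum of the explanation probabilities, checks the exclusiveness and uniqueness conditions for the eight possible strings, and runs the naive EM update of Sec. 4.1 (learn-naive) on constructed data. The parameter values in `theta0()` and the training strings are constructed for the example; switch names such as out(s0) are encoded as tuples.

```python
import itertools
import math

# Switch declarations, clauses (4)-(6) of the PRISM program: V_init, V_out(.), V_tr(.)
VALUES = {'init': ['s0', 's1'], 'out': ['a', 'b'], 'tr': ['s0', 's1']}
LEN = 3   # clauses (8)/(9): the clock stops after three symbols


def theta0():
    """Initial parameters theta_{i,v} (constructed values; each switch sums to 1)."""
    return {('init',): {'s0': 0.6, 's1': 0.4},
            ('out', 's0'): {'a': 0.7, 'b': 0.3}, ('out', 's1'): {'a': 0.2, 'b': 0.8},
            ('tr', 's0'): {'s0': 0.5, 's1': 0.5}, ('tr', 's1'): {'s0': 0.3, 's1': 0.7}}


def explanations():
    """Enumerate every (string, explanation) pair derivable from clauses (7)-(9).
    An explanation is the set of msw(i,n,v) atoms, encoded as (i, n, v), that
    makes hmm(Cs) true; i is the switch name as a tuple, e.g. ('out', 's0')."""
    def loop(t, s, prefix, expl):
        if t > LEN:                                  # clause (9): hmm(T,_,[]) :- T>3
            yield prefix, frozenset(expl)
            return
        for c in VALUES['out']:                      # msw(out(S),T,C)
            for nxt in VALUES['tr']:                 # msw(tr(S),T,NextS)
                yield from loop(t + 1, nxt, prefix + (c,),
                                expl | {(('out', s), t, c), (('tr', s), t, nxt)})
    for si in VALUES['init']:                        # clause (7): msw(init,null,Si)
        yield from loop(1, si, (), {(('init',), 'null', si)})


def psi(cs):
    """psi_DB(hmm(Cs)): all explanations of the goal hmm(Cs)."""
    return [e for s, e in explanations() if s == tuple(cs)]


def prob_explanation(expl, theta):
    """P_F(S=1|theta): switches with distinct (i,n) are independent, so multiply."""
    p = 1.0
    for sw, _n, v in expl:
        p *= theta[sw][v]
    return p


def prob_goal(cs, theta):
    """P_DB(hmm(Cs)=1|theta): the explanations are p-exclusive, so just sum."""
    return sum(prob_explanation(e, theta) for e in psi(cs))


def pairwise_exclusive(expls):
    """Exclusiveness condition: two explanations are p-exclusive if they give the
    same switch on the same trial different values (only one msw(i,n,.) is true)."""
    for e1, e2 in itertools.combinations(expls, 2):
        a1 = {(sw, n): v for sw, n, v in e1}
        a2 = {(sw, n): v for sw, n, v in e2}
        if not any(a1[k] != a2[k] for k in a1.keys() & a2.keys()):
            return False
    return True


def all_strings():
    """obs(DB) for this program: every string of length LEN over {a, b}."""
    return [''.join(p) for p in itertools.product(VALUES['out'], repeat=LEN)]


def log_likelihood(data, theta):
    return sum(math.log(prob_goal(g, theta)) for g in data)


def learn_naive(data, theta, eps=1e-6, max_iter=100):
    """learn-naive (Fig. 1): eta[i,v] = sum_t (1/P(G_t)) sum_S P_F(S) sigma_{i,v}(S),
    then theta_{i,v} := eta[i,v] / sum_{v'} eta[i,v'] until the log-likelihood converges."""
    ll = log_likelihood(data, theta)
    for _ in range(max_iter):
        eta = {sw: {v: 0.0 for v in vals} for sw, vals in theta.items()}
        for g in data:
            pg = prob_goal(g, theta)
            for e in psi(g):
                w = prob_explanation(e, theta) / pg      # posterior weight of S
                for sw, _n, v in e:                      # each atom adds 1 to sigma_{i,v}(S)
                    eta[sw][v] += w
        theta = {sw: {v: c / sum(cnt.values()) for v, c in cnt.items()}
                 for sw, cnt in eta.items()}
        new_ll = log_likelihood(data, theta)
        converged = new_ll - ll < eps
        ll = new_ll
        if converged:
            break
    return theta, ll


if __name__ == '__main__':
    th = theta0()
    print(len(psi('aba')), prob_goal('aba', th))         # 16 explanations of hmm([a,b,a])
    print(sum(prob_goal(s, th) for s in all_strings()))  # uniqueness: the goals sum to 1
    print(learn_naive(['aba', 'aba', 'bbb'], th))
```

Because the enumeration is explicit, the cost of `prob_goal` and of one `learn_naive` iteration grows with $|\psi_{DB}(G_t)|$, here $2 \cdot 2^{3} = 16$ explanations per string; lengthening the string makes this exponential, which is the intractability Sec. 4.1 points out.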
3.2 Further Definitions and Assumptions

For the learning algorithm for PRISM, we need some definitions and assump-
tions. For the moment, we assume that the set $I$ of group-ids coincides with the
Herbrand universe of $DB$. Based on $I$, an (infinite-dimension) parameter space
$\Theta$ is defined as follows:

$$\Theta = \prod_{i \in I} \Big\{ (\theta_{i,v_1}, \ldots, \theta_{i,v_{|V_i|}}) \;\Big|\; V_i = \{v_1, \ldots, v_{|V_i|}\},\; \theta_{i,v} \in [0,1],\; \sum_{v \in V_i} \theta_{i,v} = 1 \Big\}. \quad (1)$$



We next define probabilistic inconsistency (consistency), probabilistic
exclusiveness, and independence w.r.t. facts and goals.

Definition 2. Consider a PRISM program $DB = F \cup R$ and a set $S$ of facts in
$F$ ($S \subseteq F$). $S$ is said to be p-inconsistent if $P_F(S = 1 \mid \theta) = 0$ for any parameters
$\theta \in \Theta$. Otherwise, $S$ is said to be p-consistent. Consider two sets $S_1$ and $S_2$
of facts in $F$ which are p-consistent. Then $S_1$ is said to be p-exclusive to $S_2$ if
$S_1 \cup S_2$ is p-inconsistent. Furthermore, let $B_1$ and $B_2$ be two arbitrary atoms
in head(R). Then $B_1$ is said to be p-exclusive to $B_2$ if and only if
$P_{DB}(B_1 = 1, B_2 = 1 \mid \theta) = 0$ for any $\theta \in \Theta$.

Definition 3. For each $B$ in head(R), let $S^{(1)}, \ldots, S^{(m)}$ be the minimal subsets of
$F$ such that

$$\text{comp}(R) \models B \leftrightarrow S^{(1)} \vee \cdots \vee S^{(m)}, \quad (2)$$

where $0 \le m$ and comp(R) is the completion of $R$. Then each of $S^{(1)}, \ldots, S^{(m)}$ is
referred to as a minimal support set or an explanation for $B$. We put
$\psi_{DB}(B) = \{S^{(1)}, \ldots, S^{(m)}\}$.

Together with a PRISM program $DB = F \cup R$, we always consider a (denu-
merable) subset obs(DB) of head(R), which is referred to as the set of observable
atoms. Each $G \in$ obs(DB) is called a goal. Note that the following assumptions
are made only for practical reasons (e.g. program termination and efficiency),
and that the distributional semantics itself does not require them.

Assumption 1. Consider a PRISM program $DB$. In Eq. 2, $m$ is finite ($m < \infty$),
and each of $S^{(1)}, \ldots, S^{(m)}$ is a finite set (finite support condition). For
any $G \in$ obs(DB), the explanations in $\psi_{DB}(G)$ are p-consistent and pairwise p-exclusive
(exclusiveness condition). Goals in obs(DB) are p-exclusive to each other,
and $\sum_{G \in \text{obs}(DB)} P_{DB}(G = 1 \mid \theta) = 1$ holds for any parameter $\theta \in \Theta$ (uniqueness
condition).

From the uniqueness condition, we know that exactly one atom in obs(DB)
becomes true at each observation. Suppose we make $T$ ($< \infty$) independent ob-
servations, and $G_t$ is the atom obtained at the $t$-th observation ($G_t \in$ obs(DB),
$t = 1 \ldots T$). The observed data $\mathcal{G}$ is the finite sequence $(G_1, G_2, \ldots, G_T)$. Then $I$
is redefined here as the set of group-ids of the switches relevant to $\mathcal{G}$, i.e.
$I = \bigcup_{t=1}^{T} \bigcup_{S \in \psi_{DB}(G_t)} \{\, i \mid \exists n, v\; \text{msw}(i,n,v) \in S \,\}$. Also, we redefine $\Theta$ as the (finite-
dimension) parameter space given by Eq. 1.

Footnote: $S$ is a random vector whose elements are in $S$. $\mathbf{1}$ (resp. $\mathbf{0}$) is a vector consisting of
all 1s (resp. 0s). $S = \mathbf{1}$ means all atoms in $S$ are true.

Footnote: We sometimes consider a conjunction of atoms $A_1, A_2, \ldots$ as a set $\{A_1, A_2, \ldots\}$.



4 Learning PRISM Programs

Learning a PRISM program means maximum likelihood estimation (MLE) of the
parameters in the program. That is, given the observations $\mathcal{G} = (G_1, \ldots, G_T)$, we
find the parameter $\theta \in \Theta$ which (locally) maximizes the likelihood
$\lambda(\mathcal{G} \mid \theta) = \prod_{t=1}^{T} P_{DB}(G_t = 1 \mid \theta)$. Although the behavior of a PRISM program
is governed by the behavior, and hence by the parameters $\theta$, of the switches msw(·,·,·)
it contains, we cannot directly observe that behavior (i.e. these switches are "hidden").
Hence we apply the EM algorithm. The learning procedure comprises two phases:

— Find all explanations $\psi_{DB}(G_t)$ for each goal $G_t$ ($t = 1 \ldots T$).

— Run the EM algorithm based on the statistics from $\psi_{DB}(G_t)$ ($t = 1 \ldots T$).

In the rest of this section, we first quickly derive a naive version of the EM
algorithm, assuming $\psi_{DB}$ is given. We then introduce support graphs, a compact data
structure for $\psi_{DB}$. After the introduction of support graphs, the graphical EM
algorithm, an efficient EM algorithm working on support graphs, is described.



4.1 Naive Approach

To derive an EM algorithm for PRISM, we must define a Q function. First, from
the exclusiveness and the uniqueness conditions, it is easily shown that the expla-
nations in $\Delta_{DB} = \bigcup_{G \in \text{obs}(DB)} \psi_{DB}(G)$ are all pairwise p-exclusive. Besides,
also from the uniqueness condition,

$$\sum_{G \in \text{obs}(DB)} P_{DB}(G = 1 \mid \theta) = \sum_{G \in \text{obs}(DB)} \sum_{S \in \psi_{DB}(G)} P_{DB}(S = 1 \mid \theta) = \sum_{S \in \Delta_{DB}} P_{DB}(S = 1 \mid \theta) = 1$$

holds for any $\theta \in \Theta$. Hence, exactly one of the explanations in $\Delta_{DB}$ is true.
Since $\Delta_{DB}$ is denumerable, we can consider an isomorphic map $f : \Delta_{DB} \to \mathcal{N}^{+}$,
where $\mathcal{N}^{+}$ is the set of positive integers, and temporarily introduce a new random
variable $E$ on $\Theta$ such that $E = f(S)$ if $S \in \Delta_{DB}$ is exclusively true ($S = \mathbf{1}$),
or $E = 0$ otherwise. Now we are in a position to define the Q function:

$$Q(\theta', \theta) \stackrel{\text{def}}{=} \sum_{t=1}^{T} \sum_{e \in \mathcal{N}} P_{DB}(E = e \mid G_t = 1, \theta) \log P_{DB}(E = e, G_t = 1 \mid \theta'), \quad (3)$$

where $\mathcal{N}$ is the set of non-negative integers. It is easy to show that $Q(\theta', \theta) \ge Q(\theta, \theta)$
implies $\lambda(\mathcal{G} \mid \theta') \ge \lambda(\mathcal{G} \mid \theta)$. Therefore, for MLE, starting with some pa-
rameters $\theta^{(0)}$, we iteratively update the parameters by $\theta^{(m+1)} := \arg\max_{\theta'} Q(\theta', \theta^{(m)})$
until the log-likelihood $\log \lambda(\mathcal{G} \mid \theta)$ converges. Transforming Eq. 3, the following
formula is obtained:

$$Q(\theta', \theta) = \sum_{i \in I,\, v \in V_i} \eta(i, v, \theta) \log \theta'_{i,v} \;\le\; \sum_{i \in I,\, v \in V_i} \eta(i, v, \theta) \log \frac{\eta(i, v, \theta)}{\sum_{v' \in V_i} \eta(i, v', \theta)},$$

where $\eta(i, v, \theta) \stackrel{\text{def}}{=} \sum_{t=1}^{T} \frac{1}{P_{DB}(G_t = 1 \mid \theta)} \sum_{S \in \psi_{DB}(G_t)} P_F(S = 1 \mid \theta)\, \sigma_{i,v}(S)$, and the
bound is attained at $\theta'_{i,v} = \eta(i, v, \theta) / \sum_{v' \in V_i} \eta(i, v', \theta)$. Hence, we
reach the procedure learn-naive in Fig. 1 that finds the MLE of the parame-
ters. The array variable $\eta[i, v]$ contains $\eta(i, v, \theta)$ under the current $\theta$. In this
procedure, the calculations of $P_{DB}(G_t = 1 \mid \theta)$ and $\eta[i, v]$ (Line 5) are
computationally intractable when $|\psi_{DB}(G_t)|$ is exponential (though finite) in
the complexity of the model.

Footnote: Under the exclusiveness condition, each marginal probability of $G_t$ being true is
calculated as below. $\sigma_{i,v}(S)$ is defined as $\sigma_{i,v}(S) \stackrel{\text{def}}{=} |\{\, n \mid \text{msw}(i,n,v) \in S \,\}|$.

$$P_{DB}(G_t = 1 \mid \theta) = \sum_{S \in \psi_{DB}(G_t)} P_F(S = 1 \mid \theta) = \sum_{S \in \psi_{DB}(G_t)} \prod_{i \in I,\, v \in V_i} \theta_{i,v}^{\sigma_{i,v}(S)}.$$

Footnote: In earlier work, PRISM* programs were introduced to remove computationally intractable
terms. We here present an alternative way to remove them.



4.2 Tabulation Approach

For efficient computation of $P_{DB}(G_t = 1 \mid \theta)$ and $\eta[i, v]$, we introduce structure-
sharing of explanations by tabulation, which requires more assumptions on $DB$.
We assume that a set of table predicates table(DB) is declared in advance (like
the HMM program in Sec. 3.1). A ground atom whose predicate is in table(DB) is
called a table atom. We use comp(R), the completion of the rules $R$,
again in the following assumption.

Assumption 2. Let $DB$ be a PRISM program which satisfies the finite support
condition, the exclusiveness condition, and the uniqueness condition. Assume
that, for each $t = 1 \ldots T$, the following condition holds for some finite ordered
set $\tilde{\tau}^t_{DB} = \{\tau^t_1, \ldots, \tau^t_{K_t}\}$ of table atoms:

$$\text{comp}(R) \models (\tau^t_0 \leftrightarrow S^t_{0,1} \vee \cdots \vee S^t_{0,m_0}) \wedge (\tau^t_1 \leftrightarrow S^t_{1,1} \vee \cdots \vee S^t_{1,m_1}) \wedge \cdots \wedge (\tau^t_{K_t} \leftrightarrow S^t_{K_t,1} \vee \cdots \vee S^t_{K_t,m_{K_t}}), \quad (4)$$

where

— Letting $G_t$ be $\tau^t_0$, each of $S^t_{k,1}, \ldots, S^t_{k,m_k}$ is a subset of $F \cup \{\tau^t_{k+1}, \ldots, \tau^t_{K_t}\}$,
and is also called a t-explanation for $\tau^t_k$ (for $k = 0 \ldots K_t$). We here put
$\psi_{DB}(\tau^t_k) \stackrel{\text{def}}{=} \{S^t_{k,1}, \ldots, S^t_{k,m_k}\}$ (for $k = 0 \ldots K_t$).

— Each of $S^t_{k,1}, \ldots, S^t_{k,m_k}$ ($k = 0 \ldots K_t$) is a set of independent atoms.

From the finite support condition, for $k = 0 \ldots K_t$, $m_k$ is finite and each of
$S^t_{k,1}, \ldots, S^t_{k,m_k}$ is finite. Also, from the exclusiveness condition, $S^t_{k,1}, \ldots, S^t_{k,m_k}$
are p-consistent and pairwise p-exclusive ($k = 0 \ldots K_t$). Besides, from the uniqueness
condition, $G_t \notin \tilde{\tau}^{t'}_{DB}$ holds for any $t, t' = 1 \ldots T$. Each $\tau^t_k$ ($k = 1 \ldots K_t$) is
referred to as a table atom. We call the former condition the acyclic support
condition, and the latter the independent support condition.

Footnote: For example, the complexity of the HMM depends on the number of states, the
length of the input/output string or the number of output symbols.

278 Yoshitaka Kameya and Taisuke Sato

1:  procedure learn-naive(DB, $\mathcal{G}$) begin
2:    Select some $\theta$ from $\Theta$; $m := 0$; $\lambda^{(0)} := \sum_{t=1}^{T} \log P_{DB}(G_t = 1 \mid \theta)$;
3:    repeat
4:      foreach $i \in I, v \in V_i$ do
5:        $\eta[i, v] := \sum_{t=1}^{T} \frac{1}{P_{DB}(G_t = 1 \mid \theta)} \sum_{S \in \psi_{DB}(G_t)} P_F(S = 1 \mid \theta)\, \sigma_{i,v}(S)$;
6:      foreach $i \in I, v \in V_i$ do
7:        $\theta_{i,v} := \eta[i, v] / \sum_{v' \in V_i} \eta[i, v']$;
8:      $m := m + 1$;
9:      $\lambda^{(m)} := \sum_{t=1}^{T} \log P_{DB}(G_t = 1 \mid \theta)$
10:   until $\lambda^{(m)} - \lambda^{(m-1)} < \varepsilon$
11: end.

Fig. 1. A procedure for the naive approach.

The task here is to construct such $\tilde{\tau}^t_{DB}$ and $\psi_{DB}(\tau^t_k)$ from the source PRISM pro-
gram. One way is to use OLDT (OLD with tabulation), a complete search
technique for logic programs. In OLDT, a (sub-)goal $g$ containing a table predi-
cate is registered in a solution table, whereas an instance of $g$ is registered in
a lookup table. The latter reuses the solutions in the solution table. In what follows,
we illustrate our tabulation approach using the HMM program in Sec. 3.1.
First, we translate the PRISM program into another logic program. Similarly
to the translation of definite clause grammars (DCGs) in Prolog, we add two
arguments (which form a D-list) to each predicate for collecting t-explanations.
In the case of the HMM program, the translation results in:

(T1)  top_hmm(Cs,X):- tab_hmm(Cs,X,[]).
(T3)  tab_hmm(Cs,[hmm(Cs)|X],X):- hmm(Cs,[]).
(T3') tab_hmm(T,S,Cs,[hmm(T,S,Cs)|X],X):- hmm(T,S,Cs,[]).
(T4)  e_msw(init,T,s0,[msw(init,T,s0)|X],X).
(T4') e_msw(init,T,s1,[msw(init,T,s1)|X],X).
(T7)  hmm(Cs,X0,X1):- e_msw(init,null,Si,X0,X2), tab_hmm(1,Si,Cs,X2,X1).
(T8)  hmm(T,S,[C|Cs],X0,X1):-
        T=<3, e_msw(out(S),T,C,X0,X2), e_msw(tr(S),T,NextS,X2,X3),
        T1 is T+1, tab_hmm(T1,NextS,Cs,X3,X1).
(T9)  hmm(T,S,[],X,X):- T>3.

Footnote: The prefix "t-" is an abbreviation of "tabled-".

Footnote: For $B_1, B_2 \in$ head(R), $B_1$ is independent of $B_2$ if $P_{DB}(B_1 = y_1, B_2 = y_2 \mid \theta) =
P_{DB}(B_1 = y_1 \mid \theta) \cdot P_{DB}(B_2 = y_2 \mid \theta)$ for any $y_1, y_2 \in \{0, 1\}$ and any $\theta \in \Theta$.
hmm([a,b,a]):    [hmm([a,b,a]): [[m(init,null,s0),hmm(1,s0,[a,b,a])],
                                 [m(init,null,s1),hmm(1,s1,[a,b,a])]]]

hmm(1,s0,[a,b,a]):
   [hmm(1,s0,[a,b,a]): [[m(out(s0),1,a),m(tr(s0),1,s0),hmm(2,s0,[b,a])],
                        [m(out(s0),1,a),m(tr(s0),1,s1),hmm(2,s1,[b,a])]]]

hmm(1,s1,[a,b,a]):
   [hmm(1,s1,[a,b,a]): [[m(out(s1),1,a),m(tr(s1),1,s0),hmm(2,s0,[b,a])],
                        [m(out(s1),1,a),m(tr(s1),1,s1),hmm(2,s1,[b,a])]]]

Fig. 2. Solution table (m is an abbreviation of msw).



Clauses (Tj) and (Tj') correspond to the original clause (j), respectively. In
the translated program, p/(n+2) is a table predicate if p/n is a table predicate
in the original program. We use the predicate tab_p/(n+2) to keep the t-
explanations (in Eq. 4). Note that tab_p/(n+2) is called instead of the table
predicate p/(n+2). We then apply OLDT search while noting that (i) the added D-list
does not influence the original OLDT procedure, and (ii) we associate a list of
t-explanations with each solution. For example, running OLDT for the above
translated program gives the solution table in Fig. 2. Finally, we extract $\tilde{\psi}_{DB}$,
the set of all t-explanations, from this table. The remaining task is to get totally
ordered table atoms, i.e. the ordered set $\tilde{\tau}^t_{DB}$ respecting the acyclicity in Eq. 4.
Obviously, it can be done by topological sorting.

To help visualize our learning algorithm, we introduce a data structure
called support graphs, though the algorithm itself is defined using only $\tilde{\psi}_{DB}$
and the ordered sets $\tilde{\tau}^t_{DB}$. As illustrated in Fig. 3(a), the support graph for
$G_t$ ($t = 1 \ldots T$), a graphical representation of Eq. 4, consists of disconnected
subgraphs, each of which is labeled with the corresponding table atom $\tau^t_k$
($k = 1 \ldots K_t$). Each subgraph labeled $\tau^t_k$ comprises two special nodes, the start
node and the end node, and explanation graphs, each of which corresponds to
a t-explanation $S^t_{k,j}$ in $\psi_{DB}(\tau^t_k)$ ($j = 1 \ldots m_k$). An explanation graph of $S^t_{k,j}$

Fig. 3. A support graph (a) in general form, (b) for the HMM program with
$G_t$ = hmm([a,b,a]). A double-circled node refers to a table node.
1:  procedure learn-gEM(DB, $\mathcal{G}$)
2:  begin
3:    Select some $\theta$ from $\Theta$;
4:    get-inside-probs(DB, $\mathcal{G}$);
5:    $m := 0$; $\lambda^{(0)} := \sum_{t=1}^{T} \log \mathcal{P}[t, G_t]$;
6:    repeat
7:      get-expectations(DB, $\mathcal{G}$);
8:      foreach $i \in I, v \in V_i$ do
9:        $\eta[i, v] := \sum_{t=1}^{T} \eta[t, i, v]$;
10:     $m := m + 1$;
11:     foreach $i \in I, v \in V_i$ do
12:       $\theta_{i,v} := \eta[i, v] / \sum_{v' \in V_i} \eta[i, v']$;
13:     get-inside-probs(DB, $\mathcal{G}$);
14:     $\lambda^{(m)} := \sum_{t=1}^{T} \log \mathcal{P}[t, G_t]$
15:   until $\lambda^{(m)} - \lambda^{(m-1)} < \varepsilon$
16: end.

1:  procedure get-inside-probs(DB, $\mathcal{G}$)
2:  begin
3:    for $t := 1$ to $T$ do begin
4:      Put $G_t = \tau^t_0$;
5:      for $k := K_t$ downto $0$ do begin
6:        $\mathcal{P}[t, \tau^t_k] := 0$;
7:        foreach $S \in \psi_{DB}(\tau^t_k)$ do begin
8:          Put $S = \{A_1, A_2, \ldots, A_{|S|}\}$;
9:          $\mathcal{R}[t, \tau^t_k, S] := 1$;
10:         for $\ell := 1$ to $|S|$ do
11:           if $A_\ell = $ msw(i,·,v) then
12:             $\mathcal{R}[t, \tau^t_k, S] \mathrel{*}= \theta_{i,v}$
13:           else $\mathcal{R}[t, \tau^t_k, S] \mathrel{*}= \mathcal{P}[t, A_\ell]$;
14:         $\mathcal{P}[t, \tau^t_k] \mathrel{+}= \mathcal{R}[t, \tau^t_k, S]$
15:       end /* foreach S */
16:     end /* for k */
17:   end /* for t */
18: end.

1:  procedure get-expectations(DB, $\mathcal{G}$) begin
2:    for $t := 1$ to $T$ do begin
3:      Put $G_t = \tau^t_0$; $\mathcal{Q}[t, \tau^t_0] := 1$; for $k := 1$ to $K_t$ do $\mathcal{Q}[t, \tau^t_k] := 0$;
        foreach $i \in I, v \in V_i$ do $\eta[t, i, v] := 0$;
4:      for $k := 0$ to $K_t$ do
5:        foreach $S \in \psi_{DB}(\tau^t_k)$ do begin
6:          Put $S = \{A_1, A_2, \ldots, A_{|S|}\}$;
7:          for $\ell := 1$ to $|S|$ do
8:            if $A_\ell = $ msw(i,·,v) then $\eta[t, i, v] \mathrel{+}= \mathcal{Q}[t, \tau^t_k]\, \mathcal{R}[t, \tau^t_k, S] / \mathcal{P}[t, G_t]$
9:            else $\mathcal{Q}[t, A_\ell] \mathrel{+}= \mathcal{Q}[t, \tau^t_k]\, \mathcal{R}[t, \tau^t_k, S] / \mathcal{P}[t, A_\ell]$
10:       end /* foreach S */
11:     end /* for t */
12: end.

Fig. 4. Graphical EM algorithm.

is a cascade of nodes, where each node is labeled with a table atom $\tau$ or a switch
msw(·,·,·) in $S^t_{k,j}$; it is called a table node or a switch node, respectively. Support graphs
have a similar structure to recursive transition networks (RTNs). Fig. 3(b) is
the support graph for hmm([a,b,a]) obtained from the solution table in Fig. 2.
Each table node labeled $\tau$ refers to the subgraph labeled $\tau$, so data-sharing is
achieved by distinct table nodes referring to the same subgraph.
4.3 Graphical EM Algorithm

We describe here a new learning algorithm, the graphical EM algorithm, that
works on support graphs (more specifically, on $\tilde{\psi}_{DB}$ and $\tilde{\tau}^t_{DB}$). We prepare four
arrays for each support graph for $G_t$ ($t = 1 \ldots T$): $\mathcal{P}[t, \tau]$ for the inside probabilities
of $\tau$, $\mathcal{Q}[t, \tau]$ for the outside probabilities of $\tau$, $\mathcal{R}[t, \tau, S]$ for the explanation probabilities
of $S$ in $\psi_{DB}(\tau)$, and $\eta[t, i, v]$ for the expected counts of msw(i,·,v). The algorithm is
shown in Fig. 4. Due to the space limitation, details are omitted. It can be shown,
however, that learn-gEM is equivalent to the procedure learn-naive (Sec. 4.1).
As shown in Sec. 4.1, learn-naive is the MLE procedure, hence the following
theorem holds.

Theorem 1. Let $DB$ be a PRISM program, and $\mathcal{G}$ be the observed data. Then
learn-gEM finds $\theta^* \in \Theta$ which (locally) maximizes the likelihood $\lambda(\mathcal{G} \mid \theta)$.
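The two phases of Sec. 4.2 and 4.3 (tabled explanation search, then inside/outside computation on the resulting support graph) can be demonstrated end to end on the HMM program. The following Python is an added example written for this page, not the PRISM implementation: `build_support_graph` plays the role of OLDT for clauses (7)-(9) by memoizing the table atoms hmm(T,S,Cs) and recording their t-explanations, then topologically sorts them into the order required by Eq. 4; `inside`, `expectations` and `learn_gem` follow get-inside-probs, get-expectations and learn-gEM of Fig. 4. The parameter values in `theta0()` and the training strings are constructed for the example; table atoms and switches are encoded as tuples.

```python
import math

VALUES = {'init': ['s0', 's1'], 'out': ['a', 'b'], 'tr': ['s0', 's1']}  # clauses (4)-(6)
LEN = 3                                                                  # clauses (8)/(9)

def theta0():
    """Initial parameters theta_{i,v} (constructed values, each switch sums to 1)."""
    return {('init',): {'s0': 0.6, 's1': 0.4},
            ('out', 's0'): {'a': 0.7, 'b': 0.3}, ('out', 's1'): {'a': 0.2, 'b': 0.8},
            ('tr', 's0'): {'s0': 0.5, 's1': 0.5}, ('tr', 's1'): {'s0': 0.3, 's1': 0.7}}

def build_support_graph(cs):
    """Tabled (OLDT-style) explanation search for hmm(Cs). Returns (order, table):
    table[tau] lists the t-explanations of table atom tau, each a list of switch
    atoms ('msw', i, n, v) or table atoms ('hmm', T, S, Cs); order starts with
    tau_0 = hmm(Cs) and every t-explanation refers only to atoms later in it (Eq. 4)."""
    cs, table = tuple(cs), {}

    def tab_hmm(t, s, rest):
        tau = ('hmm', t, s, rest)
        if tau in table:                          # lookup: reuse the solved subgoal
            return tau
        expls = []
        if t > LEN and rest == ():                # clause (9): no switches, no subgoals
            expls.append([])
        elif t <= LEN and rest:                   # clause (8): out is fixed by the string
            for nxt in VALUES['tr']:
                sub = tab_hmm(t + 1, nxt, rest[1:])
                if table[sub]:                    # keep only subgoals that succeed
                    expls.append([('msw', ('out', s), t, rest[0]),
                                  ('msw', ('tr', s), t, nxt), sub])
        table[tau] = expls
        return tau

    top = ('hmm', cs)                             # clause (7)
    table[top] = [[('msw', ('init',), 'null', si), sub] for si in VALUES['init']
                  if table[(sub := tab_hmm(1, si, cs))]]
    order, seen = [], set()

    def visit(tau):                               # topological sort (DFS post-order)
        if tau not in seen:
            seen.add(tau)
            for atom in (a for expl in table[tau] for a in expl if a[0] == 'hmm'):
                visit(atom)
            order.append(tau)
    visit(top)
    return order[::-1], table

def inside(order, table, theta):
    """get-inside-probs: P[tau] and R[tau,S], computed from tau_K down to tau_0."""
    P, R = {}, {}
    for tau in reversed(order):
        P[tau] = 0.0
        for j, expl in enumerate(table[tau]):
            r = 1.0
            for atom in expl:
                r *= theta[atom[1]][atom[3]] if atom[0] == 'msw' else P[atom]
            R[(tau, j)] = r
            P[tau] += r
    return P, R

def expectations(order, table, theta, P, R):
    """get-expectations: outside probabilities Q[tau] from tau_0 down, and
    eta[i][v] = expected count of msw(i,.,v) given that the goal is true."""
    top, Q = order[0], {tau: 0.0 for tau in order}
    Q[top] = 1.0
    eta = {sw: {v: 0.0 for v in vals} for sw, vals in theta.items()}
    for tau in order:
        for j, expl in enumerate(table[tau]):
            share = Q[tau] * R[(tau, j)]          # mass of derivations through tau via S
            for atom in expl:
                if atom[0] == 'msw':
                    eta[atom[1]][atom[3]] += share / P[top]
                else:
                    Q[atom] += share / P[atom]
    return eta

def log_likelihood(graphs, theta):
    return sum(math.log(inside(o, tb, theta)[0][o[0]]) for o, tb in graphs)

def em_step(graphs, theta):
    """One learn-gEM iteration: sum eta over the goals, then normalise per switch."""
    eta = {sw: {v: 0.0 for v in vals} for sw, vals in theta.items()}
    for order, table in graphs:
        P, R = inside(order, table, theta)
        for sw, cnt in expectations(order, table, theta, P, R).items():
            for v, c in cnt.items():
                eta[sw][v] += c
    return {sw: {v: c / sum(cnt.values()) for v, c in cnt.items()} for sw, cnt in eta.items()}

def learn_gem(data, theta, eps=1e-6, max_iter=100):
    """learn-gEM: the search phase runs once per goal; each EM iteration then costs
    time linear in the total size of the support graphs."""
    graphs = [build_support_graph(cs) for cs in data]
    ll = log_likelihood(graphs, theta)
    for _ in range(max_iter):
        theta = em_step(graphs, theta)
        new_ll = log_likelihood(graphs, theta)
        if new_ll - ll < eps:
            return theta, new_ll
        ll = new_ll
    return theta, ll
```

For hmm([a,b,a]) the graph has nine table atoms (the goal plus hmm(T,S,·) for two states and four clock values), and every EM iteration touches each t-explanation once, whereas enumerating explanations explicitly visits all 16 of them per goal; the gap grows exponentially with the string length. A useful self-check is that the expected counts of one goal sum to the number of switch uses in any derivation, here $1 + 3 + 3 = 7$.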

5 Complexity

In this section, we estimate the time complexity of our learning method in the case of
PRISM programs for PCFGs, and compare it with the Inside-Outside algorithm.
Since our method comprises two phases (OLDT and the graphical EM), we
estimate the computation time in each phase.

In the Inside-Outside algorithm, time complexity is measured by $N$, the
number of non-terminals, and $L$, the number of terminals in the input/output
sentence. Assuming that the target grammar is in Chomsky normal form, the
worst-case time complexity is the computation time for the largest grammar, i.e.
the set of all combinations of terminals and non-terminals. Hence, we may start
with a logic program (not a PRISM program) representing the largest grammar:

$$\{\, \text{q}(i,d,d') \text{ :- } \text{q}(j,d,d''),\, \text{q}(k,d'',d') \mid i, j, k = 1 \ldots N,\; 0 \le d < d'' < d' \le L \,\}
\;\cup\; \{\, \text{q}(i,d,d') \mid i = 1 \ldots N,\; 0 \le d \le L-1,\; d' = d+1 \,\}. \quad (5)$$

q(i,d,d') says that the $i$-th non-terminal spans from the $(d+1)$-th word to the $d'$-th
word. The textual order over the clauses "q(i,d,d') :- q(j,d,d''), q(k,d'',d')"
is the lexicographic order over the tuples $(i, j, k, d, d', d'')$. We then make an
exhaustive search for the query by OLDT. Assuming that the solution table
is accessible in $O(1)$ time, the time complexity of OLDT is measured by the
number of nodes in the OLDT tree (the search tree for OLDT). We fix the search
strategy to the multi-stage depth-first strategy. Let $T_d$ be the OLDT tree for the
query ?-q(1,d,L). Fig. 5 illustrates the case $0 \le d \le L-3$. As can be
seen, even for this simple grammar, the tree has many similar subtrees, so we
put them together (see [Note] in Fig. 5). Then, due to the depth-first strategy,
$T_d$ has a recursive structure, i.e. $T_{d+1}$ is a part of $T_d$. We enumerate $h_d$, the

Footnote: To be more specific, under the same parameters $\theta$, the value of $\eta[i, v]$ in learn-naive
(Line 5) is equal to that in learn-gEM (Line 9). Hence, the parameters are up-
dated to the same value. Furthermore, starting with the same initial parameters,
the converged parameters are also the same.
[Figure 5, OLDT tree: the root ?-q(1,d,L) branches over 1 =< j =< N, d+2 =< e =< L-1
and 2 =< k =< N into subgoals such as ?-q(1,d,d+1),q(1,d+1,L), ?-q(j,d,d+1),q(k,d+1,L)
and ?-q(j,d,e),q(k,e,L); the subtree T'_d ranges over ?-q(i',d,e'),q(j',e',e),q(1,e,L)
with 1 =< i',j' =< N and d+2 =< e' < e. Nodes whose leftmost atom q(i,d',d'') already
appears (d+1 =< d' < d'' =< L, 1 =< i =< N) are lookup nodes. [Note]: a fan of N
similar subtrees p(1), ..., p(N) below a node is drawn once.]

Fig. 5. An OLDT tree $T_d$ for the query ?-q(1,d,L).



number of nodes in $T_d$ but not in $T_{d+1}$. The node with an underlined leftmost
atom is a lookup node, which only consumes the solutions obtained else-
where. From Fig. 5, $h_d = O(N^3 (L-d)^2)$. The total time for OLDT search is the
number of nodes in the OLDT tree for ?-q(1,0,L) (the whole sentence), that is,
$\sum_{d=0}^{L-1} h_d = O(N^3 L^3)$. In the case of the DCG program below, it can be proved
similarly that the time complexity is $O(N^3 L^3)$.

$$\{\, \text{q}(i,\text{L0},\text{L1}) \text{ :- } \text{q}(j,\text{L0},\text{L2}),\, \text{q}(k,\text{L2},\text{L1}) \mid i, j, k = 1 \ldots N \,\}
\;\cup\; \{\, \text{q}(i,\text{L0},\text{L1}) \text{ :- } \text{L0} = [w \mid \text{L1}] \mid i = 1 \ldots N,\; w \text{ is a terminal symbol} \,\}$$

Since our method respects the original OLDT procedure, the search time for the
corresponding PRISM program given $T$ observed goals is $O(N^3 L^3 T)$.

On the other hand, the learning time of the graphical EM algorithm is propor-
tional to the size of the support graphs used, i.e. the number of nodes in the
graphs. It is easily shown, from the description of learn-gEM, that the size of
the graphs is $O(\xi_{\text{num}}\, \xi_{\text{maxsize}}\, T)$, where $\xi_{\text{num}} = \max_{1 \le t \le T} |\tilde{\psi}^t_{DB}|$ is the
maximum number of t-explanations for one goal and
$\xi_{\text{maxsize}} = \max_{1 \le t \le T} \max_{S \in \tilde{\psi}^t_{DB}} |S|$ is the maximum size of a t-explanation. In the case of the PCFG pro-
gram, $\xi_{\text{num}} = O(N^3 L^3)$ and $\xi_{\text{maxsize}} = O(1)$. Hence, the computation time per
update of the graphical EM algorithm is $O(N^3 L^3 T)$. We therefore have:

Footnote: We here focus on the subtree $T'_d$. Each of $j, i', j'$ ranges from 1 to $N$, and
$|\{(e, e') \mid d+2 \le e' < e \le L-1\}| = O((L-d)^2)$. Hence, the number of nodes in
$T'_d$ is $O(N^3 (L-d)^2)$. The number of nodes in $T_d$ but neither in $T_{d+1}$ nor in $T'_d$ is
negligible, therefore $h_d = O(N^3 (L-d)^2)$.

Footnote: The numbers of nodes of $T_{L-1}$ and $T_{L-2}$ are negligible.
Proposition 1. Let $DB$ be a PRISM program representing a PCFG, and $\mathcal{G} =
(G_1, G_2, \ldots, G_T)$ be the observed data. We assume each table operation in OLDT
search is done in time $O(1)$. Then OLDT search for the goals $G_t$ and each itera-
tion in learn-gEM are done in time $O(N^3 L^3 T)$.

$O(N^3 L^3 T)$ is also the time complexity of the Inside-Outside algorithm, hence
our algorithm is as efficient as the Inside-Outside algorithm. Similarly, we can
show that, for HMM programs like the one in Sec. 3.1, the search and the learning
time is $O(N^2 L T)$, the same order as that of the Baum-Welch algorithm ($N$ is
the number of states).

6 Conclusion

We have proposed an efficient EM learning algorithm for parameterized logic
programs which seamlessly unify logical semantics and probabilistic semantics.
It is shown that our general algorithm works as efficiently as the specialized EM al-
gorithms such as the Baum-Welch algorithm and the Inside-Outside algorithm.
Furthermore, due to the generality of the language and the learning algorithm,
our framework can be applied to stochastic grammars with context depen-
dencies such as the bigram model of production rules, in which case the time
complexity of the EM learning is polynomial (details are omitted). The omitted
details in this paper will be included in the full paper we are preparing.
Abstract. Model generation theorem proving (MGTP) is a class of de-
duction procedures for first-order logic that were successfully used to
solve hard combinatorial problems. For some applications the represen-
tation of models in MGTP and its extension CMGTP is too redundant.
Here we suggest to extend members of model candidates in such a way
that a predicate p can have not only terms as arguments, but at certain
places also subsets of totally ordered finite domains. The ensuing lan-
guage and deduction system relies on constraints based on finite intervals
in totally ordered sets and is called IV-MGTP. It is related to constraint
programming and many-valued logic, but differs significantly from ei-
ther. We show soundness and completeness of IV-MGTP. First results
with our implementation show considerable potential of the method.



1 Introduction

Model generation theorem proving (MGTP) is a class of deduction procedures for
first-order logic in conjunctive normal form (CNF) that have been successfully
used to solve hard combinatorial problems. The procedural semantics of first-
order CNF formulas as defined by MGTP is based on bottom-up evaluation.
MGTP operates on range-restricted non-Horn rules over positive literals, and it is
proof confluent. Together, this ensures completeness even without backtracking.
MGTP is closely related to hypertableaux. CMGTP is an extension
of MGTP that allows negated atoms in rules and approximates their declarative
semantics with an additional inference rule. Very efficient implementations of
(C)MGTP have been realized.

In MGTP (CMGTP), interpretations (called model candidates) are repre-
sented as finite sets of ground atoms (literals). In many situations this turns out
to be too redundant: take, for example, variables $I$, $J$ ranging over the domain
$dom = \{1, \ldots, 4\}$, and interpret $<$ and $+$ naturally. A rule like
"$p(I), dom(J), I + J \le 4 \rightarrow q(J)$" splits into three model extensions $q(1)$, $q(2)$, $q(3)$
if $p(1)$ is present in the current model candidate. Now assume we have the rule
"$q(I), q(J), I \ne J \rightarrow \bot$" saying that $q$ is functional in its argument and, say, $q(4)$ is derived.
Then all three branches must be refuted separately. Note that the rules above
do not take advantage of pattern matching (the arguments of the predicates are
flat).

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 285–..., 2000.
© Springer-Verlag Berlin Heidelberg 2000

Totally ordered, finite domains occur naturally in many problems. In such
problems, situations like the one just sketched are common. Here we set out to
enhance MGTP with mechanisms to deal with them efficiently. Informally, we
suggest two extensions of MGTP: first, the arguments of predicates can contain
certain finite domain constructors based on intervals. The first rule on the pre-
vious page could be rephrased as "$p([I,I]) \rightarrow q([1, 4-I])$", where $[i,j]$ denotes
the set $\{k \in dom \mid i \le k \le j\}$. Second, to make full use of this extended lan-
guage, elements of model candidates $M$ are generalised as well. In the example,
if $p(1) \in M$, then the rule is triggered with $\{I \leftarrow 1\}$ and results in the single
extension of $M$ with $q(\{1, 2, 3\})$, rather than in three extensions as before. The
functionality of selected arguments will be built in, so the second rule above is not
needed. One could even write a more general rule like "$p([1,I]) \rightarrow q([1, 4-I])$",
which has two advantages: it is still useful if $p$ is undetermined in the current
model candidate, and (a suitably extended version of) pattern matching can be
used on the term $[1, I]$. Because intervals play a central role, we gave the name
IV-MGTP to the present extension of MGTP.
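The difference between the two representations in the example above is easy to make concrete. The following Python is an added illustration, not code from the paper or from any MGTP implementation: it treats a model candidate as a set of ground atoms (MGTP) or as a map from a predicate to the subset of dom allowed at its constrained argument (IV-MGTP), applies the two rules of the example, and counts how many branches each treatment has to refute once $q(4)$ is derived. The encoding of candidates and the helper names are choices made for this example; the rules and the domain $dom = \{1, \ldots, 4\}$ are those of the text.

```python
# dom = {1,...,4}. An MGTP model candidate is a frozenset of ground atoms ('p', 1);
# an IV-MGTP candidate maps a predicate to the set its constrained argument may take.
DOM = frozenset(range(1, 5))


def mgtp_extend(candidate):
    """MGTP: p(I), dom(J), I+J =< 4 -> q(J) yields one new branch per admissible J."""
    branches = []
    for atom in sorted(candidate):
        if atom[0] == 'p':
            i = atom[1]
            for j in sorted(DOM):
                if i + j <= 4 and ('q', j) not in candidate:
                    branches.append(candidate | {('q', j)})
    return branches


def mgtp_closed(candidate):
    """q(I), q(J), I \\= J -> bottom: a branch holding two distinct q atoms is refuted."""
    return len({a[1] for a in candidate if a[0] == 'q'}) > 1


def interval(lo, hi):
    """[lo, hi] denotes {k in dom | lo =< k =< hi}."""
    return frozenset(k for k in DOM if lo <= k <= hi)


def iv_add(candidate, pred, values):
    """Add the constrained atom pred(values) to an IV-MGTP candidate. The constrained
    argument is functional, so pred(S) and pred(S') narrow to pred(S & S'); an empty
    set closes the candidate, signalled by returning None."""
    new = dict(candidate)
    new[pred] = values & candidate.get(pred, DOM)
    return None if not new[pred] else new


def iv_extend(candidate):
    """IV-MGTP: p([I,I]) -> q([1, 4-I]) fires once p is determined (a singleton set)
    and produces a single extension instead of a split."""
    p = candidate.get('p')
    if p is None or len(p) != 1:
        return [candidate]
    (i,) = p
    ext = iv_add(candidate, 'q', interval(1, 4 - i))
    return [] if ext is None else [ext]


def compare(i, derived):
    """Start from p(i), apply the rule, then derive q(derived) in every branch.
    Returns (MGTP branches, MGTP branches refuted, IV candidates, IV candidates left)."""
    mgtp_branches = mgtp_extend(frozenset({('p', i)}))
    mgtp_refuted = sum(mgtp_closed(b | {('q', derived)}) for b in mgtp_branches)
    iv_cands = iv_extend({'p': frozenset({i})})
    iv_left = [c for c in (iv_add(c, 'q', frozenset({derived})) for c in iv_cands) if c]
    return len(mgtp_branches), mgtp_refuted, len(iv_cands), len(iv_left)
```

`compare(1, 4)` reproduces the text: MGTP opens three branches $q(1)$, $q(2)$, $q(3)$ and must refute all three, while IV-MGTP keeps the single candidate $q(\{1,2,3\})$ and closes it in one step because $\{1,2,3\} \cap \{4\}$ is empty. With `compare(2, 2)` the derived atom is consistent, and the interval representation simply narrows to $q(\{2\})$.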

The paper is organised as follows: in Section 2 some standard definitions are
collected, while in Section 3 the formal syntax and semantics of IV-MGTP is de-
fined. A deduction procedure for IV-MGTP programs is given in Section 4. Like
other extensions of model generation and logic programming, such as CMGTP,
general logic programs, or signed logic programs, the IV-MGTP pro-
cedure is not complete with respect to the standard semantics, but it turns
out to be characterisable by extended interpretations, which are suitably
adapted to the present purpose, see Section 5. Section 6 summarises first re-
sults obtained with IV-MGTP, and Section 7 discusses related work and gives
a brief outlook on future research. The full version of this paper is available at
ftp://itp.cs.chalmers.se/pub/users/reiner/iv-paper.ps.gz


2 Standard Definitions

Terms and Literals. Terms and atoms are defined as usual over a signature
$\Sigma$ consisting of constant symbols $C_\Sigma$, function symbols $F_\Sigma$ and predicate
symbols $P_\Sigma$. Variables from a set TVar occurring in terms are called term
variables to distinguish them from variables occurring in constraints. The set
of variable-free or ground terms is denoted $\text{Term}^0_\Sigma$, the set of variable-free or
ground atoms $\text{Atom}^0_\Sigma$. A literal is either an atom or an expression $\neg L$,
where $L$ is an atom.

Rules and Programs. Clauses are written in rule notation and are expressions
of the form $C \rightarrow D$, where $C$ and $D$ are finite sequences of atoms or literals.

Footnote: A preliminary version of the present paper appeared in unpublished proceedings.

The expression $L \in C$ denotes that $L$ occurs in the sequence $C$. $C$ is called the
antecedent of $C \rightarrow D$ and $D$ its succedent. Using explicitly named atoms, such
a rule is written $L_1, \ldots, L_k \rightarrow M_1; \ldots; M_l$. Write $\top$ for the empty antecedent
and $\bot$ for the empty succedent. Sometimes it is convenient to refer to the clause
representation of a rule $C \rightarrow D$, which is $\neg L_1 \vee \cdots \vee \neg L_k \vee M_1 \vee \cdots \vee M_l$. In
that case the antecedent literals can be selected with $C = \neg L_1 \vee \cdots \vee \neg L_k$ and
the succedent literals with $D = M_1 \vee \cdots \vee M_l$.

As usual, ground literals, rules, clauses etc. are variable-free expressions.
A rule is range-restricted if all variables occurring in its succedent occur al-
ready in its antecedent. Therefore, a range-restricted rule with empty antecedent
must be ground. The first occurrence (reading from left to right) of a variable
in a rule is called free, all other occurrences are bound. In a range-restricted
rule only bound variables occur in the succedent.

An MGTP program $P$ is a finite set of range-restricted rules where only
atoms occur in antecedents and succedents. If the restriction to atoms is lifted to
literals, one obtains the language of CMGTP. To avoid technical complications,
we assume that the signature $\Sigma$ of the terms occurring in a program $P$ contains
at least one constant symbol, so that $\text{Term}^0_\Sigma$ and $\text{Atom}^0_\Sigma$ are non-empty. If a
program $P$ contains no constant symbol, we artificially add one.

Domains. A domain is a finite, totally ordered set $N$, which is represented
by a set of natural numbers of the form $\{1, \ldots, n\}$. This implies that domains
are homogeneous, that is, initial segments of identical length from different
domains are indistinguishable. Constraint variables from a set CVar
hold elements from a domain $N$, while domain variables $U, V, \ldots$ from a set
DVar hold subsets of a domain $N$.

Rules will contain constraint and domain variables in a way made precise
later. We note for now that the notions of range-restrictedness and free/bound
variable are defined exactly as for term variables.

3 Syntax and Semantics of IV-MGTP 

3.1 Motivation 

We set out to enhance MGTP with finite domain constraints. First, we motivate our central definition from the point of view of signed formula logic (SFL) and constraint logic programming (CLP) over finite domains [ref].

In SFL rules are defined over signed atoms, where a signed atom is of the form $S{:}L$, and where in turn $S$ is a non-empty subset of a domain $N$ and $L$ is an atom. Atoms $L$ are interpreted $N$-valued and a signed atom $S{:}L$ is satisfied iff the interpretation of $L$ takes on a value in $S$.

If $L = p(t_1, \ldots, t_r)$, then $S{:}L$ is equivalent to the MGTP atom $p(t_1, \ldots, t_r, x)$, where: (i) $x$ is constrained to values from $S \subseteq N$; (ii) $p$ is functional at the $(r+1)$-st argument, that is, $p(t_1, \ldots, t_r, i)$ and $p(t_1, \ldots, t_r, j)$ have the same value iff $i = j$; (iii) $p$ is total at the $(r+1)$-st argument, that is, $p(t_1, \ldots, t_r, x)$ is satisfied for at least one value of $x$.
A different notation for $S{:}p(t_1, \ldots, t_r)$ inspired by finite domain CLP is to write $p(t_1, \ldots, t_r, x),\; x :: S$. Lifting the restriction that constraints can only occur in one argument of an atom yields

  $p(t_1, \ldots, t_r, x_1, \ldots, x_m),\; x_1 :: S_1, \ldots, x_m :: S_m,$   (1)

where $S_1 \subseteq N_1, \ldots, S_m \subseteq N_m$. The actual order of constrained and unconstrained arguments is irrelevant. We chose to group them in order to simplify notation. The intended meaning of (1) is as in CLP: it is satisfiable iff $p(t_1, \ldots, t_r, c_1, \ldots, c_m)$ is satisfied by some interpretation $I$ with $I(c_j) \in S_j$, $1 \le j \le m$. In contrast to CLP we do not allow the $x_i$ to occur in the $S_j$, so we can just as well replace each $x_i$ with $S_i$ in $p(t_1, \ldots, t_r, x_1, \ldots, x_m)$. This gives the more compact and readable notation

  $p(t_1, \ldots, t_r, S_1, \ldots, S_m),$   (2)

for what we call from now on a constrained atom. Further differences between IV-MGTP and CLP are discussed in Section [ref].

3.2 The Language of IV-MGTP 

Constrained atoms (2) explicitly stipulate subsets of domains and thus are in solved or canonical form. The language of IV-MGTP needs to admit other forms of atoms in order to be practically useful.

For a start, an IV-MGTP atom $p(\ldots)$ may contain domain variables from $\mathit{DVar}$ at the constraint places of $p$. Our domains are totally ordered; we take advantage of this by admitting interval and extraval notation to specify subsets of domains. In addition, the boundary values of intervals and extravals can be constraint variables from $\mathit{CVar}$. To summarise, an IV-MGTP atom is an expression $p(t_1, \ldots, t_r, \kappa_1, \ldots, \kappa_m)$, where the $\kappa_i$ have one of the following forms:

1. $\{i_1, \ldots, i_r\}$, where $i_j \in N$ for $1 \le j \le r$ ($\kappa_i$ is in solved form);

2. $]i_1, i_2[$, where $i_j$ for $j = 1, 2$ are from $N \cup \mathit{CVar}$; the intended meaning is $]i_1, i_2[ \;=\; \{i \in N \mid i < i_1 \text{ or } i > i_2\}$;

3. $[i_1, i_2]$, where $i_j$ for $j = 1, 2$ are from $N \cup \mathit{CVar}$; the intended meaning is $[i_1, i_2] = \{i \in N \mid i_1 \le i \le i_2\}$;

4. $U \in \mathit{DVar}$.

It is legal to write empty set constraints, such as “{}”. Note that an IV-MGTP atom whose constraints are all in solved form is a constrained atom.

Further forms of constraints might be useful, but are not considered for now. One has to find a trade-off between implementability and usability. Our current applications only justify the forms defined so far.

IV-MGTP rules are defined like MGTP rules, but are based on IV-MGTP atoms. Not only the term variables, but also the constraint and domain variables of an IV-MGTP rule must be range-restricted, i.e., all constraint/domain variables occurring in the succedent of the rule must already occur in the antecedent.

By way of extension of the corresponding mechanism in MGTP [ref], we allow an arbitrary ground decidable guard or condition $\mathit{cond}$ over term and constraint variables to occur in the antecedent of an IV-MGTP rule. The term and constraint variables occurring in $\mathit{cond}$ must be bound. For example, a rule with antecedent $p([I, J])$ and condition $\mathit{cond} = J - I \le 1$ is intended to be applicable to all constrained atoms of the form $p(S)$ which constrain the value of $p$ to at most two model elements.

A finite set of IV-MGTP rules satisfying the conditions above is called an IV-MGTP program. Different arguments of constrained atoms can be associated with different domains, so predicate symbols must be declared. For each $p \in P_\Sigma$ with constrained arguments, an IV-MGTP program contains a declaration line of the form “declare $p(t, \ldots, t, j_1, \ldots, j_m)$”.

If the $i$-th place of $p$ is $t$, then the $i$-th argument of $p$ is a standard term; if the $i$-th place of $p$ is a positive integer $j$, then the $i$-th argument of $p$ is a constraint over the domain $\{1, \ldots, j\}$. If a constraint declaration is “1”, then one should consider omitting it altogether, as “declare $p(1)$” is equivalent to “declare $p$”. The free, that is, first occurrence of a constraint or domain variable in an expression also determines its domain.

Each IV-MGTP atom $p(t_1, \ldots, t_r, \kappa_1, \ldots, \kappa_m)$ consists of two parts, the standard term part $p(t_1, \ldots, t_r)$ and the constraint part $(\kappa_1, \ldots, \kappa_m)$. Each of $r$ and $m$ can be 0. The latter, $m = 0$, is in particular the case for a predicate that has no declaration. Such a predicate is assumed to be implicitly declared as “declare $p(t, \ldots, t)$”. By this convention, every MGTP program is also an IV-MGTP program.
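The four constraint forms of Section 3.2, converted to solved form over a declared domain $\{1, \ldots, n\}$, together with the matching of an interval pattern with bound variables and a guard, as an added worked example. This is our own illustration code, not the paper's prototype; the tuple encodings `("set", ...)`, `("ival", a, b)`, `("xval", a, b)`, `("dvar", U)` and all function names are our own choices, and the substitution `sigma` plays the role of the ground substitution that binds constraint and domain variables.

```python
# Added example (not code from the paper): IV-MGTP constraint forms over a
# domain {1, ..., n}, their solved-form conversion, and interval-pattern
# matching with a guard over bound constraint variables.  All encodings and
# names here are our own assumptions.
from itertools import product


def domain(n):
    """The domain {1, ..., n}; all domains are initial segments of the positive integers."""
    return frozenset(range(1, n + 1))


def bound(x, sigma):
    """An interval/extraval bound is a domain element or a CVar name bound by sigma."""
    if isinstance(x, int):
        return x
    if x not in sigma:
        raise ValueError(f"unbound constraint variable {x!r}")
    return sigma[x]


def solved_form(kappa, n, sigma=None):
    """Convert one IV-MGTP constraint kappa over {1..n} to solved form (a frozenset).

    kappa is ("set", iterable), ("ival", a, b), ("xval", a, b) or ("dvar", name);
    bounds and domain variables are resolved through the substitution sigma.
    """
    sigma = sigma or {}
    dom = domain(n)
    kind = kappa[0]
    if kind == "set":                     # {i1, ..., ir}: already solved; "{}" is legal
        s = frozenset(kappa[1])
        if not s <= dom:
            raise ValueError(f"{sorted(s)} is not a subset of 1..{n}")
        return s
    if kind == "ival":                    # [a, b] = {i in N | a <= i <= b}
        a, b = bound(kappa[1], sigma), bound(kappa[2], sigma)
        return frozenset(i for i in dom if a <= i <= b)
    if kind == "xval":                    # ]a, b[ = {i in N | i < a or i > b}
        a, b = bound(kappa[1], sigma), bound(kappa[2], sigma)
        return frozenset(i for i in dom if i < a or i > b)
    if kind == "dvar":                    # U in DVar holds a subset of the domain
        u = kappa[1]
        if u not in sigma:
            raise ValueError(f"unbound domain variable {u!r}")
        return frozenset(sigma[u])
    raise ValueError(f"unknown constraint form {kind!r}")


def match_interval_guard(s, n, guard):
    """All bindings (I, J) under which the pattern p([I, J]) matches a solved-form s.

    Conjunctive matching requires s to be a subset of [I, J] under the binding;
    the guard is evaluated only once I and J are bound (they are free in the
    pattern and bound afterwards).  Returns the bindings in domain order.
    """
    return [(i, j) for i, j in product(domain(n), repeat=2)
            if s <= solved_form(("ival", i, j), n) and guard(i, j)]


if __name__ == "__main__":
    print(sorted(solved_form(("xval", 2, 4), 6)))
    print(sorted(solved_form(("ival", "I", "J"), 6, {"I": 2, "J": 4})))
    print(match_interval_guard(frozenset({3, 4}), 6, lambda i, j: j - i <= 1))
```

With domain size 6, the extraval `]2,4[` becomes `{1, 5, 6}`, and the pattern `p([I,J])` with guard `J - I <= 1` matches `p({3,4})` only under the binding `I = 3, J = 4`; a constraint whose elements are too far apart, such as `{1, 3}`, has no matching binding at all.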

3.3 Formal Semantics of IV-MGTP 

Substitutions. Recall that there are three kinds of variables that occur in IV-MGTP programs: term variables $\mathit{TVar}$, constraint variables $\mathit{CVar}$, domain variables $\mathit{DVar}$. An (IV-MGTP) ground substitution $\sigma$ maps term variables to ground terms, constraint variables over a domain $N$ to $N$, and domain variables over a domain $N$ to $2^N - \{\emptyset\}$.

Interpretations. Let $\mathbb{N}^+$ denote the positive integers. Then any domain is contained in $\mathbb{N}^+$. To simplify things we assume in the following $\mathbb{N}^+ \subseteq C_\Sigma$. With this in mind, assume “declare $p(t, \ldots, t, j_1, \ldots, j_m)$”; then any subset of $(\mathit{Term}^0_\Sigma)^r \times \{1, \ldots, j_1\} \times \cdots \times \{1, \ldots, j_m\}$ is an IV-MGTP pre-interpretation of $p$. In other words, any standard Herbrand interpretation (restricted to suitable domains for the constraint part) is also an IV-MGTP pre-interpretation. In an IV-MGTP interpretation $I$, only the constraint part is handled in a slightly non-standard way: the constrained arguments of $p$ are functional, so the same must be true for $I(p)$. If $p$ is declared as above, then for all $(t_1, \ldots, t_r) \in (\mathit{Term}^0_\Sigma)^r$ there is at most one $(i_1, \ldots, i_m) \in \{1, \ldots, j_1\} \times \cdots \times \{1, \ldots, j_m\}$ such that

  $(t_1, \ldots, t_r, i_1, \ldots, i_m) \in I(p)$.

The constraint part of an IV-MGTP ground atom can without loss of generality be assumed to be in solved form, because variable-free intervals and extravals can be trivially converted to sets of domain values. In the following we assume that all ground constraints are automatically converted into solved form.

Satisfaction. An IV-MGTP ground atom $L = p(t_1, \ldots, t_r, S_1, \ldots, S_m)$ is satisfied by an IV-MGTP interpretation $I$ (in symbols $I \models L$) iff there are $i_1 \in S_1, \ldots, i_m \in S_m$ such that $(t_1, \ldots, t_r, i_1, \ldots, i_m) \in I(p)$. A set of IV-MGTP ground atoms $M$ is satisfied iff $I \models L$ for each $L \in M$. Note that an atom of the form $p(\ldots, \{\}, \ldots)$ is unsatisfiable.

A ground IV-MGTP rule is satisfied by $I$ iff at least one of the atoms in its antecedent or $\mathit{cond}$ is not satisfied by $I$, or at least one of the atoms in its succedent is satisfied by $I$. Obviously, $C \to D$ is satisfied iff $C$ is not satisfied or $\mathit{cond}$ is not satisfied or $D$ is satisfied. An IV-MGTP rule $r$ is satisfied by $I$ iff $I \models r\sigma$ for every ground substitution $\sigma$. Finally, an IV-MGTP program $P$ is satisfied by $I$ iff $I \models r$ for all $r \in P$.

The sets $S_i$ in the constraint part of an IV-MGTP literal are independent of each other, that is, an IV-MGTP literal can only represent rectangles in domain spaces. We stress that in IV-MGTP we did not essentially change the notion of a Herbrand interpretation (we stipulated functionality and domain restrictions for constrained arguments). What we did change (in fact: generalise) is the notion of an atom. While in classical logic a maximal, consistent set of ground literals specifies exactly one interpretation, this particular relationship becomes one-to-many in the case of IV-MGTP.

4 The IV-MGTP Deduction Process 

4.1 Model Candidates 

In the MGTP deduction process, a list of current model candidates is kept that represent Herbrand interpretations. In MGTP model candidates are identified with sets of ground atoms. The same holds in IV-MGTP, only that certain places of a predicate contain a ground constraint in solved form (that is: a subset of a domain) instead of a ground term. While in MGTP a model candidate containing ground atoms $\{L_1, \ldots, L_k\}$ represents exactly one possible interpretation of the set of atoms $\{L_1, \ldots, L_k\}$, in IV-MGTP one single model candidate represents many IV-MGTP interpretations which differ in the constraint parts.

Thus, in the following high-level description of the IV-MGTP deduction process, model candidates can be conceived as sets of constrained atoms of the form (2), where the $S_i$ are subsets of the appropriate domain. If $M$ is a model candidate, $p(t_1, \ldots, t_r)$ the ground term part, and $(S_1, \ldots, S_m)$ the constraint part of a constrained atom in $M$, then define $M(p(t_1, \ldots, t_r)) = (S_1, \ldots, S_m)$.

Formally, a model candidate $M$ is a partial function that maps ground instances of the term part of constrained atoms “declare $p(t, \ldots, t, j_1, \ldots, j_m)$” into $(2^{\{1, \ldots, j_1\}} - \{\emptyset\}) \times \cdots \times (2^{\{1, \ldots, j_m\}} - \{\emptyset\})$. Note that $M(p(t_1, \ldots, t_r))$ can be undefined.
4.2 Conjunctive Matching

Let $r = C \to D \in P$ be an IV-MGTP rule, $M$ a model candidate. We say that conjunctive matching (CJM) can be applied to (the antecedent) $C$ of $r$ and $M$ if there is a ground substitution $\sigma$ such that for each atom of the form $p(t_1, \ldots, t_r, \kappa_1, \ldots, \kappa_m) \in C$: (i) $M(p(t_1, \ldots, t_r)\sigma) = (S_1, \ldots, S_m)$; (ii) for all $1 \le i \le m$: $S_i = \kappa_i\sigma$ if $\kappa_i$ is a domain variable and $S_i \subseteq \kappa_i\sigma$ otherwise; (iii) $\mathit{cond}\,\sigma$ in the antecedent of $r\sigma$ is satisfied.

4.3 Inconsistency 

A model candidate $M$ is inconsistent with a constrained ground atom of the form $p(t_1, \ldots, t_r, S_1, \ldots, S_m)$ iff $M(p(t_1, \ldots, t_r)) = (S'_1, \ldots, S'_m)$ and $S_i \cap S'_i = \emptyset$ for some $i \in \{1, \ldots, m\}$. For example, $p(a, [1, 2], [3, 4])$ is inconsistent with $M(p(a)) = (\{2\}, \{2\})$.

4.4 Subsumption 

The task of the subsumption check is to avoid deriving atoms that would not further constrain the current model candidate. Formally, we say that a constrained ground atom $p(t_1, \ldots, t_r, S'_1, \ldots, S'_m)$ is implied by model candidate $M$ iff $M(p(t_1, \ldots, t_r)) = (S_1, \ldots, S_m)$ and $S_i \subseteq S'_i$ for $1 \le i \le m$. (Obviously, this is a special case of conjunctive matching.)

Let $D$ be the succedent of an IV-MGTP rule to which conjunctive matching can be applied in $M$ with substitution $\sigma$; then $D\sigma$ is said to be subsumed by $M$ iff there is a constrained atom $L$ in $D\sigma$ such that $L$ is implied by $M$.

4.5 Model Candidate Update 

Besides rejection, subsumption, and extension of a model candidate, in IV-MGTP there is a fourth possibility not present in MGTP.

Example 1. Let $D = p(\{1, 2\})$ and assume $M(p) = (\{2, 3\})$. Neither is the single atom in $D$ inconsistent with $M$ nor is it subsumed by $M$. Yet the information contained in $D$ is not identical to the information contained in $M$ and it can be used to refine $M$ to $M(p) = (\{2\})$.

Another possibility is that $M$ holds no restriction on $p$ so far: $M(p) = N$, where $N$ is the domain of the single argument of $p$. Again, $M$ can be refined, here to $M(p) = (\{1, 2\})$.

In general we define model candidate update or the addition of information to model candidates as follows: let $L = p(t_1, \ldots, t_r, S_1, \ldots, S_m)$ be a constrained ground atom consistent with model candidate $M$; $p' = p(t_1, \ldots, t_r)$ is the ground term part of $L$. Then the update $M + L$ of $M$ with $L$ is:

  $(M + L)(q) = (S_1, \ldots, S_m)$ if $q = p'$ and $M(p')$ is undefined;
  $(M + L)(q) = (S_1 \cap S'_1, \ldots, S_m \cap S'_m)$ if $q = p'$ and $M(p') = (S'_1, \ldots, S'_m)$;
  $(M + L)(q) = M(q)$ otherwise.
Example 2. To gain further insight into the process of model candidate update let us redo Example 1 in plain MGTP. The constrained atom $D = p(\{1, 2\})$ corresponds to the disjunction $D' = p(1); p(2)$ of classical atoms, while $M = \{p(\{2, 3\})\}$ corresponds to two MGTP model candidates: $M' = \{p(2)\}$, $M'' = \{p(3)\}$. Moreover, the functionality axiom “$p(I), p(J), I \neq J \to \bot$” is added. $D'$ is subsumed by $M'$, so $M'$ is unchanged. On the other hand, $M''$ is rejected (in the MGTP sense) by $D'$ and functionality, so we are left with $M'$ only. But $M'$ contains exactly the information of $M + p(\{1, 2\}) = p(\{2\})$.

We see that, in MGTP terms, model candidate update is really a combination of subsumption and rejection.

4.6 IV-MGTP Procedure 

The following definition gives the procedural semantics of IV-MGTP programs. It is modeled after the high-level description of the standard MGTP procedure [ref]. Let $M_\emptyset$ be the undefined model candidate, where $M_\emptyset(p(t_1, \ldots, t_r))$ is undefined for all $t_1, \ldots, t_r \in \mathit{Term}^0_\Sigma$ and “declare $p(t, \ldots, t, j_1, \ldots, j_m)$”.

For a given IV-MGTP program $P$, let $\mathcal{M}$ be a set of IV-MGTP model candidates, inductively defined as follows:

Initialisation $M_\emptyset \in \mathcal{M}$.

Update $M \in \mathcal{M}$ is not rejected, CJM can be applied to the antecedent of $C \to D \in P$ and $M$ with substitution $\sigma$, $D\sigma$ is not subsumed by $M$, and not all constrained atoms in $D\sigma$ are inconsistent with $M$. Let $D'\sigma$ consist of the atoms in $D\sigma$ consistent with $M$. Then $M$ is extendible (with $D'\sigma$), the elements of $\mathcal{M}' = \bigcup_{L \in D'\sigma} \{M + L\}$ are called immediate successors of $M$, and $\mathcal{M}$ becomes $(\mathcal{M} - \{M\}) \cup \mathcal{M}'$.

Rejection CJM can be applied to the antecedent of $r = C \to D \in P$ and $M$ with substitution $\sigma$ and all constrained atoms in $D\sigma$ are inconsistent with $M$.² Then $M$ is rejected (by $r$).

Those elements of a set $\mathcal{M}$ that are neither rejected nor extendible are the IV-MGTP models of $P$.

Example 3. Consider the program consisting of the rules $R_1 = \top \to p(\{1\}); p(\{2\})$, $R_2 = \top \to p([1, 2])$, $R_3 = \top \to p([2, 3])$. Any of the rules can be trivially applied to the undefined model candidate, because the antecedents are empty. Update of $M_\emptyset$ with $R_1$ results in two new model candidates with $M_1(p) = (\{1\})$ and $M_2(p) = (\{2\})$. $R_2$ can be applied to neither of them, because its succedent is subsumed. If we apply first $R_2$ to $M_\emptyset$ instead, then the result is $M_3(p) = (\{1, 2\})$ and extension with $R_1$ is possible. It yields again $M_1$ and $M_2$. $R_3$ is rejected in $M_1$, and subsumed in $M_2$; however, it can be used to update $M_3$ to $M_2$.
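The model-candidate operations of Sections 4.3 to 4.5 (inconsistency, implication/subsumption, update) and the procedure of Section 4.6, as an added worked example run on Example 1 and Example 3. This is our own illustration code, not the paper's Java prototype; it covers ground programs whose constraints are already in solved form (so the ground substitution is empty and conjunctive matching reduces to the implication check), represents a model candidate as a frozenset of `((pred, terms), sets)` pairs, and assumes the domain of `p` in Example 3 is `{1, 2, 3}` so that `[1,2]` and `[2,3]` become `{1,2}` and `{2,3}`. All encodings and names are our own.

```python
# Added example (not the paper's code): IV-MGTP model candidates, the
# inconsistency / implication / update operations, and the deduction procedure
# for ground programs in solved form.  Encodings and helper names are our own.
from collections import deque

# Ground constrained atom: (pred, terms, sets), e.g. ("p", (), (frozenset({1, 2}),)).
# Ground rule: (antecedent_atoms, succedent_atoms); an empty succedent stands for ⊥.
# Model candidate M: frozenset of ((pred, terms), sets) pairs, i.e. a partial function.


def atom(pred, *sets, terms=()):
    return (pred, tuple(terms), tuple(frozenset(s) for s in sets))


def lookup(M, pred, terms):
    """M(p(t1, ..., tr)), or None when undefined."""
    return dict(M).get((pred, terms))


def inconsistent(M, L):
    """4.3: M is defined on L's term part and some constrained place is disjoint."""
    pred, terms, sets = L
    cur = lookup(M, pred, terms)
    return cur is not None and any(not (s & c) for s, c in zip(sets, cur))


def implied(M, L):
    """4.4: M already constrains L's term part at least as tightly as L does."""
    pred, terms, sets = L
    cur = lookup(M, pred, terms)
    return cur is not None and all(c <= s for s, c in zip(sets, cur))


def update(M, L):
    """4.5: M + L for an atom L consistent with M (intersects constrained places)."""
    assert not inconsistent(M, L), "update is only defined for consistent atoms"
    pred, terms, sets = L
    d = dict(M)
    cur = d.get((pred, terms))
    d[(pred, terms)] = sets if cur is None else tuple(s & c for s, c in zip(sets, cur))
    return frozenset(d.items())


def cjm_applies(M, antecedent):
    """4.2 for ground rules: every antecedent atom is implied by M (sigma is empty)."""
    return all(implied(M, L) for L in antecedent)


def step(M, rule):
    """One rule against one candidate: ('skip' | 'reject' | 'extend', successors)."""
    ante, succ = rule
    if not cjm_applies(M, ante):
        return ("skip", None)
    if any(implied(M, L) for L in succ):        # D sigma is subsumed by M
        return ("skip", None)
    consistent = [L for L in succ if not inconsistent(M, L)]
    if not consistent:                           # all of D sigma inconsistent (incl. D = ⊥)
        return ("reject", None)
    return ("extend", [update(M, L) for L in consistent])


def iv_mgtp_models(rules):
    """4.6: the IV-MGTP models of a ground program, generated from M_∅ breadth-first.

    Rules are tried in list order; one extension per candidate per step, and each
    successor is examined against all rules again, so every rule is selected
    fairly.  Candidates reached twice are processed once.
    """
    models, seen, queue = [], set(), deque([frozenset()])
    while queue:
        M = queue.popleft()
        if M in seen:
            continue
        seen.add(M)
        rejected = extended = False
        for rule in rules:
            kind, succs = step(M, rule)
            if kind == "reject":
                rejected = True
                break
            if kind == "extend":
                extended = True
                queue.extend(succs)
                break
        if not rejected and not extended:
            models.append(M)
    return models


if __name__ == "__main__":
    R1 = ([], [atom("p", {1}), atom("p", {2})])     # ⊤ → p({1}); p({2})
    R2 = ([], [atom("p", {1, 2})])                  # ⊤ → p([1,2])  over domain {1,2,3}
    R3 = ([], [atom("p", {2, 3})])                  # ⊤ → p([2,3])
    for order in ([R1, R2, R3], [R2, R1, R3], [R3, R2, R1]):
        print([dict(m) for m in iv_mgtp_models(order)])
```

Whichever rule order is used in Example 3, the only surviving model is $M_2$ with $M_2(p) = (\{2\})$: $M_1$ is rejected by $R_3$ and $M_3$ is refined to $M_2$ by $R_3$, which is the proof-confluence behaviour the text describes. Example 1 is reproduced by `update` on $M(p) = (\{2, 3\})$ with $p(\{1, 2\})$, giving $(\{2\})$.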

5 Soundness and Completeness 

Theorem 1 (Soundness). If $P$ is a satisfiable IV-MGTP program, then $P$ has an IV-MGTP model.

² This is in particular the case when $D = \bot$.
IV-MGTP cannot be complete with respect to the semantics that has been used up to now. The reason is essentially the same as for the incompleteness of resolution and hypertableaux with unrestricted selection function [ref].³ It can be demonstrated with the simple example $P = \{\top \;\ldots\; q \to \bot\}$.

The program $P$ is unsatisfiable, yet deduction procedures based on selection of only antecedent (or only succedent) literals cannot detect this. Likewise, the incomplete treatment of negation in CMGTP comes up with the incorrect model $\{p\}$ for $P$. This incompleteness also occurs in IV-MGTP. Assume $p$ and $q$ are defined “declare $p(2)$” and “declare $q(2)$”. The idea is to represent a positive literal $p$ with $p(2)$ and a negative literal $\neg p$ with $p(1)$. Consider

  $P' = \{\top \to p(\{2\}),\;\; q(\{1\}) \to p(\{1\}),\;\; q(\{2\}) \to \bot\}$   (3)

which is unsatisfiable (recall that $p$ and $q$ are functional), but has an IV-MGTP model, where $M(p) = (\{2\})$, and $M(q)$ is undefined.

The example shows that already the ground Horn case with one constrained argument causes problems. Exactly this case is handled in so-called signed formula logic programming (SFLP), where Lu [ref] suggested a possible solution: he conceived a non-standard semantics called extended interpretations for SFLP that characterises a certain procedural semantics. This procedural semantics, defined for the one-argument Horn case, happens to be quite similar to that of IV-MGTP (see Section [ref] for a more detailed account of the relation between SFLP and IV-MGTP).

There are more IV-MGTP models than satisfying interpretations, as is exemplified by (3). So our solution is to admit additional interpretations that account for the remaining IV-MGTP models.

The basic idea underlying extended interpretations (briefly: e-interpretations)⁴ is to introduce the disjunctive information inherent to constraints into the interpretations themselves. Recall that IV-MGTP interpretations essentially are normal Herbrand interpretations (with some arguments functional and over a suitable domain). In contrast to this, model candidates contain IV-MGTP ground atoms with constraints. Extended interpretations are defined exactly as model candidates, i.e., partial functions $I$ mapping ground instances of the term part of IV-MGTP atoms with predicate symbol $p$ into $(2^{\{1, \ldots, j_1\}} - \{\emptyset\}) \times \cdots \times (2^{\{1, \ldots, j_m\}} - \{\emptyset\})$, if $p$ is defined “declare $p(t, \ldots, t, j_1, \ldots, j_m)$”. In the following we normally use $M, M'$ as meta variables for model candidates and $I, I'$ for e-interpretations, but it is sometimes convenient to use the same letter for both, which we do without an explicit (but trivial) conversion function.

An extended interpretation $I$ does e-satisfy an IV-MGTP ground atom $L = p(t_1, \ldots, t_r, S_1, \ldots, S_m)$ iff $I(p(t_1, \ldots, t_r))$ is defined, has the value $(S'_1, \ldots, S'_m)$, and $S'_i \subseteq S_i$ for all $1 \le i \le m$. Equivalently, using the terminology of model candidates, we could have expressed e-satisfaction as “CJM can be applied to $L$ and $I$”. E-satisfaction of rules and programs is defined exactly as before, only relative to e-interpretations.

³ As in the ground case positive hypertableaux [ref] and MGTP are virtually indistinguishable, this finding is not surprising.

⁴ The concept of e-interpretation and e-satisfaction occurs already in [ref], where it was used to simplify some definitions. Its relevance for SFLP was first noticed in [ref].

Our previous notation for updates (Section [ref]) can be generalised to cover extended interpretations: $I + I' = I + \sum_{p \in \mathit{Atom}^0_\Sigma} I'(p)$.

Example 4. The program $P'$ in (3) is unsatisfiable, but it is e-satisfiable by $I(p) = (\{2\})$, $I(q) = (\{1, 2\})$, because $I(q)$ neither satisfies $q(\{1\})$ nor $q(\{2\})$; hence both the second and the third rule are satisfied, as $q$ occurs in the antecedent.

Consider the single-rule programs $P_1$ containing $\top \to p(\{1\}); p(\{2\})$ and $P_2$ containing $\top \to p([1, 2])$. They cannot be distinguished with IV-MGTP interpretations: both are satisfied exactly by $I_1 = \{p(1)\}$ and $I_2 = \{p(2)\}$. The e-interpretations $I'_1(p) = (\{1\})$ and $I'_2(p) = (\{2\})$ corresponding to $I_1$ and $I_2$ satisfy $P_1$ and $P_2$ as well, but there is a further e-interpretation $I'(p) = (\{1, 2\})$ satisfying $P_2$, but not $P_1$.
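E-satisfaction of atoms, rules and programs by an e-interpretation, the definiteness test, and the Lemma 1 direction from a definite e-interpretation back to an IV-MGTP interpretation, as an added worked example run on $P'$ from (3) and on $P_1$, $P_2$ above. This is our own illustration code, not the paper's; an e-interpretation is a dict from `(pred, terms)` to a tuple of non-empty sets (absent keys are "undefined"), atoms and rules use the same tuple encoding as elsewhere in our examples, and `definite_e_interpretations` enumerates the definite, everywhere-defined e-interpretations for the declared ground term parts, which by Lemma 1 stand in for the classical interpretations. All names are our own.

```python
# Added example (not the paper's code): e-satisfaction over extended
# interpretations, definiteness, and the Lemma 1 conversion.  Encodings and
# helper names are our own assumptions.
from itertools import product


def atom(pred, *sets, terms=()):
    """Ground constrained atom p(t1..tr, S1..Sm) in solved form."""
    return (pred, tuple(terms), tuple(frozenset(s) for s in sets))


# e-interpretation: {(pred, terms): (S'_1, ..., S'_m)} with non-empty sets; absent = undefined.
# rule: (antecedent_atoms, succedent_atoms); an empty succedent stands for ⊥.


def e_satisfies_atom(I, L):
    """I e-satisfies L iff I(p(t)) is defined and each S'_i is a subset of S_i."""
    pred, terms, sets = L
    cur = I.get((pred, terms))
    return cur is not None and all(c <= s for c, s in zip(cur, sets))


def e_satisfies_rule(I, rule):
    """C -> D holds iff some antecedent atom fails or some succedent atom holds."""
    ante, succ = rule
    return (not all(e_satisfies_atom(I, L) for L in ante)
            or any(e_satisfies_atom(I, L) for L in succ))


def e_satisfies(I, program):
    return all(e_satisfies_rule(I, r) for r in program)


def definite(I):
    """Every constrained place of every defined atom holds exactly one element."""
    return all(len(s) == 1 for sets in I.values() for s in sets)


def definite_e_interpretations(decl):
    """All definite e-interpretations defined on every key of decl.

    decl = {(pred, terms): (j1, ..., jm)} gives the domain sizes of the constrained
    places.  This finite space corresponds, via Lemma 1, to the classical
    IV-MGTP interpretations that assign a value to each listed term part.
    """
    keys = sorted(decl)
    choices = [list(product(*(range(1, j + 1) for j in decl[k]))) for k in keys]
    for combo in product(*choices):
        yield {k: tuple(frozenset({i}) for i in vals) for k, vals in zip(keys, combo)}


def to_interpretation(I):
    """Lemma 1, second half: a definite e-interpretation as sets of tuples I(p)."""
    assert definite(I), "only definite e-interpretations induce an interpretation"
    result = {}
    for (pred, terms), sets in I.items():
        result.setdefault(pred, set()).add(terms + tuple(next(iter(s)) for s in sets))
    return result


if __name__ == "__main__":
    P3 = [([], [atom("p", {2})]),                        # ⊤ → p({2})
          ([atom("q", {1})], [atom("p", {1})]),          # q({1}) → p({1})
          ([atom("q", {2})], [])]                        # q({2}) → ⊥
    I4 = {("p", ()): (frozenset({2}),), ("q", ()): (frozenset({1, 2}),)}
    decl = {("p", ()): (2,), ("q", ()): (2,)}
    print(e_satisfies(I4, P3))                                              # True
    print([e_satisfies(I, P3) for I in definite_e_interpretations(decl)])  # all False
```

The non-definite e-interpretation of Example 4 e-satisfies $P'$, while none of the four definite e-interpretations over “declare $p(2)$”, “declare $q(2)$” does, which is the e-semantic counterpart of $P'$ being unsatisfiable. For $P_1$ and $P_2$, the definite $I'_1$ and $I'_2$ e-satisfy both programs, and $I'(p) = (\{1, 2\})$ e-satisfies $P_2$ only.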

The relationship between interpretations and e-interpretations of IV-MGTP programs is stated in the next lemma. We say an e-interpretation (or a model candidate) $I$ is definite iff $I(p(t_1, \ldots, t_r)) = (S_1, \ldots, S_m)$ implies $|S_1| = \cdots = |S_m| = 1$.

Lemma 1. Let $I$ be an IV-MGTP interpretation that satisfies the IV-MGTP program $P$. Then the e-interpretation $I'$ defined as

  $I'(p(t_1, \ldots, t_r)) = (\{i_1\}, \ldots, \{i_m\})$ if $(t_1, \ldots, t_r, i_1, \ldots, i_m) \in I(p)$, and undefined otherwise,

e-satisfies $P$. If $I'$ is a definite e-interpretation that e-satisfies $P$, then the interpretation $I$ defined as follows satisfies $P$:

  $(t_1, \ldots, t_r, i_1, \ldots, i_m) \in I(p)$ iff $I'(p(t_1, \ldots, t_r)) = (\{i_1\}, \ldots, \{i_m\})$.

Theorem 2 (Completeness). An IV-MGTP program $P$ having an IV-MGTP model $M$ is e-satisfiable by $M$ (viewed as an e-interpretation).

Corollary 1. If an IV-MGTP program $P$ has a definite IV-MGTP model $M'$ then $P$ is satisfied by the IV-MGTP interpretation $M$ (using the terminology of Lemma 1).

Theorem 3 (E-Soundness). If an IV-MGTP program $P$ is e-satisfiable then $P$ has an IV-MGTP model.

6 Results 

We developed an IV-MGTP prototype system in Java and made experiments on a Sun Ultra 5 under JDK 1.2. The results are compared with those on the same problems formulated and run with CMGTP, also written in Java [ref]. We consider two types of finite domain constraint satisfaction problems: cryptarithmetic and channel routing. For these problems, many specialised solvers employing heuristics were developed. Our experiments are not primarily intended to compare IV-MGTP with such solvers, but to show the effectiveness of the representation and its domain calculation in the IV-MGTP procedure.
6.1 Cryptarithmetic

We demonstrate the effect of IV-MGTP with the well-known cryptarithmetic problem SEND + MORE = MONEY. The problem is to find instances of the variables $\{D, E, M, N, O, R, S, Y\}$ satisfying the following column addition:

        S E N D
      + M O R E
      ---------
      M O N E Y

To solve this problem we need, among others, the rule $D + E = 10 \times Z + Y$, where $Z$ ranges over $\{0, 1\}$, while $D$, $E$, and $Y$ range over $\{0, 1, \ldots, 9\}$. The domain of $Y$ can be narrowed by the minimum and maximum values of the variables $D$, $E$, $Z$. IV-MGTP can implement such domain calculation using intervals/extravals, which makes it possible to prune redundant branches by refutation of domains.
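The domain calculation described for the column rule $D + E = 10 \times Z + Y$, as an added worked example: bounds propagation over finite domains that narrows every variable of a linear equation from the minimum and maximum of the others, repeated to a fixpoint, and that refutes the constraint when a domain becomes empty. This is our own illustration code, not the IV-MGTP prototype; it goes slightly beyond the text in narrowing all four variables rather than only $Y$. Variable names, the coefficient encoding and the sample domains are our own.

```python
# Added example (not the paper's code): interval/bounds propagation for a
# linear equation over finite domains, applied to D + E = 10*Z + Y from
# SEND + MORE = MONEY.  The encoding sum(coeffs[v] * v) == 0 is our own.


def narrow(coeffs, domains):
    """Bounds consistency for  sum(coeffs[v] * v) == 0  over finite integer domains.

    coeffs: {var: int}; domains: {var: set of ints}.  Each variable is narrowed to
    the values compatible with the min/max of the remaining variables, and the
    pass is repeated until no domain changes.  Domains only shrink, so this
    terminates; an empty domain means the equation has been refuted.
    """
    doms = {v: set(d) for v, d in domains.items()}
    changed = True
    while changed:
        changed = False
        for v, a in coeffs.items():
            lo = hi = 0                       # bounds of the sum of the other terms
            for w, b in coeffs.items():
                if w == v:
                    continue
                if not doms[w]:
                    return doms               # already refuted elsewhere
                lo += min(b * min(doms[w]), b * max(doms[w]))
                hi += max(b * min(doms[w]), b * max(doms[w]))
            # a*v + rest == 0 with rest in [lo, hi]  =>  -a*v must lie in [lo, hi]
            new = {x for x in doms[v] if lo <= -a * x <= hi}
            if new != doms[v]:
                doms[v], changed = new, True
    return doms


def consistent(doms):
    """A narrowed domain assignment is refuted iff some domain is empty."""
    return all(doms.values())


# D + E - 10*Z - Y == 0
COLUMN_RULE = {"D": 1, "E": 1, "Z": -10, "Y": -1}


def column_domains(D, E, Z=None, Y=None):
    """Constructed sample: narrow the column rule from given domains for D and E."""
    return narrow(COLUMN_RULE, {"D": set(D), "E": set(E),
                                "Z": set(Z if Z is not None else {0, 1}),
                                "Y": set(Y if Y is not None else range(10))})


if __name__ == "__main__":
    print(column_domains({7}, {5}))                 # Z -> {1}, Y -> {2}
    print(column_domains({5, 6, 7}, {5, 6, 7}))     # Z -> {1}, Y -> {0, 1, 2, 3, 4}
    print(consistent(column_domains({9}, {9}, Z={0})))   # False: 18 cannot be a digit
```

With $D = 7$ and $E = 5$ the carry $Z$ is forced to 1 and $Y$ to 2; with $D, E \in \{5, 6, 7\}$ the sum lies in $[10, 14]$, so $Z = 1$ and $Y$ is narrowed to $\{0, \ldots, 4\}$ without enumerating cases, which is the pruning effect the text attributes to interval constraints. With $D = E = 9$ and no carry the domain of $Y$ becomes empty and the branch is refuted.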

CMGTP (or MGTP), however, lacks the notion of a variable domain, so one has to represent the possible values a variable may take with multiple literals. Thus, in CMGTP, constraint propagation cannot be implemented with domain calculation. Table 1 compares IV-MGTP and CMGTP for the cryptarithmetic problem.



Table 1. Experimental results for cryptarithmetic problem.

                          IV-MGTP    CMGTP
    models                      1        1
    total branches             12     3308
    runtime (msec)            391     4793

Both systems found the unique model, but differed in the numbers of failed branches. The comparison of total branches generated by CMGTP and IV-MGTP shows that IV-MGTP has a considerable pruning effect, and thus creates a much smaller proof tree than CMGTP.

6.2 Channel Routing 

Channel routing problems in VLSI design can be represented as constraint satisfaction problems, in which connection requirements (what we call nets) between terminals must be solved under the condition that each net has a path disjoint from all others. For these problems, many specialised solvers employing heuristics were developed. Our experiments are not primarily intended to compare IV-MGTP with such solvers, but to show the effectiveness of the interval/extraval representation and its domain calculation in the IV-MGTP procedure.

Here we consider a multi-layer channel which consists of multiple layers, each of which has multiple tracks. We assume in addition, to simplify the problem, that each routing path contains no dog-legs and occupies only one track. By this assumption, the problem can be formalised as determining the layer and the track numbers for each net with the help of constraints that express the two binary relations not equal and above: $\mathit{not\_equal}(N_1, N_2)$ means that the nets $N_1$ and $N_2$ do not share the same track; $\mathit{above}(N_1, N_2)$ means that if $N_1$ and $N_2$ share the same layer, the track number of $N_1$ must be larger than that of $N_2$ (trivially, the not equal relation includes the above relation). For example, not equal constraints for nets $N_1$ and $N_2$ are represented in IV-MGTP as follows:

  $p(N_1, [L, L], [T_1, T_1]),\; p(N_2, [L, L], [T_{21}, T_{22}]),\; N_1 \neq N_2 \;\to\; p(N_2, [L, L], ]T_1, T_1[)$

where the predicate $p$ has two constraint domains: layer number $L$ and track number $T_i$. We experimented with problems consisting of 6, 8, 10, and 12 net patterns on the 2-layer channel, each layer of which has 3 tracks. The results are shown in Table 2.



Table 2. Experimental results for channel routing problems.

    Number of Nets = 6      IV-MGTP    CMGTP
    models                      250      840
    branches                    286      882
    runtime (msec)              168       95

    Number of Nets = 8      IV-MGTP    CMGTP
    models                     1560    10296
    branches                   1808    10302
    runtime (msec)              706      470

    Number of Nets = 10     IV-MGTP    CMGTP
    models                     4998    51922
    branches                   6238    52000
    runtime (msec)             2311     3882

    Number of Nets = 12     IV-MGTP    CMGTP
    models                    13482   538056
    branches                  20092   539982
    runtime (msec)             7498    31681

IV-MGTP reduces the number of models considerably. For example, we found the following model in a 6-net problem:

  $\{p(1, [1, 1], [3, 3]),\; p(2, [1, 1], [1, 1]),\; p(3, [1, 1], [2, 2]),\; p(4, [2, 2], [2, 3]),\; p(5, [2, 2], [1, 2]),\; p(6, [1, 1], [2, 3])\}$,

which contains 8 ($= 1 \times 1 \times 1 \times 2 \times 2 \times 2$) CMGTP models. The advantage of using the IV-MGTP representation and interpretation is that the different feasible track numbers can be represented as interval constraints. In CMGTP the above IV-MGTP model is split into 8 different models. Obviously, as the number of nets increases, the reduction ratio of the number of models becomes larger.

We conclude that IV-MGTP can effectively suppress unnecessary case splitting by using interval constraints, and hence reduce the total size of proofs.



7 Related and Future Work 

7.1 Constraint Logic Programming 

IV-MGTP is reminiscent of finite domain CLP [ref], but there are a number of fundamental differences. In contrast to MGTP, (C)LP systems proceed by top-down reasoning, they do not enforce range-restrictedness (which is pointless, as they are not proof confluent), and are defined on Horn clauses; the MGTP procedure is proof confluent and strongly complete if rules are selected fairly, and thus requires no backtracking. Thus we have “committed choice” computation without sacrificing completeness. The philosophy of IV-MGTP is to provide a theorem prover with a certain capability to deal with totally ordered finite domain constraints; it has few operators to manipulate them and no optimisation component. A complete constraint solver is not implemented. In CLP, on the other hand, the constraint solver often carries the bulk of computation, and logical inference is less efficient.

There is some similarity between IV-MGTP and Interval CLP [ref]. The latter is more general in that it can be used to approximate real-valued relations and to narrow real-valued intervals, whereas IV-MGTP is optimized to work with finite domains. Bottom-up computation in IV-MGTP allows natural propagation of inconsistent constraints, while CLP needs other mechanisms to avoid redundant search such as dependency-directed backtracking. In addition, IV-MGTP gives the user explicit control over case-splitting in succedents of rules.

The committed choice constraint language CHR$^\vee$ [ref] accommodates bottom-up reasoning and non-Horn rules. It would be possible to write a meta-interpreter for IV-MGTP in CHR$^\vee$. There are no experimental data in [ref], so it is difficult to evaluate; however, CHR$^\vee$ is implemented on top of Prolog-based implementations of CHR, and pattern matching on constraint constructors is not available. Moreover, there is no completeness result like Theorem [ref].

From a language design point of view, in CLP variables are declared, rather than predicates. A central feature of MGTP-like procedures, needed for strong completeness [ref] as well as efficiency, is that only ground atoms are stored in model candidates. The variable-centred view of CLP is not an option. In IV-MGTP constraints are attached to predicates (not to variables which occur in predicates), so predicate arguments fulfil the task of variables. The semantics of CLP does not impose functionality on constrained arguments in interpretations; for example, in CLP a query of the form “?- $p(S),\; S::1..1,\; p(T),\; T::2..2$” succeeds, because variables as opposed to predicates are declared.



7.2 Signed Formula Logic (Programming) 

The principal differences between (C)LP and MGTP deduction sketched in the previous subsection apply to the comparison with SFLP as well. It was pointed out in Section [ref] that IV-MGTP atoms can be seen as a generalisation of signed atoms in SFL. While partially or totally ordered domains are often considered in SFL, the syntax of signs/constraints is usually limited to the forms $\{i_1, \ldots, i_r\}$ (the solved form in our setting) and $\uparrow i$ (the order filter on $N$ generated by $i$). Constraint variables are sometimes admitted [ref], but are usually missing in concrete implementations. On the semantic side, in SFLP e-interpretations are total functions, that is, $I(p)$ is defined for all ground atoms $p$. In SFLP, for example, the query “?- $\{1, \ldots, n\}{:}p$” succeeds (if $N = \{1, \ldots, n\}$ is the domain; see Section [ref] for SFL notation). The equivalent IV-MGTP program consisting of the single rule $p(\{1, \ldots, n\}) \to \bot$ (where $p$ is assumed “declare $p(n)$”) has the IV-MGTP model $M_\emptyset$, that is, $I(p)$ is undefined.



7.3 IV-MGTP and CMGTP 

CMGTP [ref] is a special case of IV-MGTP: for each $r$-ary predicate $p$ in CMGTP let $p'$ be a corresponding $(r+1)$-ary IV-MGTP predicate declared “$p(t, \ldots, t, 2)$”.

Now replace each CMGTP literal of the form $p(t_1, \ldots, t_r)$ with the IV-MGTP atom $p(t_1, \ldots, t_r, \{2\})$ and each literal of the form $\neg p(t_1, \ldots, t_r)$ with $p(t_1, \ldots, t_r, \{1\})$. CMGTP contains an additional rule $p(\ldots), \neg p(\ldots) \to \bot$. This is not necessary in IV-MGTP, because of functionality.



7.4 Paraconsistent Reasoning 

There is a close relationship between the functionality requirement for constraints in IV-MGTP interpretations, the non-emptiness of e-interpretations, and paraconsistent reasoning: the functionality requirement for constraints in IV-MGTP interpretations $I$ corresponds to the restriction to non-empty constraints in e-interpretations $I'$: assume “declare $p(2)$” for $p$. Then $I(p)$ is functional iff not both $I \models p(\{i\})$ and $I \models p(\{j\})$ for $i \neq j$ iff $p(\{i\}) + p(\{j\}) \neq p(\emptyset)$ iff $I'(p) \neq (\emptyset)$.

Consider the IV-MGTP program $P = \{\top \to p(\{1\}),\; \top \to p(\{2\})\}$. It is neither satisfiable nor e-satisfiable. In paraconsistent reasoning [ref], however, one infers from it the atom $p(\emptyset)$, indicating that inconsistent information is entailed about $p$. Lifting the non-emptiness restriction on e-interpretations still gives a well-defined, non-trivial semantics and captures paraconsistent reasoning [ref].

It is possible to generalise the IV-MGTP deduction procedure for paraconsistent reasoning by a minor modification. See the full paper for details.



7.5 Future Work 

CMGTP programs are complete even with respect to standard interpretations provided that antecedents of rules are consistent [ref]: for all literals $L, L'$ occurring in the antecedent of any ground instance of a rule, $\{L, L'\}$ is a consistent set. The straightforward generalisation to domains of size greater than two fails to guarantee completeness, but the matter should be investigated more thoroughly.

The language of IV-MGTP constraints can be made richer, but the more complicated constraints are, the more computational burden is shifted to constraint solving and the specific advantages of MGTP might vanish; in any case, the trade-offs must be better understood. The speed of our implementation should be improved. The reduction of generated models (see Section [ref]) shows the IV-MGTP paradigm to be quite effective, but it needs to be more efficient to play out its full strength. Experience with the implementation of (C)MGTP shows that careful coding makes a difference in the order of several magnitudes
Abstract. We propose a general framework for combining mobile processes and declarative programming languages, e.g., functional, logic or
functional-logic languages. In contrast to existing concurrent extensions 
of declarative languages, we distinguish clearly between the notion of pro- 
cesses and that of functions or predicates. Thus, our framework is generic 
and may be applied to extend several kinds of declarative languages. It 
also extends PA process algebra in order to deal with parameter pass- 
ing, mobile processes and interactive declarative programming. In our 
setting, declarative programs are dynamic and may be modified thanks 
to the actions performed by processes. 



1 Introduction 

Classical declarative languages, i.e., functional, logic and functional-logic lan- 
guages, aim to provide high-level descriptions of applications or systems. These 
languages have well-known nice features (e.g., abstraction, readability, compi- 
lation techniques, proof methods etc.) since functions and predicates are well 
mastered mathematical concepts which have been successfully used in describ- 
ing algorithms even before the invention of computers. However, these concepts, 
which constitute the basis of classical functional-logic languages, are not suf- 
ficient to capture the whole complexity of real-world applications [30] where 
interactivity, concurrency and distributivity are needed. 

On the other hand, processes have been used as a means for the description 
of interactive applications. Informally, a process can be described as the set of its 
possible runs, i.e., the set of possible action-sequences which can be performed 
by the process. Thus, it is immediate that processes are different from functions 
or predicates. 

Most existing concurrent extensions of declarative languages do not distin- 
guish clearly between processes and the concepts underlying the declarative lan- 
guage, but rather try to encode processes in terms of the latter [4, 5, 8-11, 13, 16, 17, 21, 23-28]. Thus each of these approaches seems to be tailored for a specific
language rendering the extension to a general framework not straightforward. 

Classically, declarative languages allow one to describe functions by means of 
equations (rewrite rules) or lambda abstractions and predicates by Horn clauses 
(with constraints). As for processes, there are as many ways to define them as there are different programming styles (including temporal logic programming). Nevertheless, process algebras have been well investigated, see e.g., [3], and provide a clean framework for the description of concurrent processes. An extension that allows the communication structure to vary is the π-calculus [20]. It provides a basis for modelling mobile computations.

But similar to concurrent extensions of declarative languages, programming 
languages uniquely based on process calculi encode the notions of functions and 
predicates via processes, e.g., [22]. 

This paper aims at a new combination of mobile processes and declarative 
languages where we distinguish clearly between, on the one hand, concepts which 
are definable in classical declarative languages, such as functions, predicates 
or constraints and (mobile) processes on the other hand. Thus the merit of 
our contribution is to propose a new framework where each part of a mobile, 
concurrent, functional and/or logic application can be described by the most 
appropriate known theoretical concept, instead of encoding all these different 
concepts in a sole framework. Our resulting proposal extends both declarative programming (with mobile processes) and PA process algebra, in order to deal with parameter passing, mobile processes and interactive declarative programming.

Theoretically, our framework can be characterised as a new (modal) theory 
whose models are Kripke-structures. Practically, we provide a new full and rigor- 
ous combination of programming paradigms, providing the respective advantages 
of functional, logic, functional-logic, concurrent and mobile programming in ad- 
dition to the advantages proper to the combination, in the same way as it was 
already the case for the integration of functional and logic programming. 

The rest of the paper is organised as follows: The next section gives a broad 
outline of our framework. Section 3 discusses the definitions of actions. The 
definition of processes is given in Sect. 4 and some examples are presented in 
Sects. 5 and 6. In Sect. 7 we give the operational semantics. A comparison with 
some related work is subject of Sect. 8. Finally, Sect. 9 concludes. 



2 Overview of Our Proposal 

In our framework, an application is modelled via several components. Due to 
space limitations, we focus in this paper on applications with a single compo- 
nent; but the framework presented here can be extended easily to several com- 
ponents. Roughly speaking, a program or a component in our framework will 
consist of two parts C = (F, P). P is a set of process definitions and F is a set of formulae describing a traditional declarative program, called a store in the sequel. The execution model of a component can be schematised as in Fig. 1. Processes (p_i) communicate by modifying the common store F, i.e., by altering, in a non-monotonic way, the current theory described by the store, for example by simply redefining constants (e.g., adding a message to a queue) or by adding or deleting formulae in F. Hence, the execution of processes will cause the transformation of the store F. Every change of the store is the result of the execution of an action. Thus actions constitute the basic entities for building processes. In
general, processes are also able to modify the stores of other components and 
thus interact with the environment of their component. Orthogonally, the store 
can be used as usual for a functional-logic program, i.e., for goal solving or the 
evaluation of expressions. 




[Fig. 1 (diagram): processes p_i acting on the common store F]

Fig. 1. execution model

[Fig. 2 (screenshot): a window titled "Counter 1" showing the value 42 and the buttons Increment, Link and Copy]

Fig. 2. a counter window



A real-world instance of a system as depicted in Fig. 1 is for example the file-system on a UNIX workstation: while there are processes running which may modify the store, i.e., the file-system, it is always possible to investigate the current state by commands such as ls or find. Following the same idea, there are some processes keeping the list of currently logged-in users up-to-date; this list can be consulted via the command who. This investigation may be done "on-line", that is to say, the set of possible questions a user might ask is not known in advance; in fact, the user might ask any well-formed question.

Another example is an application issuing flight tickets. Obviously, declarative languages are well-suited to describe the function calculating the price of a ticket. However, if we want to allow the modification of this function without stopping the entire application, then we need to extend classical declarative languages.

To illustrate our extension further, we consider a (simplistic) application in- 
spired from [15], a system of multiple counters. The application starts by creating 
a window (as shown in Fig. 2) representing a counter which can be incremented 
manually. In the window of the counter, a copy-button and a link-button allow 
one to create new counter windows: the former creates an independent counter 
(with an associated new window) and initialises it with the current value of the 
counter being copied; the latter creates a new view (i.e., a new window) of the 
same counter. All links (or views) of a same counter should behave identically, 
e.g., they increase the counter at the same time. Additionally we may want to 
use the current value of the counters for some calculations, in the same way as 
we would like to use any other constant in a classical declarative language. A 
sample of our solution for this problem is subject of Sect. 5. 

This example illustrates some of the difficulties when modelling concurrent 
processes, such as dynamic creation of new constants (e.g., counters, windows 
and the corresponding channels) or resources shared by several processes. Ob- 
viously, we need to extend a pure declarative language to cope with this in- 
teractive application. This has also been noted in the literature on declarative 
programming: "Some interactions appear most straightforward to express in an imperative style, and we should not hesitate to do so" [29].

3 Actions 

In our framework, an application may be composed of several components, each 
consisting of a store and a set of processes. These processes execute actions 
modifying the stores of different components. Classical examples of actions are 
for instance tell of ccp (see Sect. 8) which adds a constraint to a constraint store, 
or setq of Scheme which updates destructively the value of a constant. Other 
examples of actions concern interaction with the environment, as for instance 
the commands controlling external physical machines, e.g., opening a door or 
starting an engine. 

Actions are composed of a guard and a sequence of elementary actions. In- 
formally, an elementary action is a function(al), that when supplied with its 
arguments, returns a total recursive function from stores to stores. 

Definition 1. An action a is a pair consisting of a guard g and a sequence of pairs of a storename (expression) s_i and a (parameterised) elementary action a_i, written [g ⇒ (s_1, a_1); …; (s_n, a_n)]. A guard is a formula whose validity (in the (current) store) is decidable. An elementary action a is a total recursive mapping whose type is of the following shape: types_of_arguments → (store → store).

Roughly speaking, executing an action means to test the validity of the guard in the (local) store and, if the guard holds, to execute (atomically) the sequence of elementary actions (s_i, a_i), that is to say, to replace the store denoted by the storename (expression) s_i, say F, by the result of applying the elementary action a_i to it, i.e., a_i(F). Informally, a storename can be seen as a symbolic identifier for a store, in the same way as symbolic host-names stand for (numeric) IP-addresses. In the sequel, we write a sequence γ_1; …; γ_n as \overline{γ_i}. Thus, an action [g ⇒ (s_1, a_1); …; (s_n, a_n)] will be written [g ⇒ \overline{(s_i, a_i)}].

Due to space limitations, we suppose in this paper that the set of elementary 
actions is given, and thus restrain ourselves to give below just some examples 
of useful elementary actions. In our full framework [12], actions are definable by 
the programmer. 

We call skip the elementary action which does not modify the store. Certainly the most common elementary action is assignment (:=). := takes two parameters: the name c of a constant (traditionally considered as a variable) and a (new) value v. Thus we introduce a new parameterised type Name(t) to denote the type of the name of a symbol of type t. If c is of type Name(t), we denote by c↓ the associated symbol of type t. Hence, :=(c, v)(F) represents the store obtained from F by erasing all equations of the form c↓ == term and adding the new equation c↓ == v. In the sequel, and by abuse of notation, we write c in place of c↓ whenever there is no ambiguity.

The elementary action tell (respectively, del) adds (respectively, removes) clauses to (respectively, from) the store.

As all processes of a component share the store, broadcasting messages between processes is realised naturally via the common store by executing appropriate elementary actions. To simulate message passing, we can use elementary actions handling queues representing the buffers for (incoming) messages. To send a message, e.g., m, to a process, we need to know the name, e.g., q, of its queue for incoming messages (q is a constant of type Name(List(messages))). Executing the elementary action enq(q, m) will put our message in the queue of our (communication-) partner. To read a message from a queue, we access the queue, i.e., q, just as we usually access a constant. In order to erase a message from the queue (after having read it), we introduce the elementary action deq(q).

Another important elementary action handles the creation of new symbols: new(s, t) introduces two new symbols in the store, namely s of type Name(t) and s↓ of type t. s stands for the name of (or a reference to) the symbol s↓. In the multiple counters example, new allows the creation of new counters and the associated communication channels with the window-system.



Example 1. The following is an example of an action, inspired from the program of the "Dining Philosophers" given in Sect. 6:

[stick(x) ∧ stick(x+1 mod n) ⇒ (F, del(stick(x)));
                                (F, del(stick(x+1 mod n)));
                                (F, tell(is_eating(x)))]

This action says that whenever the sticks number x and x+1 mod n are available on the table (i.e., stick(x) ∧ stick(x+1 mod n) holds in the store F), then the philosopher number x can get these sticks (i.e., remove them from the table by deleting the corresponding predicates via the elementary actions del(stick(x)) and del(stick(x+1 mod n)) from the store F) and start eating (i.e., add the predicate is_eating(x) to F by using the elementary action tell(is_eating(x))).



4 Processes 

Before giving the formulae defining processes, we introduce first the notion of 
process-terms. Such terms are constructed by means of basic processes as well 
as operators which combine processes into new ones. 

Basic processes are success, i.e., the process which terminates successfully, (guarded) actions a, or process calls p(t_1, …, t_n). As usual in process algebra (see, e.g., [3]), we provide some operators for combining processes: parallel (||) and sequential (;) composition, nondeterministic choice (+) and choice with priority (⊕). The last operator is not very common, but we found it necessary to model critical applications where nondeterminism is not acceptable [1]. The intended meaning of the process term p_1 ⊕ p_2 is: "execute the process p_2 only if the process p_1 cannot be executed", i.e., the process p_1 has a higher priority than the process p_2.
Definition 2. A process term p is a well-typed expression defined by the following grammar:

p ::= success | [g ⇒ \overline{(s_i, a_i)}] | p(t_1, …, t_n) | p;p | p||p | p+p | p⊕p

Process abstractions are intended to give a description of the behaviour of 
processes. Some restrictions are required on the (recursive) definitions of process 
abstractions in order to avoid pathologic cases, especially processes with an 
infinite branching degree. A common solution to avoid such problems consists 
in requiring process abstractions to be guarded. 

Definition 3. A process abstraction p is defined by a sentence of the form

p(x_1, …, x_n) ⇐ ⊕_{i=1}^{k} a_i; p_i

where (for each i) a_i is an action and p_i is a process term. For a readable presentation, we omit here some formal technical conditions on the use of variables.

According to Definition 3 a process abstraction is defined by a set (ordered by priority) of "formulae", which consist of a (guarded) action and a process term.

Example 2. inc-dec is a process on a store C receiving via a queue named q messages for incrementation (inc) or decrementation (dec) of the value of a counter named val.

inc-dec ⇐ [head(q) == inc ⇒ (C, val:=val+1); (C, deq(q))]; inc-dec
        ⊕ [head(q) == dec ⇒ (C, val:=val-1); (C, deq(q))]; inc-dec

The elementary action new presented in the previous section allows one to extend the signature of the store with new symbols for functions or predicates. As these symbols are created dynamically and can be passed, we can model mobile processes in the same way as in the π-calculus [20], namely by passing the names of communication channels.

As an example, consider a process, p_1, which creates a new channel, q, of type t and communicates it to a process p_2 in order to receive messages from p_2 via channel q. The creation of q is performed by the action new(q, List(t)). There are several ways for p_1 to communicate the channel q to p_2 (e.g., by sending q through a channel or by using parameter passing). Since channels in our setting are modelled as changing constants, passing q to p_2 requires some caution. Indeed, passing the channel q to p_2 does not mean passing the value of q but rather its name (or a reference to it) in order to enable p_2 to send messages to p_1 via q.
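To make the store, the elementary actions of Sect. 3 and the priority choice of Definition 3 concrete, here is an added Python model; it is not the paper's code and implements only a fragment of the framework. It assumes a store holding its changing constants in a dict and its clauses in a set, plain strings for values of type Name(t), elementary actions as functions from store to store, and an action runner restricted to a single local store (so storenames are omitted). It runs the inc-dec process of Example 2 on a constructed queue and replays the channel-passing scenario above, where p_1 hands the name returned by new, not the queue contents, to p_2.

```python
"""Store, elementary actions and priority choice after Sect. 3 and
Example 2.  Added example, not code from the paper."""
import copy
import itertools

_fresh = itertools.count()   # supply of fresh symbols for new(s, t)


class Store:
    def __init__(self, constants=None, clauses=()):
        self.constants = dict(constants or {})   # equations c == v
        self.clauses = set(clauses)              # clauses handled by tell/del

    def copy(self):
        return Store(copy.deepcopy(self.constants), self.clauses)


# ---- elementary actions: each call returns a function store -> store ----
def skip(store):
    return store

def assign(c, v):
    """:=(c, v); v may be a function of the store so that expressions such
    as val+1 are evaluated in the store being updated."""
    def act(store):
        store.constants[c] = v(store) if callable(v) else v
        return store
    return act

def tell(clause):
    def act(store):
        store.clauses.add(clause)
        return store
    return act

def delete(clause):          # the paper's del; `del` is a Python keyword
    def act(store):
        store.clauses.discard(clause)
        return store
    return act

def enq(q, m):
    return assign(q, lambda s: s.constants[q] + [m])

def deq(q):
    return assign(q, lambda s: s.constants[q][1:])

def new(s, init):
    """new(s, t): bind the constant s (type Name(t)) to a fresh symbol s↓,
    initialised with init (the type t itself is not tracked here)."""
    def act(store):
        sym = "sym%d" % next(_fresh)
        store.constants[sym] = init
        store.constants[s] = sym
        return store
    return act


class Action:
    """[g => a_1; ...; a_n] on the local store only (storenames omitted)."""
    def __init__(self, guard, *elementary):
        self.guard, self.elementary = guard, elementary

    def fire(self, store):
        """Atomic: None if the guard fails, otherwise the store after all
        elementary actions; a copy is updated and committed at once."""
        if not self.guard(store):
            return None
        tmp = store.copy()
        for act in self.elementary:
            tmp = act(tmp)
        return tmp


def step(store, alternatives):
    """Choice with priority: fire the first alternative whose guard holds."""
    for action, continuation in alternatives:
        new_store = action.fire(store)
        if new_store is not None:
            return new_store, continuation
    return None


def inc_dec(q, val):
    """Example 2: inc-dec as a priority-ordered list of (action, next)."""
    def head(s):
        return s.constants[q][0] if s.constants[q] else None
    return [
        (Action(lambda s: head(s) == "inc",
                assign(val, lambda s: s.constants[val] + 1), deq(q)),
         lambda: inc_dec(q, val)),
        (Action(lambda s: head(s) == "dec",
                assign(val, lambda s: s.constants[val] - 1), deq(q)),
         lambda: inc_dec(q, val)),
    ]


def run(store, alternatives, max_steps=1000):
    """Execute until no alternative is enabled (e.g. the queue is empty)."""
    for _ in range(max_steps):
        result = step(store, alternatives)
        if result is None:
            break
        store, continuation = result
        alternatives = continuation()
    return store


def counter_demo():
    """Constructed run: q holds inc, inc, dec and val starts at 0."""
    store = Store({"q": ["inc", "inc", "dec"], "val": 0})
    return run(store, inc_dec("q", "val")).constants


def channel_demo():
    """Mobility as in Sect. 4: p_1 creates a channel with new and passes its
    name to p_2, which enqueues a message that p_1 then reads from q↓."""
    store = Store()
    store = Action(lambda s: True, new("q", [])).fire(store)           # p_1
    channel = store.constants["q"]                                      # the name
    store = Action(lambda s: True, enq(channel, "hello")).fire(store)  # p_2
    return store.constants[channel]
```

Because fire works on a copy and returns it only after every elementary action has succeeded, a guard that held at the start of the action cannot be invalidated halfway through; this is the single-store case of the atomicity stated in Sect. 7.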



5 Example of the Multiple Counters 

Our solution for the problem of the multiple counters presented in Sect. 2 sep- 
arates the counters from the window system. This is similar to real window 
systems, where applications may run on a machine connected via the network 
to the machine controlling the monitor. Thus we have two stores: one for the
processes modelling the counters, say C, and one for the window system, say X. 
In this paper, we focus on the component with store C. 

The store C describes a theory for counters. We model a counter c as a constant of type Cnt, i.e., a pair (val, wins), where c.val indicates the current value of the counter c and c.wins is a list of the window identifiers of the windows associated with c, i.e., the windows displaying the value of c. The only (high-level) events (occurring in a counter window) we consider are clicks on the different buttons. Thus we define the type Evts to be the set {inc, copy, link}. In this paper, we assume that the translation of the low-level events, e.g., "click at position (x, y)", is handled by another process. For a counter c, the function bmp returns the bitmap to display for c.

The store X of the window system is a description of a theory for windows and contains in the (changing) constant winlist descriptions for all the windows currently displayed on the screen. Each descriptor contains at least the identifier of the window, its position, the bitmap to be displayed and the event-queue where the events occurring in the window should be sent to. To simplify, we do not specify the data-structure of winlist further.

Figure 3 shows the process abstractions for the processes located on the store C. The process abstraction controlling a counter-window is cnt_ctrl. It has three parameters: the name c of the associated counter, the identifier w of the window and the name e of the event-queue to which the window system sends all the events occurring in the window w. cnt_ctrl takes the (high-level) events (occurring in the window w) one by one from the queue e and reacts accordingly. For instance an event representing a click on the copy-button will create a new counter, named c', and a new event-queue, named e', send a request for creating a new window to the queue newwins on the store X and launch a concurrent process for handling the new window for the counter named c'. An event corresponding to a click on the increment-button will increment the counter c and trigger the redrawing of all windows associated to c by executing the elementary action refresh_wins on the store X. refresh_wins has two parameters: a list of window identifiers l and a bitmap b. For each window identifier w in l, it updates the bitmap associated to w in the constant winlist.

The creation of a new window proceeds in two steps: requests sent to the 
store X are eventually acknowledged by the attribution of a new window iden- 
tifier. These requests are pairs of a bitmap for the window and the name of the 
event-queue where events occurring in the window should be sent to. Hence, 
before starting a process controlling a new window, we have to wait for this ac- 
knowledgement. For this, we use another process abstraction, namely create_win. 



6 Example of the Dining Philosophers 



Coping with mutual exclusion is simple in our framework, since the execution of 
actions is (locally) atomic, see Sect. 7. Thus, we can easily program the problem 
cnt_ctrl(c: Name(Cnt); e: Name(List(Evts)); w: Wid) ⇐
    [head(e) == inc ⇒ (C, c.val:=c.val+1); (C, deq(e));
                       (X, refresh_wins(c.wins, bmp(c)))]; cnt_ctrl(c, e, w)
  ⊕ [head(e) == copy ⇒ (C, new(c', Cnt)); (C, c'.wins:=nil); (C, c'.val:=c.val);
                        (C, new(e', List(Evts))); (C, e':=nil);
                        (X, enq(newwins, (bmp(c), e'))); (C, deq(e))];
                        create_win(c', e') || cnt_ctrl(c, e, w)
  ⊕ [head(e) == link ⇒ (C, new(e', List(Evts))); (C, e':=nil);
                        (C, deq(e)); (X, enq(newwins, (bmp(c), e')))];
                        create_win(c, e') || cnt_ctrl(c, e, w)

create_win(c: Name(Cnt); e: Name(List(Evts))) ⇐
    [head(newwids).evt == e ⇒ (C, c.wins:=cons(head(newwids).wid, c.wins));
                               (C, deq(newwids))]; cnt_ctrl(c, e, head(c.wins))

Fig. 3. Process abstractions for processes located on the store C



of the “Dining Philosophers” by using an action which atomically tests for the 
presence of the two sticks (or forks) and gets them, if they are present. 

We model the situation with two predicates: stick(x) and is_eating(y). The
former represents the fact that stick x is lying on the table, and the latter holds 
whenever philosopher y is eating. We can model the behaviour of a philosopher 
by the process abstractions of Fig. 4. 



thinks(x, n: Nat) ⇐
    [stick(x) ∧ stick(x+1 mod n) ⇒ (F, del(stick(x)));
                                   (F, del(stick(x+1 mod n)));
                                   (F, tell(is_eating(x)))]; eats(x, n)

eats(x, n: Nat) ⇐
    [true ⇒ (F, del(is_eating(x)));
            (F, tell(stick(x)));
            (F, tell(stick(x+1 mod n)))]; thinks(x, n)

Fig. 4. Process abstractions for the Dining Philosophers (located on store F)



Note that we need neither low-level synchronisation (like semaphores), nor 
auxiliary constructions (as placing the table in a separate room or asymmetric 
philosophers) nor any special assumptions about the underlying logic program. 
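The claim that an atomic guarded action gives mutual exclusion without further machinery can be checked mechanically. The following added Python example (not code from the paper) encodes the store F of Fig. 4 as a set of ground atoms, explores every interleaving of n philosophers by breadth-first search, and compares the atomic action of Example 1 with a constructed variant in which other philosophers may run between the guard test and the del steps. That variant is the usual check-then-act race, and the search finds a state in which two neighbours eat with the same stick; the atomic version reaches no such state.

```python
"""Dining philosophers on the predicate store F of Fig. 4, exploring all
interleavings.  Added example, not the paper's code: the store is a
frozenset of ground atoms such as ('stick', 0) and ('is_eating', 1); the
atomic version runs guard and elementary actions in one step, the split
version lets other philosophers run between the guard test and the
deletions (a constructed race, not a rule of the paper)."""
from collections import deque


def initial_store(n):
    """All n sticks on the table, nobody eating."""
    return frozenset(("stick", i) for i in range(n))


def guard(store, x, n):
    """stick(x) and stick(x+1 mod n) hold in the store."""
    return ("stick", x) in store and ("stick", (x + 1) % n) in store


def take_and_eat(store, x, n):
    """Elementary actions of thinks(x, n): del both sticks, tell is_eating(x).
    del of an absent atom silently does nothing, like set removal."""
    return (store - {("stick", x), ("stick", (x + 1) % n)}) | {("is_eating", x)}


def release(store, x, n):
    """Elementary actions of eats(x, n): del is_eating(x), tell both sticks."""
    return (store - {("is_eating", x)}) | {("stick", x), ("stick", (x + 1) % n)}


def violates_exclusion(store, n):
    """Two neighbours eating at once means one stick is in use twice."""
    eating = {x for (pred, x) in store if pred == "is_eating"}
    return any((x + 1) % n in eating for x in eating)


def replace(phases, i, value):
    return phases[:i] + (value,) + phases[i + 1:]


def successors_atomic(state, n):
    """Guard and elementary actions in one transition, as in the paper."""
    store, phases = state
    for x in range(n):
        if phases[x] == "thinks":
            if guard(store, x, n):
                yield take_and_eat(store, x, n), replace(phases, x, "eats")
        else:
            yield release(store, x, n), replace(phases, x, "thinks")


def successors_split(state, n):
    """Constructed non-atomic variant: the guard is tested in one step and
    the deletions happen in a later step, so the check can go stale."""
    store, phases = state
    for x in range(n):
        if phases[x] == "thinks":
            if guard(store, x, n):
                yield store, replace(phases, x, "checked")
        elif phases[x] == "checked":
            yield take_and_eat(store, x, n), replace(phases, x, "eats")
        else:
            yield release(store, x, n), replace(phases, x, "thinks")


def explore(successors, n):
    """Breadth-first search over all reachable (store, phases) states.
    Returns (no violation found, number of states visited)."""
    start = (initial_store(n), ("thinks",) * n)
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        if violates_exclusion(state[0], n):
            return False, len(seen)
        for nxt in successors(state, n):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return True, len(seen)
```

For three philosophers the atomic system has only four reachable states (the initial table and one state per eating philosopher), and for five philosophers eleven; the split variant reaches a violating state after two philosophers have both passed their guard and then both deleted sticks.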
7 Operational Semantics

To simplify the presentation, we consider in this paper only the operational 
semantics of a single component, since the semantics presented here can be easily 
extended to several components. Informally, a component in our framework is a pair C = (F, P) where F stands for the store (with storename s) and P for the set of process abstractions.

The operational semantics of a component has to take into account two different aspects, namely the execution of processes and actions, and interactive goal-solving or expression evaluation. Thus, we present the operational semantics in two steps. First, we describe the execution of processes by a transition system T. Then we combine these rules in an "orthogonal" way with rules describing the interactive use of the store, leading to a second transition system T' which defines the operational semantics of a component.

The operational semantics of a process is the set of sequences of actions that can be observed when executing a process. The execution of a process is described by the transition system T = (Q, →, (F⁰, p⁰, nil)). The states of T, i.e., Q, are triples, e.g., (F, p, m), consisting of a store F, a process term p and a mail-box m, acting as a fifo-channel on which the component receives (sequences of) elementary actions to execute (emanating from other components). In the sequel, we represent the mail-boxes as lists, and write [e] for the (singleton) list cons(e, nil) and l_1 :: l_2 for the concatenation of the lists l_1 and l_2. The initial state of T is built from the initial store F⁰ and the initial process term p⁰, which are both specified by the programmer. The transition relation → is defined by a set of inference rules shown in Fig. 5.

According to Rule (Rl), execution of the process success is always possible 
and yields the special symbol ss. The latter witnesses successful termination. 

The execution of a closed action, i.e., an action without free variables, is 
described by Rule (R2), under the premise of the validity of the guard in the 
current store (F ⊢ g). Since an action may contain elementary actions on several
stores, we have to distinguish between elementary actions meant for the local 
store (denoted by the (storename) constant self) and all the others. In the first 
case, we update the local store, in the second we send a message containing the 
sequence of elementary actions (together with their arguments) to the remote 
component which has to ensure the execution. 

Hence, Rule (R2) uses two auxiliary functions, namely exec and sel. sel filters 
the elementary actions for a given storename from a sequence of pairs of store- 
names and elementary actions, and exec describes the execution of a sequence 
of elementary actions. Their definitions are as follows: 

sel(s, l) = nil                          if l is empty, i.e., l = nil,
          = cons(a, sel(s, tail(l)))     if head(l) = (s', a) and s = s',
          = sel(s, tail(l))              otherwise.

exec(a_1; …; a_n, F) = a_n(… (a_2(a_1(F))) …)




Combining Mobile Processes and Declarative Programming 309 




Fig. 5. Inference rules defining the transition relation → of T.
We omitted the symmetric versions of the rules (R5), (R5') and (R6).
The side-condition ∃m'': m' = m :: m'' applies to all rules.



Note that the execution of an action is (locally) atomic, i.e., all the elementary 
actions (for a same store) of an action are executed in a single step. An example 
for the usefulness of the atomic execution of actions is the program for the dining 
philosophers (see Sect. 6) where a philosopher may take the two needed sticks 
in a single atomic step. 

According to Rule (R3), a call to a process abstraction corresponds to exe- 
cute an (instantiated) variant of the definition of the process abstraction. Such a 
variant is obtained by renaming in the defining “formulae” of the process abstrac- 
tion the symbols defined in elementary actions new by fresh ones. We denote this 
renaming by the operation rename. This is similar to the application of clauses 
in logic programming, where implicitly each variable is renamed by a fresh one, 
i.e., a new and unused variable. 

Rules (R4) to (R6) describe the standard semantics of the operators ;, || and +. In the process-term p_1 ⊕ p_2, the process p_2 will only be executed when (in the current store) an execution of p_1 is impossible (see Rule (R7')). On the contrary, p_1 can be executed independently of the executability of p_2 (see Rule (R7)).

Intuitively, the modifications of the channel m model the reception of (se- 
quences of) elementary actions emanating from other components of the system. 
Due to space limitations we do not detail these communications between components further. However, the execution of elementary actions from the channel m is described by the rule (R8):



(R8)   (F, p, [ā] :: m) → (exec(ā, F), p, m')        if ∃m'': m' = m :: m''
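As an added illustration of Rules (R2) and (R8), not code from the paper, the following Python sketch implements sel and exec as defined above on stores represented as dicts, executes the local part of an action atomically, mails the parts addressed to other storenames to the corresponding component, and lets that component execute them from its mail-box. The constructed input is the inc case of cnt_ctrl from Fig. 3, with refresh_wins modelled as an assignment to winlist and the bitmap passed in as a plain value.

```python
"""Rules (R2) and (R8) of Sect. 7 as an added example (not the paper's code).
Stores are dicts, elementary actions are functions store -> store, the
storename of the local store is "self", and the other storenames are the
names of the remote components.  sel and exec follow the definitions in
the text; the inc case of cnt_ctrl (Fig. 3) is the constructed input."""


def sel(s, pairs):
    """sel(s, l): the elementary actions meant for storename s, in order."""
    if not pairs:
        return []
    (s2, a), rest = pairs[0], pairs[1:]
    return ([a] if s == s2 else []) + sel(s, rest)


def exec_seq(seq, store):
    """exec(a_1; ...; a_n, F) = a_n(...(a_2(a_1(F)))...)"""
    for a in seq:
        store = a(store)
    return store


def assign(c, f):
    """:=(c, v) with v = f(store) evaluated in the store being updated."""
    def act(store):
        new = dict(store)
        new[c] = f(store)
        return new
    return act


def deq(q):
    return assign(q, lambda s: s[q][1:])


class Component:
    def __init__(self, name, store):
        self.name, self.store, self.mailbox = name, store, []

    def fire(self, guard, pairs, remotes):
        """(R2): the guard is tested on the local store; the local part is
        executed atomically, each remote part is mailed as one sequence."""
        if not guard(self.store):
            return False
        self.store = exec_seq(sel("self", pairs), self.store)
        for comp in remotes:
            seq = sel(comp.name, pairs)
            if seq:
                comp.mailbox.append(seq)      # m' = m :: [seq]
        return True

    def deliver(self):
        """(R8): execute the sequence at the head of the mail-box."""
        if not self.mailbox:
            return False
        self.store = exec_seq(self.mailbox.pop(0), self.store)
        return True


def refresh_wins(wins, bitmap):
    """refresh_wins(l, b) on store X: update the bitmap of each window in l."""
    return assign("winlist", lambda s: {**s["winlist"],
                                        **{w: bitmap for w in wins}})


def demo():
    """Constructed run of the inc case: C holds the counter, X the windows."""
    C = Component("C", {"val": 41, "wins": ["w1"], "e": ["inc"]})
    X = Component("X", {"winlist": {"w1": "bmp41"}})
    pairs = [("self", assign("val", lambda s: s["val"] + 1)),
             ("self", deq("e")),
             ("X", refresh_wins(["w1"], "bmp42"))]
    fired = C.fire(lambda s: bool(s["e"]) and s["e"][0] == "inc", pairs, [X])
    pending = len(X.mailbox)          # remote part waits in X's mail-box
    X.deliver()
    return fired, C.store["val"], C.store["e"], pending, X.store["winlist"]["w1"]
```

Note that the guard is evaluated against C's store only, as the text requires: the remote elementary actions are executed later by X, so a component cannot make its own step conditional on the contents of another store.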



Besides the execution of the processes modifying the store, described by the transition system T, the operational semantics of a component C has another, orthogonal aspect, namely the classical operational semantics of the underlying declarative program used for interactive goal-solving. We suppose that the latter is described by a relation of its own.

Therefore we can describe the operational semantics of a component C via a new transition system, T' = (Q', ⊢→, (F⁰, p⁰, nil, g⁰)), where g⁰ denotes the (possibly empty) initial goal the user wants to solve. The states of T' are configurations, i.e., tuples (F, p, m, g), where F is the current store, p is the current process term, m is the mailbox and g is the current expression to evaluate (according to the operational semantics of the underlying declarative language).

Classically, configurations of a concurrent language are described only by the first two parts, say (F, p), which are enough to express the execution of processes. As for declarative languages, a configuration classically uses the first and the fourth parts (F, g), which allow one to express the rules of the operational semantics of the declarative language. Combining these two operational semantics adds the possibility to run concurrent applications without losing the characteristics of declarative languages. For instance, goals can be solved while the processes keep on running.

The transition relation of T', i.e., ⊢→, is defined by the two inference rules:

(G)   g is rewritten to g' in the store F by the operational semantics of the declarative language
      ─────────────────────────────────────────────────────────────────────────   ∃m'': m' = m :: m''
      (F, p, m, g) ⊢→ (F, p, m', g')

(P)   (F, p, m) → (F', p', m')
      ─────────────────────────────────
      (F, p, m, g) ⊢→ (F', p', m', g⁰)



Rule (G) concerns interactive goal-solving, i.e., the use of the operational semantics of the declarative language, as for instance goal solving (in logic languages) or evaluation of expressions (in functional languages). In the example of the dining philosophers, we might ask for the eating philosophers by solving the goal is_eating(x). Rule (P) describes the modifications of the store by the processes
via the transition system T. When a process modifies the store, we have to restart 
the goal-solving at the initial goal (g^), as the modification may invalidate the 
already achieved derivation. Obviously, rule (P) has to be refined. For instance, 
if the execution of a process does not alter the definitions used so far in the 
evaluation of the goal, restarting the goal-solving is unnecessary. 



8 Related Work 

Due to lack of space we do not survey all the propositions in the area in depth, 
but focus on some of those which are close to our suggested framework. 

One of the main advantages of logic programming is its semantics (least Herbrand model). However, if we consider a Horn clause such as p(x) ← q, p(x), the denotation of p is empty according to the classical semantics of logic programs (i.e., for any x, p(x) does not hold). But seen as a process, the semantics of p is the infinite sequence . Hence, we preferred to distinguish processes and predicates, which is not the case for most concurrent extensions of logic programming.

Besides this fundamental difference, there are several similarities. In concur- 
rent constraint programming (ccp, [24]), agents communicate also via a common 
(constraint) store. However, the only actions on this store are telling a new con- 
straint and asking if the current store entails a constraint. While the original 
model is limited to a monotonic evolution of the store, there have been several 
suggestions for non-monotonic extensions, e.g., [4, 9, 10, 13, 25-27]. These extensions either provide new built-in actions [9, 10, 27] or use non-monotonic logics, such as logic with defaults [25] or linear logic [4, 13, 26].

The logic programming language Prolog provides two “predicates” that al- 
low one to modify the logic program by adding and deleting clauses, namely 
assert and retract [11]. Since these “extra-logical operators” have no declara- 
tive reading, they have been interpreted in [5, 8] as send and receive operations 
on a multiset of atoms, called “blackboard” . Our approach is more general, as 
our stores allow the modification of more than only a multiset of atoms. 

The notion of ports as a many-to-one communication medium has been in- 
troduced in AKL [17]. It is argued that the introduced port primitives have a 
“logical reading” and preserve the monotonicity of the constraint store. In our 
non-monotonic setting, we can provide the behaviour of ports via appropriate 
(elementary) actions, e.g., enq and deq. Recently, the idea of ports, has been ex- 
tended and integrated into the functional-logic language Curry in order to cope 
with distributed applications [16]. 

Pure functional programs can also be easily parallelised: as the evaluation of expressions has no side-effects, the function arguments can be evaluated in parallel. But this implicit parallelism is to be distinguished from concurrency explicitly specified by the programmer. Several concurrent extensions have been suggested for functional languages; most of them do not distinguish between processes and functions [21, 23].

Concurrent Haskell (CH) [21] introduces new primitives for starting processes (e.g., forkIO) which can communicate and synchronise via mutable variables (of a new built-in type MVar). These primitives are meant as “raw iron from which more friendly abstractions can be built” [21]. This is different from our philosophy: we want to exhibit the high-level abstractions needed for easy programming and not the minimal set of low-level primitives. Also, our actions together with, e.g., “changing constants”, are a more flexible support for communication. CML [23] also provides new primitives, supporting a synchronisation mechanism based on “events”, a new abstract type representing “potential communication”. To effectively communicate, a process has to synchronise on an event.

Facile [28] extends the functional language ML with “behaviour-expressions” and (synchronous communication) “channels”. As behaviour-expressions can be transformed into a value, called a process “script”, programming with processes in a functional style is supported. A script s can be executed by evaluating spawn s, which has the side-effect of spawning a new process. Thus, Facile allows functions and processes to use each other mutually. In our framework, the use of processes for the definition of functions or predicates is not necessary. However, the communication between processes in Facile is restricted to message passing through channels, which is a special case of the communication via stores.

Our framework extends classical process algebras, e.g., CCS [19], CSP [6] or ACP [3], in several aspects. First, our processes (and actions) are parameterised. Second, our actions have a precise semantics as transformations of a global store. Last but not least, our framework provides the possibility of (interactive) declarative programming, i.e., evaluation of expressions and goal solving, along with concurrent execution of processes.

Our elementary action new together with the parameterised type Name(t) allows one to model mobility in the same way as the π-calculus [20]. However, the communication mechanism of the π-calculus is synchronous and exclusively based on message passing (thus one-to-one), whereas our framework is based on asynchronous, broadcasting communication via a shared store. Thus, our proposal is more related to the asynchronous trend of the π-calculus. Our guards allow the atomic reception on several channels, whereas in the π-calculus processes can only wait on a single channel. Extensions of the (asynchronous) π-calculus without this restriction are the join-calculus [14] and Ct^ [7].

In the join-calculus [14] processes can be seen as communicating via a multiset of messages: sending a message corresponds to placing it in the multiset, and the “joint reception” of several messages is blocking and removes the received messages from the multiset. Thus broadcast is not provided directly and has to be encoded as in any π-calculus-based language.

Last but not least, promising approaches using linear logic as a basis to define 
frameworks for the description of the semantics of higher-level languages which 
integrate declarative programming with object-oriented or concurrent features 
have been proposed in the literature, see e.g., [2,7,18]. These approaches can 
be adapted to our framework in order to give an alternative semantics based on 
proof search in linear logic. 

9 Conclusion 

We have presented a generic framework for the combination of mobile processes and declarative programming languages. Our proposal differs from most related frameworks in that it distinguishes syntactically and semantically between the notion of processes and that of functions or predicates. Thus our framework does not force programmers to encode some concepts by means of others, but allows one to express everything by the most appropriate concept.

Processes are parameterised and communicate asynchronously via the modification of stores. Classical communication media, namely channels, are modelled as (changing) constants. This view of channels has both a functional reading and a (constraint) logical reading. New channels (as well as new functions) can be created thanks to the (built-in) action new. This action, combined with the parameterised type Name(t), allows one to model mobility and thus generalises the notions introduced in the π-calculus to declarative languages.

The complete formal definitions of this framework together with the extension to several components can be found in [12]. The implementation of a prototype is in progress.

Abstract. This paper presents a method for representing trees using
constraint logic programming over finite domains. We describe a class 
of trees that is of particular interest to us and how we can represent 
the set of trees belonging to that class using constraints. The method 
enables the specification of a set of trees without having to generate all 
of the members of the set. This allows us to reason about sets of trees 
that would normally be too large to use. We present this research in the 
context of a system to generate expressive musical performances and, in 
particular, how this method can be used to represent musical structure. 



1 Introduction 

This paper describes how constraints can be used to represent a specific class of 
trees that have the following properties: 

Rooted - each tree has a node distinguished as the root node. 

Ordered - the children of each node are distinct and cannot be re-ordered 
without changing what the tree represents. 

Constant Depth - the leaf nodes of each tree are all the same distance from 
the root. 

Strict - at each depth, one of the nodes has at least two successors. 

The number of distinct trees in this class is large for each n, where n is the number of leaf nodes. If n > 10 the set of trees described cannot easily be manipulated or used within a computer system. We present here an efficient way of representing this large set of trees, using constraint logic programming, that enables us to use this class of trees in our research.

The structure of the paper is as follows. The next section explains why we are 
interested in representing sets of trees in the context of music. We then present 
some implementation details including our representation and the constraints 
used to specify the trees of interest. Some results are presented that illustrate 
the effectiveness of this method. Finally, we end with our conclusions. 

* Ben Curry is supported by UK EPSRC postgraduate studentship 97305827 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 315–…, 2000.

2 Motivation: Grouping Structure

This work forms part of our research into creating an expressive musical per- 
former that is capable of performing a piece of music alongside a human musician 
in an expressive manner. 

An expressive performance is one in which the performer introduces vari- 
ations in the timing and dynamics of the piece in order to emphasise certain 
aspects of it. Our hypothesis is that there is a direct correlation between these 
expressive gestures and the musical structure of the piece and we can use this 
link to generate expressive performances. 

The theory of musical structure we are using is the Generative Theory of Tonal Music (GTTM) by Lerdahl and Jackendoff. The theory is divided into four sections that deal with different aspects of the piece’s musical structure. We are particularly interested in the grouping structure, which corresponds with how we segment a piece of music, as we are listening to it, into a hierarchy of groups. It is this hierarchy of groups that we seek to represent with our trees.

The rules are divided into two types: well-formedness rules that specify what 
structures are possible; and preference rules that select, from the set of all pos- 
sible structures, those that correspond most closely to the score. 

The rules defining grouping structures are based on principles of change and difference. Figure 1 shows four places where a grouping boundary may be detected (denoted by a …). The first case is due to a relatively large leap in pitch between the third and fourth notes in comparison to the pitch leaps between the other notes. The second boundary occurs because there is a change in dynamics from piano to forte. The third and fourth boundaries are due to changes in articulation and duration respectively.




Fig. 1. Points in the score where grouping rules may apply 



Figure 2 shows an example of a grouping structure for a small excerpt of music. We can see that the music has been segmented into five different groups, one for each collection of three notes. The musical rest between the third and fourth groups causes a higher level grouping boundary that makes two higher level groups which contain the five groups. These groups are then contained within one large group at the highest level.

The grouping structure can be represented with a tree. Figure 3 shows a tree representation (inverted, to aid comparison) for the grouping structure shown in Fig. 2. The leaf nodes at the top of the tree correspond to the notes in the score, and the branches convey how the notes are grouped together. This is an example of the class of tree we are trying to represent. From this point onwards the trees will be presented in the more traditional manner, i.e. the leaf nodes at the bottom and the root node at the top.












Fig. 2. An example grouping structure

Fig. 3. Tree representing the grouping structure shown in Fig. 2



Although the GTTM grouping rules are presented formally, the preference 
rules introduce a large amount of ambiguity. For a particular piece of music, 
there are many possible grouping structures which would satisfy the preference 
rules. The purpose of the present research is to devise a way to represent this 
large set of possible structures in an efficient way so that they can be used by a 
computer system. 

Using our hypothesis of the link between musical structure and expressive 
performance, one of the core ideas of our research is to use rehearsal performances 
by the human musician to disambiguate the large set of possible grouping trees. 
The expressive timing used by the musician in these rehearsals provides clues 
as to how the musician views the structure of the piece. A consistent pattern 
of timing deviations across a number of performances will enable us to high- 
light points in the score where the musician agrees with the possible grouping 
boundaries. 



3 Using Constraints 

This section of the paper explains how we use constraint logic programming (Van Hentenryck) to represent sets of trees. Although constraints have been used in the areas of music composition (e.g. Henz) and tree drawing (e.g. Tsuchida), this research is concerned with an efficient representation of large numbers of tree structures, which is a problem distinct from these.

Constraint logic programming over finite domains enables the specification of a problem in terms of variables with a range of possible values (known as the domain of the variable) and equations that specify the relationships between the variables. For example, if (1), (2) and (3) hold then we can narrow the domains of x and y as shown in (4):

$x \in \{1..4\}$ (1)

$y \in \{3..6\}$ (2)

$x + y > 8$ (3)

$x \in \{3..4\} \land y \in \{5..6\}$ (4)


The following sections outline the representation and the constraints we use 
to specify the class of trees. We begin by discussing the representation of the 
nodes and then present the five types of constraints used to ensure that the trees 
generated belong to our class. 

3.1 Representation 

We know that our class of trees will be monotonically decreasing in width from the leaf nodes up to the root and, therefore, we can represent the set of trees by a triangular point lattice of nodes.¹ Figure 4 shows the point lattices for trees of width n = 3 and n = 4.



Fig. 4. Point lattices for trees of width 3 (n = 3) and 4 (n = 4)



Each node has the following variables (illustrated in Fig. 5):

1. id: a unique identifier;

2. uplink: a connection to the level above;

3. downlink values which represent all the nodes on the level below that are connected to this one.

¹ An implementation detail means that there is always a path from the highest node of the point lattice to the leaf nodes, but this highest node should not be considered the root node. The root node may occur at any height in the point lattice and is identified as the highest node with more than one child.

The id is specified as an (x, y) coordinate to simplify the implementation details. The uplink variable contains an integer that represents the x-coordinate of the node on the level above to which this node is connected, i.e. node (uplink, y + 1). The downlink values, specified by a lower (dl) and upper (du) bound, refer to a continuous range of nodes on the level below that may be connected to this one, i.e. nodes (dl, y − 1) … (du, y − 1).



Fig. 5. A typical node



The next sections present the constraints that are applied to the nodes in 
order to create the specific set of trees in which we are interested. They begin 
by specifying the domains of the variables and then constraining the nodes so 
that only those trees that belong to our class can be generated. 

3.2 Node Constraints 

The first task is to define the domains of the variables for each node. Due to the 
triangular shape of the point lattice, the uplink for each node is constrained to 
point either upwards, or up and to the left of the current node. We constrain 
the downlink for each node to span the nodes directly below, and below and to 
the right of the current node. 

The constraints (given in (5)–(8)) define the domains of the uplink and downlink range (i.e. dl and du) for each node.² The uplink lies in the range {0..x} where x is the x-coordinate of the current node. The zero in the range is used when the node is not connected to the level above.



$domain([uplink]) = \{0..x\}$ (5)

$domain([dl, du]) = \{0..n\}$ (6)

$(dl = 0) \oplus (dl \ge x)$ (7)

$du \ge dl$ (8)

² The $\oplus$ in (7) denotes exclusive-or.
The downlink specifiers dl and du are constrained in a similar way to lie in the range {0..n}, with the added constraints that du has to be greater than or equal to dl and that dl either equals zero or is greater than or equal to x. Figure 6 shows how these constraints relate to the direction of the connections to and from each node.

Constraint (9) handles the situation of a node which is not used in a tree. If the uplink of the node is zero then the downlinks of the node must also be zero.

$((dl = 0) \Leftrightarrow (du = 0)) \land ((dl = 0) \Leftarrow (uplink = 0))$ (9)




Fig. 6. Constraining the Uplinks and Downlinks 



3.3 Level Constraints 

To ensure that the connections between two levels do not cross, constraints (10) and (11) are applied to each pair of adjacent nodes. For a pair of nodes A and B, with A directly to the left of B, uplink_B must either point to the same node as uplink_A, or to the node to the right of it, or, if B is unused, be equal to zero (10).

$(uplink_B = uplink_A) \lor (uplink_B = uplink_A + 1) \lor (uplink_B = 0)$ (10)

Once one of the uplinks on a particular level becomes equal to zero, all the uplinks to the right of it must also be zero (11). This prevents the situation of an unconnected node in the midst of connected ones.

$(uplink_A = 0) \Rightarrow (uplink_B = 0)$ (11)

Figure 7 shows examples of correct and incorrect mid-sections of a tree under these new constraints. The bottom example is incorrect because it violates constraints (10) and (11).

Fig. 7. A correct (top) and incorrect (bottom) mid-section of a tree



3.4 Consistency Constraints 

If the current node refers to a node in the level above, the x-coordinate of this node must appear within its downlink range. Constraint (12) ensures that if this node points to a node on the level above, the downlink range of that node must include this one. Figure 8 shows how this constraint affects two nodes where the lower one is connected to the upper one.

$(x_{above} = uplink_{this}) \Rightarrow ((x_{this} \ge dl_{above}) \land (x_{this} \le du_{above}))$ (12)

Fig. 8. Ensuring connectivity between nodes



3.5 Width Constraints 

We now constrain the trees to decrease in width as we travel from the leaf nodes to the root node. The width of a level is defined as the number of nodes that have a non-zero uplink on that level. Constraint (13) deals with this situation with the precondition that the width of the current level is greater than 1. This precondition is necessary to allow situations such as the first four trees in Fig. 10, where we consider the root node to be at the point where branching begins.

$(width_i > 1) \Rightarrow (width_j < width_i)$ (13)

We want to ensure that the trees decrease in width to reduce the search space as much as possible. Figure 9 shows an example of a tree which does not decrease in width between two levels; we can remove this tree from our search space as it does not contribute anything new to the grouping structure as we move from level i to level j.

Fig. 9. A section of a tree that does not decrease in width



3.6 Edge Constraints 

The last step is to ensure that the uplink of the rightmost node³ on a level points inwards (the rightmost node in Fig. … is an example of this). We find the maximum x of the level above that has a non-zero uplink and then ensure that the uplink of the rightmost node points to it ((14) and (15)).

$S = \{x : id(x, y)\ \text{has}\ uplink_x \ne 0\}$ (14)

$uplink \le \max(S)$ (15)



3.7 Valid Trees 

The constraints given in (5) to (15) define the set of trees which belong to our class. Figure 10 shows an example set of width n = 4. The white nodes are ones that appear in the generated solutions but are not considered to be part of the tree, since the root of the tree is the highest node with more than one child.



3.8 Using the Constraint Representation 

The constraints which have been defined in the sections above describe a general class of trees. The next step is to introduce aspects of the grouping structure to reduce this large set of trees to only those trees that correspond to the piece of music being analysed.

³ By ‘rightmost’ we mean the node on the current level with the maximum x-coordinate that has a non-zero uplink.

Fig. 10. All the trees of width four (n = 4)

Every point in the musical score where a grouping boundary could occur is identified; for each of these points we then measure the relative strength of this boundary against the surrounding ones. Every boundary point can then be used to determine the shape of the tree by ensuring that every pair of notes intersected by a boundary corresponds to a pair of nodes separated in the tree set.

To separate the nodes in a tree, we need to ensure that the parents of the nodes are not the same, and if we have a measure of relative strength between boundaries, we can specify how far towards the root the nodes need to be separated. The algorithm below shows how this is implemented:

Repel(idA, idB, strength)
  if (strength ≥ 1) then
    parent(idA) ≠ parent(idB)
    Repel(parent(idA), parent(idB), strength − 1)
  endif

This recursive predicate takes two nodes and a strength argument and recursively ensures that the nodes are separated up to a height strength. Figure 11 shows an example tree where the tree is divided into two subtrees by a Repel constraint that is applied with strength = 1 between the second and third leaf nodes.

Fig. 11. How Repel affects the tree
4 Results

We generated all the trees up to width n = 7 and found a similarity with an entry in the Online Encyclopedia of Integer Sequences (Sloane). It matched a sequence discovered by the mathematician Arthur Cayley based upon this particular class of trees, which has the recurrence shown in (16) and (17). This recurrence defines the number of trees that belong to our class that are of width n.



$a(0) = 1$ (16)

$a(n) = \sum_{k=1}^{n} \binom{n}{k}\, a(n-k)$ (17)⁴

Using our representation, the approximate formula, derived experimentally, for the number of constraints to represent the set of all the trees of width n is given in (18).

Constraints ≈ 11n^…/24 (18)



The number of trees of width n grows rapidly (e.g. the number of trees of width 50 is 1.995 × 10^…). By contrast, the number of constraints it takes to represent the same number of trees is 1.1 × 10^….

Figure 12 shows how the number of trees grows in comparison to the number of constraints as we increase the width of the tree. The number of trees increases at a greater than exponential rate whereas the number of constraints increases at a low-order polynomial rate.
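As an added example (not code from the paper), the following Python enumerates the class of trees defined in Section 1 directly, one level at a time, and compares the count with Cayley's recurrence (16)–(17). The tree encoding as nested tuples and the function names are mine; in this enumeration a(n) is the number of trees with n + 1 leaves (13 trees of width 4), which the checks below confirm.

```python
from functools import lru_cache
from math import comb


@lru_cache(maxsize=None)
def cayley(n):
    """Cayley's recurrence (16)-(17): a(0) = 1, a(n) = sum_k C(n, k) a(n - k)."""
    if n == 0:
        return 1
    return sum(comb(n, k) * cayley(n - k) for k in range(1, n + 1))


def compositions(n, parts):
    """Ordered compositions of n into `parts` positive integers."""
    if parts == 1:
        yield (n,)
        return
    for first in range(1, n - parts + 2):
        for rest in compositions(n - first, parts - 1):
            yield (first,) + rest


def build(frontier):
    """All trees of the class whose lowest level is the ordered list `frontier`.

    A tree is a nested tuple and a leaf is the empty tuple, so the encoding is
    rooted and ordered by construction.  Each level above the frontier is an
    ordered composition of the frontier into parent nodes.  Using fewer parents
    than nodes (j < n) forces some parent to have at least two children (the
    level is strict), and grouping every node keeps all leaves at one depth.
    """
    n = len(frontier)
    if n == 1:                      # one node left: it is the root
        return [frontier[0]]
    trees = []
    for j in range(1, n):
        for comp in compositions(n, j):
            parents, pos = [], 0
            for size in comp:
                parents.append(tuple(frontier[pos:pos + size]))
                pos += size
            trees.extend(build(parents))
    return trees


def enumerate_trees(n):
    """All rooted, ordered, constant-depth, strict trees with n leaves."""
    return build([()] * n)


def count_trees(n):
    return len(enumerate_trees(n))


def levels(tree):
    """Nodes grouped by depth, root first."""
    result, frontier = [], [tree]
    while frontier:
        result.append(frontier)
        frontier = [child for node in frontier for child in node]
    return result


def in_class(tree):
    """Check constant depth and strictness on an arbitrary nested tuple."""
    lvls = levels(tree)
    # Constant depth: no leaf (empty tuple) may occur above the last level.
    if any(not node for level in lvls[:-1] for node in level):
        return False
    # Strict: every internal level has a node with at least two children.
    return all(any(len(node) >= 2 for node in level) for level in lvls[:-1])


if __name__ == "__main__":
    for n in range(1, 8):
        print(n, count_trees(n), cayley(n - 1))
```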



5 Conclusions 

This paper presents our research on representing a specific class of trees with 
constraint logic programming. Although the number of constraints needed to 
represent these large sets of trees is comparatively small, the computational 
time needed to solve the constraints is not. 

The representation currently restricts the trees to have leaf nodes at the same 
depth; however, it does allow the addition of quite simple constraints to change 
the class of trees represented. For example, to restrict the trees to strictly binary 
trees we need only add the constraint du = dl + 1. 

With the use of constraints we have delayed the generation of trees until we have added all the possible restrictions; this offers a great reduction in complexity and allows us to manipulate trees of greater width than would normally be possible.

⁴ Where $\binom{n}{k}$ is the standard n choose k formula.

Fig. 12. A graph showing how the number of trees and number of constraints grows with the width of the tree

Dominance Constraints with Set Operators

Abstract. Dominance constraints are widely used in computational linguistics as a language for talking and reasoning about trees. In this paper, we extend dominance constraints by admitting set operators. We present a solver for dominance constraints with set operators, which is based on propagation and distribution rules, and prove its soundness and completeness. From this solver, we derive an implementation in a constraint programming language with finite sets and prove its faithfulness.



1 Introduction 

The dominance relation of a tree is the ancestor relation between its nodes. Logical descriptions of trees via dominance have been investigated in computer science since the beginning of the sixties, for instance in the logics (W)SkS [15, 16]. In computational linguistics, the importance of dominance based tree descriptions for deterministic parsing was discovered at the beginning of the eighties [9]. Since then, tree descriptions based on dominance constraints have become increasingly popular [14, 1]. Meanwhile, they are used for tree-adjoining and D-tree grammars [17, 13, 3], for underspecified representation of scope ambiguities in semantics [12, 4] and for underspecified descriptions of discourse structure [5].

A dominance constraint describes a finite tree by conjunctions of literals with variables for nodes. A dominance literal $x \triangleleft^* y$ requires x to denote one of the ancestors of the denotation of y. A labeling literal $x{:}f(x_1, \ldots, x_n)$ expresses that the node denoted by x is labeled with symbol f and has the sequence of children referred to by $x_1, \ldots, x_n$. Solving dominance constraints is an essential service required by applications in e.g. semantics and discourse. Even though satisfiability of dominance constraints is NP-complete [8], it appears that dominance constraints occurring in these applications can be solved rather efficiently [2, 7].

For a typical application of dominance constraints in semantic underspecifi- 
cation of scope we consider the sentence: every yogi has a guru. This sentence is 
semantically ambiguous, even though its syntactic structure is uniquely deter- 
mined. The trees in Figure 1 specify both meanings: either there exists a common 
guru for every yogi, or every yogi has his own guru. Both trees (and thus mean- 
ings) can be represented in an underspecified manner through the dominance 
constraint in Figure 2. 

In this paper, we propose to extend dominance constraints by admitting set operators: union, intersection, and complementation can be applied to the relations of dominance $\triangleleft^*$ and inverse dominance $\triangleright^*$. Set operators contribute a controlled form of disjunction and negation that is eminently well-suited for constraint propagation while less expressive than general Boolean connectives. Set operators allow one to express proper dominance, disjointness, nondisjointness, nondominance, and unions thereof. Such a rich set of relations is important for specifying powerful constraint propagation rules for dominance constraints, as we will argue in the paper.

Fig. 1. Sets of trees represent sets of meanings.

$x_0{:}\mathrm{forall}(x_1, x_2) \land y_0{:}\mathrm{exists}(y_1, y_2) \land x_1{:}\mathrm{yogi} \land x_2 \triangleleft^* z \land y_1{:}\mathrm{guru} \land y_2 \triangleleft^* z \land z{:}\mathrm{has}$

Fig. 2. A single tree description as underspecified representation of all meanings.

We first present a system of abstract saturation rules for propagation and 
distribution, which solve dominance constraints with set operators. We illustrate 
the power of the propagation rules and prove soundness, completeness, and ter- 
mination in nondeterministic polynomial time. We then derive a concrete imple- 
mentation in a constraint programming language with finite sets [11, 6] and prove 
its faithfulness to the abstract saturation rules. The resulting solver is not only 
well suited for formal reasoning but also improves in expressiveness on the sat- 
uration based solver for pure dominance constraints of [8] and produces smaller 
search trees than the earlier set based implementation of [2] because it requires 
less explicit solved forms. For omitted proofs, we globally refer to the extended 
version of this paper available from http://www.ps.uni-sb.de/Papers/. 



2 Dominance Constraints 

We first define tree structures and then dominance constraints with set operators, which are interpreted in the class of tree structures. We assume a signature $\Sigma$ of function symbols ranged over by f, g, each of which is equipped with an arity $ar(f) \ge 0$. Constants, function symbols of arity 0, are ranged over by a, b. We assume that $\Sigma$ contains at least one constant and one symbol of arity at least 2. We are interested in finite constructor trees that can be seen as ground terms over $\Sigma$ such as $f(g(a, b))$ in Fig. 3.

We define an (unlabeled) tree to be a finite directed graph (V, E). V is a finite set of nodes ranged over by u, v, w, and $E \subseteq V \times V$ is a finite set of edges. The in-degree of each node is at most 1; each tree has exactly one root, i.e. a node with in-degree 0. We call the nodes with out-degree 0 the leaves of the tree.



A (finite) constructor tree $\tau$ is a triple (V, E, L) consisting of a tree (V, E), and labelings $L : V \to \Sigma$ for nodes and $L : E \to \mathbb{N}$ for edges, such that any node $u \in V$ has exactly one outgoing edge with label k for each $1 \le k \le ar(L(u))$, and no other outgoing edges. We draw constructor trees as in Fig. 3, by annotating nodes with their labels and ordering the edges by increasing labels from left to right. If $\tau = (V, E, L)$, we write $V_\tau = V$, $E_\tau = E$, $L_\tau = L$.

Fig. 3. $f(g(a, b))$



Definition 1. The tree structure $\mathcal{M}^\tau$ of a finite constructor tree $\tau$ over $\Sigma$ is the first-order structure with domain $V_\tau$ which provides the dominance relation $\triangleleft^{*\tau}$ and a labeling relation of arity $ar(f) + 1$ for each function symbol $f \in \Sigma$. These relations are defined such that for all $u, v, v_1, \ldots, v_n \in V_\tau$:

$u \triangleleft^{*\tau} v$ iff there is a path from u to v with edges in $E_\tau$;

$u{:}f^\tau(v_1, \ldots, v_n)$ iff $L_\tau(u) = f$, $ar(f) = n$, and $L_\tau(u, v_i) = i$ for all $1 \le i \le n$.

We consider the following set operators on binary relations: inversion $^{-1}$, union $\cup$, intersection $\cap$, and complementation $\neg$. We write $\triangleright^{*\tau}$ for the inverse of dominance $\triangleleft^{*\tau}$, equality $=^\tau$ for the intersection $\triangleleft^{*\tau} \cap \triangleright^{*\tau}$, inequality $\ne^\tau$ for the complement of equality, proper dominance $\triangleleft^{+\tau}$ as dominance but not equality, $\triangleright^{+\tau}$ for the inverse of proper dominance, and disjointness $\bot^\tau$ for $\neg\triangleleft^{*\tau} \cap \neg\triangleright^{*\tau}$.

Most importantly, the following partition holds in all tree structures $\mathcal{M}^\tau$:

$V_\tau \times V_\tau = {=^\tau} \uplus \triangleleft^{+\tau} \uplus \triangleright^{+\tau} \uplus \bot^\tau$

Thus, all relations that set operators can generate from dominance $\triangleleft^{*\tau}$ have the form $\bigcup\{r^\tau \mid r \in R\}$ for some set of relation symbols $R \subseteq \{=, \triangleleft^+, \triangleright^+, \bot\}$.

For defining the constraint language, we let x, y, z range over an infinite set of node variables. A dominance constraint with set operators $\varphi$ has the following abstract syntax (that leaves set operators implicit):

$\varphi ::= xRy \mid x{:}f(x_1, \ldots, x_n) \mid \varphi \land \varphi' \mid \mathit{false}$

where $R \subseteq \{=, \triangleleft^+, \triangleright^+, \bot\}$ is a set of relation symbols and $n = ar(f)$. Constraints are interpreted in the class of tree structures over $\Sigma$. For instance, a constraint $x\,\{=, \bot\}\,y$ expresses that the nodes denoted by x and y are either equal or lie in disjoint subtrees. In general, a set R of relation symbols is interpreted in $\mathcal{M}^\tau$ as the union $\bigcup\{r^\tau \mid r \in R\}$.

We write $Vars(\varphi)$ for the set of variables occurring in $\varphi$. A solution of a constraint $\varphi$ consists of a tree structure $\mathcal{M}^\tau$ and a variable assignment $\alpha : Vars(\varphi) \to V_\tau$. We write $(\mathcal{M}^\tau, \alpha) \models \varphi$ if all constraints of $\varphi$ are satisfied by $(\mathcal{M}^\tau, \alpha)$ in the usual Tarskian sense. For convenience we admit syntactic sugar and allow constraints of the form xSy to be written, where S is a set expression:

$S ::= R \mid = \mid \triangleleft^* \mid \triangleright^* \mid \ne \mid \triangleleft^+ \mid \triangleright^+ \mid \bot \mid \neg S \mid S_1 \cup S_2 \mid S_1 \cap S_2 \mid S^{-1}$
Propagation Rules:

(Clash) $x\,\emptyset\,y \to \mathit{false}$

(Dom.Refl) $\to x \triangleleft^* x$ (x occurs in $\varphi$)

(Dom.Trans) $x \triangleleft^* y \land y \triangleleft^* z \to x \triangleleft^* z$

(Eq.Decom) $x{:}f(x_1, \ldots, x_n) \land y{:}f(y_1, \ldots, y_n) \land x = y \to \bigwedge_{i=1}^{n} x_i = y_i$

(Lab.Ineq) $x{:}f(\ldots) \land y{:}g(\ldots) \to x \ne y$ if $f \ne g$

(Lab.Disj) $x{:}f(\ldots, x_i, \ldots, x_j, \ldots) \to x_i \bot x_j$ where $1 \le i < j \le n$

(Lab.Dom) $x{:}f(\ldots, y, \ldots) \to x \triangleleft^+ y$

(Inter) $xR_1y \land xR_2y \to xRy$ if $R_1 \cap R_2 \subseteq R$

(Inv) $xRy \to yR^{-1}x$

(Disj) $x \bot y \land y \triangleleft^* z \to x \bot z$

(NegDisj) $x \triangleleft^* z \land y \triangleleft^* z \to x \neg\bot y$

(Child.up) $x \triangleleft^* y \land x{:}f(x_1, \ldots, x_n) \land \bigwedge_{i=1}^{n} x_i \neg\triangleleft^* y \to y = x$

Distribution Rules:

(Distr.Child) $x \triangleleft^* y \land x{:}f(x_1, \ldots, x_n) \to x_i \triangleleft^* y \lor x_i \neg\triangleleft^* y$ ($1 \le i \le n$)

(Distr.NegDisj) $x \neg\bot y \to x \triangleleft^* y \lor x \neg\triangleleft^* y$

Fig. 4. Saturation rules D of the Base Solver



Clearly, every set expression S can be translated to a set R of relation symbols denoting the same relation. In all tree structures, $x\,\neg S\,y$ is equivalent to $\neg\,xSy$ and $x\,S_1 \cup S_2\,y$ to $xS_1y \lor xS_2y$. Thus our formalism allows a controlled form of negation and disjunction without admitting full Boolean connectives.



3 A Saturation Algorithm 

We now present a solver for dominance constraints with set operators. First, we give a base solver which saturates a constraint with respect to a set of propagation and distribution rules, and prove soundness, completeness, and termination of saturation in nondeterministic polynomial time. Second, we add optional propagation rules, which enhance the propagation power of the base solver.

The base solver is specified by the rule schemes in Figure 4. Let D be the (infinite) set of rules instantiating these schemes. Each rule is an implication between a constraint and a disjunction of constraints. We distinguish propagation rules $\varphi_1 \to \varphi_2$ which are deterministic and distribution rules $\varphi_1 \to \varphi_2 \vee \varphi_2'$ which are nondeterministic.

Proposition 1 (Soundness). The rules of D are valid in all tree structures. 

The inference system D can be interpreted as a saturation algorithm which decides the satisfiability of a constraint. A propagation rule $\varphi_1 \to \varphi_2$ applies to a constraint $\varphi$ if all atomic constraints in $\varphi_1$ belong to $\varphi$ but at least one of the atomic constraints in $\varphi_2$ does not. In this case, saturation proceeds with $\varphi \wedge \varphi_2$. A distribution rule $\varphi_1 \to \varphi_2 \vee \varphi_2'$ applies to a constraint $\varphi$ if both rules $\varphi_1 \to \varphi_2$ and $\varphi_1 \to \varphi_2'$ could be applied to $\varphi$. In this case, one of these two rules is non-deterministically chosen and applied. A constraint is called D-saturated if none of the rules in D can be applied to it.

Proposition 2 (Termination). The maximal number of iterated D-saturation steps on a constraint is polynomially bounded in the number of its variables.

Proof. Let $\varphi$ be a constraint with $m$ variables. Each D-saturation step adds at least one new literal to $\varphi$. Only $O(m^2)$ literals can be added since all of them have the form $x R y$ where $x, y \in \mathrm{Vars}(\varphi)$ and $R$ has 16 possible values.

Next, we illustrate prototypical inconsistencies and how D-saturation detects them. We start with the constraint $x{:}f(x_1,x_2) \wedge x_1 \lhd^* z \wedge x_2 \lhd^* z$ in Fig. 5 which is unsatisfiable since siblings cannot have a common descendant. Indeed, the disjointness of the siblings $x_1 \bot x_2$ can be derived from (Lab.Disj) whereas $x_1 \,\neg\bot\, x_2$ follows from (NegDisj) since $x_1$ and $x_2$ have the common descendant $z$.

To illustrate the first distribution rule, we consider the unsatisfiable constraint $x{:}f(x_1) \wedge x \lhd^* y \wedge x_1{:}a \wedge y{:}b$ in Fig. 6 where $a \neq b$. We can decide the position of $y$ with respect to $x$ by applying rule (Distr.Child) which either adds $x_1 \lhd^* y$ or $x_1 \,\neg\lhd^*\, y$. (1) If $x_1 \,\neg\lhd^*\, y$ is added, propagation with (Child.up) yields $x = y$. As $x$ and $y$ carry distinct labels, rule (Lab.Ineq) adds $x \neq y$. Now, we can deduce $x\,\emptyset\,y$ by intersecting equality and inequality (Inter). Thus, the (Clash) rule applies. (2) If $x_1 \lhd^* y$ is added then (Child.up) yields $x_1 = y$ which again clashes because of distinct labels.

The second distribution rule helps detect the inconsistency of $x{:}f(z) \wedge y{:}g(z)$ in Fig. 7 where $f \neq g$. In a first step one can infer from (Lab.Dom) that $x \lhd^+ z$ and $y \lhd^+ z$. As the (Inter) rule allows to weaken relations, we also have $x \lhd^* z$ and $y \lhd^* z$, i.e. $x \,\neg\bot\, y$ by (NegDisj), so that (Distr.NegDisj) can deduce either $x \lhd^* y$ or $x \,\neg\lhd^*\, y$. Consider the case $x \lhd^* y$: from $y \lhd^+ z$ derive $z \,\neg\lhd^*\, y$ by (Inv, Inter), and (Child.up) infers $y = x$ resulting in a clash due to the distinct labels. Similarly for the other case.
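The following Python program is an added example (it is not code from the paper, nor from the authors' Oz solver) that implements the rule schemes of Fig. 4 and replays the three derivations above. It keeps, for every ordered pair of variables, the strongest relation set derived so far, so "$x R y$ in $\varphi$" is read as "the set kept for $(x,y)$ is contained in $R$"; (Inter) and (Inv) are built into every update, (Clash) is an exception, and the two distribution rules drive a depth-first search. Variable names, function symbols and the `Constraint` class are constructed for this illustration. Run on the constraints of Figs. 5, 6 and 7 it reports unsatisfiability, closing both branches of Fig. 6 and Fig. 7 through (Child.up) and the distinct labels exactly as described in the text.

```python
from copy import deepcopy
from itertools import product

EQ, DOM, INV, DIS = "=", "<+", ">+", "_|_"       # the base relations =, ◁+, ▷+, ⊥
ALL = frozenset((EQ, DOM, INV, DIS))
DOMSTAR = frozenset((EQ, DOM))                    # ◁* = {=, ◁+}; its complement ¬◁* is ALL - DOMSTAR
INVERSE = {EQ: EQ, DOM: INV, INV: DOM, DIS: DIS}

class Clash(Exception):
    """Some pair reached the empty relation set: rule (Clash)."""

class Constraint:
    """rel[(x, y)]: strongest relation set for the ordered pair, so 'x R y in φ' iff rel[(x, y)] ⊆ R;
    lab[x] = (f, children) records a labelling literal x:f(...)."""
    def __init__(self, variables, labels=(), rels=()):
        self.vars, self.lab = list(variables), {}
        self.rel = {(x, y): ALL for x in self.vars for y in self.vars}
        for x in self.vars:
            self.add(x, DOMSTAR, x)                       # (Dom.Refl); (Inv) and (Inter) then give x = x
        for x, f, kids in labels:
            self.label(x, f, kids)
        for x, R, y in rels:
            self.add(x, frozenset(R), y)

    def has(self, x, R, y):
        return self.rel[(x, y)] <= R

    def add(self, x, R, y):
        """Conjoin x R y: (Inter) on the pair, (Inv) on the mirrored pair, (Clash) if empty."""
        new = self.rel[(x, y)] & R
        if x == y:                                        # a reflexive pair must equal its own inverse
            new &= frozenset(INVERSE[r] for r in new)
        if not new:
            raise Clash
        if new == self.rel[(x, y)]:
            return False
        self.rel[(x, y)], self.rel[(y, x)] = new, frozenset(INVERSE[r] for r in new)
        return True

    def label(self, x, f, kids):
        self.lab[x] = (f, list(kids))
        for i, a in enumerate(kids):
            self.add(x, {DOM}, a)                         # (Lab.Dom)
            for b in kids[i + 1:]:
                self.add(a, {DIS}, b)                     # (Lab.Disj)

    def propagate(self):
        """Apply the propagation rules of Fig. 4 until nothing changes."""
        changed = True
        while changed:
            changed = False
            for x, y in product(self.vars, self.vars):
                if x != y and x in self.lab and y in self.lab:
                    (f, xs), (g, ys) = self.lab[x], self.lab[y]
                    if f != g or len(xs) != len(ys):
                        changed |= self.add(x, ALL - {EQ}, y)          # (Lab.Ineq)
                    elif self.has(x, {EQ}, y):
                        for a, b in zip(xs, ys):
                            changed |= self.add(a, {EQ}, b)            # (Eq.Decom)
                for z in self.vars:
                    if self.has(x, DOMSTAR, y) and self.has(y, DOMSTAR, z):
                        changed |= self.add(x, DOMSTAR, z)             # (Dom.Trans)
                    if self.has(x, {DIS}, y) and self.has(y, DOMSTAR, z):
                        changed |= self.add(x, {DIS}, z)               # (Disj)
                    if self.has(x, DOMSTAR, z) and self.has(y, DOMSTAR, z):
                        changed |= self.add(x, ALL - {DIS}, y)         # (NegDisj)
                if x in self.lab and self.has(x, DOMSTAR, y) and \
                        all(self.has(a, ALL - DOMSTAR, y) for a in self.lab[x][1]):
                    changed |= self.add(y, {EQ}, x)                    # (Child.up)

    def choice(self):
        """The two alternatives of an applicable distribution rule, or None when D-saturated."""
        def undecided(a, y):                              # neither a ◁* y nor a ¬◁* y is known yet
            return not self.has(a, DOMSTAR, y) and not self.has(a, ALL - DOMSTAR, y)
        for x, y in product(self.vars, self.vars):
            if self.has(x, ALL - {DIS}, y) and undecided(x, y):       # (Distr.NegDisj)
                return (x, DOMSTAR, y), (x, ALL - DOMSTAR, y)
            if x in self.lab and self.has(x, DOMSTAR, y):             # (Distr.Child)
                for a in self.lab[x][1]:
                    if undecided(a, y):
                        return (a, DOMSTAR, y), (a, ALL - DOMSTAR, y)
        return None

def solved_forms(phi, stats):
    """Non-deterministic D-saturation as depth-first search; yields every D-solved form reached."""
    try:
        phi.propagate()
    except Clash:
        return
    alt = phi.choice()
    if alt is None:
        yield phi
        return
    for x, R, y in alt:
        stats["branches"] += 1
        child = deepcopy(phi)
        try:
            child.add(x, R, y)
        except Clash:
            continue
        yield from solved_forms(child, stats)

def satisfiable(phi):
    """Returns (is satisfiable, number of distribution branches explored before deciding)."""
    stats = {"branches": 0}
    return any(True for _ in solved_forms(deepcopy(phi), stats)), stats["branches"]

# Constructed inputs: the three unsatisfiable constraints of Figs. 5, 6 and 7.
FIG5 = Constraint(["x", "x1", "x2", "z"], labels=[("x", "f", ["x1", "x2"])],
                  rels=[("x1", DOMSTAR, "z"), ("x2", DOMSTAR, "z")])
FIG6 = Constraint(["x", "x1", "y"], labels=[("x", "f", ["x1"]), ("x1", "a", []), ("y", "b", [])],
                  rels=[("x", DOMSTAR, "y")])
FIG7 = Constraint(["x", "y", "z"], labels=[("x", "f", ["z"]), ("y", "g", ["z"])])
```

`satisfiable(FIG5)` fails already during propagation (no branch is opened), while `FIG6` and `FIG7` each need one distribution step whose two branches both clash. A fully labelled tree such as $x{:}f(x_1,x_2) \wedge x_1{:}a \wedge x_2{:}b$ is D-saturated after propagation alone and is reported satisfiable with zero branches.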

Definition 2. A D-solved form is a D-saturated constraint without false. 




Fig. 5. (Neg.Disj)

Fig. 6. (Distr.Child)

Fig. 7. (Distr.NegDisj)
The intuition is that a D-solved form has a backbone which is a dominance forest, i.e. a forest with child and dominance edges. For instance, Fig. 8 shows the dominance forest underlying $x_1{:}f(x_4) \wedge x_4 \lhd^* x_5 \wedge x_4 \lhd^* x_6 \wedge x_2 \lhd^* x_3 \wedge x_5 \bot x_6$ which becomes D-solved by D-propagation.

Fig. 8. D-solved form

We would like to note that the set based solver for dominance constraints of [2] insists on more explicit solved forms: for each two variables, one of the relations $\{=, \lhd^+, \rhd^+, \bot\}$ must be selected. For the dominance forest in Fig. 8, this leads to 63 explicit solutions instead of a single D-solved form. The situation is even worse for the formula $x_1 \lhd^* x_2 \wedge x_2 \lhd^* x_3 \wedge \dots \wedge x_{n-1} \lhd^* x_n$. This constraint can be deterministically D-solved by D-propagation whereas the implementation of [2] computes a search tree of size $2^n$.

Proposition 3 (Completeness). Every D-solved form has a solution.

The proof is given in Section 4. The idea for constructing a solution of a D-solved form is to turn its underlying dominance forest into a tree, by adding labels such that dominance children are placed at disjoint positions whenever possible. For instance, a solution of the dominance forest in Fig. 8 is drawn in Fig. 9. Note that this solution does also satisfy $x_5 \bot x_6$ which belongs to the above constraint but not to its dominance forest. This solution is obtained from the dominance forest in Fig. 8 by adding a root node and node labels by which all dominance edges are turned into child edges.

Fig. 9. A solution.

Theorem 1. Saturation by the inference rules in D decides the satisfiability of a dominance constraint with set operators in non-deterministic polynomial time.

Proof. Let $\varphi$ be a dominance constraint with set operators. Since all rules in D are sound (Proposition 1) and terminate (Proposition 2), $\varphi$ is equivalent to the disjunction of all D-solved forms reachable from $\varphi$ by non-deterministic D-saturation. Completeness (Proposition 3) yields that $\varphi$ is satisfiable iff there exists a D-solved form reachable from $\varphi$.

We can reduce the search space of D-saturation by adding optional propagation rules O. Taking advantage of set operators, we can define rather powerful propagation rules. The schemes in Fig. 10, for instance, exploit the complementation set operator, and are indeed supported by the set based implementation of Section 6. For lack of space, we omit further optional rules that can be expressed by set operators and are also implemented by our solver. Instead, we illustrate O in the situation below which arises naturally when resolving scope ambiguities as in Figure 2.

$$x{:}f(x_1,x_2) \wedge y{:}g(y_1,y_2) \wedge x_2 \lhd^* z \wedge y_1 \lhd^* z \wedge x \lhd^* y$$

(Child.down)   $x \lhd^+ y \wedge x{:}f(x_1,\dots,x_n) \wedge \bigwedge_{j \neq i} x_j \,\neg\lhd^*\, y \to x_i \lhd^* y$

(NegDom)       $x \bot y \wedge y \,\neg\bot\, z \to x \,\neg\lhd^*\, z$

Fig. 10. Some Optional Propagation Rules O

We derive $x \lhd^+ y$ by (Lab.Ineq, Inter), $x_1 \bot x_2$ by (Lab.Disj), and $x_2 \,\neg\bot\, y$ by (Dom.Trans, NegDisj). We combine the latter two using optional rule (NegDom) into $x_1 \,\neg\lhd^*\, y$. Finally, optional rule (Child.down) yields $x_2 \lhd^* y$ whereby the situation is resolved.



4 Completeness Proof 

We now prove Proposition 3 which states completeness in the sense that every D-solved form is satisfiable. We proceed in two steps. First, we identify simple D-solved forms and show that they are satisfiable (Proposition 4). Then we show how to extend every D-solved form into a simple D-solved form by adding further constraints (Proposition 5).

Definition 3. A variable $x$ is labeled in $\varphi$ if $x = y$ in $\varphi$ and $y{:}f(y_1,\dots,y_n)$ in $\varphi$ for some variable $y$ and term $f(y_1,\dots,y_n)$. A variable $y$ is a root variable for $\varphi$ if $y \lhd^* z$ in $\varphi$ for all $z \in \mathrm{Vars}(\varphi)$. We call a constraint $\varphi$ simple if all its variables are labeled, and if there is a root variable for $\varphi$.

Proposition 4. A simple D-solved form is satisfiable.

Proof. By induction on the number of literals in a simple D-solved form $\varphi$. $\varphi$ has a root variable $z$. Since all variables in $\varphi$ are labeled there is a variable $z'$ and a term $f(z_1,\dots,z_n)$ such that $z = z' \wedge z'{:}f(z_1,\dots,z_n) \in \varphi$. We pose:

$$V = \{x \in \mathrm{Vars}(\varphi) \mid x = z \in \varphi\} \quad\text{and}\quad V_i = \{x \in \mathrm{Vars}(\varphi) \mid z_i \lhd^* x \in \varphi\}$$

for all $1 \le i \le n$. To see that $\mathrm{Vars}(\varphi)$ is covered by $V \cup V_1 \cup \dots \cup V_n$, let $x \in \mathrm{Vars}(\varphi)$ such that $z_i \lhd^* x \notin \varphi$ for all $1 \le i \le n$. Saturation with (Distr.Child) derives either $z_i \lhd^* x$ or $z_i \,\neg\lhd^*\, x$; but $z_i \lhd^* x \notin \varphi$ by assumption, therefore $z_i \,\neg\lhd^*\, x \in \varphi$ for all $1 \le i \le n$. (Child.up) infers $z = x \in \varphi$, i.e. $x \in V$. For a set $W \subseteq \mathrm{Vars}(\varphi)$ we define $\varphi|_W$ to be the conjunction of all literals $\psi \in \varphi$ with $\mathrm{Vars}(\psi) \subseteq W$.

$\varphi \models \varphi'$ and $\varphi' \models \varphi$ hold, where

$$\varphi' =_{\mathrm{def}} \varphi|_V \wedge z{:}f(z_1,\dots,z_n) \wedge \varphi|_{V_1} \wedge \dots \wedge \varphi|_{V_n}$$

$\varphi \models \varphi'$ follows from $\varphi' \subseteq \varphi$. To show $\varphi' \models \varphi$ we prove that each literal in $\varphi$ is entailed by $\varphi'$:

1. Case $x{:}g(x_1,\dots,x_m) \in \varphi$ for some variable $x$ and term $g(x_1,\dots,x_m)$. If $x \in V_i$, i.e. $z_i \lhd^* x \in \varphi$ for some $1 \le i \le n$, then $x{:}g(x_1,\dots,x_m) \in \varphi|_{V_i}$ since $\varphi$ is saturated under (Lab.Dom, Dom.Trans). Otherwise $x \in V$, i.e. $z = x \in \varphi$, and thus $z = x \in \varphi|_V$. Since $\varphi$ is clash free and saturated under (Lab.Ineq, Clash), $f = g$ and $n = m$ must hold. Saturation with respect to (Eq.Decom) implies $z_i = x_i \in \varphi$ for all $1 \le i \le n$ and hence $z_i = x_i \in \varphi|_{V_i}$. All together, the right hand side $\varphi'$ contains $z = x \wedge z{:}f(z_1,\dots,z_n) \wedge \bigwedge_{i=1}^{n} z_i = x_i$ which entails $x{:}g(x_1,\dots,x_m)$ as required.

2. Case $x R y \in \varphi$ for some variables $x, y$ and relation set $R \subseteq \{=, \lhd^+, \rhd^+, \bot\}$. Since $x, y \in V \cup V_1 \cup \dots \cup V_n$ we distinguish 4 possibilities:

(a) $x \in V_i$, $y \in V_j$, where $1 \le i \neq j \le n$. Here, $x \bot y \in \varphi$ by saturation under (Lab.Disj, Inv, Disj). Clash-freeness and saturation under (Inter, Clash) yield $\bot \in R$. Finally, $\varphi'$ entails $z_i \bot z_j$ and thus $x \bot y$ which in turn entails $x R y$.

(b) When $x, y \in V$ (resp. $V_i$), by definition $x R y \in \varphi|_V$ (resp. $\varphi|_{V_i}$).

(c) $x \in V$ and $y \in V_i$. Here, $x \lhd^+ y \in \varphi$ by saturation under (Lab.Dom, Dom.Trans). Thus $\lhd^+ \in R$ by saturation under (Inter, Clash) and clash-freeness of $\varphi$. But $\varphi'$ entails $z \lhd^+ z_i$ and thus $x \lhd^+ y$ which in turn entails $x R y$.

(d) The case $x \in V_i$ and $y \in V$ is symmetric to the previous one.

Next note that all $\varphi|_{V_i}$ are simple D-solved forms. By induction hypothesis there exist solutions $(\mathcal{M}^{\tau_i}, \alpha_i) \models \varphi|_{V_i}$ for all $1 \le i \le n$. Thus $(\mathcal{M}^{f(\tau_1,\dots,\tau_n)}, \alpha)$ is a solution of $\varphi$ if $\alpha|_{V_i} = \alpha_i$ and $\alpha(x) = \alpha(z)$ is the root node of $f(\tau_1,\dots,\tau_n)$ for all $x \in V$. □

An extension of a constraint $\varphi$ is a constraint of the form $\varphi \wedge \varphi'$ for some $\varphi'$. Given a constraint $\varphi$ we define a partial ordering $<_\varphi$ on its variables such that $x <_\varphi y$ holds if and only if $x \lhd^* y$ in $\varphi$ but not $y \lhd^* x$ in $\varphi$. If $x$ is unlabeled then we define the set $\mathrm{con}_\varphi(x)$ of variables connected to $x$ in $\varphi$ as follows:

$$\mathrm{con}_\varphi(x) = \{y \mid y \text{ is minimal with } x <_\varphi y\}$$

Intuitively, a variable $y$ is connected to $x$ if it is a "direct dominance child" of $x$. So for example, $\mathrm{con}_{\varphi_1}(x) = \{y\}$ and $\mathrm{con}_{\varphi_1}(y) = \{z\}$ for:

$$\varphi_1 := x \lhd^* x \wedge x \lhd^* y \wedge x \lhd^* z \wedge y \lhd^* z.$$

Definition 4. We call $V \subseteq \mathrm{Vars}(\varphi)$ a $\varphi$-disjointness set if for any two distinct variables $y_1, y_2 \in V$, $y_1 \,\neg\bot\, y_2$ is not in $\varphi$.

The idea is that all variables in a $\varphi$-disjointness set can safely be placed at disjoint positions in at least one of the trees solving $\varphi$.

Lemma 1. Let $\varphi$ be D-saturated, $x \in \mathrm{Vars}(\varphi)$. If $V$ is a maximal $\varphi$-disjointness set in $\mathrm{con}_\varphi(x)$ then for all $y \in \mathrm{con}_\varphi(x)$ there exists $z \in V$ such that $y = z$ in $\varphi$.

Proof. If $y \,\neg\bot\, z$ is not in $\varphi$ for all $z \in V$ then $\{y\} \cup V$ is a disjointness set; thus $y \in V$ by maximality of $V$. Otherwise, there exists $z \in V$ such that $y \,\neg\bot\, z$ in $\varphi$. Saturation of $\varphi$ with respect to rules (Distr.NegDisj, Inter) yields $y \lhd^* z$ in $\varphi$ or $z \lhd^* y$ in $\varphi$. In both cases, it follows that $z = y$ in $\varphi$ since $z$ and $y$ are both minimal elements in the set $\mathrm{con}_\varphi(x)$.

Lemma 2 (Extension by Labeling). Every D-solved form $\varphi$ with an unlabeled variable $x$ can be extended to a D-solved form with strictly fewer unlabeled variables, and in which $x$ is labeled.

Proof. Let $\{x_1,\dots,x_n\}$ be a maximal $\varphi$-disjointness set included in $\mathrm{con}_\varphi(x)$. Let $f$ be a function symbol of arity $n$ in $\Sigma$, which exists w.l.o.g. Otherwise, $f$ can be encoded from a constant and a symbol of arity $\ge 2$ whose existence in $\Sigma$ we assumed. We define the following extension $\mathrm{ext}(\varphi)$ of $\varphi$:

$$\mathrm{ext}(\varphi) =_{\mathrm{def}} \varphi \wedge x{:}f(x_1,\dots,x_n)$$
$$\wedge \bigwedge\{x R z \wedge z R^{-1} x \mid \lhd^+ \in R,\; x_i \lhd^* z \text{ in } \varphi,\; 1 \le i \le n\} \qquad (1)$$
$$\wedge \bigwedge\{y R z \mid \bot \in R,\; x_i \lhd^* y \text{ in } \varphi,\; x_j \lhd^* z \text{ in } \varphi,\; 1 \le i \neq j \le n\} \qquad (2)$$

Note that $x$ is labeled in $\mathrm{ext}(\varphi)$ since $x = x \in \varphi$ by saturation under (Dom.Refl). We have to verify that $\mathrm{ext}(\varphi)$ is D-solved, i.e. that none of the D-rules can be applied to $\mathrm{ext}(\varphi)$. We give the proof only for two of the more complex cases.

1. (Distr.Child) cannot be applied to $x{:}f(x_1,\dots,x_n)$: suppose $x \lhd^* y$ in $\varphi$ and consider the case $y \lhd^* x$ not in $\varphi$. Thus $x <_\varphi y$ and there exists $z \in \mathrm{con}_\varphi(x)$ with $z \lhd^* y$ in $\varphi$. Lemma 1 and the maximality of the $\varphi$-disjointness set $\{x_1,\dots,x_n\}$ yield $x_j = z$ in $\varphi$ for some $1 \le j \le n$. Thus, $x_j \lhd^* y$ in $\varphi$ by (Dom.Trans) and (Distr.Child) cannot be applied with $x_j$. For all $1 \le i \neq j \le n$ we can derive $x_i \bot y$ by (Lab.Dom, Disj, Inv), thus $x_i \,\neg\lhd^*\, y$ by (Inter) and (Distr.Child) cannot be applied with $x_i$ either.

2. (Inter) applies when $R_1 \cap R_2 \subseteq R$, $y R_1 z$ in $\mathrm{ext}(\varphi)$, and $y R_2 z$ in $\mathrm{ext}(\varphi)$. We prove $y R z$ in $\mathrm{ext}(\varphi)$ for the case where $y R_1 z$ in $\varphi$ and $y R_2 z$ is contributed to $\mathrm{ext}(\varphi)$ by (2). Thus, $\bot \in R_2$ and there exists $1 \le i \neq j \le n$ such that $x_i \lhd^* y$ in $\varphi$ and $x_j \lhd^* z$ in $\varphi$. It is sufficient to prove $\bot \in R_1$ since then $\bot \in R_1 \cap R_2 \subseteq R$ which implies $y R z$ in $\varphi$. We assume $\bot \notin R_1$ and derive a contradiction. If $\bot \notin R_1$ then $R_1 \subseteq \{=, \lhd^+, \rhd^+\}$. Thus, weakening $y R_1 z$ in $\varphi$ with (Inter) yields $y \,\neg\bot\, z$ in $\varphi$. Next, we can apply (Distr.NegDisj) which proves either $y \lhd^* z$ in $\varphi$ or $y \,\neg\lhd^*\, z$ in $\varphi$.

(a) If $y \lhd^* z$ in $\varphi$ then $x_i \lhd^* z$ in $\varphi$ follows from (Dom.Trans) and $x_i \,\neg\bot\, x_j$ in $\varphi$ from (NegDisj). This contradicts our assumption that $\{x_1,\dots,x_n\}$ is a $\varphi$-disjointness set.

(b) If $y \,\neg\lhd^*\, z$ in $\varphi$ then we have $y \,\neg\lhd^*\, z$ in $\varphi$ and $y \,\neg\bot\, z$ in $\varphi$ from which one can derive $y \rhd^* z$ in $\varphi$ with (Inter) and $z \lhd^* y$ in $\varphi$ with (Inv). From (Dom.Trans) we derive $x_j \lhd^* y$ in $\varphi$. Since we already know $x_i \lhd^* y$ in $\varphi$ we can apply (NegDisj) which shows $x_i \,\neg\bot\, x_j$ in $\varphi$. But again, this contradicts that $\{x_1,\dots,x_n\}$ is a $\varphi$-disjointness set. □

Proposition 5. Every D-solved form can be extended to a simple D-solved form.

Proof. Let $\varphi$ be D-solved. W.l.o.g., $\varphi$ has a root variable, else we choose a fresh variable $x$ and consider instead the D-solved extension $\varphi \wedge \bigwedge\{x R y \wedge y R^{-1} x \mid \lhd^+ \in R,\; y \in \mathrm{Vars}(\varphi)\}$. By Lemma 2, we can successively label all its variables. □

$$B ::= \mathit{false} \mid X_1 = X_2 \mid I \in D \mid i \in S \mid i \notin S \qquad (D \subseteq \Delta)$$
$$C ::= B \mid S_1 \cap S_2 = \emptyset \mid S_3 \subseteq S_1 \cup S_2 \mid C_1 \wedge C_2 \mid C_1 \,\mathrm{or}\, C_2$$

Fig. 11. Finite Domain and Finite Set Constraints



5 Constraint Programming with Finite Sets 

Current constraint programming technology provides no support for our D-saturation algorithm. Instead, improving on [2], we reformulate the task of finding solutions of a tree description as a constraint satisfaction problem solvable by constraint programming [11,6]. In this section, we define our target language. Its propagation rules are given in Fig. 12 and are used in proving correctness of implementation. Distribution rules, however, are typically problem dependent and we assume that they can be programmatically stipulated by the application. Thus, the concrete solver of Section 6 specifies its distribution rules in Figure 13.

Let $\Delta = \{1 \dots \mu\}$ be a finite set of integers for some large practical limit $\mu$ such as 134217726. We assume a set of integer variables with values in $\Delta$ and ranged over by $I$ and a set of set variables with values in $2^\Delta$ and ranged over by $S$. Integer and finite set variables are also both denoted by $X$.

The abstract syntax of our language is given in Fig. 11. We distinguish between basic constraints $B$, directly representable in the constraint store, and non-basic constraints $C$ acting as propagators and amplifying the store. The declarative semantics of these constraints is obvious (given that $C_1 \,\mathrm{or}\, C_2$ is interpreted as disjunction). We write $\beta \models C$ if $\beta$ is an assignment of integer variables to integers and set variables to sets which renders $C$ true (where set operators and Boolean connectives have the usual meaning).

We use the following abbreviations: we write $I \neq i$ for $I \in \Delta \setminus \{i\}$, $S_1 \parallel S_2$ for $S_1 \cap S_2 = \emptyset$, $S = D$ for $\bigwedge\{i \in S \mid i \in D\} \wedge \bigwedge\{i \notin S \mid i \in \Delta \setminus D\}$, $S_1 \subseteq S_2$ for $S_1 \subseteq S_2 \cup S_3 \wedge S_3 = \emptyset$, and $S = S_1 \uplus S_2$ for $S_1 \parallel S_2 \wedge S \subseteq S_1 \cup S_2 \wedge S_1 \subseteq S \wedge S_2 \subseteq S$.

The propagation rules for inference in this language are summarized in Fig. 12. The expression $C_1 \,\mathrm{or}\, C_2$ operates as a disjunctive propagator which does not invoke any case distinction. The propagation rules for disjunctive propagators use the saturation relation $\to_p^*$ induced by $\to_p$, which in turn is defined by recursion through (commit).
Equality:

(eq.subst)        $X_1 = X_2 \wedge B[X_j] \to_p B[X_k]$   $\{j,k\} = \{1,2\}$

Finite domain integer constraints:

(fd.conj)         $I \in D_1 \wedge I \in D_2 \to_p I \in D_1 \cap D_2$

(fd.clash)        $I \in \emptyset \to_p \mathit{false}$

Finite set constraints:

(fs.clash)        $i \in S \wedge i \notin S \to_p \mathit{false}$

(fs.disjoint)     $S_1 \cap S_2 = \emptyset \wedge i \in S_j \to_p i \notin S_k$   $\{j,k\} = \{1,2\}$

(fs.subset.neg)   $S_3 \subseteq S_1 \cup S_2 \wedge i \notin S_1 \wedge i \notin S_2 \to_p i \notin S_3$

(fs.subset.pos)   $S_3 \subseteq S_1 \cup S_2 \wedge i \in S_3 \wedge i \notin S_j \to_p i \in S_k$   $\{j,k\} = \{1,2\}$

Disjunctive propagators:

(commit)          $\dfrac{B \wedge C \to_p^* \mathit{false}}{B \wedge (C \,\mathrm{or}\, C') \to_p C'}$ $\qquad$ $\dfrac{B \wedge C' \to_p^* \mathit{false}}{B \wedge (C \,\mathrm{or}\, C') \to_p C}$

Fig. 12. Propagation Rules

Clearly, all propagation rules are valid formulas when seen as implications or as implications between implications in case of (commit).



6 Reduction to Finite Set Constraints 



We now reduce dominance constraints with set operators to finite set constraints 
of the language introduced above. This reduction yields a concrete implementa- 
tion of the abstract dominance constraint solver when realized in a constraint 
programming system such as [11,6]. 

The underlying idea is to represent a literal $x R y$ by a membership expression $y \in R(x)$ where $R(x)$ is a set variable denoting a finite set of nodes in a tree. This idea is fairly general in that it does not depend on the particular relations interpreting the relation symbols. Our encoding consists of 3 parts:

$$[\![\varphi]\!] = \bigwedge_{x \in \mathrm{Vars}(\varphi)} A_1(x) \;\wedge \bigwedge_{x,y \in \mathrm{Vars}(\varphi)} A_2(x,y) \;\wedge\; B[\![\varphi]\!]$$

$A_1(\cdot)$ introduces a node representation per variable, $A_2(\cdot)$ axiomatizes the treeness of the relations between these nodes, and $B[\![\varphi]\!]$ encodes the specific restrictions imposed by $\varphi$.

Representation. When observed from a specific node $x$, the nodes of a solution tree (hence the variables that they interpret) are partitioned into 4 regions: $x$ itself, all nodes above, all nodes below, and all nodes to the side. The main idea is to introduce corresponding set variables.

Let MAX be the maximum constructor arity used in $\varphi$. For each formal variable $x$ in $\varphi$ we choose a distinct integer $\iota_x$ to represent it, and introduce $7 + \mathrm{MAX}$ constraint set variables written $\mathit{Eq}_x, \mathit{Up}_x, \mathit{Down}_x, \mathit{Side}_x, \mathit{Equp}_x, \mathit{Eqdown}_x, \mathit{Parent}_x, \mathit{Down}^i_x$ for $1 \le i \le \mathrm{MAX}$, and one constraint integer variable $\mathit{Label}_x$. First we state that $x = x$:

$$\iota_x \in \mathit{Eq}_x \qquad (3)$$

$\mathit{Eq}_x, \mathit{Up}_x, \mathit{Down}_x, \mathit{Side}_x$ encode the set of variables that are respectively equal, above, below, and to the side (i.e. disjoint) of $x$. Thus, posing $\mathcal{I} = \{\iota_x \mid x \in \mathrm{Vars}(\varphi)\}$ for the set of integers encoding $\mathrm{Vars}(\varphi)$, we have:

$$\mathcal{I} = \mathit{Eq}_x \uplus \mathit{Down}_x \uplus \mathit{Up}_x \uplus \mathit{Side}_x$$

We can improve propagation by introducing $\mathit{Eqdown}_x$ and $\mathit{Equp}_x$ as intermediate results. This improvement is required by (Dom.Trans):

$$\mathcal{I} = \mathit{Eqdown}_x \uplus \mathit{Up}_x \uplus \mathit{Side}_x \quad (4) \qquad\qquad \mathit{Eqdown}_x = \mathit{Eq}_x \uplus \mathit{Down}_x \quad (6)$$
$$\mathcal{I} = \mathit{Equp}_x \uplus \mathit{Down}_x \uplus \mathit{Side}_x \quad (5) \qquad\qquad \mathit{Equp}_x = \mathit{Eq}_x \uplus \mathit{Up}_x \quad (7)$$

$\mathit{Down}^i_x$ encodes the set of variables in the subtree rooted at $x$'s $i$th child (empty if there is no such child):

$$\mathit{Down}_x = \biguplus\{\mathit{Down}^i_x \mid 1 \le i \le \mathrm{MAX}\} \qquad (8)$$

We define $A_1(x)$ as the conjunction of the constraints introduced above:

$$A_1(x) = (3) \wedge (4) \wedge (5) \wedge (6) \wedge (7)$$



Wellformedness. Posing $\mathrm{Rel} = \{=, \lhd^+, \rhd^+, \bot\}$. In a tree, the relationship that obtains between the nodes denoted by $x$ and $y$ must be one in Rel. We introduce an integer variable $C_{xy}$, called a choice variable, to explicitly represent it and contribute a well-formedness clause $A_3[\![x\,r\,y]\!]$ for each $r \in \mathrm{Rel}$. Freely identifying the symbols in Rel with the integers 1, 2, 3, 4, we write:

$$A_2(x,y) = C_{xy} \in \mathrm{Rel} \wedge \bigwedge\{A_3[\![x\,r\,y]\!] \mid r \in \mathrm{Rel}\} \qquad (9)$$
$$A_3[\![x\,r\,y]\!] = D[\![x\,r\,y]\!] \wedge C_{xy} = r \;\;\mathrm{or}\;\; C_{xy} \neq r \wedge D[\![x\,\neg r\,y]\!] \qquad (10)$$

For all $r \in \mathrm{Rel}$, it remains to define $D[\![x\,r\,y]\!]$ and $D[\![x\,\neg r\,y]\!]$ encoding the relations $x\,r\,y$ and $x\,\neg r\,y$ resp. by set constraints on the representations of $x$ and $y$.

$D[\![x = y]\!]$ = $\mathit{Eq}_x = \mathit{Eq}_y \wedge \mathit{Up}_x = \mathit{Up}_y \wedge \mathit{Down}_x = \mathit{Down}_y \wedge \mathit{Side}_x = \mathit{Side}_y \wedge \mathit{Eqdown}_x = \mathit{Eqdown}_y \wedge \mathit{Equp}_x = \mathit{Equp}_y \wedge \mathit{Parent}_x = \mathit{Parent}_y \wedge \mathit{Label}_x = \mathit{Label}_y \wedge \mathit{Down}^i_x = \mathit{Down}^i_y$

$D[\![x \,\neg{=}\, y]\!]$ = $\mathit{Eq}_x \parallel \mathit{Eq}_y$

$D[\![x \lhd^+ y]\!]$ = $\mathit{Eqdown}_y \subseteq \mathit{Down}_x \wedge \mathit{Equp}_x \subseteq \mathit{Up}_y \wedge \mathit{Side}_x \subseteq \mathit{Side}_y$

$D[\![x \,\neg\lhd^+\, y]\!]$ = $\mathit{Eq}_x \parallel \mathit{Up}_y \wedge \mathit{Down}_x \parallel \mathit{Eq}_y$

$D[\![x \bot y]\!]$ = $\mathit{Eqdown}_x \subseteq \mathit{Side}_y \wedge \mathit{Eqdown}_y \subseteq \mathit{Side}_x$

$D[\![x \,\neg\bot\, y]\!]$ = $\mathit{Eq}_x \parallel \mathit{Side}_y \wedge \mathit{Side}_x \parallel \mathit{Eq}_y$
$C_{xy} \in \{=, \lhd^+\} \to_d C_{x_i y} \in \{=, \lhd^+\} \vee C_{x_i y} \notin \{=, \lhd^+\}$   for $x{:}f(x_1,\dots,x_n)$ in $\varphi$

$C_{xy} \neq \bot \to_d C_{xy} \in \{=, \lhd^+\} \vee C_{xy} \notin \{=, \lhd^+\}$

Fig. 13. Problem specific distribution rules



Problem Specific Constraints. The third part $B[\![\varphi]\!]$ of the translation forms the additional problem-specific constraints that further restrict the admissibility of wellformed solutions and only accept those that are models of $\varphi$. The translation is given by clauses (11, 12, 13).

$$B[\![\varphi \wedge \varphi']\!] = B[\![\varphi]\!] \wedge B[\![\varphi']\!] \qquad (11)$$

A pleasant consequence of the introduction of choice variables $C_{xy}$ is that any dominance constraint $x R y$ can be translated as a restriction on the possible values of $C_{xy}$. For example, $x \lhd^* y$ can be encoded as $C_{xy} \in \{1, 2\}$. More generally:

$$B[\![x R y]\!] = C_{xy} \in R \qquad (12)$$

Finally the labelling constraint $x{:}f(y_1 \dots y_n)$ requires a more complex treatment. For each constructor $f$ we choose a distinct integer $\iota_f$ to encode it.

$$B[\![x{:}f(y_1 \dots y_n)]\!] = \mathit{Label}_x = \iota_f \wedge \bigwedge_{i > n} \mathit{Down}^i_x = \emptyset \wedge \bigwedge_{i=1}^{n} \big(\mathit{Parent}_{y_i} = \mathit{Eq}_x \wedge \mathit{Down}^i_x = \mathit{Eqdown}_{y_i} \wedge \mathit{Up}_{y_i} = \mathit{Equp}_x\big) \qquad (13)$$

Definition of the Concrete Solver. For each problem $\varphi$ we define a search strategy specified by the distribution rules of Figure 13. These rules correspond precisely to (Distr.Child, Distr.NegDisj) of algorithm D and are to be applied in the same non-deterministic fashion. Posing ${\to_c} = {\to_p} \cup {\to_d}$ we define our concrete solver as the non-deterministic saturation induced by $\to_c$ and write $\varphi_1 \to_c^* \varphi_2$ to mean that $\varphi_2$ is in a $\to_c$ saturation of $\varphi_1$. While the abstract solver left this point open, in order to avoid unnecessary choices, we further require that a $\to_d$ step be taken only if no $\to_p$ step is possible.

7 Proving Correctness of Implementation 

We now prove that $[\![\varphi]\!]$ combined with the search strategy defined above yields a sound and complete solver for $\varphi$. Completeness is demonstrated by showing that the concrete solver obtained by $[\![\varphi]\!]$ provides at least as much propagation as specified by the rules of algorithm D, i.e. whenever $x R y$ is in a $\to_D$ saturation of $\varphi$ then $C_{xy} \in R$ is in a $\to_c$ saturation of $[\![\varphi]\!]$.

Theorem 2. $[\![\varphi]\!]$ is satisfiable iff $\varphi$ is satisfiable.

This follows from Propositions 6 and 7 below.
Proposition 6. If $\varphi$ is satisfiable then $[\![\varphi]\!]$ is satisfiable.

We show how to construct a model $\beta$ of $[\![\varphi]\!]$ from a model $(\mathcal{M}^\tau, \alpha)$ of $\varphi$. We define the variable assignment $\beta$ as follows: $\beta(\mathit{Up}_x) = \{\iota_y \mid \alpha(y) \lhd^+ \alpha(x)\}$ and similarly for $\mathit{Eq}_x, \mathit{Down}_x, \mathit{Side}_x, \mathit{Eqdown}_x, \mathit{Equp}_x$; $\beta(\mathit{Parent}_x) = \{\iota_y \mid \exists k\; \alpha(y)k = \alpha(x)\}$, $\beta(\mathit{Down}^k_x) = \{\iota_y \mid \alpha(y) \rhd^* \alpha(x)k\}$, $\beta(\mathit{Label}_x) = \iota_{L_\tau(\alpha(x))}$ and $\beta(C_{xy}) = R$ if $\alpha(x)\,R\,\alpha(y)$ in $\mathcal{M}^\tau$. We have that if $(\mathcal{M}^\tau, \alpha) \models \varphi$ then $\beta \models [\![\varphi]\!]$.

Proposition 7. If $[\![\varphi]\!]$ is satisfiable, then $\varphi$ is satisfiable.

We prove this by reading a D-solved form off a model $\beta$ of $[\![\varphi]\!]$.

$$\varphi' = \varphi \wedge \bigwedge_{x,y} \bigwedge_{R' \supseteq R} x\,R'\,y \qquad \text{where } R = \beta(C_{xy})$$

$\varphi'$ is a D-solved form containing $\varphi$: all relationships between variables are fully resolved and all their generalizations have been added. The only possibility is that D-rules might derive a contradiction. However, if $\varphi' \to_D^* \mathit{false}$ then $[\![\varphi']\!] \to_c^* \mathit{false}$ (Lemma 4) which would contradict the existence of a solution $\beta$. Therefore $\varphi'$ is a D-solved form and $\varphi$ is satisfiable.

We distinguish propagation and distribution rules; in algorithm D they are written $\to_{Dp}$ and $\to_{Dd}$ and in our concrete solver $\to_p$ and $\to_d$. We write $\varphi'' \Rightarrow \varphi'$ for "$\varphi''$ is stronger than $\varphi'$" and define it as the smallest relation that holds of atomic constraints and such that $\mathit{false} \Rightarrow \mathit{false}$ and $x R y \Rightarrow x R' y$ iff $R \subseteq R'$.

Proposition 8 (Stronger Propagation). For each rule $\varphi \to_{Dp} \varphi'$ of algorithm D, there exists $\varphi'' \Rightarrow \varphi'$ such that $[\![\varphi]\!] \to_p^* [\![\varphi'']\!]$.

The proof technique follows this pattern: each $\varphi'$ is of the form $x R y$ and we choose $\varphi'' = x R' y$ where $R' \subseteq R$. Assume $[\![\varphi]\!]$ as a premise. Show that $[\![\varphi]\!] \wedge C \to_p^* \mathit{false}$. Notice that a clause $C \,\mathrm{or}\, C'$ is introduced by $[\![\varphi]\!]$ as required by (10). Thus $C'$ follows by (commit). Then show that $[\![\varphi]\!] \wedge C' \to_p^* [\![\varphi'']\!]$. For want of space, we include here only the proof for rule (NegDisj).

Lemma 3. $[\![x \lhd^* y]\!] \to_c^* \iota_y \in \mathit{Eqdown}_x$ (proof omitted)

Proposition 9. $[\![x \lhd^* z \wedge y \lhd^* z]\!] \to_c^* [\![x \,\neg\bot\, y]\!]$

Proof. From the premises $[\![x \lhd^* z]\!]$ and $[\![y \lhd^* z]\!]$, i.e. $C_{xz} \in \{=, \lhd^+\}$ and $C_{yz} \in \{=, \lhd^+\}$, we must show $[\![x \,\neg\bot\, y]\!]$, i.e. $C_{xy} \neq \bot$. By Lemma 3 we obtain $\iota_z \in \mathit{Eqdown}_x$ and $\iota_z \in \mathit{Eqdown}_y$. Since $\mathcal{I} = \mathit{Eqdown}_y \uplus \mathit{Up}_y \uplus \mathit{Side}_y$, we have $\iota_z \notin \mathit{Side}_y$. Now consider the non-basic constraint $\mathit{Eqdown}_x \subseteq \mathit{Side}_y$ which occurs in $D[\![x \bot y]\!]$: from $\iota_z \in \mathit{Eqdown}_x$ it infers $\iota_z \in \mathit{Side}_y$ which contradicts $\iota_z \notin \mathit{Side}_y$. Therefore, the well-formedness clause $D[\![x \bot y]\!] \wedge C_{xy} = \bot \;\mathrm{or}\; C_{xy} \neq \bot \wedge D[\![x \,\neg\bot\, y]\!]$ infers its right alternative by rule (commit). Hence $C_{xy} \neq \bot$. □
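To see the set encoding of Section 6 and the argument of Proposition 9 in executable form, here is an added Python model (not the paper's code, nor its Oz implementation). Each set variable is kept as a lower/upper bound pair; the propagators realise (fs.disjoint), (fs.subset.pos/neg), (fd.conj), (fd.clash), the $\uplus$ partitions (3)–(7) and the disjunctive clauses (10) with rule (commit). Two simplifications are assumed: a branch of $C \,\mathrm{or}\, C'$ counts as failed when propagation of the basic constraints alone reaches $\mathit{false}$ (a restriction of the paper's recursive definition), and $\mathit{Parent}_x$, $\mathit{Label}_x$, $\mathit{Down}^i_x$ are omitted since no labelling literal (13) is involved. The node numbers $\iota_x, \iota_y, \iota_z = 1, 2, 3$ and all names are constructed. Run on $[\![x \lhd^* z \wedge y \lhd^* z]\!]$ it derives $\iota_z \in \mathit{Eqdown}_x$ (Lemma 3) and removes $\bot$ from the domain of $C_{xy}$ without any distribution step.

```python
from copy import deepcopy

REL = {"eq": 1, "dom": 2, "inv": 3, "dis": 4}     # =, ◁+, ▷+, ⊥ identified with 1..4 as in (9)
KINDS = ("Eq", "Up", "Down", "Side", "Eqdown", "Equp")
NODES = {"x": 1, "y": 2, "z": 3}                    # constructed ι_x, ι_y, ι_z
I = frozenset(NODES.values())

class Fail(Exception):
    """(fd.clash) or (fs.clash): the store became inconsistent."""
def need(st, s, i, inside):                         # basic constraint i ∈ S (inside) or i ∉ S
    lo, hi = st["sets"][s]
    if (i not in hi) if inside else (i in lo): raise Fail
    st["sets"][s] = (lo | {i}, hi) if inside else (lo, hi - {i})
def disjoint(a, b):                                 # S1 ∩ S2 = ∅, rule (fs.disjoint)
    def p(st):
        for i in st["sets"][a][0]: need(st, b, i, False)
        for i in st["sets"][b][0]: need(st, a, i, False)
    return p
def subset(a, b):                                   # S1 ⊆ S2, rules (fs.subset.pos/neg) with S3 = ∅
    def p(st):
        for i in st["sets"][a][0]: need(st, b, i, True)
        for i in I - st["sets"][b][1]: need(st, a, i, False)
    return p
def partition(s, parts):                            # S = P1 ⊎ P2 ⊎ ..., the ⊎ abbreviation of Section 5
    subs = [subset(q, s) for q in parts] + [disjoint(a, b) for a in parts for b in parts if a < b]
    def p(st):
        for q in subs: q(st)
        for i in st["sets"][s][0]:                  # each member of S lies in exactly one part
            cands = [q for q in parts if i in st["sets"][q][1]]
            if not cands: raise Fail
            if len(cands) == 1: need(st, cands[0], i, True)
    return p
def restrict(c, allowed):                           # C ∈ D, rules (fd.conj) and (fd.clash)
    def p(st):
        st["fd"][c] &= set(allowed)
        if not st["fd"][c]: raise Fail
    return p

def D(x, r, y, neg=False):                          # D[x r y] (neg: D[x ¬r y]), table of Section 6
    v = lambda k, w: f"{k}_{w}"                     # Parent/Label/Down^i are omitted (assumption)
    if r == "inv": return D(y, "dom", x, neg)
    if r == "eq":
        return [disjoint(v("Eq", x), v("Eq", y))] if neg else \
            [q for k in KINDS for q in (subset(v(k, x), v(k, y)), subset(v(k, y), v(k, x)))]
    if r == "dom":
        return [disjoint(v("Eq", x), v("Up", y)), disjoint(v("Down", x), v("Eq", y))] if neg else \
            [subset(v("Eqdown", y), v("Down", x)), subset(v("Equp", x), v("Up", y)),
             subset(v("Side", x), v("Side", y))]
    return [disjoint(v("Eq", x), v("Side", y)), disjoint(v("Side", x), v("Eq", y))] if neg else \
        [subset(v("Eqdown", x), v("Side", y)), subset(v("Eqdown", y), v("Side", x))]

def snapshot(st):
    return (tuple(sorted(st["sets"].items())), tuple(sorted((c, frozenset(d)) for c, d in st["fd"].items())))
def propagate(st, props):                           # basic propagators to a fixpoint (→p*)
    while True:
        before = snapshot(st)
        for q in props: q(st)
        if snapshot(st) == before: return
def either(left, right, basics):                    # C or C' with rule (commit) over the basic propagators
    done = []
    def fails(st, branch):
        try: propagate(deepcopy(st), basics + branch); return False
        except Fail: return True
    def p(st):
        if done: return
        lf, rf = fails(st, left), fails(st, right)
        if lf and rf: raise Fail
        if lf or rf: basics.extend(right if lf else left); done.append(True)
    return p

def encode(variables, literals):                    # A1(x), A2(x, y), B[x R y]; literals are (x, {REL names}, y)
    st = {"sets": {"I": (I, I)}, "fd": {}}
    basics, clauses = [], []
    for v in variables:
        for k in KINDS: st["sets"][f"{k}_{v}"] = (frozenset(), I)
        basics.append(lambda s, v=v: need(s, f"Eq_{v}", NODES[v], True))            # (3)
        basics += [partition("I", [f"Eqdown_{v}", f"Up_{v}", f"Side_{v}"]),          # (4)
                   partition("I", [f"Equp_{v}", f"Down_{v}", f"Side_{v}"]),          # (5)
                   partition(f"Eqdown_{v}", [f"Eq_{v}", f"Down_{v}"]),               # (6)
                   partition(f"Equp_{v}", [f"Eq_{v}", f"Up_{v}"])]                   # (7)
    for x in variables:
        for y in variables:
            if x == y: continue
            c = f"C_{x}{y}"; st["fd"][c] = set(REL.values())                         # (9)
            for r, n in REL.items():                                                 # (10)
                clauses.append(either(D(x, r, y) + [restrict(c, {n})],
                                      [restrict(c, set(REL.values()) - {n})] + D(x, r, y, True), basics))
    for x, R, y in literals:
        basics.append(restrict(f"C_{x}{y}", {REL[r] for r in R}))                    # (12)
    return st, basics, clauses

def saturate(st, basics, clauses):                  # →p steps, then (commit) decisions, until fixpoint
    while True:
        before, n = snapshot(st), len(basics)
        propagate(st, basics)
        for q in clauses: q(st)
        if snapshot(st) == before and len(basics) == n: return st

def proposition9():
    """[x ◁* z ∧ y ◁* z]: expect ι_z ∈ Eqdown_x (Lemma 3) and C_xy ≠ ⊥, by propagation alone."""
    st, basics, clauses = encode(["x", "y", "z"], [("x", {"eq", "dom"}, "z"), ("y", {"eq", "dom"}, "z")])
    saturate(st, basics, clauses)
    return NODES["z"] in st["sets"]["Eqdown_x"][0], sorted(st["fd"]["C_xy"])
```

`proposition9()` returns `(True, [1, 2, 3])`: the clauses for $C_{xz}$ and $C_{yz}$ with $r = \rhd^+$ and $r = \bot$ commit to their right alternatives, the partitions (4) then force $\iota_z$ into $\mathit{Eqdown}_x$ and $\mathit{Eqdown}_y$, and the left alternative of the $\bot$-clause for $C_{xy}$ fails on $\mathit{Eqdown}_x \subseteq \mathit{Side}_y$ exactly as in the proof above.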

Lemma 4. (1) if $\varphi \to_{Dp} \varphi'$, then there exists $\varphi'' \Rightarrow \varphi'$ such that $[\![\varphi]\!] \to_p^* [\![\varphi'']\!]$. (2) if $\varphi \to_{Dd} \varphi_1$ and $\varphi \to_{Dd} \varphi_2$ are the two alternatives of a distribution step, then there exist $\varphi_1' \Rightarrow \varphi_1$ and $\varphi_2' \Rightarrow \varphi_2$ such that $[\![\varphi]\!] \to_d [\![\varphi_1']\!]$ and $[\![\varphi]\!] \to_d [\![\varphi_2']\!]$.

(1) follows from Proposition 8, and (2) from (1) and the fact that the concrete distribution rules precisely correspond to those of algorithm D.

Proposition 10 (Simulation). The concrete solver simulates the abstract solver: if $\varphi \to_D \varphi'$ then there exists $\varphi'' \Rightarrow \varphi'$ such that $[\![\varphi]\!] \to_c^* [\![\varphi'']\!]$.

Follows from Lemma 4.

Theorem 3. (1) every $\to_c$ saturation of $[\![\varphi]\!]$ corresponds to a D-solved form of $\varphi$ and (2) for every D-solved form of $\varphi$ there is a corresponding $\to_c$ saturation of $[\![\varphi]\!]$.

(1) from Proposition 10. (2) Consider a $\to_c$ saturation of $[\![\varphi]\!]$. As in Proposition 7, we can construct a D-solved form $\varphi'$ of $\varphi$ by reading off the current domains of the choice variables $C_{xy}$. If $\varphi'$ was not D-solved, then $\to_D$ could infer a new fact, but then by Proposition 10 so could $\to_c$ and it would not be a saturation.

8 Conclusion 

In this paper, we extended dominance constraints by admitting set operators. Set operators introduce a controlled form of disjunction and negation that is less expressive than general Boolean connectives and remains especially well-suited for constraint propagation. On the basis of this extension we presented two solvers: one abstract, one concrete.

The design of the abstract solver is carefully informed by the needs of practical applications: it stipulates inference rules required for efficiently solving dominance constraints occurring in these applications. The rules take full advantage of the extra expressivity afforded by set operators. We proved the abstract solver sound and complete and that its distribution strategy improves over [2] and may avoid an exponential number of choice points. This improvement accrues from admitting less explicit solved forms while preserving soundness.

Elaborating on the technique first presented in [2], the concrete solver realizes the desired constraint propagation by reduction to constraint programming using set constraints. We proved that the concrete solver faithfully simulates the abstract one, and thereby shed new light on the source of its observed practical effectiveness. The concrete solver has been implemented in the concurrent constraint programming language Oz [10], performs efficiently in practical applications to semantic underspecification, and produces smaller search trees than the solver of [2].
Abstract. We propose a general scheme for the cooperation of different constraint solvers. A uniform interface for constraint solvers allows formally specifying the information exchange between them and enables the development of an open and very flexible combination mechanism. This mechanism allows the definition of a wide range of different cooperation strategies according to the current requirements, such that our overall system forms a general framework for cooperating constraint solvers.



1 Introduction 

Often it is desirable and advantageous to combine several constraint solving 
techniques because this combination makes it possible to solve problems that 
none of the single solvers can handle alone. 

Example 1. Let an electric circuit be given with a resistor $R_1$ of 0.1 MΩ connected in parallel with a variable resistor $R_2$ of between 0.1 MΩ and 0.4 MΩ; a capacitor $K$ is in series connection with the two resistors. Also, there is a kit of electrical components in which capacitors of 2.5 μF, 5 μF, 10 μF, 20 μF, and 50 μF are available.

We want to know which capacitor to use in our circuit such that the time until the voltage of the capacitor reaches 99% of the final voltage is between 0.5 s and 1 s, i.e. the duration until the capacitor is loaded is between 0.5 s and 1 s. Thus, the input constraint conjunction is $R_1 = 10^5 \wedge R_2 = [10^5, 4 \cdot 10^5] \wedge (1/R) = (1/R_1) + (1/R_2) \wedge V_K = V \times (1 - \exp(-t/(R \times K))) \wedge V_K = 0.99 \times V \wedge t = [0.5, 1] \wedge K \in \{10^{-6}, 2.5 \cdot 10^{-6}, 5 \cdot 10^{-6}, 10^{-5}, 2 \cdot 10^{-5}, 5 \cdot 10^{-5}\}$.

This constraint conjunction can be solved using different cooperating constraint solvers. A solver for rational interval arithmetic infers from the constraint conjunction $R_1 = 10^5 \wedge R_2 = [10^5, 4 \cdot 10^5] \wedge (1/R) = (1/R_1) + (1/R_2)$ the new constraint $R = [5 \cdot 10^4, 8 \cdot 10^4]$. Let's assume that, since the interval solver is able to handle constraints of rational arithmetic, it also computes from $V_K = V \times (1 - E) \wedge V_K = 0.99 \times V$, where $E = \exp(-t/(R \times K))$, the new constraint $E = 0.01$. This constraint is given to a constraint solver which is able to handle functions, like exp, ln, sin, and cos, to infer from the constraint conjunction $E = 0.01 \wedge E = \exp(F)$, where $F = -t/(R \times K)$, the constraint $F = \ln(0.01)$. Now, the interval solver is able to compute the constraint $1.3572 \cdot 10^{-6} < K < 4.3429 \cdot 10^{-6}$ from the constraints $F = \ln(0.01)$, $F = -t/(R \times K)$, $R = [5 \cdot 10^4, 8 \cdot 10^4]$, and $t = [0.5, 1]$. The last step is done by a finite domain constraint solver which uses the constraints $K \in \{10^{-6}, 2.5 \cdot 10^{-6}, 5 \cdot 10^{-6}, 10^{-5}, 2 \cdot 10^{-5}, 5 \cdot 10^{-5}\}$ and $1.3572 \cdot 10^{-6} < K < 4.3429 \cdot 10^{-6}$ to choose the capacitor which we are searching for from the kit: $K = 2.5 \cdot 10^{-6}$ holds. □

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 342–…, 2000.
© Springer-Verlag Berlin Heidelberg 2000
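The solver cooperation of Example 1, replayed as an added Python example (this is not code from the paper): an interval solver, a function solver that inverts exp, and a finite-domain filter exchange exactly the constraints listed above. The `Iv` class, the four solver functions and the kit list are constructed for this illustration; every number is taken from the example.

```python
import math

class Iv:
    """Closed real interval [lo, hi] with the arithmetic the circuit constraints need."""
    def __init__(self, lo, hi):
        self.lo, self.hi = (lo, hi) if lo <= hi else (hi, lo)
    def __add__(self, o):
        return Iv(self.lo + o.lo, self.hi + o.hi)
    def __neg__(self):
        return Iv(-self.hi, -self.lo)
    def __mul__(self, o):
        ps = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        return Iv(min(ps), max(ps))
    def recip(self):                                # 1/[lo, hi] for intervals not containing 0
        assert self.lo > 0 or self.hi < 0, "interval contains 0"
        return Iv(1 / self.hi, 1 / self.lo)
    def __truediv__(self, o):
        return self * o.recip()
    def contains(self, v):
        return self.lo <= v <= self.hi

def interval_solver_R(R1, R2):
    """Interval solver: (1/R) = (1/R1) + (1/R2), solved for R."""
    return (R1.recip() + R2.recip()).recip()

def interval_solver_E(ratio):
    """Interval solver: V_K = V * (1 - E) together with V_K = ratio * V gives E = 1 - ratio."""
    return Iv(1.0, 1.0) + (-ratio)

def function_solver_F(E):
    """Function solver (knows exp and ln): E = exp(F) is inverted to F = ln(E)."""
    return Iv(math.log(E.lo), math.log(E.hi))

def interval_solver_K(F, t, R):
    """Interval solver: F = -t / (R * K), solved for K as K = -t / (R * F)."""
    return (-t) / (R * F)

def fd_solver_K(K_iv, kit):
    """Finite-domain solver: keep only the kit values inside the interval derived for K."""
    return [k for k in kit if K_iv.contains(k)]

def solve_circuit():
    """Runs the exchange of Example 1 and returns every derived constraint."""
    R1, R2 = Iv(1e5, 1e5), Iv(1e5, 4e5)              # 0.1 MΩ and [0.1, 0.4] MΩ, in ohms
    t = Iv(0.5, 1.0)                                  # charging time in seconds
    kit = [1e-6, 2.5e-6, 5e-6, 1e-5, 2e-5, 5e-5]      # capacitor kit in farads
    R = interval_solver_R(R1, R2)                     # R = [5e4, 8e4]
    E = interval_solver_E(Iv(0.99, 0.99))             # E = 0.01
    F = function_solver_F(E)                          # F = ln(0.01)
    K = interval_solver_K(F, t, R)                    # K = [1.3572e-6, 4.3429e-6]
    return {"R": R, "E": E, "F": F, "K": K, "K_choice": fd_solver_K(K, kit)}
```

Each step only reads constraints that an earlier solver produced, which is the interface discipline the paper's combination mechanism formalizes; `solve_circuit()["K_choice"]` is `[2.5e-06]`, the single kit value inside the interval for $K$.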

In this paper, we define a combination mechanism for constraint solvers that supports openness and flexibility. Both properties result from the definition of a uniform interface for the solvers. The combination is open in the sense that whenever a new constraint system with associated constraint solver is developed, it can be easily incorporated into the whole system independently of its constraint domain and the language in which the constraint solver is implemented. It is flexible because the definition of different strategies for the cooperation of the single solvers is possible in a simple way.

We start with basic definitions concerning constraint systems and constraint solvers in Sect. 2. The following section is dedicated to the description of the mechanism for the combination of different constraint solvers, and the section after it shows the overall architecture. Next, the syntax of a language which enables the specification of mixed constraints of different constraint systems is described, and the subsequent section defines our uniform interface for constraint solvers. We then show the general way of defining cooperation strategies for constraint solvers in our framework. Finally, we discuss our approach and compare it with other related work.

2 Constraint Systems and Constraint Solvers

Let $S$ be a set of sorts. $X^s$ denotes the set of variables of sort $s \in S$. $X = \biguplus_{s \in S} X^s$ is a many sorted set of variables ($\uplus$ denotes the disjoint union).

A (many sorted) signature $\Sigma = (S, F, R; ar)$ is defined by a set $S$ of sorts, a set $F$ of function symbols, and a set $R$ of predicate symbols. $S$, $F$, and $R$ are mutually disjoint. The function $ar : F \cup R \to S^*$ is called arity function of the signature $\Sigma$. For every $f \in F$, $ar(f) \neq \varepsilon$ holds. In the following, we will also denote $S$, $F$, $R$, and $ar$ by $S_\Sigma$, $F_\Sigma$, $R_\Sigma$, and $ar_\Sigma$, respectively. We write $f : s_1 \times \dots \times s_n \to s$ (and $r : s_1 \times \dots \times s_m$) to denote that $f \in F$ with $ar(f) = s_1 \dots s_n s$ (and $r \in R$ with $ar(r) = s_1 \dots s_m$, resp.). The set $T(F, X)^s$ of terms over $F$ of sort $s \in S$ with variables from $X$ is defined as usual.

A $\Sigma$-structure $\mathcal{D} = (\{D^s \mid s \in S\}, \{f^{\mathcal{D}} \mid f \in F\}, \{r^{\mathcal{D}} \mid r \in R\})$ consists of 1. an $S$-sorted family of nonempty carrier sets $D^s$, 2. a family of functions $f^{\mathcal{D}}$, and 3. a family of predicates $r^{\mathcal{D}}$. Given $f \in F$ with $ar(f) = s_1 \dots s_n s$, $f^{\mathcal{D}}$ is an $n$-ary function such that $f^{\mathcal{D}} : D^{s_1} \times \dots \times D^{s_n} \to D^s$. Given $r \in R$ with $ar(r) = s_1 \dots s_m$, $r^{\mathcal{D}}$ is an $m$-ary predicate such that $r^{\mathcal{D}} \subseteq D^{s_1} \times \dots \times D^{s_m}$.

Definition 1 (Constraint System, Constraint, Constraint Domain). A constraint system is a tuple $\zeta = (\Sigma, \mathcal{D})$, where $\Sigma = (S_\Sigma, F_\Sigma, R_\Sigma; ar_\Sigma)$ is a signature and $\mathcal{D}$ is a $\Sigma$-structure. For every $s \in S_\Sigma$, $R_\Sigma$ contains at least a predicate symbol $=_{s,\Sigma}$ with the usual equality predicate $=^{\mathcal{D}}$.

A constraint over $\Sigma$ is a string of the form $r\, t_1 \dots t_m$ where $r \in R_\Sigma$ with $ar(r) = s_1 \dots s_m$ and $t_i \in T(F_\Sigma, X)^{s_i}$. The set of constraints over $\Sigma$ is denoted by $Cons(\Sigma)$. $(\mathcal{D}, Cons(\Sigma))$ is called a constraint domain. □
The terms over $F_\Sigma$ and the constraints in $Cons(\Sigma)$ can be considered as particular expressions of a first order language. In the following, constraints are typically denoted by $c$ and $c_i$.

For every finite set $Y \subseteq X$, let $\bar{Y}$ denote an arbitrary enumeration, i.e. a sequence, of the variables of $Y$. Let $\varphi$ be a formula of first order predicate logic, and let $\{x_1, \dots, x_n\}$ be the set of free variables of $\varphi$. The universal closure $\forall\varphi$ and the existential closure $\exists\varphi$ of formula $\varphi$ are defined as follows: $\forall\varphi = \forall x_1 \dots \forall x_n : \varphi$ and $\exists\varphi = \exists x_1 \dots \exists x_n : \varphi$, resp. $\exists_{-Y}\varphi$ denotes the existential closure of formula $\varphi$ except for the variables of $Y$.

A conjunction $C = \bigwedge_{i \in \{1,\dots,n\}} c_i$ of constraints $c_1, \dots, c_n$ is called satisfiable in $\mathcal{D}$ if $\mathcal{D} \models \exists C$ holds. It is called valid in $\mathcal{D}$ if $\mathcal{D} \models \forall C$ holds, unsatisfiable in $\mathcal{D}$ if $\mathcal{D} \not\models \exists C$ holds, and invalid in $\mathcal{D}$ if $\mathcal{D} \not\models \forall C$ holds, respectively.

Let $\mathcal{D} = (\{D^s \mid s \in S\}, \{f^{\mathcal{D}} \mid f \in F\}, \{r^{\mathcal{D}} \mid r \in R\})$ be a $\Sigma$-structure, and let $C = \bigwedge_{i \in \{1,\dots,n\}} c_i$ be a conjunction of constraints $c_1, \dots, c_n$ over $\Sigma$. Let $var(C)$ denote the set of variables which occur in $C$. A solution of $C$ in $\mathcal{D}$ is a valuation $\alpha : V \to \bigcup_{s \in S} D^s$ for a finite set $V$ of variables, $var(C) \subseteq V$, such that $(\mathcal{D}, \alpha) \models \forall C$ holds. Solving a conjunction $C$ of constraints means finding out whether there is a solution for $C$ or not.

A constraint solver consists of a collection of tests and operations, e.g. constraint satisfaction, constraint entailment, constraint projection, and simplification (see [ ]), which can be used to solve and to transform constraints of a constraint system. A solver works on a constraint store. A constraint store $C \in CStore$ consists of a disjunction of constraint conjunctions; in particular, $C$ has the property that it is satisfiable in the corresponding domain $\mathcal{D}$.

3 Combination of Constraint Solvers

3.1 The Architecture

Figure 1 shows the architecture of our overall system for cooperating constraint solvers. It consists of two levels: At object level different constraint solvers $CS_\nu$, $\nu \in L$, $L = \{1, \dots, l\}$, infer about objects of their constraint domains. To every individual solver $CS_\nu$ a constraint store $C^\nu$ is assigned. A constraint store $C^\nu$ contains the already propagated constraints of constraint system $\zeta_\nu$. Propagating a constraint $c \in Cons(\Sigma_\nu)$ means to add $c$ to the constraint store $C^\nu$ if the conjunction of $c$ and $C^\nu$ is satisfiable. In this case the propagation is successful, otherwise it fails. At meta level the meta constraint solver handles both the constraint solvers and constraints as objects. It coordinates the work of the different object level solvers, i.e. it realizes the cooperation between the solvers under a certain strategy (see Sect. 3.4). The meta solver manages the constraint pool which contains the constraints which have not been propagated so far.

Fig. 1. Architecture of the overall system

Initially, the constraint pool contains the constraints which we want to solve. The meta constraint solver takes constraints from the constraint pool and passes them to the constraint solvers of the corresponding constraint domains (step 1). Each of the individual constraint solvers is able to handle a subset of the given set of constraints of the constraint pool independently of the other solvers; the individual solvers propagate the received constraints to their stores (step 2). The meta constraint solver manages the exchange of information between the individual solvers. It forces them to extract information from their constraint stores. This information, which again has the form of constraints, is added by the meta constraint solver to the constraint pool (step 3). The procedure of steps 1-3 is repeated until the pool contains either the constraint false or the constraint true only, i.e. the given constraints are solved. If the constraint pool contains false only, then the initially given conjunction of constraints is unsatisfiable. If the pool contains true only, then the system could not find a contradiction. Solutions can be retrieved from the current constraint stores. Using the described mechanisms, each individual solver deals with more information than only that of its associated constraints of the initially given constraint conjunction.



3.2 Syntax

Assume that for every $\nu \in L$, $L = \{1, \dots, l\}$, a constraint system $\zeta_\nu = (\Sigma_\nu, \mathcal{D}_\nu)$ with associated constraint solver $CS_\nu$ is given. We want to solve a conjunction $(c_1 \wedge \dots \wedge c_n)$ of constraints $c_i$, $i \in \{1, \dots, n\}$, where every $c_i$ may contain function symbols and predicate symbols of different constraint systems. It is necessary to detect overloaded symbols by analysis and to convert every conjunction of constraints into a conjunction such that every constraint is defined by function symbols and predicate symbols of exactly one constraint system. This is done by a function $Simplify$ which is provided by the meta constraint solver.

Example 2. Given two constraint systems $\zeta_i = (\Sigma_i, \mathcal{D}_i)$ with $\Sigma_i = (S_i, F_i, R_i; ar_i)$, $i \in \{1, 2\}$, where $=_1 \in R_1$, $\{\times, -, /\} \subseteq F_1$, and $=_2 \in R_2$, $\exp \in F_2$, the following transformation is performed:

$$Simplify(Vk = V \times (1 - \exp(-t/(R \times K)))) = Vk =_1 V \times (1 - E) \wedge E =_2 \exp(F) \wedge F =_1 -t/(R \times K).\ \square$$
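As an added illustration (not code from the paper), the following Python sketch implements a Simplify in the spirit of Example 2: terms are nested tuples, the table SYSTEM_OF assigning function symbols to constraint systems is constructed for the example, and the fresh variable names (E, F) are supplied by the caller.

```python
# Constructed symbol table for Example 2: which constraint system owns which
# function symbol ("x" stands for the multiplication symbol of system 1).
SYSTEM_OF = {"x": 1, "-": 1, "/": 1, "+": 1, "exp": 2}
INFIX = {"x", "-", "/", "+"}

# Terms are nested tuples (symbol, arg1, ...); variables are strings, constants numbers.


def outer_system(term):
    """Constraint system of the outermost function symbol, None for a variable/constant."""
    return SYSTEM_OF[term[0]] if isinstance(term, tuple) else None


def simplify(lhs, rhs, fresh):
    """Split the equality lhs = rhs into equalities that each use the function symbols
    of exactly one constraint system.  Every maximal subterm belonging to another
    system is replaced by a fresh variable v, and an equation v =_mu subterm is added.
    Returns a list of (system, lhs, rhs) triples; `fresh` yields the new variable names."""
    system = outer_system(rhs) or outer_system(lhs)
    if system is None:
        system = 1  # x = y carries no function symbol; assumption: keep it in system 1
    extra = []

    def purify(term):
        if not isinstance(term, tuple):
            return term
        if SYSTEM_OF[term[0]] != system:
            v = next(fresh)
            extra.extend(simplify(v, term, fresh))  # foreign subterm gets its own equation
            return v
        return (term[0],) + tuple(purify(a) for a in term[1:])

    return [(system, purify(lhs), purify(rhs))] + extra


def fmt_term(term):
    """Render a term in the infix notation used by the paper."""
    if not isinstance(term, tuple):
        return str(term)
    sym, *args = term
    if sym in INFIX and len(args) == 2:
        return f"({fmt_term(args[0])} {sym} {fmt_term(args[1])})"
    return f"{sym}({', '.join(fmt_term(a) for a in args)})"


def fmt_conjunction(equations):
    """Render [(system, lhs, rhs), ...] as 'lhs =system rhs ∧ ...'."""
    return " ∧ ".join(f"{fmt_term(l)} ={s} {fmt_term(r)}" for s, l, r in equations)


def example_2():
    """Simplify(Vk = V x (1 - exp(-t/(R x K)))) with fresh names E, F as in the paper."""
    rhs = ("x", "V", ("-", 1, ("exp", ("/", ("-", "t"), ("x", "R", "K")))))
    return simplify("Vk", rhs, iter(["E", "F"]))


if __name__ == "__main__":
    print(fmt_conjunction(example_2()))
```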



3.3 A Uniform Interface for Constraint Solvers

To enable a cooperation of constraint solvers to solve a given problem, the solvers need to exchange information as described in Sect. 3.1. We want to enable the constraint solvers to communicate with each other such that a very tight cooperation is possible.

Often, in existing systems of cooperation approaches, information exchange is not explicitly expressed, but it is talked about 'application of constraint solvers to a disjunction of conjunctions of constraints'. At this, sometimes the form of the result of applying a constraint solver is fixed; in others neither the form of the results nor the involved variables or the constraint systems which can work with these results are described. Thus, to provide a general framework for cooperating solvers, we split the handling of constraints into two parts and define our uniform interface for a constraint solver $CS_\nu$ by the following functions, $\nu \in L$ (the set of constraint stores of a constraint system $\zeta_\nu$ is denoted by $CStore_\nu$):

1. $tell : Cons(\Sigma_\nu) \times CStore_\nu \to \{true_{changed}, true_{redundant}, false\} \times CStore_\nu$

2.(a) $proj : \mathcal{P}(X) \times CStore_\nu \to CStore_\nu$

2.(b) $proj^{\nu \to \mu} : \mathcal{P}(X) \times CStore_\nu \to CStore_\mu$

1. The function $tell$ is due to constraint satisfaction, i.e. an operation which is usually offered by constraint solvers. Function $tell$ adds a constraint $c \in Cons(\Sigma_\nu)$ to a constraint store $C \in CStore_\nu$ if the conjunction of $c$ and $C$ is satisfiable. If $c$ can be inferred by $C$, i.e. if $\mathcal{D}_\nu \models \forall(C \to c)$ holds, then the result is $true_{redundant}$, and $C$ does not change. If $c$ cannot be inferred by $C$ but the conjunction of $c$ and $C$ is satisfiable, i.e. if $(\mathcal{D}_\nu \not\models \forall(C \to c)) \wedge (\mathcal{D}_\nu \models \exists(C \wedge c))$ holds, then we get $true_{changed}$, and the constraint store becomes $C \wedge c$. If the conjunction of $C$ and $c$ is unsatisfiable, i.e. $\mathcal{D}_\nu \not\models \exists(C \wedge c)$ holds, then the result is $false$, and $C$ does not change. To enable the use of incomplete constraint solvers we allow $tell$ to be defined in such a way that $tell(c, C) = (true_{changed}, C \wedge c)$ holds if the satisfaction algorithm cannot find out whether $\mathcal{D}_\nu \models \exists(C \wedge c)$ holds or not. (A more appropriate definition of $tell$ for incomplete solvers which, for example, allows particular constraints to be delayed is left out because of space limitations.)

2.(a) The function $proj$ is due to the operation constraint projection of constraint solvers. Usually, the aim of projecting a constraint store $C \in CStore_\nu$ wrt a sequence $\bar{Y}$ (with $Y \in \mathcal{P}(X)$) of variables which occur in $C$ is to find a disjunction $C'$ of conjunctions of constraints which is equivalent to $\exists_{-Y} C$ and where the variables which do occur in $C$ but not in $Y$ are eliminated: $\mathcal{D}_\nu \models \forall(\exists_{-Y} C \leftrightarrow C')$. However, since sometimes it is not possible to compute $C'$ or it is not possible to compute it efficiently, we define our interface function $proj$ as follows: A constraint store $C$ is projected wrt a set $Y \subseteq X$ of variables. The result is a disjunction $C'$ of conjunctions of constraints induced by $C$: $\mathcal{D}_\nu \models \forall(\exists_{-Y} C \to C')$.

2.(b) The projection of a constraint store $C^\nu$, $\nu \in L$, generates a disjunction of conjunctions of constraints of $Cons(\Sigma_\nu)$. Since we want to use projections for information exchange between the different constraint solvers, we need a projection of a constraint store $C^\nu$ wrt a constraint system $\zeta_\mu$, $\mu \in L$. Thus, we use the function $proj : \mathcal{P}(X) \times CStore_\nu \to CStore_\nu$ of a constraint solver $CS_\nu$ and a conversion function $conv^{\nu \to \mu} : CStore_\nu \to CStore_\mu$ to define the function $proj^{\nu \to \mu} : \mathcal{P}(X) \times CStore_\nu \to CStore_\mu$ which projects a constraint store $C^\nu$ wrt a constraint system $\zeta_\mu$ and a subset of the set of common variables of the sorts of $\Sigma_\nu$ and $\Sigma_\mu$. The result of the projection of $C^\nu$ wrt $\zeta_\mu$ is a disjunction of conjunctions of constraints of $Cons(\Sigma_\mu)$:

$$proj^{\nu \to \mu}(Y, C^\nu) = conv^{\nu \to \mu}(proj(Y, C^\nu)),\ \text{where } \mu, \nu \in L,\ C^\nu \in CStore_\nu,\ Y \subseteq X^s,\ s \in S_{\Sigma_\nu} \cap S_{\Sigma_\mu}.$$

$$proj^{\nu \to \mu}(Y, C^\nu) = \bigvee_{\gamma \in \{1,\dots,u\}} \Big( \bigwedge_{\delta \in \{1,\dots,t_\gamma\}} c_{\gamma,\delta} \Big),\ \text{where for every } \gamma \in \{1,\dots,u\},\ \delta \in \{1,\dots,t_\gamma\} \text{ holds: } c_{\gamma,\delta} \in \{true, false\} \cup Cons(\Sigma_\mu).$$

Thus, each single constraint solver can be regarded as a black box constraint solver equipped with a projection function which allows the projection of the constraint store wrt a set of variables. These black box solvers are extended by functions for converting a projection wrt another constraint system.

Example 3. The simplest case is the projection of valuations. Consider the finite domain constraint solver $CS_3$ of our example. Let $X_{ex} = \{R, R_1, R_2, V, Vk, K, E, F, t\}$ hold, i.e. $X_{ex}$ is the set of variables of our example. The projection functions $proj^{3 \to \mu}$, $\mu \in \{1, 2\}$, are defined as follows:

$$proj^{3 \to \mu}(Y, C) = conv^{3 \to \mu}(proj(Y, C)),\ \text{where}$$

$$proj(Y, C) = \begin{cases} \bigvee_{i \in \{1,\dots,n\}} (x =_3 val_i) & \text{if } Y = \{x\},\ x \in X_{ex}, \text{ and } val_i \in \mathbb{R},\ i \in \{1,\dots,n\}, \text{ are the possible values that } x \text{ can take such that } \mathcal{D}_3 \models \exists(\sigma_i(C)) \text{ holds, where } \sigma_i(x) = val_i, \\ true & \text{otherwise,} \end{cases}$$

$$conv^{3 \to \mu}(C') = \begin{cases} \bigvee_{i \in \{1,\dots,n\}} (x =_\mu val_i) & \text{if } C' = \bigvee_{i \in \{1,\dots,n\}} (x =_3 val_i),\ x \in X_{ex}, \\ true & \text{otherwise.} \end{cases}\ \square$$

To prevent a loss of information at the communication of the solvers, the operation projection must be monotonous, i.e. in the following, for every $\nu, \mu \in L$, Property 1 is required:

Property 1 (Monotonicity of the Operation Projection). If $C$ is the projection of the constraint store $C^\nu$ wrt a constraint system $\zeta_\mu$ and a set of variables $Y$, i.e. $proj^{\nu \to \mu}(Y, C^\nu) = C$, and $C'^\nu$ is the new constraint store after the successful propagation of some constraint $c \in Cons(\Sigma_\nu)$ to the store $C^\nu$, i.e. $tell(c, C^\nu) = (result, C'^\nu)$, and if $C'$ is the projection of $C'^\nu$ wrt $\zeta_\mu$ and $Y$, i.e. $proj^{\nu \to \mu}(Y, C'^\nu) = C'$, then $C$ is redundant wrt $C'$, i.e. $\mathcal{D}_\mu \models \forall(C' \to C)$. At this, $result \in \{true_{changed}, true_{redundant}\}$, $Y \subseteq X^s$, $s \in S_{\Sigma_\nu} \cap S_{\Sigma_\mu}$.

Note 1. To avoid a possible increase of the computation cost because of a high number of projected constraints in the pool, the projection functions and the conversion functions must be defined cautiously.

In the following, we require the functions $tell$, $proj$, and $proj^{\nu \to \mu}$, $\nu, \mu \in L$, to be computable.



3.4 Operational Semantics

We define the notion of an overall configuration in a bottom-up manner. Two basic relations which lift the application of the functions $tell$ and $proj$ to the level of overall configurations provide the basis for a stepwise definition of the operational semantics in the following sections.

3.4.1 Preliminaries. In the following, we mark each constraint store $C^\nu$, $\nu \in L$, by a tag $t_\nu$, $t_\nu \in \{0, 1, 2, 3\}$, i.e. we write $C^\nu[t_\nu]$. This tag indicates various changes of a constraint store after its last projection (to be explained later).

The conjunction $\bigwedge_{\nu \in L} C^\nu[t_\nu]$ of constraint stores $C^\nu[t_\nu]$, $\nu \in L$, corresponds to the block of constraint stores of the individual solvers in Fig. 1. A constraint store contains the already propagated constraints. If $c_1, \dots, c_n$ have been successfully propagated to store $C^\nu$ of the solver $CS_\nu$ and the associated constraint system $\zeta_\nu = (\Sigma_\nu, \mathcal{D}_\nu)$, then $\mathcal{D}_\nu \models \forall(C^\nu \to \bigwedge_{i \in \{1,\dots,n\}} c_i)$ holds.

A configuration $\mathcal{G} = \mathcal{P} \odot (\bigwedge_{\nu \in L} C^\nu[t_\nu])$ corresponds to the architecture of the overall system (Fig. 1). It consists of the constraint pool $\mathcal{P}$ which is a set of constraints which we want to solve and the conjunction $\bigwedge_{\nu \in L} C^\nu[t_\nu]$ of constraint stores. An overall configuration $\mathcal{H}$ consists of a formal disjunction $\bigvee_{j \in \{1,\dots,m\}} \mathcal{G}_j = \mathcal{G}_1 \vee \dots \vee \mathcal{G}_m$ of configurations $\mathcal{G}_1, \dots, \mathcal{G}_m$, $m \geq 0$. $\Xi$ is the set of overall configurations. In this work, formulas of the form $\mathcal{H} = \mathcal{G} \vee \mathcal{H}'$, with $\mathcal{H}' = \mathcal{G}_1 \vee \dots \vee \mathcal{G}_m$, $m \geq 0$, appear, where $m = 0$ means that $\mathcal{H} = \mathcal{G}$ holds, i.e. $\mathcal{H}'$ is an empty formal disjunction. Formal disjunction $\vee$ is commutative.

The initial overall configuration $\mathcal{H}_0$ consists of one configuration $\mathcal{H}_0 = \mathcal{G}_0 = \mathcal{P} \odot (\bigwedge_{\nu \in L} C_0^\nu[0])$, where for every $\nu \in L$, $t_\nu = 0$, and $\mathcal{P} = \{c_1, \dots, c_n\}$ is the constraint pool (if $(c_1 \wedge \dots \wedge c_n)$ is the constraint conjunction which we want to solve), and the constraint stores $C_0^\nu[0]$ are empty: $C_0^\nu[0] = (true)$.

If $\mathcal{H} = \{false\} \odot (\bigwedge_{\nu \in L} C^\nu[0])$ or $\mathcal{H} = \bigvee_{\kappa \in \{1,\dots,\lambda\}} (\{true\} \odot (\bigwedge_{\nu \in L} C_\kappa^\nu[0]))$, $\lambda \in \mathbb{N}$, then the overall configuration $\mathcal{H}$ is in normal form.

Example 4. Consider the input constraint conjunction of Example 1. Given the constraint systems $\zeta_\nu = (\Sigma_\nu, \mathcal{D}_\nu)$ with $\Sigma_\nu = (S_\nu, F_\nu, R_\nu; ar_\nu)$, $\nu \in \{1, 2, 3\}$, where $=_\nu \in R_\nu$, $\{+, -, \times, /, [\,]\} \subseteq F_1$, $\exp \in F_2$, and $\{\in, \le\} \subseteq R_3$, after applying the function $Simplify$ the following conjunction is to be handled:

$$R_1 =_1 10^5 \wedge R_2 =_1 [10^5, 4 \cdot 10^5] \wedge (1/R) =_1 (1/R_1) + (1/R_2) \wedge Vk =_1 V \times (1 - E) \wedge E =_2 \exp(F) \wedge F =_1 -t/(R \times K) \wedge Vk =_1 0.99 \times V \wedge t =_1 [0.5, 1] \wedge K \in \{10^{-6}, 2.5 \cdot 10^{-6}, 5 \cdot 10^{-6}, 10^{-5}, 2 \cdot 10^{-5}, 5 \cdot 10^{-5}\}.$$

We assign the names $c_1, \dots, c_9$ to the constraints in the above given order. $\mathcal{H}_0 = \{c_1, \dots, c_9\} \odot (C_0^1[0] \wedge C_0^2[0] \wedge C_0^3[0])$ is the initial overall configuration, where for $\nu \in \{1, 2, 3\}$: $C_0^\nu[0] = (true)$. □

3.4.2 Basic Relations. In the following, we define two basic relations for the formal description of the communication between the solvers. As we will see in the following sections, these relations allow a fine grain description of the cooperation of the solvers according to the current requirements, i.e. a tight cooperation of constraint solvers.

1. The relation $prop \subseteq Cons(\Sigma_\nu) \times \Xi \times \Xi$ lifts the application of the function $tell$ to the level of overall configurations. $prop(c, \mathcal{G}, \mathcal{H})$ holds, if the propagation of a constraint $c$ of the constraint pool of the configuration $\mathcal{G}$ to the appropriate constraint store of $\mathcal{G}$ yields the overall configuration $\mathcal{H}$.

$prop(c, \mathcal{G}, \mathcal{H})$ holds, where $\mathcal{G} = \mathcal{P} \odot (\bigwedge_{\kappa \in L} C^\kappa[t_\kappa])$, if $c \in \mathcal{P}$, $c \in Cons(\Sigma_\nu) \setminus \{true, false\}$, $\nu \in L$, $t_\nu \in \{0, 1, 2, 3\}$, and one of the following cases holds:

1. $\mathcal{H} = (\mathcal{P} \setminus \{c\}) \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C'^\nu[1])$ if $tell(c, C^\nu) = (true_{changed}, C'^\nu)$, $t_\nu \in \{0, 1, 2\}$,

2. $\mathcal{H} = ((\mathcal{P} \setminus \{c\}) \cup \{true\}) \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[t'_\nu])$ if $tell(c, C^\nu) = (true_{redundant}, C^\nu)$, $t'_\nu = 2$ if $t_\nu \in \{0, 2\}$, and $t'_\nu = 1$ if $t_\nu = 1$,

3. $\mathcal{H} = ((\mathcal{P} \setminus \{c\}) \cup \{false\}) \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[3])$ if $tell(c, C^\nu) = (false, C^\nu)$, $t_\nu \in \{0, 1, 2\}$,

4. $\mathcal{H} = (\mathcal{P} \setminus \{c\}) \odot (\bigwedge_{\kappa \in L} C^\kappa[t_\kappa])$ if $t_\nu = 3$.

According to the definition of the operation $tell$ we distinguish the cases 1-3. The tag $t_\nu$, $\nu \in L$, of the constraint store $C^\nu[t_\nu]$ indicates changes of the store after its last projection: $t_\nu = 0$ denotes that no propagation of constraints to $C^\nu$ was done, $t_\nu = 1$ reports that a nonredundant constraint was successfully propagated, $t_\nu = 2$ notices that only redundant constraints have been propagated, and $t_\nu = 3$ indicates a failing propagation. If the propagation of a constraint failed, i.e. $t_\nu = 3$, then the constraint pool contains $false$ and further constraint propagations are irrelevant (case 4). Figure 2.1 shows the changes of a tag $t_\nu$ in dependence of the relation $prop$.
Fig. 2.1. Changes of tag $t_\nu$ by $prop$

Fig. 2.2. Changes of tag $t_\nu$ by $put\_proj$



$prop(c, \mathcal{H}, \mathcal{H}')$ holds, where $\mathcal{H} = \bigvee_{j \in \{1,\dots,m\}} \mathcal{G}_j$ and $\mathcal{H}' = \bigvee_{j \in \{1,\dots,m\}} \mathcal{H}'_j$, if $\forall j \in \{1, \dots, m\}$: $prop(c, \mathcal{G}_j, \mathcal{H}'_j)$.

The validity of the relation $prop$ for some constraint $c$ and two overall configurations $\mathcal{H} = \bigvee_{j \in \{1,\dots,m\}} \mathcal{G}_j$ and $\mathcal{H}' = \bigvee_{j \in \{1,\dots,m\}} \mathcal{H}'_j$ is due to the validity of $prop$ for every $j \in \{1, \dots, m\}$ for $c$ and the configurations $\mathcal{G}_j$ and $\mathcal{H}'_j$.

2. The relation $put\_proj \subseteq L \times \mathcal{P}(L \times \mathcal{P}(\mathcal{P}(X))) \times \Xi \times \Xi$ lifts the application of the function $proj$ to the level of overall configurations. $put\_proj(\nu, ProjSet, \mathcal{G}, \mathcal{H})$ holds (case (a)), if the overall configuration $\mathcal{H}$ is reached from the configuration $\mathcal{G}$ by projection of the constraint store $C^\nu$ ($t_\nu = 1$) of $\mathcal{G}$ wrt every $\zeta_\mu$ and every set of $XSet_{\mu,\nu}$, where $ProjSet = \bigcup_{\mu \in L \setminus \{\nu\}} \{(\mu, XSet_{\mu,\nu})\}$, and adding these projections to the constraint pool of $\mathcal{G}$. ($XSet_{\mu,\nu}$, $\mu \in L \setminus \{\nu\}$, contains sets of variables of the common sorts of $X_\mu$ and $X_\nu$. The constraint store $C^\nu$ is projected wrt each of these sets and $\zeta_\mu$.) For better understanding see Example 5.

If $C^\nu$ of $\mathcal{G}$ has not changed by a constraint propagation before ($t_\nu \in \{0, 2\}$), or the change of $C^\nu$ is not relevant for further derivation ($t_\nu = 3$) (case (b)), then $\nu$, $ProjSet$ and $\mathcal{G}$ are in relation to $\mathcal{H}$ (according to $put\_proj$), where no projection is added to the pool of $\mathcal{G}$. This use of the tags $t_\nu$, $\nu \in L$, (see Figs. 2.1 and 2.2) prevents unnecessary projections.

$put\_proj(\nu, \bigcup_{\mu \in L \setminus \{\nu\}} \{(\mu, XSet_{\mu,\nu})\}, \mathcal{G}, \mathcal{H})$, with $\nu, \mu \in L$, $XSet_{\mu,\nu} \in \mathcal{P}(\mathcal{P}(X^s))$, $s \in S_{\Sigma_\nu} \cap S_{\Sigma_\mu}$, and

(a) $\mathcal{G} = \mathcal{P} \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[1])$,

$\mathcal{H} = \bigvee_{\alpha \in \{1,\dots,m\}} \big( (\mathcal{P} \cup \bigcup_{\varepsilon \in \{1,\dots,n_\alpha\}} \{c_{\alpha,\varepsilon}\}) \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[0]) \big)$,

where $\bigwedge_{\mu \in L \setminus \{\nu\}} \big( \bigwedge_{Y \in XSet_{\mu,\nu}} proj^{\nu \to \mu}(Y, C^\nu) \big) = \bigvee_{\alpha \in \{1,\dots,m\}} \big( \bigwedge_{\varepsilon \in \{1,\dots,n_\alpha\}} c_{\alpha,\varepsilon} \big)$, or

(b) $\mathcal{G} = \mathcal{P} \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[t_\nu])$, $t_\nu \in \{0, 2, 3\}$, and $\mathcal{H} = \mathcal{P} \odot ((\bigwedge_{\kappa \in L \setminus \{\nu\}} C^\kappa[t_\kappa]) \wedge C^\nu[t_\nu])$.
As for the relation $prop$, the validity of $put\_proj$ for two overall configurations $\mathcal{H}$ and $\mathcal{H}'$ is due to the validity of $put\_proj$ for their configurations.

$put\_proj(\nu, ProjSet, \mathcal{H}, \mathcal{H}')$, where $\mathcal{H} = \bigvee_{j \in \{1,\dots,m\}} \mathcal{G}_j$ and $\mathcal{H}' = \bigvee_{j \in \{1,\dots,m\}} \mathcal{H}'_j$, if $\forall j \in \{1, \dots, m\}$: $put\_proj(\nu, ProjSet, \mathcal{G}_j, \mathcal{H}'_j)$.



Example 5. Consider our example, when in the last step $CS_3$ produces the constraint $K =_3 2.5 \cdot 10^{-6}$, i.e. the constraint store $C^3$ of $CS_3$ 'contains' the valuation $\sigma(K) = 2.5 \cdot 10^{-6}$. We want to project $C^3$ wrt $\zeta_1$ and $\zeta_2$ for information exchange. Let $\mathcal{G} = \mathcal{P} \odot (C^1[t_1] \wedge C^2[t_2] \wedge C^3[1])$ be the current configuration. The relation $put\_proj(3, ProjSet, \mathcal{G}, \mathcal{H})$ with $ProjSet = \{(1, \{\{K\}, \{t\}\}), (2, \{\{K\}, \{R\}\})\}$ describes that the overall configuration $\mathcal{H}$ is reached from configuration $\mathcal{G}$ by projecting the constraint store $C^3$ wrt constraint system $\zeta_1$ and each of the sets $\{K\}$ and $\{t\}$ and wrt system $\zeta_2$ and each of the sets $\{K\}$ and $\{R\}$ and adding the projections to the pool. The set $ProjSet$ fixes pairs of a constraint system and a set of sets of variables for a directed projection.

$put\_proj(3, ProjSet, \mathcal{G}, \mathcal{H})$, where $ProjSet = \{(1, \{\{K\}, \{t\}\}), (2, \{\{K\}, \{R\}\})\}$,

$$\big( \bigwedge_{Z \in \{\{K\},\{t\}\}} proj^{3 \to 1}(Z, C^3) \big) \wedge \big( \bigwedge_{Z \in \{\{K\},\{R\}\}} proj^{3 \to 2}(Z, C^3) \big)$$
$$= proj^{3 \to 1}(\{K\}, C^3) \wedge proj^{3 \to 1}(\{t\}, C^3) \wedge \big( \bigwedge_{Z \in \{\{K\},\{R\}\}} proj^{3 \to 2}(Z, C^3) \big)$$
$$= K =_1 2.5 \cdot 10^{-6} \wedge true \wedge K =_2 2.5 \cdot 10^{-6} \wedge true,$$

$\mathcal{H} = (\mathcal{P} \cup \{K =_1 2.5 \cdot 10^{-6}, K =_2 2.5 \cdot 10^{-6}, true\}) \odot (C^1[t_1] \wedge C^2[t_2] \wedge C^3[0])$. □
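As an added example (not from the paper), the following Python model implements the interface of Sect. 3.3 for the finite domain solver $CS_3$ of Example 3 together with the tag bookkeeping of $prop$ and $put\_proj$ from Sect. 3.4.2, and replays the propagation of $c_9$, $c_{10}$ and the projection of Example 5; the constraint encoding and the value sets are constructed here.

```python
from itertools import product

# Result values of the interface function tell, named as in the paper.
TRUE_CHANGED, TRUE_REDUNDANT, FALSE = "true_changed", "true_redundant", "false"

# Constructed encoding of constraints of the finite domain system 3 of the example:
# ("in", 3, x, values) is x ∈ values, ("between", 3, x, lo, hi) is lo ≤ x ≤ hi,
# ("eq", nu, x, val) is x =_nu val.
C9 = ("in", 3, "K", frozenset({1e-6, 2.5e-6, 5e-6, 1e-5, 2e-5, 5e-5}))
C10 = ("between", 3, "K", 1.3572e-6, 4.3429e-6)


def _admits(c, v):
    """Does value v satisfy the single-variable constraint c?"""
    if c[0] == "in":
        return v in c[3]
    if c[0] == "between":
        return c[3] <= v <= c[4]
    return v == c[3]                     # "eq"


def tell(c, store):
    """tell: Cons(Sigma_3) x CStore_3 -> {true_changed, true_redundant, false} x CStore_3.
    A store maps each variable to its remaining finite domain (a frozenset)."""
    kind, system, x = c[0], c[1], c[2]
    if system != 3:
        raise ValueError("CS_3 only accepts constraints of system 3")
    old = store.get(x)
    if old is None:
        if kind != "in":
            # Assumption: a variable receives its finite domain first; the paper's
            # delaying of constraints for incomplete solvers is not modelled.
            raise ValueError(f"{x} has no finite domain yet")
        new = frozenset(c[3])
    else:
        new = frozenset(v for v in old if _admits(c, v))
    if not new:
        return FALSE, store              # C ∧ c unsatisfiable, store unchanged
    if new == old:
        return TRUE_REDUNDANT, store     # c is already entailed by C
    return TRUE_CHANGED, {**store, x: new}


def proj(Y, store):
    """proj of Example 3: for Y = {x} the disjunction of x =_3 val_i over the values
    x can still take, 'true' otherwise.  A disjunction is a list of disjuncts."""
    if len(Y) == 1:
        (x,) = Y
        if x in store:
            return [("eq", 3, x, v) for v in sorted(store[x])]
    return ["true"]


def conv(mu, disjunction):
    """conv^{3->mu} of Example 3: relabel x =_3 val as x =_mu val."""
    if "true" in disjunction:
        return ["true"]
    return [("eq", mu, d[2], d[3]) for d in disjunction]


def proj_to(mu, Y, store):
    """proj^{3->mu}(Y, C) = conv^{3->mu}(proj(Y, C))."""
    return conv(mu, proj(Y, store))


def next_tag(tag, result):
    """Tag update of a store under the relation prop (cases 1-4 of Sect. 3.4.2)."""
    if tag == 3:
        return 3                         # case 4: the pool already contains false
    if result == FALSE:
        return 3                         # case 3
    if result == TRUE_CHANGED:
        return 1                         # case 1
    return 1 if tag == 1 else 2          # case 2: true_redundant


def put_proj(proj_set, store, tag):
    """put_proj for one store: with tag 1 (case (a)) project wrt every (mu, XSet) in
    proj_set, turn the conjunction of the resulting disjunctions into disjunctive normal
    form (one list of pool additions per alternative) and reset the tag to 0.
    With tag 0, 2 or 3 (case (b)) nothing is projected."""
    if tag != 1:
        return [], tag
    disjunctions = [proj_to(mu, Y, store) for mu, xsets in proj_set for Y in xsets]
    return [list(alt) for alt in product(*disjunctions)], 0


def run_example():
    """Propagate c9, c10 and c9 again to C^3, perform the projection of Example 5,
    then propagate a contradicting constraint; returns store, trace and pool additions."""
    store, tag, trace = {}, 0, []
    for c in (C9, C10, C9):
        result, store = tell(c, store)
        tag = next_tag(tag, result)
        trace.append((result, tag))
    proj_set = [(1, [{"K"}, {"t"}]), (2, [{"K"}, {"R"}])]
    alternatives, tag = put_proj(proj_set, store, tag)
    trace.append(("put_proj", tag))
    result, store = tell(("eq", 3, "K", 1e-6), store)   # K = 10^-6 contradicts C^3
    tag = next_tag(tag, result)
    trace.append((result, tag))
    return store, trace, alternatives
```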

3.4.3 Defining Strategies for Cooperating Constraint Solvers. Now, we want to use the above defined basic relations for a stepwise definition of the operational semantics. The coordination of the individual constraint solvers which is specified by the operational semantics is controlled by the meta constraint solver. To enable a tight cooperation of the different solvers to reach an efficient computation behaviour, we need to take into account various influences on such a combined system.

Example 6. Consider the input constraint conjunction of Example 4. Constraint $c_5 = (E =_2 \exp(F))$ is handled by the constraint solver $CS_2$ which is able to infer about functions, like $\exp$, $\ln$, $\sin$, and $\cos$; constraint $c_9 = (K \in \{10^{-6}, 2.5 \cdot 10^{-6}, 5 \cdot 10^{-6}, 10^{-5}, 2 \cdot 10^{-5}, 5 \cdot 10^{-5}\})$ is handled by the finite domain constraint solver $CS_3$; all other constraints are constraints for which the constraint solver $CS_1$ for rational interval arithmetic is responsible. Figure 3 shows the information exchange between the constraint solvers during the process of solving the constraint conjunction as done in Example 1. Constraints which label arrows between constraint solvers express that they are projections from one solver which are propagated to the other solver.

Figure 3 shows one possible order of application of the constraint solvers on the given constraint conjunction. The computation effort depends on the order of application of the solvers. An arbitrary order of solver application does not need to yield the constraint $K =_3 2.5 \cdot 10^{-6}$ as fast. For example, using $CS_2$ to find a valuation for $F$ requires a computation of a valuation for $E$ by $CS_1$ before. This leads to the question of how to describe an appropriate coordination strategy. □

Fig. 3. Information exchange of cooperating solvers according to Example 6

There are many influences, like properties of the particular constraint solvers as well as properties of the underlying hardware architecture, for instance, parallel processors, on the choice of an appropriate cooperation strategy to optimize the computation effort. This yields the necessity to define different coordination strategies for cooperating solvers. If the single solvers for the cooperation are chosen, the interfaces of the solvers are fixed, and the external influences are known, then we can start to design a cooperation strategy. In the following, we illustrate the way of defining strategies in general; we do not go into detail wrt particular influences.

In general, in one derivation step one or more configurations $\mathcal{G}_j$, $j \in \{1, \dots, m\}$, are rewritten by a formal disjunction of configurations $\mathcal{H}_{\mathcal{G}_j}$ (for $i \in \{1, \dots, m+1\}$, $\mathcal{H}_i$ denotes a (possibly empty) formal disjunction):

$$\mathcal{H}_1 \vee \mathcal{G}_1 \vee \dots \vee \mathcal{H}_j \vee \mathcal{G}_j \vee \dots \vee \mathcal{H}_m \vee \mathcal{G}_m \vee \mathcal{H}_{m+1}$$
$$\Longrightarrow\ \mathcal{H}_1 \vee \mathcal{H}_{\mathcal{G}_1} \vee \dots \vee \mathcal{H}_j \vee \mathcal{H}_{\mathcal{G}_j} \vee \dots \vee \mathcal{H}_m \vee \mathcal{H}_{\mathcal{G}_m} \vee \mathcal{H}_{m+1}$$

Thus, first, we define a derivation relation for configurations and, based on this, we define a derivation relation for overall configurations. The following three steps build a general frame for the definition of strategies for cooperating solvers:

1. Definition of a derivation relation for configurations (production level).

2. Definition of a derivation relation for overall configurations (application level).

3. Definition of a reduction system for the derivation of overall configurations.

In the following, showing four examples of strategy definitions, we instantiate the general frame by specifying the steps 1, 2, and 3.

1. Definition of a derivation relation for configurations: For simplification, in our example strategies constraint stores are projected wrt all other constraint systems and wrt each of the variables of the common sorts of the two concerned constraint systems. To summarize this we define the relation $project$:

$project(\nu, \mathcal{H}, \mathcal{H}')$ holds if $put\_proj(\nu, ProjSet, \mathcal{H}, \mathcal{H}')$ holds, where $ProjSet = \bigcup_{\mu \in L \setminus \{\nu\}} \{(\mu, XSet_{\mu,\nu})\}$ with $XSet_{\mu,\nu} =$
Let us consider the simplest possibility to define a derivation step for a configuration $\mathcal{G} = \mathcal{P} \odot (\bigwedge_{\kappa \in L} C^\kappa[0])$. Exactly one constraint $c \in Cons(\Sigma_\nu)$ is chosen (nondeterministically) from the constraint pool $\mathcal{P}$ of $\mathcal{G}$ and it is propagated to $C^\nu$ building $C'^\nu$ and the new configuration $\mathcal{H}'$. This is followed by a projection of $C'^\nu$ by means of $project$ (i.e. a projection wrt all other constraint systems and every variable of the common sorts of $\zeta_\nu$ and $\zeta_\mu$).

$\mathcal{G} \to_{seq} \mathcal{H}$ holds if $\mathcal{G} = \mathcal{P} \odot (\bigwedge_{\kappa \in L} C^\kappa[0])$ is not in normal form, and $\exists \mathcal{H}' \in \Xi$: $prop(c, \mathcal{G}, \mathcal{H}') \wedge project(\nu, \mathcal{H}', \mathcal{H})$, where $c \in \mathcal{P}$, $c \in Cons(\Sigma_\nu) \setminus \{true, false\}$, $\nu \in L$.

If, in a number of such steps, constraints $c_1, \dots, c_n$ from the pool are propagated one after the other, such that they are all constraints of exactly one constraint system, then each projection is redundant wrt the following projections because of Property 1. Avoiding such redundant projections leads to the definition of the relation $\to_{seq+}^\nu$, $\nu \in L$:

$\mathcal{G} \to_{seq+}^\nu \mathcal{H}$ holds if $\mathcal{G} = \mathcal{H}_1 = \mathcal{P} \odot (\bigwedge_{\kappa \in L} C^\kappa[0])$ is not in normal form and $\exists \mathcal{H}_2, \dots, \mathcal{H}_{n+1} \in \Xi$: $\bigwedge_{i \in \{1,\dots,n\}} prop(c_i, \mathcal{H}_i, \mathcal{H}_{i+1}) \wedge project(\nu, \mathcal{H}_{n+1}, \mathcal{H})$, where $\nu \in L$, $c_1, \dots, c_n \in \mathcal{P}$, $c_1, \dots, c_n \in Cons(\Sigma_\nu) \setminus \{true, false\}$, $n \geq 1$.



Example 7. Recall our example to see the difference between $\to_{seq}$ and $\to_{seq+}$. Consider the situation, when $CS_3$ gets the constraint $c_9 = (K \in \{10^{-6}, 2.5 \cdot 10^{-6}, 5 \cdot 10^{-6}, 10^{-5}, 2 \cdot 10^{-5}, 5 \cdot 10^{-5}\})$ from the input constraint conjunction and afterwards the constraint $c_{10} = (1.3572 \cdot 10^{-6} \le K \le 4.3429 \cdot 10^{-6})$ from $CS_1$, both to be propagated to the current constraint store $C^3$ of $CS_3$.

Using $\to_{seq}$, the first step adds $c_9$ to $C^3$ which yields $C'^3$, which is projected. The second step adds $c_{10}$ to $C'^3$ which yields $C''^3$. Using $\to_{seq+}$ we avoid the projections of $C'^3$ which are redundant wrt the later following projections of $C''^3$ because of Property 1. Thus, moreover, the handling of the redundant projections of $C'^3$ by $CS_1$ and $CS_2$ is avoided. □

If we want to fix the order of the constraint systems the constraints of which are propagated next, then we simply give an order $<$ on constraint systems and we use the relation $\to_{seq<}$ which is defined as follows:

$\mathcal{G} \to_{seq<} \mathcal{H}$ holds if $\mathcal{G} \to_{seq+}^\nu \mathcal{H}$, $\nu \in L$, and there is no $\mu \in L$, $\mu \neq \nu$, $\mu < \nu$, s.t. $\exists \mathcal{H}' \in \Xi$: $\mathcal{G} \to_{seq+}^\mu \mathcal{H}'$.

Similarly, we can define an order of constraints to be propagated which enables choice heuristics to be regarded, for example to delay particular constraints, as for naive solving of nonlinear constraints [ ].

Hitherto, constraints of exactly one constraint system $\zeta_\nu$, $\nu \in L$, are propagated and afterwards the associated constraint store $C^\nu$ is projected while all other individual constraint solvers than $CS_\nu$ are idle. However, since each of the individual constraint solvers is able to handle a subset of the constraint pool independently of the other constraint solvers, the solvers may work in parallel:

$\mathcal{G} \to_{par} \mathcal{H}$ holds if $\mathcal{G} = \mathcal{H}_1 = \mathcal{P} \odot (\bigwedge_{\kappa \in L} C^\kappa[0])$ is not in normal form and $\exists \mathcal{H}_2, \dots, \mathcal{H}_{n+m+1} \in \Xi$: $(\mathcal{H}_{n+m+1} = \mathcal{H}) \wedge \bigwedge_{i \in \{1,\dots,n\}} prop(c_i, \mathcal{H}_i, \mathcal{H}_{i+1}) \wedge \bigwedge_{\nu \in L} project(\nu, \mathcal{H}_{n+\nu}, \mathcal{H}_{n+\nu+1})$, where $\mathcal{P} \setminus \{true, false\} = \bigcup_{i \in \{1,\dots,n\}} \{c_i\}$, $n \geq 1$, and $L = \{1, \dots, m\}$.

Fig. 4. Information exchange handling the input constraint conjunction using $\to_{par}$

This definition describes the sequential execution of propagations followed by projections. However, propagations of constraints of different constraint systems are independent, as are projections of constraint stores of different constraint systems. Thus, they can be performed in arbitrary order, in particular in parallel, and the behaviour defined by the relation $\to_{par}$ can be regarded (and if we have a parallel computer system it can as well be performed) as follows: The constraint pool $\mathcal{P}$ of the configuration $\mathcal{G} = \mathcal{P} \odot (\bigwedge_{\nu \in L} C^\nu[0])$ is split into subsets $\mathcal{P}_\nu$ of constraints, $\nu \in L$, with $\forall c \in \mathcal{P}_\nu$: $c \in Cons(\Sigma_\nu)$. These subsets are passed to their associated solvers which, in parallel, propagate all constraints of their received subsets. Afterwards they project their constraint stores. The resulting overall configuration is built by composition of the results of the single solvers.

The advantages of the derivation relation $\to_{par}$ are, first, that the individual constraint solvers can work in parallel, and second, that redundant projections are avoided as well as by relation $\to_{seq+}$.

Example 8. Parallel work of all constraint solvers of our example handling the input constraint conjunction yields the trace and the information exchange of Fig. 4. To allow a comparison to the trace in Example 6 only the incoming constraints which are propagated to the associated stores of the solvers by $tell$ and the outgoing constraints, i.e. projections of the constraint stores, are given. Only the relevant projections are shown and changes of constraint stores are left out.

The cooperating solvers find the capacitor which we are searching for in parallel after 3 $\to_{par}$ steps while Example 6 suggested to need at least 4 steps. □

Our framework allows many other possible strategies for the derivation of configurations to be defined by varying the use of the basic relations. Moreover, in our four example strategies a constraint store is projected wrt each other constraint system and wrt each single variable of the common sorts of two constraint systems (fixed by the auxiliary predicate $project$). This causes overhead; when designing specialized systems of cooperating solvers, this overhead can be avoided by a more appropriate application of $put\_proj$ in the definition of the strategy.

2. Defining a derivation relation for overall configurations: The most simple case is to define a derivation step for overall configurations on the base of the derivation of exactly one (nondeterministically chosen) configuration:

$\mathcal{G} \vee \mathcal{H} \Rrightarrow \mathcal{H}'' \vee \mathcal{H}$ holds, where $\mathcal{H} = \mathcal{G}_1 \vee \dots \vee \mathcal{G}_m$, $m \geq 0$, if $\mathcal{G} \to_2 \mathcal{H}''$, and if $\to_2 = \bigcup_{\nu \in L} \to_{seq}^\nu$ then $\Rrightarrow = \Rrightarrow_{seq}$, if $\to_2 = \to_{seq<}$ then $\Rrightarrow = \Rrightarrow_{seq<}$, if $\to_2 = \bigcup_{\nu \in L} \to_{seq+}^\nu$ then $\Rrightarrow = \Rrightarrow_{seq+}$, if $\to_2 = \to_{par}$ then $\Rrightarrow = \Rrightarrow_{par}$.

Other possibilities are, for example, to allow a derivation step for several configurations in parallel or concurrently.

We add further, specific rules at application level, i.e. simplification rules $\to_0$ for overall configurations:

1. $\mathcal{P} \odot (\bigwedge_{\nu \in L} C^\nu[t_\nu]) \vee \mathcal{H} \to_0 \mathcal{H}$, $t_\nu \in \{0, 1, 2, 3\}$, if $false \in \mathcal{P}$ and $\mathcal{H} = \mathcal{G}_1 \vee \dots \vee \mathcal{G}_m$, $m > 0$,

2. $\mathcal{P} \odot (\bigwedge_{\nu \in L} C^\nu[t_\nu]) \to_0 \{false\} \odot (\bigwedge_{\nu \in L} C^\nu[t_\nu])$, $t_\nu \in \{0, 1, 2, 3\}$, if $false \in \mathcal{P}$ and $\exists c \in \mathcal{P}$: $c \neq false$,

3. $\{false\} \odot (\bigwedge_{\nu \in L} C^\nu[t_\nu]) \to_0 \{false\} \odot (\bigwedge_{\nu \in L} C_0^\nu[0])$, $t_\nu \in \{0, 1, 2, 3\}$, if $\exists \mu \in L$: $C^\mu[t_\mu] \neq C_0^\mu[0]$, $t_\mu \in \{0, 1, 2, 3\}$.

3. Definition of a reduction system for the derivation of overall configurations:

Definition 2. We define the reduction systems $(\Xi, \Rightarrow_{seq})$, $(\Xi, \Rightarrow_{seq+})$, $(\Xi, \Rightarrow_{seq<})$, and $(\Xi, \Rightarrow_{par})$, where $\Xi$ is the set of overall configurations and $\Rightarrow_{seq} = (\Rrightarrow_{seq} \cup \to_0)$, $\Rightarrow_{seq+} = (\Rrightarrow_{seq+} \cup \to_0)$, $\Rightarrow_{seq<} = (\Rrightarrow_{seq<} \cup \to_0)$, and $\Rightarrow_{par} = (\Rrightarrow_{par} \cup \to_0)$. □

The defined reduction systems are used for the derivation of an initial overall configuration to normal form. For example, using the reduction system $(\Xi, \Rightarrow_{seq})$, in every derivation step, one constraint of the constraint pool of a configuration is propagated to its associated constraint store, followed by a projection of the newly built constraint store wrt all other constraint systems.

The $\lambda$ conjunctions $\bigwedge_{\nu \in L} C_\kappa^\nu[0]$, $\kappa \in \{1, \dots, \lambda\}$, of the current constraint stores of a normal form $\bigvee_{\kappa \in \{1,\dots,\lambda\}} (\{true\} \odot (\bigwedge_{\nu \in L} C_\kappa^\nu[0]))$ contain constraints which describe the set of solutions. The initially given constraint conjunction has no solution if the derivation yields the normal form $\{false\} \odot (\bigwedge_{\nu \in L} C_0^\nu[0])$.
Solving constraint conjunctions using cooperating constraint solvers accord- 
ing to our framework no solutions are lost wrt the intersection of the solution sets 
of a computation of the single constraint solvers if Vi^, p G L: prof'^^ is sound, 
i.e. a projection of a constraint store C' wrt to a constraint system and a set 
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of variables V, is valid in under all assignments a : V/_i H —!■ UseS^nS^. 
where o is obtained by restricting a solution a,, \Vu ^ UsGS„ of C'^ (wrt V^) 
to the variables of the common sorts of and V^, V C X. Because of 
the information exchange between the cooperating solvers they are able to solve 
constraint conjunctions which single constraint solvers are not able to handle. 

4 Conclusion and Related Work 

We have presented a general scheme for cooperating constraint solvers. A uniform interface for the solvers allows the information exchange between them to be specified formally. Because of the modularity of our definitions of the basic relations and of the derivation relations at production level as well as at application level, we are able to define a wide range of derivation strategies for cooperating solvers. Analysing the particular influence of the choice of a strategy on the computation effort is one task for future research. Since our approach allows the integration of constraint solvers of very different constraint systems, it is possible to integrate different host languages into the system by treating them as constraint solvers. In earlier work we have shown the integration of the functional logic language Curry. This new point of view on the host language of such a system and the possibility to define tight cooperation strategies according to the current requirements allow a wide range of systems of cooperating solvers to be specified, such that our overall system forms a general framework for cooperating solvers.

Cooperating solvers have been investigated from different points of view. Hong addresses the issue of confluence for a system of cooperating solvers. The strategy of this system can be described using our sequential strategy $\Rightarrow_{seq}$. The cooperative schemes for solving systems of constraints over real numbers introduced by Rueher and by Rueher and Solnon describe concurrent work of the individual solvers. Such concurrent strategies can be described in our framework by strategies similar to $\Rightarrow_{seq+}$. The environment for executing constraint solver combinations of Monfroy provides three fixed cooperation primitives, two of which correspond to strategies of ours, one of them $\Rightarrow_{par}$. However, our approach allows a finer grained definition of strategies according to the current requirements. As far as the form of the constraints exchanged between the solvers is fixed in these approaches, we are able to express that as well by means of our interface function proj. The main idea behind the combination approach which extends the CLP scheme of Jaffar and Lassez is a mechanism which controls variable equality sharing. We think that our approach is more general wrt information exchange, because in our system this is done by projections, of which variable equality sharing is only one instance. The investigation of different cooperation strategies is left out there.
Abstract. We provide here an extension of a general framework introduced in prior work that allows several local consistency algorithms to be explained in a systematic way. In this framework we proceed in two steps. First, we introduce a generic iteration algorithm on partial orderings and prove its correctness. Then we instantiate this algorithm with specific partial orderings and functions to obtain specific local consistency algorithms. In particular, using the notion of subsumption, we show that the algorithms AC-4, HAC-4, AC-5 and our extension HAC-5 of AC-5 are instances of a single generic algorithm.



1 Introduction 

Constraint programming consists of formulating and solving constraint satisfaction problems. One of the most important techniques developed in this area is local consistency, which aims at pruning the search space while maintaining equivalence. Our work stems from the framework devised in prior work, where its author introduces an algorithm, the Generic Iteration algorithm (GI), able to explain most of the usual local consistency algorithms in terms of fixpoints of functions. In this paper, we develop the GI algorithm into a new one, the Generic Iteration Algorithm with Subsumed Functions, briefly GISF; our new algorithm can account for more local consistency algorithms than GI does, namely arc and hyper arc consistency ones. In fact the (hyper) arc consistency algorithms that we study in this paper all share a common feature: they are split in two parts; a first pruning takes place, then a new program, not interleaved with the previous one, performs a "local" action of pruning. Since the two programs are not interleaved, the GI algorithm cannot account for those kinds of (hyper) arc consistency algorithms, while our GISF algorithm can. Moreover the GI algorithm is an instance of our GISF algorithm. This article is organized as follows: we introduce our GISF algorithm and the general framework in Section 2. We show how constraint satisfaction problems can be encoded in that framework in Section 3. Afterwards, we show how GISF can account for some arc and hyper arc consistency algorithms, namely HAC-4 and AC-4, cf. Subsections 4.1 and 4.2, and AC-5 and our generalization of it, HAC-5, cf. Subsections 4.4 and 4.3.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 358 ff., 2000.

© Springer-Verlag Berlin Heidelberg 2000
2 The Generic Iteration Algorithm with Subsumed Functions

The GI algorithm of the original framework can only iterate functions that belong to a unique set $F$. Our algorithm GISF instead feeds the set $G$ of functions to iterate with functions from two possibly different sets, $F$ and $H$; both sets $H$ and $F$ contain functions defined on the same set $D$. Further, we initialize $G$ with the set $H$, while the operator update can only select functions to iterate from the other set $F$.

Generic Iteration Algorithm with Subsumed Functions (GISF)

1. d := ⊥;
2. G := H;
3. while G ≠ ∅ do
4.   choose g ∈ G;
5.   G := G − {g};
6.   G := G ∪ update(G, F, g, d);
7.   d := g(d)
8. od

Our update operator has to satisfy the following three conditions:

A. if $g(d) \neq d$, then the following functions have to be in $update(G, F, g, d)$: all $f \in F - G$ such that $f(d) = d$ and $f(g(d)) \neq g(d)$;

B. $g(d) = d$ implies $update(G, F, g, d) = \emptyset$;

C. if $g(g(d)) \neq g(d)$, then $g$ is in $update(G, F, g, d)$.

Remark 1. Suppose that $g$ is idempotent, that is, for every $d \in D$, $g(g(d)) = g(d)$. In this case $g$ need not be added to $update(G, F, g, d)$ according to the third condition C.

The sets $F$ and $H$ are not arbitrary but related as in the following definition.

Definition 1. Let $f$ and $g$ be two functions on a set $D$; $g$ subsumes $f$ iff $g(d) = d$ implies $f(d) = d$. Let $F$ and $H$ be two sets of functions defined on the same set $D$; we say that the set $H$ subsumes the set $F$ iff each function of $F$ is subsumed by a function of $H$; we write $subs(F, H)$.

Remark 2. Observe that $subs(H, H)$ is always valid; this means that subs is a reflexive relation. In general, it might not be trivial to check whether the subsumption relation holds between two functions $f$ and $g$ defined on the same set. However, suppose that $(D, \sqsubseteq)$ is a partial ordering with bottom and that $f$ is an inflationary function. If $f(d) \sqsubseteq g(d)$ for every $d \in D$, then indeed $g$ subsumes $f$.

Now it is clear that our algorithm generalizes the GI one: in fact, it is enough to set $F = H$ in GISF and exploit the fact that subs is a reflexive relation, cf. Remark 2.
Proposition 1. The GI algorithm is an instance of the GISF algorithm.

The following result was already in the original framework; we shall use it to prove the correctness of GISF.

Lemma 1 (Stabilization). Consider a partial ordering $(D, \sqsubseteq)$ with bottom $\bot$ and a set $K$ of monotonic functions on $D$; suppose that an iteration of the functions from $K$ starting from $\bot$ eventually stabilizes at a common fixpoint $d$ of the functions from $K$. Then $d$ is the least common fixpoint of all functions from $K$.



Theorem 1 (GISF). Let $(D, \sqsubseteq)$ be a partial ordering with the least element $\bot$; suppose that $H$ and $F$ are two sets of functions on $D$; if $subs(F, H)$ holds and $K$ is $H \cup F$, then the following statements are valid.

i. Every terminating execution of the GISF algorithm computes in $d$ a common fixpoint of the functions in $K$.

ii. Suppose that all functions of $K$ are monotonic. Then every terminating execution of the GISF algorithm computes in $d$ the least common fixpoint of all the functions of $K$.

iii. Suppose that $K$ is finite and all of its functions are inflationary; further suppose that the strict partial order on $D$ satisfies the ascending chain condition (ACC), namely that there are no infinite ascending chains. Then every execution of the GISF algorithm terminates.



Proof. First we prove claim i by showing that the predicate $I := \forall f \in H - G : f(d) = d$ is an invariant of the while loop. Suppose that the predicate $I$ is true before we enter the loop body (when we enter the loop for the first time, the predicate is trivially true because $H - G$ is the empty set). After the execution of the loop body, we have to inspect the function which could have been deleted from $G$, that is the function $g$. If $g(d) = d$, then $g(g(d)) = g(d)$, and so $g$ can safely be added to $H - G$. Suppose now that $g(d) \neq d$; because of condition C, $g$ can be added to $H - G$ only if $g(g(d)) = g(d)$. Our argument shows that the predicate $I$ is true after an execution of the loop body; therefore it is an invariant of the loop. This means that, upon termination of the algorithm, the condition $(G = \emptyset) \wedge I$ holds. Hence, for every $g$ in $H$, $g(d) = d$; since all functions from $F$ are subsumed by functions from $H$, $d$ is a fixpoint of all functions of $H \cup F = K$.

Claim ii follows from i and the Stabilization Lemma applied to $K$.

Finally we prove iii. Consider the strict orderings $(D, \sqsupset)$ and $(\mathbb{N}, <)$, where $\sqsupset$ is the reverse of $\sqsubset$ and $\mathbb{N}$ is the set of natural numbers, and define the lexicographic order $<_{lex}$ on the set $D \times \mathbb{N}$ by

$(d, n) <_{lex} (d', n')$ iff $d \sqsupset d'$ or ($d = d'$ and $n < n'$).

By hypothesis all functions in $K$ are inflationary, so at each iteration of the while loop the pair $(d, |G|)$ strictly decreases with respect to $<_{lex}$: either $g(d) \neq d$, and then $d$ strictly increases wrt $\sqsubseteq$, or $g(d) = d$, and then $d$ is unchanged while, by condition B, $G$ loses $g$ and gains nothing. By assumption the strict order $\sqsubset$ satisfies the ACC, hence there are no infinite descending chains in the lexicographic order $<_{lex}$; the latter fact implies that the algorithm terminates. □



Note 1. If the set $D$ is finite, then any (strict) partial order relation on $D$ is finite; further, there is a finite number of different functions on $D$. Hence, if the set $D$ is finite, the conditions in the last point of the previous theorem on the order and on the set of functions $K$ are trivially satisfied.

3 GISF for Constraint Satisfaction Problems 

Our aim is to apply the GISF algorithm to solve constraint satisfaction problems; therefore we need to relate the latter to the notions so far introduced. In the following, first we provide the definitions of constraints and constraint satisfaction problems that we shall need; then we make explicit the connections with the results from the previous section.

Consider a finite sequence $X$ of $n > 0$ different variables, say $x_1, \dots, x_n$, with associated domains $D_1, \dots, D_n$; from now onwards, we shall always denote the Cartesian product $D_1 \times \dots \times D_n$ with $D$.

Definition 2. A scheme $s$ on $n > 0$ is a strictly growing sequence of different integers from $1, \dots, n$.

Let $s$ be the scheme $(i_1, \dots, i_m)$ on $n$; we denote the Cartesian product $D_{i_1} \times \dots \times D_{i_m}$ with $D[s]$. For instance, if $D_1 = \{0\}$, $D_2 = \{2, 6\}$, $D_3 = \{4\}$ and $s$ is the scheme $(1, 3)$, then $D[s]$ is the set $\{(0, 4)\}$. Further, we shall denote the elements of $D[s]$ with $d[s]$, where $d$ is a tuple of $D_1 \times \dots \times D_n$.

Definition 3. Let $X$ be a sequence of $n > 0$ different variables with domains $D_1, \dots, D_n$, the set $D$ the Cartesian product $D_1 \times \dots \times D_n$ and $s$ a scheme on $n$; a constraint on $s$ is a subset of $D[s]$; we shall write $C(s)$ or simply $C$ when no confusion can arise. A constraint satisfaction problem on $X$, briefly CSP, is a triple $(X, D, C)$ where $C$ is a set of constraints (on schemes on $n$) and $D$ is $D_1 \times \dots \times D_n$.



Yet we have not introduced any orderings; the following definition fills this gap.

Definition 4. Given a CSP, the domain order $\sqsubseteq$ associated with it is the reverse of the set inclusion relation on the power set of $D$; namely, for every subset $A := A_1 \times \dots \times A_n$ and $B := B_1 \times \dots \times B_n$ of $D := D_1 \times \dots \times D_n$, we write $A \sqsubseteq B$ iff $A \supseteq B$.

We could have given a more general notion of domain order, allowing it to be any partial order on $\wp(D)$ with $D$ as bottom; but the definition we give is sufficient for our purposes. An even broader generalization can be found in the original framework, where the author replaces $\wp(D)$ with a family of subsets based on $D$ closed with respect to $\cap$.

Observe that, by definition of $\sqsubseteq$, we have the following equivalence:

$A \sqsubseteq B$ iff, for every $i = 1, \dots, n$, we have that $A_i \supseteq B_i$.

Notice also that $D$ is the top of $(\wp(D), \subseteq)$; therefore it is the bottom of $(\wp(D), \sqsubseteq)$.



Remark 3. From now onwards we shall always be dealing with functions $f : \wp(D) \to \wp(D)$; the order $\sqsubseteq$ on $\wp(D)$ is specified as above. Notice that a function $f : \wp(D) \to \wp(D)$ is inflationary with respect to $\sqsubseteq$ iff, for every subset $B$ of $D$, we have that $f(B) \subseteq B$.

We can now specialize GISF to the case in which the ordering is $(\wp(D), \sqsubseteq)$; we call this instantiation of the GISF algorithm GISF on compound domains, briefly CGISF. The update operator still has to satisfy the conditions A, B and C given for GISF. Hence the previous results and remarks are applicable to CGISF as well; we immediately get the following result for free as a corollary of Theorem 1.

Corollary 1 (CGISF). Consider a CSP $(X, D, C)$ with the associated domain order and two sets of functions $H$ and $F$ on $D$ such that $subs(F, H)$ holds. Moreover, suppose that all functions in $K := H \cup F$ are monotonic. Then the following statements are valid.

i. Every terminating execution of the CGISF algorithm computes the least common fixpoint of all the functions from $K$.

iii. Suppose that $K$ is finite and all of its functions are inflationary; further, suppose that the strict domain order satisfies the ACC. Then every execution of the CGISF algorithm terminates, computing the least common fixpoint of all the functions from $K$.



Finally we introduce the notion of local consistency that we shall study in the rest of the paper.

Definition 5. Consider a constraint satisfaction problem $CSP := (X, D, C)$. The problem $CSP$ is hyper arc consistent iff, for all of its constraints $C(s)$, the following condition is satisfied: for all $i \in s$ and $a \in D_i$, there exists $d \in D[s]$ such that $d \in C(s)$ and $a = d[i]$.

If a CSP has only binary constraints $C(i, j)$, instead of hyper arc consistency we simply speak of arc consistency.



4 Arc and Hyper Arc Consistency Algorithms 

In the next subsections, we shall instantiate the CGISF algorithm with ad hoc designed functions in order to enforce arc and hyper arc consistency on constraint satisfaction problems. First we consider the algorithms HAC-4 for hyper arc consistency and AC-4 for binary arc consistency and prove that CGISF can be instantiated to them, cf. Subsections 4.1 and 4.2 respectively; then we do the same with the algorithms HAC-5 and AC-5 in Subsections 4.3 and 4.4.
4.1 The Algorithm HAC-4 for Hyper Arc Consistency

We show here that the HAC-4 algorithm is an instance of the CGISF algorithm. The HAC-4 algorithm enforces hyper arc consistency by constructing the greatest hyper arc consistent problem included in the input constraint satisfaction problem. First we describe the original algorithm HAC-4; afterwards we devise some functions and show how CGISF can be instantiated to HAC-4 by means of those functions.

Table 1. Algorithm HAC-4 for hyper arc consistency

1. input: List;
2. while List ≠ ∅ do
3.   choose (i, a) ∈ List;
4.   List := List − {(i, a)};
5.   for C(s) and i ∈ s do
6.     for d ∈ S(C, a, i) do
7.       for j ∈ s, j ≠ i, b = d[j] do
8.         S(C, b, j) := S(C, b, j) − {d};
9.         if S(C, b, j) = ∅ then
10.          List := List ∪ {(j, b)};
11.          D[j] := D[j] − {b}
12.        fi
13.      od
14.    od
15.  od
16. od


Before HAC-4 starts, an initial pruning and a construction of structures take place: the pairs $(i, a)$ of elements $a \in D_i$ that do not have any support in some constraint of the problem are removed from their domain $D_i$ and stored in the set of deleted elements called List. The HAC-4 algorithm starts by choosing an element $(i, a)$ from List; having chosen a tuple $d$ that belongs to a constraint of the problem and that supports $a$, HAC-4 removes $d$ and propagates the effects of its elimination on its components different from $a$. Since we want to instantiate CGISF to HAC-4, we need to introduce the necessary functions on $\wp(D)$. In the following, we devise two classes of such functions. Let $B$ be any subset of $D$.

a. For every $D_i$, $a \in D_i$ and constraint $C(s)$ such that $i \in s$, we define a function $\pi(i, a, C)(B) := B'$ where $B' := B'_1 \times \dots \times B'_n$ and, for every $k = 1, \dots, n$, we have

$B'_k := B_i - \{a\}$ if $k = i$ and $\forall d\,(d \in B[s] \wedge d[i] = a \Rightarrow d \notin C(s))$, and $B'_k := B_k$ otherwise.

Basically, $\pi(i, a, C)$ removes the element $a$ from the domain $B_i$ iff $a$ has no support in $C(s)$.

b. For all constraints $C(s)$ of the problem, $i \in s$ and $d \in C(s)$, we define a function $\pi(i, d, C)(B) := B'$ where $B' := B'_1 \times \dots \times B'_n$ and, for every $k = 1, \dots, n$, we have

$B'_k := B_i - \{d[i]\}$ if $k = i$ and $\forall d'\,(d' \in B[s] \wedge d'[i] = d[i] \Rightarrow d' \notin C(s))$, and $B'_k := B_k$ otherwise.

Intuitively, the function $\pi(i, d, C)$ removes the element $a := d[i]$ from its domain $B_i$ iff $d$, the unique support for $a$, has been removed from $B[s]$.

Remark 4. Observe that, for every constraint $C(s)$ of the problem, $i \in s$ and $d \in C(s)$, the function $\pi(i, d, C(s))$ is subsumed by $\pi(i, d[i], C(s))$; in fact

$\pi(i, d[i], C(s)) \sqsubseteq \pi(i, d, C(s))$.

We shall initialize $H$ with the functions $\pi(i, a, C)$ and $F$ with the functions $\pi(i, d, C)$.

Note 2. The functions $\pi(i, a, C(s))$ and $\pi(i, d, C(s))$ are idempotent, inflationary and monotonic with respect to the domain order $\sqsubseteq$.

Hence, due to Remark 1 and Note 2, our update operator needs only to satisfy conditions A and B given in Section 2. We define it as follows.

— If $\pi(i, a, C(s))(B) = B$, then $update(G, F, \pi(i, a, C(s)), B)$ is the empty set. Otherwise $update(G, F, \pi(i, a, C(s)), B)$ is the set of functions $\pi(j, d, C(s^*))$ from $F - G$ that satisfy the following conditions:

i1. $d[i] = a$, $j \in s^*$ and $j \neq i$;

ii1. for all $d' \in B[s^*]$ such that $a = d'[i]$ we have that $d' \notin C(s^*)$.

— Similarly, if $\pi(i, d, C(s))(B) = B$, then $update(G, F, \pi(i, d, C(s)), B)$ is the empty set. If it is not the case, then the set $update(G, F, \pi(i, d, C(s)), B)$ only contains the functions $\pi(j, d^*, C(s^*))$ of $F - G$ that satisfy the following conditions:

i2. $i \in s^*$, $j \neq i$ and $d^*[i] = d[i]$;

ii2. for all $d' \in B[s^*]$ such that $d[i] = d'[i]$ we have that $d' \notin C(s^*)$.

It is immediate to check that this update operator fulfills conditions A and B. Moreover, after executing CGISF with all the functions of $H$, the set $G$ only contains functions of $F$.

Theorem 2. Consider a CSP $(X, D, C)$ with the associated domain order and the sets of functions $H$ and $F$ defined above; then we have the following results.

(Partial correctness) Every terminating execution of the CGISF algorithm computes the greatest hyper arc consistent problem contained in the given one.

(Total correctness) Suppose that $D$ is finite; then every execution of the CGISF algorithm terminates.

Proof. Indeed a fixpoint of the functions from $H$ is a hyper arc consistent problem contained in the given one; as $subs(F, H)$ holds, a fixpoint of the functions from $H \cup F$ is a hyper arc consistent problem $(X, D', C)$ such that $D'$ is a subset of $D$. Now it is enough to observe that if $D$ is finite so is $H \cup F$, and the strict partial order on $D$ satisfies the ACC, cf. Note 1. Our statements immediately follow from Proposition 1 and Corollary 1. □

In the next theorem, we prove that the CGISF algorithm can be instantiated to the HAC-4 algorithm by means of the functions $\pi(j, d, C)$.

Theorem 3 (CGISF for HAC-4). Each iteration of the HAC-4 algorithm is equivalent to one or more iterations of the CGISF algorithm.

Proof. First we execute the CGISF algorithm with the functions $\pi(i, a, C(s))$ of $H$; this way we prune the search space and propagate the effects of the removal of each $a$ that has no support from its domain $D_i$ by means of the update operator. In parallel, for each $D_i$ and $a$ removed from $D_i$, the pairs $(i, a)$ are stored in List before starting the HAC-4 algorithm. The structures $S(C(s^*), a, i)$, where $C(s^*)$ is a constraint of the problem, contain all the tuples $d$ such that $d \in C(s^*)$ and $d[i] = a$. Let $(i, a)$ be the pair that we pick out from List (line 3 of HAC-4), $C(s^*)$ a constraint of the problem on $s^*$ with $i \in s^*$ (line 5 of HAC-4) and $d$ a tuple of $C(s^*)$ that supports $a$ (line 6 of HAC-4). For each $j \neq i$ with $j \in s^*$ and for $b = d[j]$ (line 7 of HAC-4), the HAC-4 algorithm deletes $d$ from $S(C(s^*), b, j)$ (line 8 of HAC-4) because $a$ does not belong to $D_i$ any more. In parallel we choose the function $\pi(j, d, C(s^*))$ in CGISF; the CGISF algorithm removes $\pi(j, d, C(s^*))$ from the set $G$ of functions to inspect. Observe that the function that we select is available in $F - G$ because of our choice of the update operator. In the if-then sub-program HAC-4 eliminates $b$ from $D_j$ and adds $(j, b)$ to List iff $b$ does not have any more support in $C(s^*)$ after the removal of $d$; so does the function $\pi(j, d, C(s^*))$, which removes $b$ from $D_j$ iff it has no more support in $C(s^*)$ and propagates the effects of the removal of $b$ by means of the update operator. □
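The following Python program is an added example and not code from the paper: it implements the GISF loop of Section 2 (an insertion-ordered dict stands in for the nondeterministic choice of g) and instantiates it to CGISF with the functions π(i, a, C(s)) and π(i, d, C(s)) and the update operator of this subsection, run on a constructed three-variable CSP with two binary constraints and one ternary constraint. The update operator adds every π(j, d, C(s*)) named by condition i1, which condition A allows as a superset of the required functions. The names DOMAINS, CONSTRAINTS, has_support, apply_fn, update, gisf, hac4_via_cgisf and is_hyper_arc_consistent are the example's own.

```python
"""GISF (Section 2) instantiated to CGISF for HAC-4 (Section 4.1); added example."""

# Constructed sample CSP, not taken from the paper: three variables x1, x2, x3 with
# domains D1, D2, D3 and constraints on the schemes (1, 2), (2, 3) and (1, 2, 3).
DOMAINS = {1: frozenset({1, 2, 3}), 2: frozenset({1, 2, 3}), 3: frozenset({1, 2, 3})}
CONSTRAINTS = {
    (1, 2): {(1, 2), (1, 3), (2, 3)},              # x1 < x2
    (2, 3): {(1, 2), (1, 3), (2, 3)},              # x2 < x3
    (1, 2, 3): {(1, 2, 3), (3, 2, 1), (2, 2, 2)},  # a ternary (hyper arc) constraint
}


def has_support(B, s, i, a):
    """True iff some d in C(s) with d[i] = a lies in B[s], i.e. a is supported in C(s)."""
    pos = s.index(i)
    return any(d[pos] == a and all(d[p] in B[k] for p, k in enumerate(s))
               for d in CONSTRAINTS[s])


def apply_fn(fn, B):
    """pi(i, a, C(s)) (kind 'H') and pi(i, d, C(s)) (kind 'F') of Subsection 4.1:
    remove a (resp. a = d[i]) from B_i iff a has no support in C(s) wrt B.
    Both are inflationary wrt the domain order, since they only shrink B_i."""
    kind, i, x, s = fn
    a = x if kind == "H" else x[s.index(i)]
    if a in B[i] and not has_support(B, s, i, a):
        return {**B, i: B[i] - {a}}
    return B


def update(g):
    """update(G, F, g, d) of Subsection 4.1, called only when g(d) != d (condition B).
    After a was removed from B_i, return the pi(j, d, C(s*)) of F with i in s*,
    d in C(s*), d[i] = a and j != i (condition i1); condition A permits this superset.
    Neither G nor d is needed here: members already in G are ignored by the caller."""
    kind, i, x, s = g
    a = x if kind == "H" else x[s.index(i)]
    return [("F", j, d, t) for t in CONSTRAINTS if i in t
            for d in CONSTRAINTS[t] if d[t.index(i)] == a
            for j in t if j != i]


def gisf(bottom, H, apply_fn, update):
    """GISF: G starts as H and update may only add functions of F; returns d."""
    d = bottom
    G = dict.fromkeys(H)            # insertion-ordered set: a deterministic 'choose g'
    while G:
        g = next(iter(G))           # 4. choose g in G
        del G[g]                    # 5. G := G - {g}
        new_d = apply_fn(g, d)
        if new_d != d:              # 6. G := G U update(G, F, g, d); empty when g(d) = d
            G.update(dict.fromkeys(update(g)))
        d = new_d                   # 7. d := g(d)
    return d


def hac4_via_cgisf(domains=DOMAINS):
    """Run CGISF from the bottom D (the full domains) with H = all pi(i, a, C(s))."""
    H = [("H", i, a, s) for s in CONSTRAINTS for i in s for a in sorted(domains[i])]
    return gisf(dict(domains), H, apply_fn, update)


def is_hyper_arc_consistent(B):
    """Definition 5: every a in B_i has a support in each constraint C(s) with i in s."""
    return all(has_support(B, s, i, a) for s in CONSTRAINTS for i in s for a in B[i])
```

On the sample problem the loop first applies every π(i, a, C(s)) of H, which prunes x1 = 3, x2 ∈ {1, 3} and x3 = 1, and the π(j, d, C(s*)) functions added by update then remove x1 = 2 and x3 = 2, leaving the greatest hyper arc consistent subproblem D1 = {1}, D2 = {2}, D3 = {3}; the result is a fixpoint of every function in H ∪ F although only the functions of F are ever re-added, exactly as the invariant in the proof of Theorem 1 requires.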



4.2 AC-4 for Binary Constraint Satisfaction Problems 

In the case of normalized binary CSPs, the AC-4 algorithm is an instance of CGISF. In order to obtain a compact notation, we shall also assume to have at our disposal the transposed constraint $C^T := C(j, i)$ of each constraint $C = C(i, j)$ of the given problem, where $(b, a) \in C^T$ iff $(a, b) \in C$. First we describe the original algorithm AC-4. In order to execute the AC-4 algorithm a series of structures needs to be created. The algorithm in Table 2 initializes those structures, performing two different actions:

1. it stores in List the pairs $(i, a)$ such that $a \in D_i$ has no support in $D_j$, deletes $a$ from its domain $D_i$ and, by means of the condition $M[i, a] = 1$, records that $a$ has been deleted;

2. it adds $(i, a)$ to $S[j, b]$ if $(a, b) \in C(i, j)$, so that, if $b$ happens to be deleted, then we know that we have to check whether $a$ still has supports in $D_j$.
Table 2. Algorithm to initialize data structures

List := ∅;
for C(i, j) constraint of the problem do
  for a ∈ D_i do
    S[i, a] := ∅;
    M[i, a] := 0;
    Total := 0;
    for b ∈ D_j do
      if (a, b) ∈ C(i, j) then
        Total := Total + 1;
        S[j, b] := S[j, b] ∪ {(i, a)}
      fi
    od;
    if Total = 0 then
      D_i := D_i − {a};
      List := List ∪ {(i, a)};
      M[i, a] := 1
    fi;
    Counter[(i, j), a] := Total
  od
od



Table 3. Elimination of inconsistencies from the domains in AC-4

while List ≠ ∅ do
  choose and remove (i, a) from List;
  for (j, b) ∈ S[i, a] do
    Counter[(j, i), b] := Counter[(j, i), b] − 1;
    if Counter[(j, i), b] = 0 and M[j, b] = 0 then
      D_j := D_j − {b};
      List := List ∪ {(j, b)};
      M[j, b] := 1
    fi
  od
od

The algorithm in Table 3 inspects each $b$ that supports an $a$ which has been removed; if $a$ happens to have been the unique support of $b$ and $b$ has not been deleted yet, then $b$ is removed from its domain $D_j$ and $(j, b)$ is added to List.
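The following Python program is an added example, not code from the paper or from the original AC-4 authors: it implements Table 2 and Table 3 on a constructed binary CSP x1 < x2 < x3 over {1, 2, 3}, materializing the transposed constraints C^T that the text assumes for normalized binary problems. One deviation from the literal table is spelled out in the comments: the support lists S[i, a] are created once rather than reset to ∅ for every constraint, since otherwise the (i, a) entries recorded while processing an earlier constraint would be lost. The names DOMAINS, BINARY, with_transposes, ac4 and is_arc_consistent are the example's own.

```python
"""AC-4 for normalized binary CSPs, following Tables 2 and 3; added example."""

# Constructed sample binary CSP, not from the paper: x1 < x2 < x3 over {1, 2, 3}.
DOMAINS = {1: {1, 2, 3}, 2: {1, 2, 3}, 3: {1, 2, 3}}
BINARY = {
    (1, 2): {(1, 2), (1, 3), (2, 3)},   # x1 < x2
    (2, 3): {(1, 2), (1, 3), (2, 3)},   # x2 < x3
}


def with_transposes(constraints):
    """Make the transposed constraint C^T(j, i) := {(b, a) | (a, b) in C(i, j)}
    available, as the text assumes for normalized binary CSPs."""
    full = dict(constraints)
    for (i, j), c in constraints.items():
        full[(j, i)] = {(b, a) for a, b in c}
    return full


def ac4(domains, constraints):
    """Return the arc consistent domains. S[i, a] lists the pairs (j, b) that a
    supports, M[i, a] marks deletion, and Counter[(i, j), a] counts the supports
    of a in D_j under C(i, j)."""
    D = {i: set(dom) for i, dom in domains.items()}
    C = with_transposes(constraints)
    List, S, M, Counter = set(), {}, {}, {}
    # Table 2: initialization. Support lists are created once (setdefault) instead
    # of being reset per constraint, so entries from earlier constraints survive.
    for (i, j), c in C.items():
        for a in sorted(D[i]):              # snapshot of the live domain D_i
            S.setdefault((i, a), set())
            M.setdefault((i, a), 0)
            total = 0
            for b in sorted(D[j]):
                if (a, b) in c:
                    total += 1
                    S.setdefault((j, b), set()).add((i, a))
            if total == 0:                  # a has no support in D_j: delete it
                D[i].discard(a)
                List.add((i, a))
                M[(i, a)] = 1
            Counter[((i, j), a)] = total
    # Table 3: propagate deletions. When a leaves D_i, each b that a supported in
    # D_j loses one support; b is deleted once its last support is gone.
    while List:
        i, a = List.pop()
        for j, b in S[(i, a)]:
            Counter[((j, i), b)] -= 1
            if Counter[((j, i), b)] == 0 and M[(j, b)] == 0:
                D[j].discard(b)
                List.add((j, b))
                M[(j, b)] = 1
    return D


def is_arc_consistent(D, constraints):
    """Arc consistency check (Definition 5 for binary constraints, both directions)."""
    C = with_transposes(constraints)
    return all(any((a, b) in c for b in D[j])
               for (i, j), c in C.items() for a in D[i])
```

The initialization alone already deletes x1 = 3, x2 ∈ {1, 3} and x3 ∈ {1, 2}; the propagation of Table 3 then finds that x1 = 2 has lost its only support (x2 = 3) and removes it, giving D1 = {1}, D2 = {2}, D3 = {3}, the same greatest arc consistent subproblem that CGISF computes with the functions π(a, i, j) and π(a, i, b, j).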

We show in the following how CGISF can be instantiated to AC-4. Notice that the functions that we are about to use are the ones devised in Subsection 4.1; however we prefer to rewrite them for normalized binary CSPs in order to make explicit the link with AC-4.
a. For every $D_i$, $a \in D_i$ and constraint $C(i, j)$, we define a new function $\pi(a, i, j)$ such that $\pi(a, i, j)(B) := B'$, where $B'$ is defined as the set $B'_1 \times \dots \times B'_n$ and, for every $k = 1, \dots, n$, we have

$B'_k := B_i - \{a\}$ if $k = i$ and $\forall b\,(b \in B_j \Rightarrow (a, b) \notin C(i, j))$, and $B'_k := B_k$ otherwise.

Basically, $\pi(a, i, j)$ removes the element $a$ from the domain $B_i$ iff $a$ has no support in $B_j$, where $j \neq i$.

b. For every $(a, b) \in C(i, j)$, we define a function $\pi(a, i, b, j)(B) := B'$ where $B' := B'_1 \times \dots \times B'_n$ and, for every $k = 1, \dots, n$, we have

$B'_k := B_i - \{a\}$ if $k = i$, $a \in B_i$, $b \notin B_j$ and $\forall c\,(c \in B_j \Rightarrow (a, c) \notin C(i, j))$, and $B'_k := B_k$ otherwise.

Intuitively, the function $\pi(a, i, b, j)$ removes the element $a$ from its domain $B_i$ iff $a \in B_i$ and $b$, which is the unique support of $a$ in $B_j \cup \{b\}$, does not belong to $B_j$.

Remark 5. Observe that, again, for every $i = 1, \dots, n$ and $a \in D_i$, the functions $\pi(a, i, b, j)$ are all subsumed by $\pi(a, i, j)$. Hence the set $H$ contains all functions $\pi(a, i, j)$, while $F$ is the set of functions $\pi(a, i, b, j)$.

If $\pi(a, i, j)(B) = B$, then $update(G, F, \pi(a, i, j), B)$ is the empty set. Otherwise the set $update(G, F, \pi(a, i, j), B)$ is given by the functions $\pi(b, k, a, i)$ from $F - G$ that satisfy the following conditions:

i. $k \neq i$ and $(a, b) \in C(i, k)$;

ii. for every $a' \in B_i - \{a\}$ we have $(a', b) \notin C(i, k)$.

Similarly, if $\pi(a, i, c, j)(B) = B$, the set $update(G, F, \pi(a, i, c, j), B)$ is the empty set; otherwise it is given by the functions $\pi(b, k, a, i)$ from $F - G$ that satisfy the previous conditions i and ii. The update operator defined above satisfies conditions A and B; C is satisfied because those functions are idempotent, cf. Remark 1. We claim that the CGISF algorithm can be instantiated to the AC-4 algorithm. In order to prove our claim we just need to prove the following proposition and then exploit the result in Theorem 3.

Proposition 2. Given a CSP, consider an iteration of the CGISF algorithm in which only functions from $H$ are chosen. Then the output CSP is the same as the one generated by means of the algorithm in Table 2.

Proof. The algorithm in Table 2 initializes data structures: for each $D_i$, $a \in D_i$ and constraint $C(i, j)$, the algorithm checks whether $a$ has a support in $D_j$. If and only if $a$ has no support in $D_j$, then $a$ is removed from $D_i$ and $D_i$ is set
to $D_i - \{a\}$. In parallel, we execute CGISF with the functions of $H$; the function $\pi(a, i, j)$ removes $a$ from $D_i$ iff $a$ has no support in $D_j$; again $D_i$ is set to $D_i - \{a\}$. The algorithm in Table 2 propagates the effects of the elimination of $a$ on the elements $b \in D_k$ of which $a$ was a support by adding $(i, a)$ to $S[k, b]$ and List. The CGISF algorithm removes the function $\pi(a, i, j)$ from $G$; moreover it adds to $G$ all the functions $\pi(b, k, a, i)$ that are indexed by $b$ such that $(a, b) \in C(i, k)$. After we execute CGISF with all the functions of $H$, we leave only functions from $F$ in $G$, and never introduce the functions of $H$ again. □

We get our claim as a corollary of Theorem 3 and Proposition 2.

Corollary 2. Each iteration of the AC-4 algorithm is equivalent to one or more iterations of the CGISF algorithm.



4.3 The Algorithm HAC-5 for Hyper Arc Consistency 

The AC-5 algorithm for enforcing arc consistency on binary constraint problems was presented in earlier work. However, the procedure that its authors proposed there can be slightly modified in order to enforce hyper arc consistency. In this subsection, first we define two kinds of functions, namely $\pi(s, i)$ and $\pi(s, i, j, b)$; then we explain how they can account for the two-step behaviour of the AC-5 algorithm, but so as to achieve hyper arc consistency. All those functions are defined on subsets $B$ of $D = D_1 \times \dots \times D_n$; given a constraint $C(s)$ of the problem, $i, j \in s$, and an element $b \in D_j$, we define the following two classes of functions.

1. $\pi(s, i)(B) := B'$, where $B'_i = B_i - A_1(i)$ if $A_1(i)$ is the set

$\{a \in B_i : \forall d\,(d \in B[s] \wedge d[i] = a \Rightarrow d \notin C(s))\}$,

while $B'_k = B_k$ whenever $k \neq i$. Basically $\pi(s, i)$ removes the elements of $B_i$ that do not have supports in the constraint $C(s)$ of the problem.

2. $\pi(s, i, j, b)(B) := B'$, where, if $b \notin B_j$, $B'_i = B_i - A_2(i)$ and $A_2(i)$ is the subset of $B_i$ of elements $a$ that satisfy the following condition:

$\exists d \in C(s)$ s.t. $d[i] = a$, $d[j] = b$, $\wedge\ \forall d'\,(d' \in B[s] \wedge d'[i] = a \Rightarrow d' \notin C(s))$,

while $B'_k = B_k$ if $b \in B_j$ or $k \neq i$. Intuitively, $\pi(s, i, j, b)$ removes the elements of $B_i$ that have no more supports in $C(s)$ after the removal of $b$ from $D_j$, for $i, j \in s$.

The set $H$ contains the functions $\pi(s, i)$, while $F$ only contains the functions $\pi(s, i, j, b)$. Moreover every function $\pi(s, i)$ subsumes all functions $\pi(s, i, j, b)$ such that $b \in D_j$; in fact we have the following relation:

$\pi(s, i) \sqsubseteq \bigcap_{j \in s,\ b \in D_j} \pi(s, i, j, b)$.
When we execute CGISF, we can first select and delete all functions $\pi(s, i)$; when each $\pi(s, i)$ is processed, the operator update adds the suitable functions $\pi(s, i, j, b)$ to $G$. When there are no more functions of $H$ to inspect, we execute CGISF with the functions $\pi(s, i, j, b)$.

Note 3. The functions $\pi(s, i)$ and $\pi(s, i, j, b)$ are idempotent, inflationary and monotone with respect to the domain order $\sqsubseteq$.

Because of the previous note and Remark 1, our update operator needs to satisfy only conditions A and B. Hence we define update as follows:

— if $\pi(s, i)(B) \neq B$, then $update(G, F, \pi(s, i), B)$ is the subset of $F - G$ of functions $\pi(t, k, i, a)$ such that $a \in A_1(i)$, where $A_1(i)$ is defined as above; otherwise it is the empty set;

— if $\pi(s, j, i, a)(B) \neq B$, then $update(G, F, \pi(s, j, i, a), B)$ is the subset of $F - G$ of functions $\pi(t, k, j, b)$ such that $b \in A_2(j)$, where $A_2(j)$ is defined as above; otherwise it is the empty set.



Theorem 4. Consider a CSP $(X, D, C)$ with the associated domain order and the sets of functions $H$ and $F$ defined above; then we have the following.

(Partial correctness) Every terminating execution of the CGISF algorithm computes the greatest hyper arc consistent problem contained in the given one.

(Total correctness) Suppose that $D$ is finite; then every execution of the CGISF algorithm terminates.

Proof. Indeed a fixpoint of the functions from $H$ is a hyper arc consistent problem contained in the given one; as $subs(F, H)$ holds, a fixpoint of the functions from $H \cup F$ is a hyper arc consistent problem that is also a subset of the input CSP. Now it is enough to observe that if $D$ is finite then so is $H \cup F$, and the strict partial order on $D$ satisfies the ACC (cf. the Note above). Our statements follow immediately from the Proposition and the Corollary referred to above. □



Remark 6. Observe that, as in the case of HAC-4, after CGISF inspects all the functions $\pi(s,i)$ of $H$, $G$ contains only functions $\pi(s,i,j,b)$ of $F$.



4.4 AC-5 for Binary Constraint Satisfaction Problems

As in the case of AC-4, we claim that the AC-5 algorithm can be seen as an instance of our CGISF algorithm when we work with normalized binary CSP's. In order to avoid a cumbersome notation, we shall also assume to have at our disposal the transposed constraint $C^T := C(j,i)$ of each constraint $C = C(i,j)$ of the given problem, where $(b,a) \in C^T$ iff $(a,b) \in C$. In this subsection, first we describe the original algorithm AC-5. Then we prove our claim by showing how CGISF can be instantiated to AC-5.

The AC-5 algorithm is reproduced in Table 4; it is split into two steps, as we explain in the following.

1. For any constraint $C(i,j)$ of the given CSP, the procedure arc-cons creates the subset $A(i)$ of $D_i$ of elements $a$ that are not supported by any element of $D_j$ in $C(i,j)$; then, for each $a \in A(i)$, all triples $((k,i),a)$ such that $C(k,i)$ is a constraint of the problem are added to $Q$, and the elements of the set $A(i)$ are deleted from $D_i$.

2. In the second step, a triple $((i,j),b)$ is selected and deleted from $Q$; if $D_i$ and $D_j$ are not empty and $b$ has been removed from $D_j$, then the procedure local-arc-cons updates the set $A(i) \subseteq D_i$, adding all elements $a$ that are no longer supported in $C(i,j)$ by any element of $D_j$ (after $b$ has been removed from $D_j$); then, for each $a \in A(i)$, all triples $((k,i),a)$ such that $C(k,i)$ is a constraint of the problem are added to $Q$, and the elements of $A(i)$ are removed from $D_i$.



Table 4. The arc-consistency algorithm AC-5

    Q := []
    for (i,j) ∈ arc(G) do
        arc-cons(i, j, A(i));
        for k ≠ i and a ∈ A(i) do Q := Q ∪ {((k,i), a)} od;
        D_i := D_i − A(i)
    od
    while Q ≠ [] do
        choose ((i,j), b) ∈ Q and delete it from Q;
        local-arc-cons(i, j, b, A(i));
        for k ≠ i and a ∈ A(i) do Q := Q ∪ {((k,i), a)} od;
        D_i := D_i − A(i)
    od

As pointed out by its authors, AC-5 is a generic algorithm which can be instantiated to AC-4 by slightly changing the definition of the sets $A(i)$; in the latter case, the functions that we use for AC-4 are adopted. In case the definition of $A(i)$ is chosen as stated above, we need new functions to express AC-5. Basically, we use the functions of the previous subsection and refine them for normalized binary CSP's. We shall call those functions $\pi(i,j)$ and $\pi(i,j,b)$, because $s$ is either $i,j$ or $j,i$; we shall use them to account for the two-step behaviour of the algorithm in Table 4. For each constraint $C(i,j)$ and element $b \in D_j$ we define the functions as follows:

1. $\pi(i,j)(B) := B'$, where $B'_i = B_i - A_1(i)$ if $A_1(i)$ is the set
$$\{a \in B_i : \forall b\,(b \in B_j \Rightarrow (a,b) \notin C(i,j))\}$$
while $B'_k = B_k$ whenever $k \neq i$;

2. $\pi(i,j,b)(B) := B'$, where $B'_i = B_i - A_2(i)$ if $b \notin B_j$ and $A_2(i)$ is
$$\{a \in B_i : (a,b) \in C(i,j) \wedge \forall c\,(c \in B_j \Rightarrow (a,c) \notin C(i,j))\}$$
while $B'_k = B_k$ otherwise.

The set $H$ contains the functions $\pi(i,j)$, while $F$ only contains the functions $\pi(i,j,b)$. Moreover every function $\pi(i,j)$ subsumes all functions $\pi(i,j,b)$ such that $b \in D_j$.

The first part of the AC-5 algorithm is encoded in the actions of inspecting and deleting all functions $\pi(i,j)$ from $G$ in our algorithm; when each $\pi(i,j)$ is processed, the operator update propagates the effects of the (possible) reduction of $D_i$ by adding the suitable functions $\pi(i,j,b)$ to $G$. Besides, we want to instantiate CGISF to the second part of the AC-5 algorithm by means of the functions $\pi(i,j,b)$ of $F$. Therefore we define update as follows:

— if $\pi(i,j)(B) \neq B$, then $update(G, F, \pi(i,j), B)$ is the subset of $F - G$ of functions $\pi(k,i,a)$ such that $a \in A_1(i)$; otherwise it is the empty set;

— if $\pi(j,i,a)(B) \neq B$, then $update(G, F, \pi(j,i,a), B)$ is the subset of $F - G$ of functions $\pi(k,j,b)$ such that $b \in A_2(j)$; otherwise it is the empty set.

It is immediate to check that the update operator satisfies conditions A and B; the third condition C trivially holds because the considered functions are idempotent, and by what we observed in the Remark referred to above. Now we can show that CGISF can be instantiated to AC-5.

Theorem 5. Each iteration of the AC-5 algorithm is equivalent to one or more iterations of the CGISF algorithm.

Proof. After one execution of the first for loop of AC-5, all the elements $a$ of $D_i$ that have no support in a domain $D_j$ are removed from $D_i$; then the triples $((k,i),a)$ are added to the set $Q$ of elements to inspect in the second loop, namely all $((k,i),a)$ such that $a$ has been removed from $D_i$ and $C(k,i)$ is a constraint of the problem. Correspondingly, CGISF selects $\pi(i,j)$ and removes from $D_i$ the elements that are not supported in $C(i,j)$ by any element of $D_j$; afterwards, the effects of that removal are propagated by update, which adds to $G$ all the functions $\pi(k,i,a)$ such that $a$ has been removed from $D_i$ and $C(k,i)$ is a constraint of the given CSP. Let us analyze the second part of AC-5 and see how CGISF can be instantiated to it by means of the functions $\pi(j,i,a)$. If the triple $((j,i),a)$ is chosen from $Q$, then we execute CGISF with $\pi(j,i,a)$. The procedure local-arc-cons removes from $D_i$ all the elements that have lost their unique support in $D_j$ after the removal of $b$; by executing CGISF with $\pi(i,j,b)$ we perform the same action. When the AC-5 algorithm adds to $Q$ all the triples $((k,i),a)$ indexed by an $a$ removed from $D_i$, the update operator performs the same action with the associated functions. □
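The instantiation just proved, as an added example in Python (this is not code from the paper): `arc_cons` computes the set $A_1(i)$ removed by $\pi(i,j)$, `local_arc_cons` the set $A_2(i)$ removed by $\pi(i,j,b)$, and `ac5` runs the two loops of Table 4 over a queue of triples $((k,i),a)$. Constraints are given extensionally as sets of allowed pairs, the transposed constraint $C(j,i)$ is derived from $C(i,j)$ as in the text, and the names `less_than`, `incoming` and `propagate` are this example's own. It goes slightly beyond the normalized CSP's assumed in the text: two relations given on the same ordered pair are intersected, which is their conjunction. The `x < y < z` problem at the bottom is constructed for the example.

```python
from collections import deque


def arc_cons(dom, cons, i, j):
    """A_1(i): values of D_i with no support in D_j under C(i,j) (removed by pi(i,j))."""
    return {a for a in dom[i] if not any((a, b) in cons[(i, j)] for b in dom[j])}


def local_arc_cons(dom, cons, i, j, b):
    """A_2(i): values of D_i that were supported by the deleted b and have no
    support left in D_j (removed by pi(i,j,b))."""
    return {a for a in dom[i]
            if (a, b) in cons[(i, j)]
            and not any((a, c) in cons[(i, j)] for c in dom[j])}


def ac5(domains, constraints):
    """AC-5 as in Table 4. domains: {var: set of values}; constraints:
    {(i, j): set of allowed (a, b) pairs}. Returns the reduced domains."""
    dom = {x: set(d) for x, d in domains.items()}
    # C(i,j) and its transpose C(j,i); a second relation on the same ordered
    # pair is intersected with the first (conjunction of the two constraints).
    cons = {}
    for (i, j), pairs in constraints.items():
        for key, rel in (((i, j), set(pairs)), ((j, i), {(b, a) for a, b in pairs})):
            cons[key] = cons[key] & rel if key in cons else rel
    arcs = list(cons)
    # incoming[i]: the k != i such that C(k,i) is a constraint of the problem
    incoming = {x: [k for (k, t) in arcs if t == x and k != x] for x in dom}
    queue = deque()

    def propagate(i, removed):
        """D_i := D_i - removed, and queue ((k,i),a) for every removed a."""
        dom[i] -= removed
        queue.extend(((k, i), a) for k in incoming[i] for a in removed)

    for (i, j) in arcs:                       # step 1: one pi(i,j) per arc
        propagate(i, arc_cons(dom, cons, i, j))
    while queue:                              # step 2: one pi(i,j,b) per triple
        (i, j), b = queue.popleft()
        if dom[i] and dom[j]:                 # b left D_j when it was queued
            propagate(i, local_arc_cons(dom, cons, i, j, b))
    return dom


def less_than(values):
    """Extensional form of x < y over values (constructed helper)."""
    return {(a, b) for a in values for b in values if a < b}


if __name__ == "__main__":
    v = {1, 2, 3}
    # constructed problem x < y < z: only x=1, y=2, z=3 survive
    print(ac5({"x": v, "y": v, "z": v},
              {("x", "y"): less_than(v), ("y", "z"): less_than(v)}))
```

On the constructed problem the global pass alone removes 3 from $D_x$, 1 from $D_y$ and 1, 2 from $D_z$; the queued triple $((x,y),3)$ then removes 2 from $D_x$ in the local pass, because 3 was its only support. Giving both `x < y` and `y < x` empties every domain, which is the degenerate greatest arc consistent sub-problem.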



5 Conclusions

In this article we refined the general framework for local consistency that explains various local consistency algorithms in a uniform way. In our algorithm CGISF, we used two sets of functions instead of only one; the relation of subsumption between those two sets was introduced and proved to be sufficient to guarantee the (partial) correctness of the algorithm itself. Thanks to CGISF, we could clarify the two-step behaviour of the algorithms AC-4, HAC-5 and AC-5: the functions of one set perform a "global" action, loosely speaking; instead the functions of the other set work more "locally", precisely as it happens in those algorithms. The use of a more general yet unique framework helped also to make explicit the underlying differences between the algorithms AC-4 and AC-5; in fact the sets of functions needed to express them by means of the CGISF algorithm are different. Moreover we extended the AC-5 algorithm to a hyper arc consistency algorithm.

Recently, we demonstrated that the PC-4 algorithm is an instance of CGISF too; in fact the PC-4 algorithm is split in two parts like the arc consistency algorithms that we discussed in this paper. In the future, we would like to investigate further properties of functions, like subsumption or commutativity, in order to derive new constraint propagation algorithms or optimize some of the existing ones. Finally a richer structure than a partial ordering could also be studied in order to guarantee the termination of CGISF; this is not a meaningless task, because the termination of CGISF is not ensured if the variable domains are infinite and the order does not satisfy the ACC, as happens in fuzzy and probabilistic constraint satisfaction problems.
Abstract. We study an algorithm for the SAT problem which is based on the Davis and Putnam procedure. The main idea is to increase the application of the unit clause rule during the search. When there is no unit clause in the set of clauses, our method tries to produce one occurring in the current subset of binary clauses. A literal deduction algorithm is implemented and applied at each branching node of the search tree. This method, AVAL, is a combination of the Davis and Putnam principle and of the mono-literal deduction procedure. Its efficiency comes from the average complexity of the literal deduction procedure, which is linear in the number of variables. The method is called "AVAL" (avalanche) because of its behaviour on hard random SAT problems. When solving these instances, an avalanche of mono-literals is deduced after the first success of literal production and from that point the search effort is reduced to unit propagations, thus completing the remaining part of the enumeration in polynomial time.

Keywords: Satisfiability, deduction, enumeration.



1 Introduction

Some progress has been made in solving the SAT problem. In particular, the application of local search methods to hard satisfiable SAT instances gives satisfying results. However, they cannot deal with unsatisfiable instances.

To solve such instances, one usually uses systematic methods based on the Davis and Putnam procedure (DP). DP efficiency comes from the property of unit clause propagation. This method and its well known improvements (SATO, C-SAT, POSIT, SATZ) reach their limits when applied to random SAT instances located in the transition phase.

This paper introduces the method AVAL, based on the DP procedure, to improve search efficiency and uses it as a base method to study the behaviour of enumeration methods on hard SAT instances. The improvement consists in maximizing the use of unit clause propagation during the search. To do that, a literal production algorithm (LP) is implemented. This procedure is called when there is no explicit mono-literal¹ in the set of clauses, to produce new ones from the subset of binary clauses and to use them as new propagations. Such propagations are not done by the classical method of Davis and Putnam. The AVAL method is a combination of DP and of the literal production procedure. Its efficiency comes from the average complexity of the literal production process, which is linear in the number of variables.

¹ A mono-literal means a unit clause.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 373 ff., 2000.
© Springer-Verlag Berlin Heidelberg 2000

The literal production procedure deduces literals occurring in the subset of binary clauses. Such literals are more likely to be logical consequences of the current set of clauses than any others. The LP procedure is called at each branching node when the classic unit clause rule of DP does not apply. This minimizes the number of branching nodes (choice nodes) and provides a robust algorithm which is less sensitive to heuristics. This algorithm can be used in practice to analyze the limits of systematic methods in solving hard SAT instances.

The paper is organized as follows: in Section 2, we study the literal production algorithm. Section 3 describes the avalanche method (AVAL), the heuristics and the pre-processing used. Section 4 shows experimental results on a large variety of problems: hard random instances and problems of both the DIMACS and Beijing challenges. A comparison of AVAL with other algorithms among the most powerful ones, like POSIT and SATZ, is done. Section 5 concludes.

2 Literal Production

Let us give some definitions we shall use. Let $V = \{x_1, \ldots, x_n\}$ be a set of boolean variables; a literal $l$ is a variable $x_i$ or its negation $\neg x_i$. A monotone literal is a literal occurring exclusively either in its positive or in its negative form. A clause is a disjunction of literals $c_i = l_1 \vee l_2 \vee \cdots \vee l_k$. A unit clause (a mono-literal) is a clause of one literal. The conjunctive normal form of a propositional formula $C$ is a conjunction of clauses $C = c_1 \wedge c_2 \wedge \cdots \wedge c_m$. We can consider $C$ as a set of clauses $C = \{c_1, \ldots, c_m\}$. The SAT decision problem is defined as follows: is there an assignment of the variables such that the formula $C$ is satisfied, i.e. all the clauses of the set $C$ are satisfied?

If $l$ is logically implied by the set of clauses $C$, then we write $C \models l$. When a system of clauses $C$ is unsatisfiable, we denote it by $C \models \Box$, where $\Box$ denotes the empty clause. The $k$-SAT problem is the problem SAT where all clauses have exactly $k$ literals. 3-SAT is known to be the simplest form of $k$-SAT which remains NP-complete.

The Davis and Putnam procedure is a real improvement of the Quine method thanks to both the unit clause and the monotone literal rules (cf. Proposition 1). Methods like C-SAT and SATZ do more unit propagations. In the same spirit, our work consists in revealing, at low cost, unit clauses that DP does not consider, and in exploiting them in order to reduce the size of the search tree. The main property used in DP is the following.

Proposition 1. Let $S$ be a SAT problem and $x$ be a mono-literal or a monotone literal; then $S$ is satisfiable if and only if $S \wedge \{x\}$ is satisfiable.

If there is no mono-literal in the current set of clauses at a given node of the search tree, our algorithm tries to produce one. For efficiency reasons we restrict the production process to literals occurring in binary clauses. These literals are more likely to be produced.

Let $I$ be the current instantiation and $C_I$ be the set of clauses $C$ simplified by the instantiation $I$. If $l$ is a literal occurring in a binary clause of $C_I$, then producing $l$ from $C_I$ ($C_I \models l$) is equivalent to proving the unsatisfiability of $C_I \wedge \{\neg l\}$. Two cases are possible:

1. If $C_I \wedge \{\neg l\} \models \Box$ then $l$ is produced by $C_I$ and considered as a mono-literal. Thus $I = I \cup \{l\}$.

2. If $C_I \wedge \{\neg l\} \not\models \Box$ then $l$ is not produced by $C_I$, and this failed deduction highlights several literals which cannot be deduced by $C_I$. It is useless to consider them as candidates for production.

The efficiency of the literal production is due to this elimination of useless literals. Formally:

Proposition 2. Let $B_I$ be the set of binary clauses of $C_I$ and $V_{B_I}$ be its set of literals. Let $l \in V_{B_I}$; if $C_I \cup \{\neg l\} \vdash a_i$, $i \in \{1, \ldots, n\}$, by unit propagation and $C_I \cup \{\neg l\} \not\models \Box$, then $\forall a_i \in V_{B_I}$, $C_I \cup \{a_i\} \not\models \Box$.

Proof. Let $l \in V_{B_I}$; suppose that $C_I \cup \{\neg l\} \vdash a_i$, $i \in \{1, \ldots, n\}$, and $C_I \cup \{\neg l\} \not\models \Box$. If there exists $a_j$ such that $C_I \cup \{a_j\} \models \Box$, then $C_I \cup \{\neg l\} \cup \{a_j\} \models \Box$. But $C_I \cup \{\neg l\} \cup \{\neg a_j\} \models \Box$ as well, since $a_j$ is derived from $C_I \cup \{\neg l\}$; hence $C_I \cup \{\neg l\} \models \Box$. This contradicts the hypothesis. □

The literals $\{\neg a_1, \ldots, \neg a_n\}$ cannot be logical consequences of $C_I$. Thus, considering them for production is irrelevant. The previous proposition gives the literal production algorithm (LP) described in Algorithm 1. In the following, we show the mechanism of the algorithm on an example.

Example 1. Let the set of clauses be $C = \{x_1 \vee \neg x_2 \vee \neg x_3,\; x_1 \vee x_2,\; \neg x_2 \vee x_3\}$. The literals $V_{B_I} = \{x_1, x_2, \neg x_2, x_3\}$ appear in the binary clauses.

We try to produce $x_3$: $C \wedge \{\neg x_3\} \vdash \neg x_2, x_1$. So $C \wedge \{\neg x_2\} \not\models \Box$, hence $x_2$ cannot be deduced by $C$ and $Candidate[x_2] = False$. Now the literals candidate to production are $\{x_1, \neg x_2\}$.

We try to produce $x_1$: $C \wedge \{\neg x_1\} \vdash x_2, x_3, \Box$. So $C \models x_1$: $x_1$ is produced by $C$.

Remark 1. In Algorithm 1, $Candidate[x] = True$ expresses the fact that $x$ is a candidate to production.

The LP algorithm deduces literals among those appearing in binary clauses. Its termination, correctness, completeness and complexity are studied in the following propositions.

Proposition 3. Let $C$ be the current set of clauses and $l$ a literal occurring in a binary clause. If LP produces $l$ ($LP(C) \vdash l$) then $C \equiv C \cup \{l\}$.

Proof. Let $l$ be a literal produced by LP. Then $C \cup \{\neg l\} \models \Box$. But $C \equiv (C \wedge l) \vee (C \wedge \neg l)$. Thus $C \equiv C \cup \{l\}$ and LP correctness is proved. □
Procedure LP(C : set of clauses ; I : instantiation)
Return : a literal l if C ⊨ l
         ∅ if there is no l ∈ V_{B_I} such that C ⊢ l

Begin
    For all l ∈ V_{B_I} do Candidate[l] = True
    For all l ∈ V_{B_I} such that Candidate[l] = True do
    Begin
        Candidate[l] = False
        I' = I ∪ {¬l}
        While C_{I'} ≠ ∅ and ∃x ∈ V_{C_{I'}}, x is a unit clause, and □ ∉ C_{I'} do
        Begin
            I' = I' ∪ {x}
            Candidate[¬x] = False
        End
        If □ ∈ C_{I'} Then Return l
    End
    Return ∅
End

Algorithm 1: Literal Production Algorithm (LP)



Proposition 4. If $C_I$ is the current set of clauses and $B_I$ the subset of binary clauses, then the algorithm terminates and its complexity in the worst case is in $O(|V_{B_I}| \times |V_{C_I}|)$.

Proof. When LP tries to deduce $l$ ($C_I \models l$?), it propagates in the worst case $|V_{C_I}|$ unit clauses. If $l$ is not deducible ($C_I \not\models l$), the LP procedure tries to deduce another literal among those of $V_{B_I}$. The worst case is when all the literals propagated during the failed production of $l$ are not in $V_{B_I}$. In this case LP tries $|V_{B_I}|$ literals. Thus its complexity in the worst case is in the order of $O(|V_{B_I}| \times |V_{C_I}|)$. □

The C-SAT method does some local deduction on selected variables, but does not take advantage of the literals that are not potential candidates for production (see Proposition 2), although Boufkhad noted these irrelevant literals in his thesis. In POSIT, Freeman uses a kind of literal production on selected variables but does not suppress the irrelevant literals. Elimination of these useless literals allows one to obtain a literal production algorithm whose average time complexity is linear in practice (see Algorithm 1).

3 The Avalanche Method (AVAL)

The combination of the literal production algorithm (LP) and the DP procedure yields the enumeration method AVAL.

The difference between DP and AVAL is that AVAL calls the procedure LP to produce a mono-literal when no explicit unit clause exists in the current set of clauses. This avoids visiting some nodes that DP visits. When LP succeeds, the returned literal is considered as a mono-literal. In case of failure we choose via heuristics the next literal, thus creating a new choice point in the search tree. Exploiting the literals produced by LP leads to minimizing the number of choice points in the search tree (for a given heuristic). Algorithm 2 sketches the AVAL method. The first call to AVAL is made with the parameter values $I = \emptyset$ and $C = C_0$.



Procedure AVAL(C : set of clauses ; I : instantiation)
Return : True if C is satisfiable by I
         False otherwise

Begin
    If C = ∅ Then Return True
    If C contains an empty clause Then Return False
    If C contains a unit clause l Then Return AVAL(C_{{l}}, I ∪ {l})
    q = LP(C, I)
    If q ≠ ∅ Then Return AVAL(C_{{q}}, I ∪ {q})
    Choose by heuristic a literal p ∈ C
    If AVAL(C_{{p}}, I ∪ {p})
        Then Return True
        Else Return AVAL(C_{{¬p}}, I ∪ {¬p})
End

Algorithm 2: AVAL Method



3.1 Heuristics

Heuristics are used when there is no mono-literal in the current set of clauses and when LP does not produce one. We use the MOM heuristic (Maximum Occurrence in minimum size clauses) of Freeman, which chooses the variable with the greatest number of occurrences in the minimum size clauses, and the UP (Unit Propagation) heuristic, which takes advantage of unit propagation. These heuristics allow us to produce new binary clauses, which favour the production of mono-literals when calling LP. Let us summarize them.

MOM Heuristic: if $l$ is a literal, then $w(l)$ is its weight, the number of occurrences of $l$ in the clauses of minimum size. The MOM heuristic chooses the variable which maximizes the function used by Freeman:
$$H(x) = 1024 \cdot w(x) \cdot w(\neg x) + w(x) + w(\neg x).$$

UP Heuristic: the UP heuristic exploits unit propagation more than the MOM heuristic does and gives more binary clauses, which help LP to produce literals as soon as possible during the search. Let $C_I$ be the current set of clauses, $x$ a variable of $C_I$, $C'_I = C_I \wedge x$ and $C''_I = C_I \wedge \neg x$. After unit propagation on both $C'_I$ and $C''_I$, UP chooses the variable which shortens a maximum number of clauses in $C'_I$ and $C''_I$. We use this heuristic to select the variables for the first choice points of the search tree, where the procedure LP usually fails to produce literals.
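Sections 2, 3 and 3.1 together, as an added example in Python; it is not the authors' C program. Literals are non-zero integers (`-v` stands for $\neg x_v$), a formula is a list of clauses, `simplify(C, l)` is $C_{\{l\}}$, `literal_production` is Algorithm 1 with the candidate elimination of Proposition 2 (it also returns how many refutation attempts it made, so the effect of the elimination is visible), `mom_choice` is the MOM function $H(x)$ of 3.1 with the UP heuristic left out, and `aval` is Algorithm 2 except that it returns the satisfying instantiation instead of True. The formulas `EX`, `UNSAT` and `TERNARY` at the bottom are constructed for this example; `EX` is the clause set of Example 1 as read here.

```python
def simplify(clauses, lit):
    """C simplified by asserting lit: satisfied clauses dropped, -lit removed."""
    return [tuple(l for l in c if l != -lit) for c in clauses if lit not in c]


def unit_propagate(clauses, assign):
    """Unit clause rule to saturation. Returns (clauses, assignment, conflict)."""
    assign = set(assign)
    while True:
        if any(len(c) == 0 for c in clauses):
            return clauses, assign, True
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            return clauses, assign, False
        for u in units:
            if -u in assign:                  # x and -x both unit: empty clause
                return clauses, assign, True
            if u not in assign:
                assign.add(u)
                clauses = simplify(clauses, u)


def literal_production(clauses):
    """Algorithm 1 (LP): a literal l of a binary clause is produced when unit
    propagation refutes C u {-l}. After a failed attempt, every propagated x
    rules out -x as a candidate (Proposition 2). Candidates are tried from the
    highest-numbered variable down. Returns (literal or None, attempts)."""
    candidates = sorted({l for c in clauses if len(c) == 2 for l in c},
                        key=lambda l: (-abs(l), l))
    dropped, attempts = set(), 0
    for l in candidates:
        if l in dropped:
            continue
        attempts += 1
        _, derived, conflict = unit_propagate(simplify(clauses, -l), {-l})
        if conflict:
            return l, attempts
        dropped |= {-x for x in derived}      # includes l itself (-l was asserted)
    return None, attempts


def mom_choice(clauses):
    """MOM branching literal: the variable maximizing
    H(x) = 1024*w(x)*w(-x) + w(x) + w(-x), where w(l) counts occurrences of l
    in the minimum-size clauses; the sign occurring more often is tried first."""
    k = min(len(c) for c in clauses)
    w = {}
    for c in clauses:
        if len(c) == k:
            for l in c:
                w[l] = w.get(l, 0) + 1
    h = lambda x: 1024 * w.get(x, 0) * w.get(-x, 0) + w.get(x, 0) + w.get(-x, 0)
    x = max(sorted({abs(l) for l in w}), key=h)
    return x if w.get(x, 0) >= w.get(-x, 0) else -x


def aval(clauses, assign=frozenset(), stats=None):
    """Algorithm 2: DP where LP runs before every choice point. Returns a
    satisfying set of literals or None; stats counts choice points and LP hits."""
    if stats is None:
        stats = {"nodes": 0, "lp_success": 0}
    clauses, assign, conflict = unit_propagate(clauses, assign)
    if conflict:
        return None
    if not clauses:
        return assign
    q, _ = literal_production(clauses)
    if q is not None:                         # produced literal: no branching
        stats["lp_success"] += 1
        return aval(simplify(clauses, q), assign | {q}, stats)
    stats["nodes"] += 1
    p = mom_choice(clauses)
    return (aval(simplify(clauses, p), assign | {p}, stats)
            or aval(simplify(clauses, -p), assign | {-p}, stats))


def satisfies(clauses, model):
    """True iff every clause contains a literal of model."""
    return all(any(l in model for l in c) for c in clauses)


# Constructed inputs: EX is the clause set of Example 1, UNSAT has no model,
# TERNARY has no binary clause at the root so the first decision is MOM's.
EX = [(1, -2, -3), (1, 2), (-2, 3)]
UNSAT = [(1, 2), (1, -2), (-1, 2), (-1, -2)]
TERNARY = [(1, 2, 3), (-1, 2, 3), (1, -2, 3), (1, 2, -3)]

if __name__ == "__main__":
    stats = {"nodes": 0, "lp_success": 0}
    print(literal_production(EX))        # (1, 3): x1 produced at the third attempt
    print(aval(EX, stats=stats), stats)
    print(aval(UNSAT))                   # None
```

On `EX` the run follows Example 1: refuting $\neg x_3$ fails and propagates $\neg x_2$, which drops $x_2$ as a candidate; refuting $x_2$ fails; refuting $\neg x_1$ yields the empty clause, so $x_1$ is produced after three attempts instead of four. `UNSAT` is refuted without any choice point, since the literal LP produces leads straight to a conflict, and on `TERNARY` the first decision comes from MOM because there is no binary clause at the root.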

3.2 Pre-processing

Before starting the search, we do some pre-processing which consists in adding resolvents to the set of clauses. This usually reduces the search space. We use the same technique as the one of Chu Min Li. Only resolvents of size at most 3 are considered, and they can be used to produce other resolvents. The resolvent technique consists in the following rules: two binary clauses can create only a unary one; a binary and a ternary clause can create only a binary one; two ternary clauses produce a resolvent of size less than or equal to 3. The process is maintained until saturation. This pre-processing allows a gain of nearly 10% on the hard random problems.
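The saturation rule of 3.2, as an added example in Python (not the authors' code). The three rules are read as one condition: a resolvent of two clauses of size 2 or 3 is kept only if it is shorter than the sum of their sizes minus two, that is, only if the two clauses also share a literal beyond the clashing pair; this is exactly what makes two binary clauses yield a unit, a binary and a ternary clause a binary, and two ternary clauses a clause of size at most 3. Unit resolvents are added to the formula but not resolved further, since unit propagation takes care of them. Literals are non-zero integers (`-v` stands for $\neg x_v$); the inputs in the usage are constructed.

```python
def resolvents(c1, c2):
    """All non-tautological resolvents of two clauses (frozensets of literals)."""
    out = set()
    for l in c1:
        if -l in c2:
            r = (c1 - {l}) | (c2 - {-l})
            if not any(-x in r for x in r):       # drop tautologies x v -x
                out.add(frozenset(r))
    return out


def add_resolvents(clauses):
    """Close a formula under the restricted resolution of Section 3.2:
    clauses of size 2 or 3 are resolved, and a resolvent is kept only when
    it is shorter than |c1| + |c2| - 2 (the two clauses share a literal).
    Returns the enlarged formula as a sorted list of sorted tuples."""
    formula = {frozenset(c) for c in clauses}
    work = sorted((c for c in formula if 2 <= len(c) <= 3), key=sorted)
    i = 0
    while i < len(work):                      # every pair is examined exactly once
        c1 = work[i]
        for c2 in work[:i]:
            for r in resolvents(c1, c2):
                if len(r) < len(c1) + len(c2) - 2 and r not in formula:
                    formula.add(r)
                    if len(r) >= 2:           # units are left to unit propagation
                        work.append(r)
        i += 1
    return sorted(tuple(sorted(c)) for c in formula)


if __name__ == "__main__":
    # constructed input: (1 v 2) with (-1 v 2 v 3) gives (2 v 3); (-2 v 3) with
    # (-1 v 2 v 3) gives (-1 v 3); then (2 v 3) with (-2 v 3) gives the unit (3)
    print(add_resolvents([(1, 2), (-1, 2, 3), (-2, 3)]))
    # two binary clauses without a shared literal produce nothing
    print(add_resolvents([(1, 2), (-1, 3)]))
```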

4 Experiments

We first compare our method AVAL with the classic Davis and Putnam method. We study the behaviour of AVAL during search and compare it with two known algorithms (SATZ and POSIT) on different problems: instances of both the DIMACS and Beijing challenges, and random 3-SAT instances. Random problems are generated as follows: let $c$ be the number of clauses and $v$ be the number of variables; we generate randomly $c$ clauses among the $2^3 \binom{v}{3}$ possible ones. Many research works showed that there is a transition phase for the random $k$-SAT problems: there is a critical value of the ratio $c/v$ before which problems are little constrained (have many models) and after which problems are very constrained (have no models). The hard problems are in the neighbourhood of this critical value. The existence of the threshold for 3-SAT was proven by Friedgut, but the critical value is still not known. We only know bounds ($3.03 < c/v < 4.64$) (Dubois et al.). For 2-SAT, the value is equal to one (Chvátal, Goerdt).

The results are measured on a PC Pentium 200 with 64 MB of RAM. The code of the program is written in C and includes 1300 lines. All CPU times are given in seconds.

4.1 Comparison between DP and AVAL

We compared the AVAL and DP methods, augmented by the MOM and UP heuristics, on hard random SAT instances. The samples of each test are 50 randomly generated instances with ratio $c/v = 4.25$. Tables 1 and 2 show the results obtained.

We can see that AVAL surpasses DP in both the number of search nodes and the CPU time. This confirms the efficiency of the LP procedure in producing literals and the advantage of combining it with DP. The gain increases as the number of variables grows, giving a promising way to solve large scale problems. We can also see the benefit of using the UP heuristic to define the variable assignment order. For this reason we use it in AVAL to compare the method with both the SATZ and POSIT methods, which outperform C-SAT.

Using the LP procedure in an enumerative method leads to minimizing the number of branchings. Indeed, LP efficiently produces literals, thus avoiding some choice points in the search tree. This optimizes, in some way, the number of branchings of the enumerative method with respect to the heuristic used for the variable ordering.



Table 1. Comparison between DP and AVAL (Nodes)

Number of variables     140    160    180    200     220     240
DP + MOM                756   1165   3193   6736   18997   51733
AVAL + MOM               69     98    245    474    1212    2672
DP + UP + MOM           654   1047   2709   5271   15373   33000
AVAL + UP + MOM          58     82    189    335     923    2072

Table 2. Comparison between DP and AVAL (Time, seconds)

Number of variables     140    160    180    200     220     240
DP + MOM              0.219  0.355   1.01  2.269   7.055    19.8
AVAL + MOM            0.176  0.273  0.717  1.554   4.508    12.1
DP + UP + MOM         0.261  0.409  1.039  2.131    6.15    14.8
AVAL + UP + MOM       0.228  0.339   0.79  1.535    4.50    10.5

4.2 Success Rate of the Literal Production

Table 3. Success rate of literal production

Nb of variables     100    140    180     220     260
Nb of tests         170    860   3795   14136   62672
Nb of successes     152    784   3494   13105   58372
%                    89     91     92      92      93

The results of Table 3 confirm that about 90% of the calls to LP succeed in producing a literal. This is a promising result and explains the gain in number of nodes when comparing AVAL to DP. Experiments on random instances show that after a certain depth in the search tree, the AVAL search effort consists only of unit propagations. Indeed, all the calls to LP succeed in producing literals. Literal production failures (about 10%) correspond to calls to LP in the top part of the search tree. In practice, an avalanche of mono-literals is observed after the first literal production. This phenomenon occurs after nearly that depth, and the search process is then achieved in linear time. This phenomenon is observed for the classical method DP too, but later, after a greater depth in the search tree. This explains the difference between the efficiency of AVAL and DP. The earlier the avalanche, the more efficient the algorithm. Thus one can think that a minimal bound on the number of nodes that an enumerative method (w.r.t. a given heuristic) has to explore is reached with the method AVAL.

4.3 Efficiency of Our Method

The theoretical complexity in the worst case of the LP algorithm is in $O(|V_{B_I}| \times |V_{C_I}|)$. But in practice the average complexity is linear in the number of variables. This is confirmed by the experimental results of Table 4. The ratio $b/a$ gives the average number of unit propagations for one call to the literal production procedure LP. Its variation is linear with respect to the number of variables. This allows us to perform LP at each node of the search tree, which explains the efficiency of AVAL.



Table 4. Complexity of the LP algorithm

Nb of variables           100      140      180       220        260
a = nb of calls of LP     170      860     3795     14136      62672
b = nb of unit prop      9919    73303   420363   1930100   10216322
ratio b/a                  58       85      110       136        163

4.4 Threshold of Unit Clause Production

The number of binary clauses in the current set of clauses has a great impact on literal production. The more binary clauses there are, the greater the chance to succeed in producing a literal. As AVAL performances depend on the efficiency of literal production, it is important to know in practice how many binary clauses are necessary to produce a literal. In theory, the threshold of the satisfiability problem for random 2-SAT instances is reached when the ratio of the number of clauses to the number of variables is equal to one. This means that literal production should succeed when the number of binary clauses is equal to the number of variables. But in practice literal production is guaranteed with a smaller number of binary clauses. Table 5 reports experiments on random 3-SAT instances which show that when the ratio of the number of binary clauses to the number of variables $v$ exceeds 0.7, the procedure LP always succeeds in producing a literal. This means that $0.7 \times v$ binary clauses always produce a literal. This number of binary clauses is maintained at each node of the search tree after a certain depth and makes an avalanche of unit clauses. It would be interesting to study the existence of a theoretical threshold for literal production.
Table 5. Ratio of the number of binary clauses to the number of variables at which LP always produces a literal

Nb of variables      100     140     180     220     260     300
ratio              0.702   0.708   0.747   0.748   0.744   0.757

4.5 Comparison with SATZ and POSIT

We compared both the SATZ and POSIT methods to our method AVAL on hard random SAT instances, on the basis of the CPU times and the number of nodes. The number of variables ranges from 100 to 400 (by steps of 50), and the samples of each test are 100 random instances when the number of variables is greater than 300, 200 otherwise. The instances are generated in the transition phase ($c/v = 4.25$). Table 6 shows the results. We can see that AVAL solves problems with 400 variables in the hard region in less than 2 hours on average. AVAL is better than both SATZ and POSIT in the number of nodes. Because of sophisticated heuristics (application of UP to selected variables), SATZ gives the best CPU times; AVAL and POSIT CPU times are comparable.



Table 6. Random problems (averages per instance; time in seconds)

Nb of variables          100     150     200      250      300      350        400
AVAL   Time (sec)      0.069   0.268   1.681     12.1      100      610       5278
       Nodes              14      72     382     2182    13946    70405     502803
SATZ   Time (sec)      0.068   0.205   0.856    4.399     30.6      189       1096
       Nodes              18     111     590     3089    18371   100014     521349
POSIT  Time (sec)      0.016   0.148   1.074    8.605     65.7      407       3698
       Nodes              39     264    1502    10094    65505   334847    2898510

4.6 Challenges Beijing and DIMACS

We also compared the three methods on problems of the DIMACS and Beijing challenges. The maximum time that an algorithm can spend in solving an instance is limited to two hours (7200 seconds). Problems of the Beijing challenge are listed individually and those of DIMACS are gathered into classes. Time denotes the total time spent in solving all the problems of a class. When a problem is not solved in two hours, its CPU time is counted as 2 hours. The symbol #M indicates the number of problems in a class and #S the number of solved problems. Tables 7 and 8 show the results.

Problems of the Beijing challenge, listed in Table 7, are mostly planning and scheduling problems. We solve one more instance than SATZ and four more instances than POSIT. Except for the problem 2_bit_add_12, AVAL CPU times are comparable to those of both SATZ and POSIT.

Gilles Audemard, Belaid Benhamou, and Pierre Siegel

For the DIMACS challenge, AVAL solved fewer instances than SATZ for the classes dubois, ii16 and ssa, and fewer instances than POSIT for the class ii16. But only AVAL is able to solve all the problems in class ii32. POSIT solved half of the class aim200. These results show the advantage of combining the literal deduction algorithm LP with DP.

Table 7. Challenge Beijing (time in seconds; ">7200" means not solved within the two-hour limit; the names of the first seven instances are illegible in the source, the first one beginning with "2bitad")

Problem               AVAL               SATZ               POSIT
                      Time      Nodes    Time      Nodes    Time     Nodes
2bitad… (illegible)   3706    2116944   >7200         -    >7200        -
(name illegible)       6.4       4838     113    120982    >7200        -
(name illegible)      35.2      28843   0.265        99     0.04       35
(name illegible)      0.02         11    0.01         6     0.01       34
(name illegible)      0.06         14    0.05         7     0.05       12
(name illegible)     >7200          -   >7200         -    >7200        -
(name illegible)     >7200          -    3101    297652    >7200        -
3blocks                2.2         16     1.6         7     2.38      669
4blocks               1184      18823     930    228040    >7200        -
4blocksb              11.5         97       8         8       70     8424
e0ddr2-10-by-5-1      2657        705      86        35    >7200        -
e0ddr2-10-by-5-4       617        661      86        32     2726    34759
enddr2-10-by-5-1        38         10   >7200         -    >7200        -
enddr2-10-by-5-8        66         15      81        30    >7200        -
ewddr2-10-by-5-1        41         15     124        40      143      250
ewddr2-10-by-5-8       861        238      92        39    >7200        -

Table 8. Challenge DIMACS (total time in seconds per class; the #M and #S columns are not legible in the source, except #M = 8 and AVAL #S = 7 for ssa; one class name is illegible)

Pb Class      AVAL Time   SATZ Time   POSIT Time
aim-50               14          14          0.3
aim-100            3.55         3.4          320
aim-200             4.2        3.85        86400
dubois            43274       38665        45500
hole                180         213          444
ii8                15.4           5         0.77
ii16              14967         104         7268
ii32               2060        7638        14410
(illegible)       12.84          11         0.25
par8                0.7        0.66         0.05
par16               288         403           33
ssa               10500         826         7231
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5 Conclusion 

Systematic search methods based on the Davis and Putnam procedure use unit 
propagation, but only the explicit mono-literals occurring in the set of clauses 
are considered. AVAL does more propagation than these methods: when 
there is no explicit mono-literal in the current set of clauses, AVAL calls the 
procedure LP to produce one before branching. Produced literals are propagated 
as mono-literals, thus minimizing the number of branching nodes. The LP 
algorithm produces literals appearing in binary clauses with a linear time complexity 
(O(v) in practice). This makes it possible to use LP at each branching node of the search 
tree, thus increasing the efficiency of the AVAL method. 

We studied the behaviour of AVAL on hard random SAT instances generated 
in the neighbourhood of the threshold area and observed two different parts 
in the search tree when solving such instances with AVAL. The hard part is the 
one formed by the first levels of the search tree. AVAL shows that enumerative 
methods have to spend a lot of time in this part of the search tree, which contains 
all the branching nodes. Future work will aim at finding variable 
ordering heuristics and techniques that reduce the search space of this 
part. 
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Abstract. We propose a model checking scheme for a semantically com- 
plete fragment of CTL by combining techniques from constraint logic 
programming, a restricted form of constructive negation and tabled res- 
olution. Our approach is symbolic in that it encodes and manipulates 
sets of states using constraints; it supports local model checking using 
goal-directed computation enhanced by tabulation. The framework is pa- 
rameterized by the constraint domain and supports any finite constraint 
domain closed under disjunction, projection and complementation. We 
show how to encode our fragment of CTL in constraint logic program- 
ming; we outline an abstract execution model for the resulting type of 
programs and provide a preliminary evaluation of the approach. 



1 Introduction 

Model checking [5] is a technique for automatic verification of safety and liveness 
properties in finite, reactive systems. Given a model of the system and a property 
- often expressed in some temporal logic [10] such as CTL (computation tree 
logic) or the mu-calculus - model checking amounts to checking if a given initial 
state of the system satisfies the desired property. The early approaches relied 
on fixed point techniques where all states satisfying the given property were 
explicitly enumerated. Since even small (finite) systems tend to have very large 
state spaces, early attempts were quite restrictive. 

More recently it was observed that sets of states could be represented implic- 
itly e.g. by logic formulas - so called symbolic model checking [15]. In combina- 
tion with very efficient representations of such formulas, e.g. BDDs, it is often 
possible to verify considerably larger - but still finite - systems. There are now 
several model checking systems around and model checking has been successfully 
applied both to hardware verification problems [2] and verification of computer 
protocols [11]. There is on-going work to extend model checking also to infinite 
systems. 

A complementary approach to reduce the search space is to try to avoid 
generating as much as possible of it. As pointed out above, the aim of model 
checking is to verify if a property holds in the initial state(s). By checking the 
formula and its sub-formulas only in those states that are reachable from the 
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initial state(s) it is often possible to substantially reduce the state space. This 
is known as local (or on-the-fly) model checking (e.g. [19]). 

Model checking has many characteristics in common with logic program- 
ming; a logic program is a symbolic description of a model (the so-called least 
Herbrand model in case of definite programs or the standard model in the case 
of stratified logic programs) and by means of resolution it is possible to verify 
certain properties (expressed by means of queries) of that model. This process is 
demand-driven in the sense that only the part of the model necessary to verify 
the property/query is produced. That is, the model is described symbolically 
and generated on-the-fly (locally) when needed for the verification of a specific 
property/query. 

Recently there have been several attempts to formalize and host model checking 
inside the logic programming paradigm. One of the first attempts was reported 
by the logic programming group at Stony Brook [16]. They describe an 
implementation of a model checking system called XMC [9] in the logic programming 
system XSB (a logic programming system based on tabulation [4]). 
In XMC the system model is described in a CCS-like language and properties 
are described in the alternation free fragment of the modal mu-calculus. While 
providing a "symbolic" description of states (CCS formulas), the approach does 
not offer an implicit representation of sets of states in the true sense of symbolic 
model checking. However, XMC relies on local checking and the results reported 
in [16] show that the approach can compete with state-of-the-art model checkers, 
although implemented in a general purpose logic programming system. 

Independently Charatonik and Podelski [3], and Delzanno and Podelski [7, 
8] described an alternative approach to model checking in which the transition 
relation between states is encoded as a (constraint) logic program; the temporal 
properties to be checked can also be encoded as a (constraint) logic program, and 
by use of the immediate consequence operator, they were able to characterize the 
meaning of the temporal operators of CTL in terms of least and greatest fixed 
points of compositions of the two programs. By means of the well-established 
magic templates transformation Delzanno and Podelski also introduced a way 
of achieving local model checking for some of the temporal operators of CTL. A 
novel feature of [3, 7, 8] is that the approach facilitates approximation of prop- 
erties of infinite state systems. 

We should also mention the early work of Rauzy, who developed the constraint 
language Toupie (e.g. [17]). This is an equational constraint language with 
support for computing least and greatest solutions of sets of mutually recursive 
equations. Toupie is symbolic and, in a restricted sense, local; the actual checking 
of a property is preceded by a reachability analysis which eliminates some 
(but not all) states where the property does not need to be checked. 

In this paper we propose an encoding of a semantically complete fragment of 
the temporal specification language CTL using techniques from constraint logic 
programming (CLP) [13], constructive negation [20] and tabulation [22]. Our 
approach is fully symbolic in that it encodes and manipulates sets of states using 
constraints; it also fully supports local model checking of all temporal operators 
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using goal-directed search in combination with tabulation techniques similar to 
those in [16]. The approach is parameterized by the constraint domain, which 
means that any finite constraint language equipped with disjunctive constraints, 
projection and complementation can be used together with the scheme. 

In the next section we give preliminary notions from constraint logic pro- 
gramming and present the temporal specification language CTL. In Section 3 
we describe a (schematic) constraint logic program that encodes the semantic 
equations of CTL and discuss its correctness in Section 4. In Section 5 we give 
an abstract execution model specialized for the program schema. The execution 
model is embodied in a prototype implementation whose preliminary evaluation 
is presented in Section 6. 

2 Preliminaries 

We survey basic concepts and terminology from the field of constraint logic 
programming and provide a short summary of model checking - in particular 
the temporal specification language CTL (Computation Tree Logic). 

2.1 Constraint Logic Programming 

Constraint logic programs are defined in the usual way, see e.g. [13, 12]. A program 
is a set of clauses where each clause is an implicitly universally quantified 
expression of the form 

A0 ← C, L1, ..., Ln. (n ≥ 0) 

where A0 is an atomic formula, L1, ..., Ln are literals, and C is a constraint. (In 
what follows we use A and B to denote atomic formulas, L to denote literals, 
and C to denote constraints.) A goal is an expression 

← C, L1, ..., Ln. (n ≥ 0) 

In what follows we frequently consider clauses where n = 0 and goals where 
n = 1. A clause of the form A ← C is called an answer while a goal of the 
form ← C, A is referred to as a call. (As usual, a call denotes the logic formula 
∀¬(C ∧ A); that is, ¬∃(C ∧ A).) 

We assume the existence of a sufficiently large set of variables VAR ranging 
over the constraint domain. By a valuation over a domain D we mean a mapping 
θ: VAR → D. The set of all valuations is denoted VAL. A valuation θ is called 
a solution of a constraint C iff D ⊨ Cθ. By sol(C) we denote the set of all 
solutions of C. A constraint is said to be satisfiable iff sol(C) ≠ ∅. 

An answer A ← C represents the set of all atomic formulas Aθ such that 
θ ∈ sol(C). We use the notation [A ← C] to denote this set. Similarly, a call 
← C, A represents the set of all Aθ such that θ ∈ sol(C). We introduce the 
following order ⊑ on answers and calls: 

(A ← C1) ⊑ (A ← C2) iff [A ← C1] ⊆ [A ← C2] 
(← C1, A) ⊑ (← C2, A) iff [← C1, A] ⊆ [← C2, A] 
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Answers of the form A ← false are minimal, and answers of the form A ← true 
are maximal in the ⊑-ordering. Two answers A ← C1 and A ← C2 are said to 
be equivalent (denoted A ← C1 ≈ A ← C2) iff A ← C1 ⊑ A ← C2 ⊑ A ← C1; 
similarly with calls. 

We do not assume a specific constraint domain, but we assume that the 
language CON of constraints is closed under four operations ⊗: CON × CON → 
CON, ⊕: CON × CON → CON, π: VAR* × CON → CON, ¬: CON → CON, satisfying 
the following¹ 

- sol(C1 ⊗ C2) = sol(C1) ∩ sol(C2) 

- sol(C1 ⊕ C2) = sol(C1) ∪ sol(C2) 

- θ ∈ sol(π_x̄ C) iff there is a θ' ∈ sol(C) such that θ(xi) = θ'(xi) for every xi ∈ x̄ 

- sol(¬C) = VAL \ sol(C) 

That is, we require that the language contains conjunctive and disjunctive 
constraints, as well as projection and complementation. This is not a limitation of 
our approach as such, but rather a requirement of any approach that represents 
sets of states symbolically and exactly. We introduce C1 \ C2 as a short-hand 
for C1 ⊗ ¬C2. Conjunctive constraints are available in most constraint domains, 
but the other operations are not always available; CLP(B) (boolean constraints) 
and CLP(FD) (finite domain constraints) usually support all four operations 
(although some operations may be computationally expensive). 

Note that [A ← C1] ∪ [A ← C2] = [A ← C1 ⊕ C2] (provided that C1 ⊕ C2 
exists and satisfies the requirement above). We refer to A ← C1 ⊕ C2 as the join 
of A ← C1 and A ← C2. A goal ← C, A represents the formula ¬∃(C ∧ A) so 
the join of two goals ← C1, A and ← C2, A equals ← C1 ⊕ C2, A. 

Note that answers are really universally quantified formulas, so we can, and 
will, take the join also of answers A1 ← C1 and A2 ← C2 when A1 and A2 are 
equal modulo renaming of variables, provided that the answers are appropriately 
renamed first. We will do similarly with calls. 

A logic formula or a term is said to be ground if it contains no variables. 



2.2 Model Checking and CTL 

We briefly survey the temporal logic CTL (Computation Tree Logic); or rather 
a semantically complete subset of CTL. For an extensive survey of CTL and 
temporal logics, see e.g. [15, 10]. CTL is a branching time specification language 
for discrete dynamic systems. Formulas in CTL are used to specify properties 
of states and state transitions. In this context a state is characterized by a 
finite set of state variables and a state is a valuation of the variables - i.e. an 
assignment of values to the state variables. States are here denoted by a. It is 
often assumed that the state variables are boolean, but it is also possible to 

¹ We do not require the constraint language to be equipped with these operations; 
only that new semantically equivalent constraints can be obtained. For instance, 
∃x F(x) = F(0) ∨ F(1) in the case of projection. 
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have finite domain variables or even variables with infinite domains (in which 
case checking properties is generally undecidable). 

Let c be a set of primitive constraints - for instance, boolean variables or 
simple equations involving finite domain variables. The abstract syntax of the 
CTL fragment that we consider here is defined as follows: 

F ::= c | F1 ∧ F2 | F1 ∨ F2 | ¬F | ex(F) | eg(F) | eu(F1, F2) 

It should be noted that the fragment is semantically complete. That is, temporal 
operators not discussed here (e.g. ag and ef) can be expressed by means of the 
operators above (cf. [5]). 

A model M is a (transition-) relation between states, written σ1 M σ2. It 
is assumed that there is at least one transition from every state (possibly to 
itself). The model M defines a set of infinite computation paths of states σ0σ1..., 
written σ0σ1... ∈ M. Model checking in CTL is the problem of deciding whether 
a given system model M and a given initial state σ (or a set of states) satisfies 
a CTL specification F, written M, σ ⊨ F. The semantics of the satisfaction 
relation is defined as follows: 



[The semantic equations of the satisfaction relation are only partly legible in the scan; the recoverable fragments are:] 
M, σ0 ⊨ c 
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iff σ0(c) = 1 
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M, σ0 ⊨ F1 ∧ F2 iff [not legible] 
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[...] M, σi 
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⊨ F2 and M, σj ⊨ F1 for every 0 ≤ j < i 



Since the model M is static it is common to write simply σ ⊨ F when the 
transition relation is clear from the context. 

Figure 1 depicts a model involving a single state variable S with the domain 
S ∈ 0..3. In this model the property eg(S < 2) holds in the initial state S = 0, 
since there is an infinite path where S is always less than 2. Also the property 
eu(S ≠ 1, S = 3) holds in the same model and the same initial state, since there 
is a path where S ≠ 1 until S becomes 3. 

The semantic equations given above can be extended to sets of states: M, S ⊨ 
F iff M, σ ⊨ F for each σ ∈ S. 

3 A CLP Formalization of CTL 

In this section we show that the semantic equations of CTL can be naturally 
defined using (constraint) logic programming. We introduce two binary predicates 
- holds/2 and step/2; the atomic formula holds(F, S) expresses that a CTL 
formula F holds in the state(s) S. The predicate step(S1, S2) expresses that there 
are transitions from all states in S1 to some state in S2. We will encode CTL 
formulas - even CTL state variables - as ground terms, while sets of states will 
be represented as a constraint between CLP variables; later we show how to 
couple CTL variables (encoded as constants) and CLP variables. 

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Fig. 1. State machine with a finite domain state variable 

Note that the satisfaction relation holds/2 does not explicitly involve the 
actual model; the transition relation is rather encoded in the relation step/2. To 
describe the system model (or the transition relation) we need two copies of the 
state variables - say S1 and S2.² The set of all transitions can then be defined 
in the following schematic way: 

step(S1, S2) ← C(S1, S2). 

where C(S1, S2) is a constraint which is (equivalent to) a disjunction of all 
possible transitions. For instance, the system in Figure 1 (with only a single state 
variable) can be described as follows using a finite domain constraint: 

step(S1, S2) ← 
    (S1 = 0 ∧ S2 = 1) ∨ (S1 = 0 ∧ S2 = 2) ∨ ··· ∨ (S1 = 3 ∧ S2 = 2). 

Note that it is perfectly possible to give an intensional definition of the transition 
relation; for example, it is possible to express composition of models in a natural 
way. If we have sub-systems encoded by the relations step1, ..., stepn, then the 
parallel composition can be defined schematically as follows: 

step(S1, S2) ← 
    step1(S1, S2), ..., stepn(S1, S2). 

In what follows we assume nothing about how the transition relation is defined; 
only that it is correct: that is, σ1 M σ2 iff step(σ1, σ2) is a consequence of the 
program.³ 

The meaning of the standard boolean connectives can be defined straightfor- 
wardly: 

² To simplify the notation we consider only a single state variable, but S1 and S2 can 
also be tuples of state variables. 

³ By abuse of notation we sometimes view a state (which is defined as a function from 
state variables to values) also as a tuple of values. 
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(C1) holds(F ∧ G, S) ← 
    holds(F, S), holds(G, S). 

(C2) holds(F ∨ G, S) ← 
    holds(F, S). 

(C3) holds(F ∨ G, S) ← 
    holds(G, S). 

(C4) holds(¬F, S) ← 
    ¬holds(F, S). 

Note that negation in CTL must be reduced to constructive negation in CLP. 
Actually we only need a restricted form of constructive negation - holds/2 will 
always be called with its first argument (the CTL formula) fully instantiated 
so there will be no need to construct (and then complement) any Herbrand 
constraints. For this to work we require that a goal ← holds(F, S) has only a 
finite number of answers, and that the constraint (representing these answers) 
can be complemented (see e.g. [20] for details on negation in constraint logic 
programming). 

The temporal operators ex and eu can be defined similarly: 

(C5) holds(ex(F), S1) ← 
    step(S1, S2), holds(F, S2). 

(C6) holds(eu(F, G), S) ← 
    holds(G, S). 

(C7) holds(eu(F, G), S1) ← 
    holds(F, S1), step(S1, S2), holds(eu(F, G), S2). 

The only problem is caused by the CTL formula eg(F): it is typically defined 
as a greatest fixed point; namely the largest set of states (1) where F holds and 
(2) where every state has at least one transition back to some state in the set. 
In a previous paper we extended CLP with a mechanism for computing greatest 
fixed points [14]. It is also possible to solve the problem by use of several nested 
negations, but negation means complementation which is often an expensive 
operation. 

On the other hand, if we assume that the state space is finite it is possible 
to formulate the semantics of eg(F) as a least fixed point, using the following 
trivial observation. 

Proposition 1. Let M be a finite transition system, then M, σ0 ⊨ eg(F) iff 
there exists a finite path σ0 ... σi such that M, σj ⊨ F for all 0 ≤ j ≤ i and 
σi = σk for some 0 ≤ k < i. 

By an F-path we mean a finite non-empty path where F holds in every state 
(except possibly the last one). F-paths can be characterized as follows. 

(C8) path(F, S1, S2) ← 
    holds(F, S1), step(S1, S2). 

(C9) path(F, S1, S3) ← 
    path(F, S1, S2), holds(F, S2), step(S2, S3). 
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Now the property eg(F) obviously holds in a state σ if there is an F-path σ0 ... σi 
such that σ0 = σi = σ. Moreover, eg(F) must hold in a set S of states, if for 
every σ ∈ S there is an F-path σ ... σi such that σi ∈ S. Consequently: 

(C10) holds(eg(F), S) ← 
    path(F, S, S). 

In addition, eg(F) must hold in every state where F holds and where there is a 
transition to a state where eg(F) holds. 

(C11) holds(eg(F), S1) ← 
    holds(F, S1), step(S1, S2), holds(eg(F), S2). 

These eleven clauses are sufficient for defining the semantics of CTL. 

Finally we have to encode the primitive constraints of CTL. We illustrate the 
principle by example only, since this depends very much on the particular 
constraint domain, and on what primitive constraints are being used. As pointed 
out, CTL formulas (including state variables) are encoded as ground terms, but 
for each state variable we also need a constraint variable. Each primitive CTL 
constraint is then lifted to the meta level. In case of a boolean domain we may 
for instance introduce one clause (using the syntax of SICStus Prolog) for each 
boolean state variable ci of our CTL formula: 

holds(ci, [X1, ..., Xi, ..., Xn]) ← sat(Xi). 

That is, the boolean state variable ci is satisfied in a state [X1, ..., Xi, ..., Xn] 
if the constraint sat(Xi) is satisfied. 

The system model in Figure 1 involves a single state variable S with the finite 
domain 0..3. The following clauses illustrate how some primitive constraints can 
be encoded using CLP(fd): 

holds(s = N, S) ← S = N. 
holds(s < N, S) ← S ∈ 0..(N − 1). 
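The clauses (C1) to (C11) above run on the Figure 1 model, as an added example that is not part of the paper: explicit sets of states stand in for constraints, holds(f, c) returns the answer to the call ← C(S), holds(f, S), and eg is computed as the least fixed point of (C10) and (C11) instead of a greatest fixed point. The transition set TRANSITIONS and the primitive-constraint names are assumptions, since the page lists only three of the Figure 1 edges.

```python
from typing import Callable, Dict, FrozenSet, Tuple

# Added example, not code from the paper. The constraint domain is the powerset of
# VAL = {0, 1, 2, 3}, i.e. the single finite-domain state variable S of Figure 1, so the
# four operations of Section 2.1 become: conjunction = intersection, disjunction = union,
# complementation = set difference from VAL; projection is the identity for one variable.
States = FrozenSet[int]
VAL: States = frozenset(range(4))

# The page lists only the transitions 0->1, 0->2 and 3->2 of Figure 1. The remaining edges
# are a constructed assumption, chosen so that every state has a successor and the two
# properties discussed in the paper, eg(S < 2) and eu(S != 1, S = 3) at S = 0, both hold.
TRANSITIONS = frozenset({(0, 1), (0, 2), (1, 0), (2, 3), (3, 2)})

# CTL formulas as ground terms, mirroring the paper's encoding:
#   ("c", name), ("and", F, G), ("or", F, G), ("not", F), ("ex", F), ("eg", F), ("eu", F, G)
Formula = Tuple

# Primitive constraints lifted to the meta level (cf. holds(s = N, S) <- S = N).
PRIMITIVES: Dict[str, Callable[[int], bool]] = {
    "true": lambda s: True,
    "s<2": lambda s: s < 2,
    "s!=1": lambda s: s != 1,
    "s=3": lambda s: s == 3,
}


def step(s1: States) -> States:
    """step(S1, S2): states reachable by one transition from some state in S1."""
    return frozenset(b for (a, b) in TRANSITIONS if a in s1)


def pre(s2: States) -> States:
    """States S1 with step(S1, S2) into s2; needed when S1 is the unknown of a clause."""
    return frozenset(a for (a, b) in TRANSITIONS if b in s2)


def f_region(f: Formula, c: States) -> States:
    """States reachable from c along paths whose intermediate states satisfy f: the
    part of the state space a goal-directed search from <- C(S), holds(f, S) visits."""
    region = c
    while True:
        nxt = region | step(holds(f, region))
        if nxt == region:
            return region
        region = nxt


def holds(f: Formula, c: States) -> States:
    """Answer to the call <- C(S), holds(F, S): the subset of c in which f holds.
    The constraint c is pushed into the sub-formulas, which is local model checking."""
    op = f[0]
    if op == "c":
        return frozenset(s for s in c if PRIMITIVES[f[1]](s))
    if op == "and":                                   # (C1)
        return holds(f[1], c) & holds(f[2], c)
    if op == "or":                                    # (C2), (C3): join of the two answers
        return holds(f[1], c) | holds(f[2], c)
    if op == "not":                                   # (C4): C \ C' = C (x) not C'
        return c - holds(f[1], c)
    if op == "ex":                                    # (C5): step(S1, S2), holds(F, S2)
        return c & pre(holds(f[1], step(c)))
    if op == "eu":                                    # (C6), (C7) as a least fixed point
        region = f_region(f[1], c)
        f_states = holds(f[1], region)
        x = holds(f[2], region)
        while True:
            nxt = x | (f_states & pre(x))
            if nxt == x:
                return c & x
            x = nxt
    if op == "eg":                                    # (C10), (C11): eg(F) as a least fixed point
        f_states = holds(f[1], f_region(f[1], c))
        # (C10) path(F, S, S): F-states from which an F-path leads back to themselves,
        # i.e. the states that Proposition 1 says lie on a cycle of F-states.
        on_cycle = frozenset(
            s for s in f_states
            if s in f_region(f[1], step(frozenset({s})) & f_states))
        x = on_cycle
        while True:                                   # (C11): close backwards through F-states
            nxt = x | (f_states & pre(x))
            if nxt == x:
                return c & x
            x = nxt
    raise ValueError(f"unknown operator {op!r}")


if __name__ == "__main__":
    init = frozenset({0})
    print(holds(("eg", ("c", "s<2")), init))                  # frozenset({0})
    print(holds(("eu", ("c", "s!=1"), ("c", "s=3")), init))   # frozenset({0})
```

Calling holds(f, VAL) instead of holds(f, init) corresponds to starting from the call ← true, holds(f, S), i.e. global checking of f.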

4 Correctness 

We now have to show that the relation holds /2, as defined by the CLP program 
P above, is equivalent to the satisfaction relation in Section 2.2, provided that 
P contains correct definitions of step and the primitive constraints. 

The program P is a general constraint logic program. There are a number 
of different semantic frameworks for logic programs with negation (see e.g. [1]). 
Fortunately it can be shown that the program described in the previous section 
is (locally) stratified, and for such programs there is a well-established standard 
model⁴ (usually denoted Mp) which coincides with most other semantic 
frameworks. 

⁴ This standard model should not be confused with the model in model checking. 
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In order to prove equivalence we have to assume that step/2 is equivalent to 
the transition relation; that is 

Mp ⊨ step(σ1, σ2) iff σ1 M σ2. 

We also have to assume that P contains an equivalent definition of the primitive 
constraints: 

Mp ⊨ holds(c, σ) iff M, σ ⊨ c. 

Theorem 2. Let F be a CTL formula, σ a state and P a constraint logic 
program as described above. If step/2 is a correct realization of the transition 
relation M, and if the primitive constraints are correct then: 

M, σ ⊨ F iff Mp ⊨ holds(F, σ) 



The theorem can be shown by rule induction using the fact that the size of the 
CTL formula in the head of each clause is never smaller than the size of CTL 
formulas in the body of the same clause. 

5 An Abstract Model of Computation 

In this section we describe an abstract model of execution for the restricted type 
of constraint logic programs considered here. The model is goal-directed, uses 
tabulation and a restricted form of constructive negation. It should be noted 
that while the model has been used as a basis for a prototype implementation 
(see Section 6), and may serve as a basis for a real implementation, there are 
many design decisions (intentionally) left open. 

There are two reasons why we need a new model (rather than using an 
existing CLP system): 

— no CLP system known to us has support for constructive negation (see [20]) 
which is necessary in order to deal with negation in CTL; 

— the program in Section 3 is highly recursive; in fact, the rules for eg(F) and 
eu(F1, F2) would, in most cases, result in infinite computations in existing 
CLP systems. 

However, both problems can be repaired, at least in the presence of CLP 
programs with a finite number of solutions. Constructive negation fits very well 
with constraint logic programming; the main difficulty is that we have to 
be able to compute the complement of a constraint (which was one of our initial 
assumptions). When it comes to infinite (and repeated) computations it is possible 
to use tabulation, or memoization (e.g. [22, 6, 4]). Efficient systems based on 
tabulation (and similar techniques) exist for logic programming, most notably 
XSB [18]. There are frameworks for extending tabulation also to constraints [21], 
but general and efficient implementations are not yet available. 
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Our execution model relies on the notion of a table. The table is used to 
record all procedure invocations and all answers to each procedure invocation. 
Informally a table is a set of answers and calls modulo the equivalence ≈. Moreover 
the table will be kept in a standardized form, obtained by joining answers 
(and calls); for instance, the answers A ← C1 and A ← C2 will be combined 
into A ← C1 ⊕ C2. As a result the table will contain at most one answer per 
atomic formula (modulo ≈), and similarly for calls.⁵ 

The ordering ⊑ on answers and calls extends to tables. Hence, T1 ⊑ T2 iff 
whenever A ← C1 ∈ T1, then there is an answer A ← C2 ∈ T2 such that 
A ← C1 ⊑ A ← C2, and similarly with calls. 

Given an initial table T0, a computation is a sequence of tables 

T0 ▷ T1 ▷ ... ▷ Tn such that Ti ⊑ Ti+1 for 0 ≤ i ≤ n − 1 

and where each table Ti+1 is obtained from Ti by application of a so-called 
extension (▷) to be defined below. Each extension adds a new answer or call 
to the current table, and this process proceeds until no further extensions are 
possible (or more precisely until nothing new can be added to the table). The 
initial table T0 typically contains a single call {← C, A} - in our case the goal is 
typically of the form ← C(S), holds(f, S) where f is a CTL formula, and C(S) 
a constraint on S encoding the set of states where we want to check f. However, 
it is also possible to start from other initial tables; both standard (global) model 
checking and Rauzy's approach can be simulated by alternative initial tables as 
discussed in the next section. 

Before defining the actual extensions we first introduce two auxiliary transition 
relations ⇒c (call) and ⇒a (answer) between clauses. The relation ⇒c describes 
partial instantiation and constraining of clauses, and the relation ⇒a corresponds 
to resolution with answers (both positive and negative subgoals can be resolved). 
Let T be a table, then: 

Call: If (← C', B) ∈ T, C ⊗ C' is satisfiable and θ = mgu(A, B), then⁶ 

(A ← C, L1, ..., Ln) ⇒c (A ← C ⊗ C', L1, ..., Ln)θ. 

Answer I: If (B ← C') ∈ T, C ⊗ C' is satisfiable and θ = mgu(A1, B), then 

(A ← C, A1, L2, ..., Ln) ⇒a (A ← C ⊗ C', L2, ..., Ln)θ. 

Answer II: If (B ← C') ∈ T, C \ C' is satisfiable and θ = mgu(A1, B), then 

(A ← C, ¬A1, L2, ..., Ln) ⇒a (A ← C \ C', L2, ..., Ln)θ 

⁵ On the other hand, our model is an abstract one, and in an actual implementation 
we may decide to keep table entries separate. 

⁶ Here, and in the following transitions, we implicitly assume that the expressions are 
first appropriately renamed apart. 
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We then define ⇒ as the relational composition of ⇒c with the transitive and 
reflexive closure of ⇒a. That is, ⇒ = ⇒c (⇒a)*. 

The (three) extensions can now be defined as follows: 

1. T ▷ T ∪ {A' ← π_{A'} C'} if there is a program clause A ← C, L1, ..., Ln such 
that 

   A ← C, L1, ..., Ln ⇒ A' ← C' 

2. T ▷ T ∪ {← π_{A'i} C', A'i} if there is a program clause A ← C, L1, ..., Ln and 
formulas A', L'i+1, ..., L'n such that [condition not legible in the scan] 

3. T ▷ T ∪ {[entry not legible in the scan], A'i} if there is a program clause A ← C, L1, ..., Ln and 
formulas A', L'i+1, ..., L'n such that 

   A ← C, L1, ..., Ln ⇒ A' ← C', [...], L'i+1, ..., L'n 

A computation is a saturation process where the extensions above are applied 
until no further extensions are possible. The extensions can be applied non- 
deterministically with one restriction: extensions relying on the transition Answer 
II (answer resolution with a negative subgoal) should not be applied until 
the answer for the corresponding positive subgoal is completed. In our particular 
case it means that we must not generate answers of the form holds(¬f, S) ← 
C(S) until we have exhausted all possibilities to extend holds(f, S) ← C(S). 
(See [6, 4] for details on how to deal with negation in tabled resolution.) 

6 A Preliminary Experimental Evaluation 

Since there is presently no CLP system that supports constructive negation and 
tabulation, we had to implement a prototype system in order to evaluate the 
approach outlined above. Instead of building a general purpose system we have 
hard-coded the CLP program in Section 3 and the extensions described above. 
The prototype supports boolean constraints and uses Jørn Lind-Nielsen's BDD 
library BuDDy⁷ to represent boolean constraints. 

One of the main benefits of local model checking is that it reduces the state 
space in which we have to check a property; it should be noted that this is 
not always productive in combination with symbolic model checking - there 
is not always a direct correspondence between the size of a BDD and the set 
of states that it represents. For example, the set of all states is represented 
by the boolean expression true, which is a one-node BDD. Hence, for evaluation 
purposes it would probably have been better to pick another domain (or another 
representation of boolean expressions). However, even for BDDs we can report 
improvement in some cases, as illustrated below. 

Since there are relatively few clauses in our program the various extensions 
were hard-coded. As an example, consider the clause defining ∧: 

⁷ http://www.itu.dk/research/buddy/ 
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(C1) holds(F ∧ G, S) ← 
    holds(F, S), holds(G, S). 

The clause represents two possible uses of extension by call (the two body 
literals), and one use of extension by answer. Figure 2 shows the dependencies 
between the different entries in the table. The arrows describe dependencies 
between table entries. The labels on the edges refer to the three different types of 
extensions. The fact that entries for the answers of sub-formulas depend on the 
corresponding calls is visualized by dashed edges. Each time a table entry is 
updated, all entries depending on that entry are scheduled for execution. 



[Figure 2: dependency graph between the "Calls" and "Answers" table entries; the image itself is not reproduced.] 

Fig. 2. Dependencies between table entries due to (C1). 



Because of the prototype nature of our system it is not meaningful to compare 
the run-time of our system with others. On the other hand, the framework 
described in Section 5 is general enough to simulate both local model checking 
and global model checking (the standard approach to symbolic model checking) 
as well as the restricted type of local checking used by Rauzy [17] (where we 
first compute all reachable states and then apply a global algorithm) . 

Local: In this approach the initial table is loaded with a single call as described 
in Section 5. This amounts to a top-down traversal of the CTL formula 
making use of all three extensions. 

Global: Here the initial table is loaded with calls of the form ← true, holds(f, S) 
for each sub-formula f of the CTL formula that we want to check. This results 
in a bottom-up traversal of the CTL formula; i.e. we first compute the set 
of states where the inner-most formulas hold, followed by larger and larger 
sub-formulas. Only extension (1) is needed for this. 

Filtered Global: Here we first compute the set of all states G(S) reachable 
from the initial state; then the initial table is loaded with calls of the form 
← G(S), holds(f, S) for each sub-formula f of the CTL formula that we 
want to check. We use only extension (1) but each answer is filtered with 
the states G(S). 








396 Ulf Nilsson and Johan Lübcke 



Table 1. The size of BDDs for local checking, global checking and filtered global checking. 
The numbers are (1) the total number of nodes in the BDDs, and (in parentheses) 
the total number of BDD nodes in all (2) call and all (3) answer entries. 

CTL formula                        Local              Global           Filtered global
eat1 ∧ eat2                        32 (30, 2)         4 (0, 4)         128 (0, 128)
ex(ex(eat1 ∧ eat2))                267 (265, 2)       525 (0, 525)     109 (0, 109)
¬eu(true, ¬ex(true))               897 (681, 216)     3831 (0, 3831)   786 (0, 786)
eu(stick1, eat1 ∧ eat2)            63 (60, 3)         61 (0, 61)       249 (0, 249)
ex(eat1)                           65 (64, 1)         302 (0, 302)     130 (0, 130)
ex(ex(ex(eat1)))                   377 (291, 86)      1385 (0, 1385)   376 (0, 376)
¬eu(true, ¬eu(true, init))         4917 (4077, 840)   209 (0, 209)     2137 (0, 2137)




As a sample model we used the dining philosophers. Our system consisted of
five philosophers, each described by 2 binary state variables (one indicating that
the philosopher is trying to pick up the sticks, and one indicating success), and
5 additional state variables denoting the resources shared by the philosophers.
This gives 2^15 = 32768 possible states; 105 of those are reachable from the initial
state.

Table 1 summarizes our preliminary findings. The table describes the size of
all final BDDs in the three different approaches. In addition we show how the
total number of BDD nodes is divided between call and answer entries. The size of
the BDDs is probably a better measure than run-time since operations are
generally polynomial in the size of the BDDs, but the size of a BDD may in the worst
case grow exponentially in the number of boolean parameters. We would like to
point out that boolean constraints and BDDs are not the best domain and
representation to demonstrate the usefulness of local, symbolic model checking, since
large sets of states may have very compact representations as BDDs. Moreover,
the dining philosophers is not the best example, since there are relatively few
synchronization points. In spite of this, there are several properties where local
checking beats global checking, most notably the property ¬eu(true, ¬ex(true)),
which says that there is “no deadlock”. On the other hand there are other
properties where global checking beats local checking; in particular the property
¬eu(true, ¬eu(true, init)), which states that it is always possible to return to the
initial state from any reachable state. It should be observed that the figures in
the last column are somewhat misleading since they do not include the size of
the BDD that represents the set of all reachable states.

7 Conclusions 



We have encoded a semantically complete fragment of CTL in a constraint logic 
programming framework extended with constructive negation and tabulation. 
We have also described an abstract model of execution which encompasses both 
local and global model checking as well as filtered global checking. In this frame-
work we can combine symbolic model checking with different degrees of local 
model checking. Our framework is parameterized by the constraint domain, 
which means that any constraint language over a finite domain and equipped 
with disjunctive constraints, projection and complementation can be used. The 
program is very succinct and basically corresponds to the semantic equations of 
CTL. 

As far as we know this is the first formalization of a semantically complete
fragment of CTL which supports both symbolic model checking and on-the-fly
generation of the state space, i.e. local model checking. Other approaches such
as XMC [16] support local model checking, but not symbolic model checking,
while the approach of Delzanno and Podelski ([7] and [8]) allows for symbolic
checking, but not for a semantically complete fragment of CTL, and there is
only limited support for local checking. Rauzy’s constraint language Toupie [17]
combines symbolic checking with a reachability analysis, but the two are not
intertwined as in our approach.
Abstract. Structural testing techniques are widely used in the unit testing
process of software. A major challenge of this process consists in
generating test data automatically, i.e., in finding input values for which
a selected point in a procedure is executed. We introduce here an original
framework where the latter problem is transformed into a CLP(FD)
problem. Specific operators have been introduced to tackle this kind of
application. The resolution of the constraint system is based upon entailment
techniques. A prototype system — named InKa — which handles
a non-trivial subset of programs written in C has been developed.
First experimental results show that InKa is competitive with
traditional ad-hoc methods. Moreover, InKa has been used successfully
to generate test data for programs extracted from a real application.



1 Introduction 



Structural testing techniques are widely used in the unit or module testing pro- 
cess. Structural testing requires: 



1. Identifying a set of statements in the procedure under test, the covering 
of which implies the coverage of some criteria (e.g., statement or branch 
coverage); 

2. Computing test data so that each statement of the set is reached. 

The second point — called the ATDG¹ problem in the following — is the cornerstone
of structural testing since it arises for a wide range of structural criteria.
The ATDG problem is undecidable in the general case since it can be reduced
to the halting problem. Classical ad-hoc methods fall into three categories:



— Random test data generation techniques, which blindly try values
until the selected point is reached;

— Symbolic-execution techniques, which replace input parameters by
symbolic values and which statically evaluate the statements along
the paths reaching the selected point;

— Dynamic methods, which are based on actual execution of the
procedure and which use heuristics to select values, e.g. numerical direct
search methods.

¹ Automatic Test Data Generation.



The limit of these techniques mainly comes from the fact that they “follow one 
path” in the program and thus fail to reach numerous points in a procedure. 
A statement in a program may be associated with the set of paths reaching it, 
whereas a test datum on which the statement is executed follows a single path. 
However, there are numerous non-feasible paths, i.e., there is no input data for 
which such paths can be executed. Furthermore, if the procedure under test con- 
tains loops, it may contain an infinite number of paths. 



We introduce here an original framework where the ATDG problem is trans- 
formed into a CLP problem over finite domains. Roughly speaking, this frame- 
work can be defined by the following three steps: 

1. Transformation of the initial program into a CLP(FD) program with some
specific operators which have been introduced to tackle this kind of
application;

2. Transformation of the selected point into a goal to solve in the CLP(FD)
system;

3. Solving the resulting constraint system to check whether at least one feasible 
control flow path going through the selected point exists, and to generate 
automatically test data that correspond to one of these paths. 

The first two steps are based on the use of the “Static Single Assignment” form
and control-dependencies. They have been carefully detailed in earlier work.

In this paper, we mainly analyze the third step: the constraint solving process. 
The key-point of our approach is the use of constraint entailment techniques to 
drive this process efficiently. In the proposed CLP framework test data can be 
generated without following one path in the program. 

To validate this framework, a prototype system — named InKa — has been
developed over the CLP(FD) library of Sicstus Prolog. It handles a non-trivial
subset of programs written in C. The first experimental results show that
InKa outperforms random generation techniques and is competitive with other
methods. Moreover, InKa has been used successfully to generate test data for
programs extracted from a real application.

Before going into the details, let us illustrate the advantage of our approach 
on a very simple example. 



1.1 Motivating Example 

Let us consider the small toy program given in Fig. 1. The goal is to generate
a test datum, i.e. a pair of values for (x, y), for which statement 10 is executed.
“Static Single Assignment” techniques and control-dependencies analysis yield
the following constraint system²:

σ1 = (x, y, z, u ∈ 0..2^32 − 1) ∧
     (z = x * y) ∧ (t1 = 2 * x) ∧ (z < 8) ∧ (u < x) ∧ (t2 = t1 − y) ∧ (t2 < 20)

Variables t1 and t2 denote the different renamings of variable t.



int foo(int x, int y)
{ int z, t, u;
1.    z = x * y;
2.    t = 2 * x;
3.    if (x < 4)
4.      u = 10;
      else
5.      u = 2;
6.    if (z < 8)
7.    { if (u < x)
8.      { t = t - y;
9.        if (t < 20)
10.       { ...

Fig. 1. Program foo



Local consistency techniques like interval-consistency cannot achieve
any significant pruning: the domain of x will be reduced to 0..2^31 − 1 while no
reduction can be achieved on the domain of y. So, the search space for (x, y)
contains (2^31 − 1) × (2^32 − 1) possible test data. However, more information
could be deduced from the program. For instance, the following relations could
be derived from the first if_then_else statement (lines 3, 4, 5):

(x ≥ 4 ∧ u = 2) holds if ¬(x < 4 ∧ u = 10) holds
(x < 4 ∧ u = 10) holds if ¬(x ≥ 4 ∧ u = 2) holds

Entailment mechanisms allow us to capture such information. Indeed, since
¬(x < 4 ∧ u = 10) is entailed by u < x, we can add to the store the constraint
(x ≥ 4 ∧ u = 2). Filtering x ≥ 4 ∧ u = 2 ∧ σ1 by interval-consistency
reduces the domain of x to 4..11 and the domain of y to 0..2.

This example shows that entailment tests may help to drastically reduce the 
search space. Of course, the process becomes more tricky when several condi- 
tional statements and loop statements are inter-wound. 

Outline of the Paper. The next section introduces the notation and some
basic definitions. Section 3 details how the constraint system over CLP(FD) is
generated. Section 4 details the constraint solving process. Section 5 reports
the first experimental results obtained with InKa, while section 6 discusses the
extensions of our framework.

² In this context, an int variable has an unsigned long integer value, i.e. a value
between 0 and 2^32 − 1.



2 Notations and Basic Definitions 



A domain in FD is a non-empty finite set of integers. A variable which is
associated to a domain in FD is called a FD_variable and will be denoted by an
upper-case letter. Primitive constraints in CLP(FD) are built with variables,
domains, the ∈ operator, arithmetical operators in {+, −, ×, div, mod}³ and the
relational operators. Note that the negation of a primitive constraint is
also a primitive constraint. In the following, c, possibly subscripted, denotes
exclusively a primitive constraint. A constraint-store σ is a conjunction of primitive
and non-primitive constraints.

Non-primitive constraints are composed of combinators and guarded-constraints.
Combinators are boolean combinations of constraints. For example, the
constraint element(I, L, V), which expresses that V is the I-th element of the list
L, is a combinator.

Guarded-constraints are built by using the blocking ask operator and
are denoted C1 → C2, where C1 and C2 stand for constraints. C1 is called the
guard. The operational semantic of C1 → C2 is given by the following rules:

• The constraint C1 → C2 is removed and C2 is added to σ when C1 is
entailed by σ;

• The constraint C1 → C2 is just removed when ¬C1 is entailed by σ;

• The constraint C1 → C2 is suspended when neither C1 nor ¬C1 are entailed
by σ.

Note that C1 and C2 are not restricted to be primitive and that checking whether
¬C1 is entailed may require to compute the negation of a non-primitive
constraint.

Entailment operations are based on partial consistencies. Two partial entailment
tests have been introduced earlier: domain-entailment and interval-entailment.
They are based upon domain-consistency and interval-consistency.
Let X1, ..., Xn be FD_variables, let D1, ..., Dn be domains and let C be a
constraint⁴.



Definition 1 (Domain-Consistency)

A constraint C is domain-consistent if for each variable Xi and value vi ∈ Di
there exist values v1, ..., v(i−1), v(i+1), ..., vn in D1, ..., D(i−1), D(i+1), ..., Dn such
that C(v1, ..., vn) holds. A store σ is domain-consistent if for every constraint
C in σ, C is domain-consistent.



Interval consistency is based on an approximation of finite domains by finite
sets of successive integers. More precisely, if D is a domain, D* is defined by the
set {min(D), ..., max(D)} where min(D) and max(D) denote respectively the
minimum and maximum values in D.

³ div and mod represent the Euclidean division and remainder.

⁴ We assume that all the constraints are implicitly defined on X1, ..., Xn.
Definition 2 (Interval-Consistency)

A constraint C is interval-consistent if for each variable Xi and value vi ∈
{min(Di), max(Di)} there exist values v1, ..., v(i−1), v(i+1), ..., vn in
D1*, ..., D(i−1)*, D(i+1)*, ..., Dn* such that C(v1, ..., vn) holds. A store σ is
interval-consistent if for every constraint C in σ, C is interval-consistent.

The following relaxations of entailment are introduced in earlier work:

Definition 3 (Domain-Entailment)

A constraint C(X1, ..., Xn) is domain-entailed by D1, ..., Dn iff, for all values
v1, ..., vn in D1, ..., Dn, C(v1, ..., vn) holds.

Definition 4 (Interval-Entailment)

A constraint C(X1, ..., Xn) is interval-entailed by D1, ..., Dn iff, for all values
v1, ..., vn in D1*, ..., Dn*, C(v1, ..., vn) holds.

We introduce here another partial entailment test which is based on refutation:

Definition 5 (abs-Entailment)

A constraint C is abs-entailed by a store σ iff filtering σ ∧ ¬C by domain-
consistency or interval-consistency yields an empty domain.

3 Generation of the Constraint System 

Let P be a single procedure written in an imperative language, let n be a point
(either a statement or a branch) in P. Solving the ATDG problem requires
computing a vector of input⁵ values of P such that n is executed.

For the sake of simplicity, we first introduce the constraint system generation
technique for an array_if_while language over integers. Procedure calls are
handled in our framework but we assume that there is only one mechanism
for passing arguments: the call-by-value mechanism. Programs must be
well-structured and must avoid floating-point variables. A procedure is assumed to
have a single return statement.

The next subsection recalls the general principles of the “Static Single
Assignment” form. The following subsections detail the transformation process
of a program under SSA form into a CLP program.

3.1 Static Single Assignment Form

The SSA form is a version of a procedure in which every variable has a unique
definition and every use of a variable is reached by this definition. The SSA form
of a basic block is obtained by a simple renaming (i = i + 1 yields i2 = i1 + 1).
For the control structures, SSA form introduces special assignments, called
φ-functions, to merge several definitions of the same variable. For example, the

⁵ An input variable is either a formal parameter or a referenced global variable.
if (x < 4)                  if (x < 4)
  u = 10;                     u1 = 10;
else                        else
  u = 2;                      u2 = 2;
                            u3 = φ(u1, u2);

j = 1;                      j1 = 1;
                            /* Heading - while */
                            j3 = φ(j1, j2);
while (j * u < 16)          while (j3 * u3 < 16)
  j = j + 1;                  j2 = j3 + 1;

Fig. 2. SSA form of control statements



SSA form of the if_then_else statement is illustrated in the top of Fig. 2. The
φ-function of the statement u3 = φ(u1, u2) returns one of its arguments: if the flow
comes from the then-part then the φ-function returns u1, otherwise it returns
u2.

For other structures such as loops, the φ-functions are introduced in a special
heading which is executed at every iteration. The φ-functions work as usual: this
explains the counter-intuitive renaming of variables (see Fig. 2).

For convenience, a list of φ-functions will be written with a single statement:
x2 := φ(x1, x0), ..., z2 := φ(z1, z0) is written V2 := φ(V1, V0), where Vi stands for a
vector of variables.

3.2 Generation of the CLP Program 

The basic idea is to translate each statement of the SSA form into a primitive 
constraint or a combinator, in order to build a CLP program. A clause is gen- 
erated for each procedure P of the program. The head of the clause has several 
arguments: 

— A list of FD_variables associated with the parameters of P ; 

— A list of FD_variables associated with the referenced globals of P ; 

— A list of FD_variables associated with the local variables used inside the 
decisions of P ; 

— A list of FD_variables associated with the globals defined inside P ; 

— A single FD_variable associated with the expression returned by P. 

Now, let us detail the transformation process. 

Declaration. A type declaration of a variable Xi of type T is translated into a primitive
constraint of the form: Xi ∈ MinT..MaxT where MinT (resp. MaxT) is the
minimum (resp. maximum) value of the type T. Such a constraint prevents
overflows of values, a condition which is required to generate a test datum on
which a selected point is reached.
Array. SSA form provides special expressions to handle arrays: access(a0, k),
which evaluates to the k-th element of a0, and update(a0, j, w), which evaluates to
an array a1 which has the same size and the same elements as a0, except for j,
where the value is w. access and update expressions are transformed into element/3
constraints:

• V = access(a0, k) is translated into element(K, A0, V);

• a definition statement a1 = update(a0, j, w) is translated into
element(J, A1, W) ∧ ⋀_{i≠j} (element(I, A0, V) ∧ element(I, A1, V)).

Conditional. The if_then_else statement is treated by using a combinator,
called ite/3. For example, the if_then_else statement of Fig. 2 is translated into:
ite(X < 4, U1 = 10 ∧ U3 = U1, U2 = 2 ∧ U3 = U2). The conditional statement
expresses an exclusive disjunction between two paths. So, ite(c, C1 ∧ ... ∧ Cn,
C'1 ∧ ... ∧ C'm) holds iff (c ∧ C1 ∧ ... ∧ Cn) or (¬c ∧ C'1 ∧ ... ∧ C'm) holds, where
c is a primitive constraint, and C1, ..., Cn, C'1, ..., C'm are primitive or
non-primitive constraints. The operational semantic of combinator ite/3 is based
on the following rules:

Definition 6 ite/3 (Operational Semantic)

ite(c, C1 ∧ ... ∧ Cn, C'1 ∧ ... ∧ C'm) is reduced to the four following
guarded-constraints:

• c → C1 ∧ ... ∧ Cn

• ¬c → C'1 ∧ ... ∧ C'm

• ¬(c ∧ C1 ∧ ... ∧ Cn) → (¬c ∧ C'1 ∧ ... ∧ C'm)

• ¬(¬c ∧ C'1 ∧ ... ∧ C'm) → (c ∧ C1 ∧ ... ∧ Cn)

The first two guarded-constraints result from the operational semantic of the
if_then_else statement in an imperative language. The last two are introduced to
allow a more effective pruning. c and ¬c are included in the guards to facilitate
the detection of inconsistencies by abs-entailment (see section 4).

Loop. Unlike the conditional, the while statement under SSA form cannot
be translated directly. A while statement in SSA form is of the general form:
V2 = φ(V0, V1) while (c) {C1; ...; Cp}, where V0 is the vector of input variables
of the while, V1 is the vector of variables defined inside the body of the while,
and V2 is the vector of variables used inside and outside the while. This
statement is transformed into a w(c, V0, V1, V2, C1 ∧ ... ∧ Cp) combinator, which is a
constraint generation program.

w(c, V0, V1, V2, C1 ∧ ... ∧ Cp) holds iff (¬c̄ ∧ V0 = V2) or (c̄ ∧ C̄1 ∧ ... ∧ C̄p ∧
w(c, V1, V3, V2, Ĉ1 ∧ ... ∧ Ĉp)) holds, where c is a primitive constraint,
c̄ = subs(V2 → V0, c); V0, V1 and V2 are three vectors of FD_variables, V3 is a newly
created vector of FD_variables, C̄i = subs(V2 → V0, Ci) and Ĉi = subs(V1 → V3, Ci)
for i = 1, ..., p; subs being the substitution of variables over a term.
The operational semantic of w/5 is defined by the following rules:

Definition 7 w/5 (Operational Semantic)

w(c, V0, V1, V2, C1 ∧ ... ∧ Cp) is reduced to the four following guarded-constraints:

• c̄ → (C̄1 ∧ ... ∧ C̄p ∧ w(c, V1, V3, V2, Ĉ1 ∧ ... ∧ Ĉp))

• ¬c̄ → V0 = V2

• ¬(c̄ ∧ C̄1 ∧ ... ∧ C̄p) → (¬c̄ ∧ V0 = V2)

• ¬(¬c̄ ∧ V0 = V2) → (c̄ ∧ C̄1 ∧ ... ∧ C̄p ∧ w(c, V1, V3, V2, Ĉ1 ∧ ... ∧ Ĉp))

The first two guarded-constraints result from the behavior of the while
statement. Whenever the decision c of the statement is verified, the body is
executed and another w/5 is stated. When the decision is refuted, the body is
skipped and the input variables of the statement are equated to the vector of
used variables.

The third guarded-constraint is based on the following observation: if the
constraints of the body are inconsistent w.r.t. the current information in the store,
then the loop cannot be performed. The last guarded-constraint comes from the
following observation: if the value of a variable is different before and after the
while statement, then the body of the loop must be executed at least once. Note
that the guards of both combinators are either primitive constraints or negations
of conjunctions of constraints, so the implementation of abs-entailment becomes
straightforward (see section 4).

Let us illustrate how w/5 works on the example of Fig. 2. The while statement
is translated into: w(J3 * U3 < 16, [J1], [J2], [J3], J2 = J3 + 1). If the store
contains J1 = 1, J3 = U3, then the fourth guarded-constraint is activated
because ¬(¬(J1 * U3 < 16) ∧ J1 = J3) is entailed by the store. So, the following
constraints are added to the store: J1 * U3 < 16 ∧ J2 = J1 + 1 ∧ w(J3 * U3 <
16, [J2], [J4], [J3], J4 = J3 + 1) where J4 is a newly created variable.

Procedure Call. A procedure call is translated into a goal to solve. For
example, a statement such as v = foo(x, 29) is translated into
foo([X, 29], [], Liste_of_locals, [], V), where foo is the name of the clause
generated for the procedure foo and Liste_of_locals is the list of FD_variables
associated to local variables and referenced in the decisions of the procedure.
Such a mechanism allows the treatment of recursive procedures.

3.3 Generation of the CLP Goal 

The decisions which must be verified to reach a given point in a procedure are
called the control-dependencies. They are syntactically determined in
well-structured procedures. For loop statements, these decisions are computed
dynamically. Let C(foo, 10) be the control-dependencies associated with point
10 in the procedure foo of Fig. 1. So, we have: C(foo, 10) = (Z < 8) ∧ (U3 <
X) ∧ (T2 < 20). The selected point determines a goal to solve with the clauses
of the generated CLP(FD) program:

C(foo, 10), foo([X, Y], [], [Z, U3, T2], [], RET)
The generated CLP program for program foo and the goal associated with
point 10 are given in Fig. 3.

[Figure 3: the generated CLP program and goal; listing not reproduced.]

Fig. 3. CLP Program generated for the program foo



4 Solving the Goal 

In our framework, the constraint solving process is based on: 

1. A filtering process based on partial consistency techniques and entailment
techniques;

2. A search procedure which combines an enumeration process and a constraint
propagation step.

In view of the operational semantics of combinators introduced in the previ- 
ous section, there are several operations to be implemented. They include an 
entailment test, an algorithm for processing the guarded-constraints, and the 
implementation of the combinators themselves. 

4.1 Entailment Test 

Three levels of entailment relaxations may be used to achieve entailment tests:
domain-entailment, interval-entailment and abs-entailment, defined in section 2.

Consider the following example: σ = (X ∈ 1..100) ∧ (Y ∈ 9..11) ∧ (X ≠ Y)
and the question “is (X * Y ≠ 100) entailed by σ?”.

The constraint is neither interval-entailed nor domain-entailed because (X =
10, Y = 10) does not verify the constraint. Thus, in our framework, we have
implemented abs-entailment which is more effective — at least on our problems —
than domain-entailment and interval-entailment. Practically, we add the negation
of the considered constraint C to the store before starting a filtering step by
interval-consistency. When the domain of one variable is reduced to an empty
set, constraint C is entailed; when all the constraints are interval-consistent, no
deduction can be done and the previous store must be restored. For instance,
filtering the store σ ∧ ¬C = (X ∈ 1..100) ∧ (Y ∈ 9..11) ∧ (X ≠ Y) ∧ (X * Y = 100)
by interval-consistency leads to an empty domain for both variables, and thus
proves that the constraint X * Y ≠ 100 is abs-entailed.

This relaxation of entailment can be seen as a proof by refutation. Technically,
abs-entailment requires computing the negation of the considered
constraint C. Since we only test the entailment of primitive constraints or the
negation of conjunctions of constraints in our framework, this computation becomes
straightforward.

Note also that no suspension will remain in the constraint store at the end of 
the resolution, since the last step of the solving process is an enumeration step. 
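As an added illustration (this is not the paper's code nor InKa's), the following Python sketch implements interval-consistency filtering for a few primitive constraints and the abs-entailment test of Definition 5, and runs it on the store and query of this section, contrasting it with a brute-force domain-entailment check; it assumes all domains contain only positive integers.

```python
"""Interval-consistency filtering and abs-entailment by refutation.

Added example (not code from the paper or InKa) for the Section 4.1 store
sigma = (X in 1..100) /\ (Y in 9..11) /\ (X != Y) and the query X*Y != 100.
Assumption: domains hold only positive integers (product bounds by division).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Domains = Dict[str, Tuple[int, int]]          # variable -> (min, max), i.e. D*
NEG = {"eq": "ne", "ne": "eq", "mul_eq": "mul_ne", "mul_ne": "mul_eq"}


@dataclass(frozen=True)
class Constraint:
    """Binary primitive constraint: X = Y, X != Y, X*Y = k or X*Y != k."""
    kind: str
    x: str
    y: str
    k: int = 0

    def negate(self) -> "Constraint":
        # The negation of a primitive constraint is again primitive (Section 2).
        return Constraint(NEG[self.kind], self.x, self.y, self.k)

    def holds(self, vx: int, vy: int) -> bool:
        return {"eq": vx == vy, "ne": vx != vy, "mul_eq": vx * vy == self.k,
                "mul_ne": vx * vy != self.k}[self.kind]


def _narrow(dom: Domains, v: str, lo: int, hi: int) -> bool:
    """Intersect dom[v] with lo..hi; False when the result is empty."""
    a, b = dom[v]
    dom[v] = (max(a, lo), min(b, hi))
    return dom[v][0] <= dom[v][1]


def _revise(c: Constraint, dom: Domains) -> bool:
    """One interval-consistency step for c (bounds only); False on an empty domain."""
    (xl, xh), (yl, yh) = dom[c.x], dom[c.y]
    if c.kind == "eq":
        return _narrow(dom, c.x, yl, yh) and _narrow(dom, c.y, xl, xh)
    if c.kind == "mul_eq":
        # ceil(k / max Y) <= X <= floor(k / min Y), then the same for Y with the new X bounds.
        if not _narrow(dom, c.x, -(-c.k // yh), c.k // yl):
            return False
        xl, xh = dom[c.x]
        return _narrow(dom, c.y, -(-c.k // xh), c.k // xl)
    # X != Y and X*Y != k only prune a bound once the other variable is fixed.
    for a, b in ((c.x, c.y), (c.y, c.x)):
        al, ah = dom[a]
        if al != ah:
            continue
        if c.kind == "ne":
            forbidden = al
        elif c.k % al == 0:
            forbidden = c.k // al
        else:
            continue                  # k is not a multiple of the fixed value: nothing to forbid
        bl, bh = dom[b]
        lo = bl + 1 if bl == forbidden else bl
        hi = bh - 1 if bh == forbidden else bh
        if not _narrow(dom, b, lo, hi):
            return False
    return True


def filter_store(constraints: List[Constraint], dom: Domains) -> Optional[Domains]:
    """Filter dom by interval-consistency to a fixpoint; None if some domain empties."""
    dom = dict(dom)
    while True:
        before = dict(dom)
        for c in constraints:
            if not _revise(c, dom):
                return None
        if dom == before:
            return dom


def abs_entailed(store: List[Constraint], dom: Domains, c: Constraint) -> bool:
    """Definition 5: C is abs-entailed by the store iff filtering store /\\ not C fails."""
    return filter_store(store + [c.negate()], dom) is None


def domain_entailed(dom: Domains, c: Constraint) -> bool:
    """Definition 3, by brute force: C holds for every pair of values in the domains."""
    (xl, xh), (yl, yh) = dom[c.x], dom[c.y]
    return all(c.holds(vx, vy) for vx in range(xl, xh + 1) for vy in range(yl, yh + 1))


# Constructed store and query of Section 4.1.
DOM: Domains = {"X": (1, 100), "Y": (9, 11)}
SIGMA = [Constraint("ne", "X", "Y")]
QUERY = Constraint("mul_ne", "X", "Y", 100)

if __name__ == "__main__":
    print("domain-entailed:", domain_entailed(DOM, QUERY))   # False: (10, 10) lies in the domains
    print("abs-entailed:", abs_entailed(SIGMA, DOM, QUERY))  # True: sigma /\ X*Y = 100 empties X
```

The refutation run narrows Y to 10 from X*Y = 100, then X ≠ Y pushes X to 11, which X*Y = 100 cannot satisfy; the query X*Y ≠ 99 is left suspended because (9, 11) survives filtering.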



4.2 Processing Guarded Constraints 

The guarded-constraints are evaluated iteratively in the store. The algorithm
for processing guarded-constraints is given in Fig. 4.

/* Let C1, C2 be two constraints and σ be the current store */

/* Process C1 → C2 in σ */

if filtering σ ∧ ¬C1 by interval-consistency yields an inconsistency
then /* C1 is abs-entailed by σ */
     σ ← (σ ∪ {C2}) \ {C1 → C2};

if filtering σ ∧ C1 by interval-consistency yields an inconsistency
then /* ¬C1 is abs-entailed by σ */
     σ ← σ \ {C1 → C2};

if neither C1 nor ¬C1 are abs-entailed by σ
then continue
     /* The guarded-constraint C1 → C2 is suspended in σ */

Fig. 4. Algorithm for processing guarded-constraints



Note that the second rule can be ignored until the end of the computation
because it does not add any constraint to the store. Two kinds of problems may
occur with this algorithm:

— The store may contain other guarded-constraints which are activated as soon
as a filtering is started;

— The store may contain a non-terminating combinator. In fact, some w/5
combinator may introduce guarded-constraints which will recursively put
other w/5 combinators in the store. This pitfall can be seen as a consequence
of the halting problem.

A practical solution for both difficulties consists in ignoring any other
guarded-constraint or combinator of the store during the filtering of σ ∧ ¬C1. Other
awakening policies exist but are not discussed in this paper.



4.3 Search Process 

Filtering by partial consistencies does not always yield a solution, thus a search
step is necessary. Note that, up to this point, no choice point has been set up.
In fact, the disjunctions introduced by the combinators are “captured” by the
entailment tests. As usual, the search is interleaved with constraint propagation.
Since the class of programs is unbounded, experiments are the best way to
determine a good heuristic for the ATDG problem. We have tested the first-fail,
first-fail constrained and domain-splitting heuristics, among others. Iterative
domain-splitting yields the best results on average.

The search process stops in one of the following states:

— Success: A solution of the constraint system was found. In our framework,
such a solution is a test datum on which the selected point n is reached
in the procedure P, hence it is a solution to the ATDG problem.

— Success: The inconsistency of the constraint system has been detected.
If an inconsistency of the store is detected during the initial filtering
step or during the search process, we can state that n is unreachable in P, i.e.
there is no test datum on which n is executed⁶; hence, the ATDG problem
has no solution. This is important information for the tester.

— Failure: The search process did not reach a success state during the
allowed amount of CPU time. This can result from the non-termination
problem of w/5. Consider a reachable point n in a procedure containing a
loop which does not terminate for certain input values. If such an input is
tried during the search process, the w/5 combinator will not terminate.

Note that no information can be deduced when the process is stopped before
the end. It is not possible to determine whether it is a consequence of
an infinite loop or just a very long search. In both cases, we say that our
technique fails to find a solution of the ATDG problem.

⁶ Sometimes called dead code.
5 First Experimental Results

We compare our CLP framework with a random test data generation method and
the dynamic approach implemented in Testgen. We implemented the random method by
using the drand48 C function, which generates pseudo-random numbers with the
well-known linear congruential algorithm and 48-bit integer arithmetic. Testgen
is an implementation of the dynamic method for Pascal programs. The
tool is not available, hence we base the comparison on its published results.
The symbolic execution method has been implemented in a tool called
Godzilla, but that tool is dedicated to mutation analysis of Fortran
programs, making the experimental comparison very difficult.



5.1 Our Prototype System 

InKa operates on a restricted subset of the C language. Unstructured statements
such as the goto statement are not handled in our framework. Pointer arithmetic,
dynamically allocated structures, pointer functions and type casting involve difficult
problems to solve. Pointers are only partially supported by InKa (see section 6).
Although floating point numbers are finite in essence, they introduce problems⁷
which cannot be solved within the framework introduced here. All the types of
integer variables (char, short, long, ...) and almost all the C operators (34 out of
42) are handled (by capturing their behavior into user-defined constraints).

InKa includes a C parser, a SSA form generator and a constraint system
producer over the clp(fd) library of Sicstus Prolog.



5.2 Experiments 

We only present our experiments on three classical academic programs of the
Software Testing Community and one real-world program, but InKa has been
used successfully on several other programs. The academic programs⁸
are 1) “bsearch”, which is a binary search in a sorted array; 2) a previously
published program named “sample”, which contains arrays, loops and a lot of
dependencies; 3) the famous program “trityp”, which contains numerous
non-feasible paths.

Finally, we introduce the results for a real-world program extracted from an
avionic project, named “ardeta03”. This program mainly contains complex C
structures and bitwise operations but does not contain loops.



5.3 Test Procedure 

For each program, a test datum for each basic block (sequence of statements
without branching) is generated. Of course, this approach is not optimal to

⁷ The evaluation process of an arithmetical expression in a CLP system and the
evaluation of the same expression in the operational software may yield different results.

⁸ The source code of these programs is available on-line.
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reach a complete block coverage since no coverage information is reused between 
two generations. 

For each selected block, we have compared InKa to the random method 
and to the published results of Testgen. We have performed our experiments 
on a 300MHz Sun UltraSparc 5. A time-out of 10 seconds per block was set. 
In 10 seconds, the random method generated approximately 10^? test data, 
while InKa generated only one test datum. To limit the factor of “bad luck” 
which may occur with the random method, we repeated the generation 10 times 
with different initial values for the linear congruential algorithm, and we only 
considered the best results. 

The Testgen publication reports results on the three academic programs 
among others. The Testgen technique starts with a random generation of values 
which determines the success of the method. They performed their experiments 
on a PC with a 60MHz Pentium processor. A time-out was set to 5 minutes and 
the same test procedure as ours was applied, except that they repeated their 
search 10 times for each block. Their “coverage represents the percentage of nodes 
for which at least one try was successful in finding input data”. According 
to this definition, they found 100% for each program. 

5.4 Results 

The results are shown in Fig. 5. The number of lines of code and the number of 
statement blocks are reported in the first two columns, whereas an estimate of 
the search space is reported in the third column (number of possible test data). 
The last three columns contain the results of block coverage obtained with the 
three different approaches. 



Programs   loc   blocks   test data   Testgen*   Random**   InKa** 
bsearch     21       10     > 10^?       100%       100%     100% 
sample      33       14     > 10^?       100%        93%     100% 
trityp      40       22     > 10^?       100%        86%     100% 
ardeta03   157       38     > 10^?          -        74%     100% 

(*) 50 minutes on PC Pentium (60MHz) for each block 
(**) 10 seconds on Sun Sparc 5 (300MHz) under Solaris 2.5 for each block 

Fig. 5. Comparison on block coverage 



5.5 Analysis 

Testgen did allow 50 minutes per block whereas InKa did not spend more than 
10 seconds on each block. The tests with Testgen have been done on a PC with a 
60MHz Pentium processor while InKa was run on a 300MHz Sun UltraSparc 5. If 
we assume that there is less than a factor 30 between these two computers, InKa 
is still 10 times faster than Testgen (see the note in section 6). 




Fig. 6. Time required to generate a solution for each block 



Let us look in more detail at what happens on one of the programs. We report 
in Fig. 6 the curve of times required to generate a solution for the program 
“trityp” by the last two methods. First, note that the time required by the 
random method is smaller on some blocks. In fact, InKa requires a nominal 
time to generate the constraint system and to solve it, even if it is very easy to 
solve. Second, note that the random method fails on some blocks. For instance, 
block 14 requires the random method to generate a sequence of three equal 
integers. On the contrary, this block does not introduce a particular difficulty 
for InKa, because such a constraint is easily propagated. 
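As an added example (not part of the paper and not InKa's code), the following Python script contrasts the random method with constraint propagation on a block guarded by the equality chain a == b == c, the shape of trityp block 14 discussed above; the LCG constants, the bit widths and all function names are my own choices.

```python
"""Random vs. constraint-based test data generation for a block guarded by an
equality chain, modelled on the trityp block 14 failure mode (three equal
integers).  Added example; names and constants are my own, not InKa's."""


def lcg(seed, a=1103515245, c=12345, m=2 ** 31):
    """Linear congruential generator (glibc-style constants, chosen here)."""
    while True:
        seed = (a * seed + c) % m
        yield seed


def block14_reached(a, b, c):
    """Constructed stand-in for the trityp block that needs three equal sides."""
    return a == b == c


def random_method(seed, budget, width):
    """The random method: draw triples of width-bit unsigned integers until the
    block is reached or the budget is spent. Returns the triple found, or None."""
    gen = lcg(seed)
    mask = (1 << width) - 1
    for _ in range(budget):
        # take the high-order bits of each output: the low-order bits of an LCG
        # cycle far too regularly to be used as independent draws
        a, b, c = (((next(gen) >> 15) & mask) for _ in range(3))
        if block14_reached(a, b, c):
            return (a, b, c)
    return None


def propagate_equalities(domains, equalities):
    """Interval propagation for x = y constraints: equal variables are narrowed
    to the intersection of their intervals. Returns False when an interval
    becomes empty (the constraint system is unsatisfiable)."""
    changed = True
    while changed:
        changed = False
        for x, y in equalities:
            lo = max(domains[x][0], domains[y][0])
            hi = min(domains[x][1], domains[y][1])
            if lo > hi:
                return False
            for v in (x, y):
                if domains[v] != (lo, hi):
                    domains[v] = (lo, hi)
                    changed = True
    return True


def constraint_method(width):
    """Build the constraint system of the block over width-bit unsigned domains,
    propagate, then label: once a == b == c has been propagated, fixing a fixes
    b and c without any search. Returns the generated test datum (a, b, c)."""
    domains = {v: (0, (1 << width) - 1) for v in "abc"}
    equalities = [("a", "b"), ("b", "c")]      # path condition of the block
    if not propagate_equalities(domains, equalities):
        return None
    lo, _ = domains["a"]
    domains["a"] = (lo, lo)                    # label a with its smallest value
    propagate_equalities(domains, equalities)  # b and c follow immediately
    return tuple(domains[v][0] for v in "abc")


def expected_random_attempts(width):
    """A random triple of width-bit values is equal with probability 2^-(2*width),
    so the expected number of random attempts is 2^(2*width)."""
    return 2 ** (2 * width)


if __name__ == "__main__":
    for width in (8, 16):
        found = random_method(seed=1, budget=100_000, width=width)
        print(f"{width}-bit random, 10^5 tries (expected "
              f"{expected_random_attempts(width)} needed): {found}")
    print("constraint propagation, 32-bit:", constraint_method(32))
```

With 32-bit C integers the expected number of random attempts is 2^64, which is why a random generator with a 10-second budget never reaches such a block while propagation solves it in one step.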



6 Perspective 

First experiments are promising but, of course, more experiments have to be 
performed on non-academic programs to validate the proposed approach. The 
main extension of our CLP framework concerns the handling of pointer variables. 
Unlike scalars, pointer variables cannot directly be transformed into logical vari- 
ables because of the aliasing problem. In fact, an indirect reference and a variable 
may refer to the same memory location at some program point. In earlier work, we 
proposed to handle this problem for a restricted class of pointers: pointers to 
stack-allocated variables. Our approach, based on a pointer analysis, does not 
handle dynamically allocated structures. For some classes of applications, this 
restriction is not important. However, the treatment of all pointer variables is 
essential to extend our CLP framework to a wide spread of real-world applica- 
tions. 

Note that InKa is written in Prolog while Testgen is written in C. 
Abstract. A number of diagnostic and optimisation problems in Electronics 
Computer Aided Design have usually been handled either by specific tools or 
by mapping them into a general problem solver (e.g. a propositional Boolean 
SAT tool). This approach, however, requires models with substantial 
duplication of digital circuits. In Constraint Logic Programming, the use of 
extra values in the digital signals (other than the usual 0/1) was proposed to 
reflect their dependency on some faulty gate. In this paper we present an 
extension of this modelling approach, using set variables to denote dependency 
of the signals on sets of faults, to model different circuits problems. We then 
show the importance of propagating constraints on sets cardinality, by 
comparing Cardinal, a set constraint solver that we implemented, with a 
simpler version that propagates these constraints similarly to Conjunto, a 
widely available set constraint solver. Results show speed ups of Cardinal of 
about two orders of magnitude, on a set of diagnostic problems. 



1 Introduction 

A number of problems in Electronics Computer Aided Design (ECAD) have been 
widely studied and they are still the subject of active research, with a variety of 
approaches. The evolution of the area, with new technologies and continuous new 
requirements and needs, makes it a suitable application field for CLP [12], whose 
usefulness has already been exemplified and discussed [17]. 

One particular sub-area of ECAD that deserves plenty of attention is that of 
Automatic Test Pattern Generation (ATPG), which aims at checking whether a circuit 
is faulty or not. In this context, a digital circuit (e.g. a VLSI chip) is regarded as a 
black box, performing some function, and one has only access to its inputs and 
outputs. The basic problem consists of finding an input test pattern for a specific 
faulty gate, i.e. an input that makes the output dependent on whether the gate is faulty 
or not. In general, one is not interested in the basic problem but rather in some related 
and more complex problems. 

One such problem is the generation of minimal sets of test patterns, i.e. in finding 
sets of test patterns with minimum cardinality that cover all the possible faults in a 
digital circuit. A related problem is finding maximal test patterns, i.e. those that 
maximise the number of faults they unveil. A third problem, diagnosis, aims at 
generating patterns for a circuit that would produce different outputs for different sets 
of faulty gates. The problem is not only interesting in itself, but has possible 
applications on the related optimisation problems. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 414-428, 2000. 
These problems have usually been handled either by specific tools or by modelling 
them in some appropriate form to be subsequently dealt with by a general problem 
solver (e.g. a Boolean SAT-based solver [15]). Current techniques to deal with the 
problem of diagnosis try to generate input vectors that cause different outputs in two 
circuits. In [9] one tries to detect one fault assuming the circuit has the other; in [8] 
one tries to detect one fault without detecting the other; finally, in [14] one tries to 
detect both, and afterwards to undetect one of them. The complexity of the diagnosis 
increases significantly with the extra circuitry involved, though, and modelling the 
above referred optimisation problems into a SAT solver poses a more challenging 
problem with respect to the multiplication of circuits [13], and the associated 
combinatorics. 

As an alternative to Boolean satisfiability, a CLP system presented in [16] adds 
two extra values to the usual Boolean 0/1 values to code the dependency of a digital 
signal on the (faulty) state of a gate. With this extension, a test pattern is an input of 
the circuit that yields an output with one such extra value. In [2], this idea was adopted 
and extended further for diagnostic problems, by introducing a logic whose 8 values 
were used not only to represent dependency on a faulty gate, but also to discriminate 
the dependencies between two sets of faulty gates. Nevertheless, this 8-valued logic 
does not allow the modelling of ATPG related optimisation problems. 

In this paper we discuss an alternative approach using CLP over sets as a unifying 
modelling framework for all these ATPG related problems, whereby the dependency 
on sets of faults is modelled by explicit consideration of these sets in the signals that 
are carried throughout the digital circuit. 

Although avoiding the duplication of circuitry required by the Boolean approach, 
the domains of the variables in this new modelling become more complex, requiring 
the handling of set constraints, and their efficient constraint solving. Conjunto [6] was 
a first language to represent set variables by set intervals with a lower and an upper 
bound considering set inclusion as the partial ordering. Consistency techniques are 
then applied to set constraints by interval reasoning [3]. This language, implemented 
as an ECLiPSe [4] library, represented a great improvement over previous CLP 
languages with set data structures [6]. 

Conjunto makes a limited use of the information about the cardinality of set 
variables. The reason for this lies in the fact that it is in general too costly to derive all 
the inferences one might do over the cardinality information, in order to tackle the 
problems Conjunto had initially been designed for (i.e. large scale set packing and 
partitioning problems) [7]. Nonetheless, and given their nature, we anticipated that 
some use of this information could be quite useful and speed up the solving of ATPG 
related problems. We thus developed a new constraint solver over sets with two 
versions. The first fully uses constraint propagation on sets cardinality; the other uses 
a more limited amount of constraint propagation, similar to that used in Conjunto. In 
the following we will refer to these versions as Cardinal and "Conjunto", respectively. 

In this paper we present a formal definition of Cardinal and show that, in a 
preliminary evaluation with diagnostic problems in digital circuits, it has a significant 
speed up (over 100 times, on average) over "Conjunto". The paper is organised as 
follows. Section 2 addresses the modelling of ATPG problems with set constraints. 
Section 3 describes Cardinal. Section 4 presents some implementation issues as well 
as preliminary results. Section 5 summarises conclusions and discusses further work. 
2 Modelling 

A digital circuit is composed of gates performing the usual Boolean logic operations 
(and, xor, not, ...) on their input bits to determine the output bits. A digital signal has 
two possible values, 0 or 1, and the circuit gates (or their connections) might be faulty. 
We will only address the usual stuck-at-X faults (X= 0 or 1), whereby the output of a 
gate is X regardless of its input. 

For some circuit under consideration, let $n_i$ and $n_o$ be the number of input and 
output bits, respectively, $I$ the set of all possible inputs ($\#I = 2^{n_i}$), and $out(b,i,F)$ 
the output value for bit number $b$ ($b \in 1..n_o$) under input $i$ ($i \in I$) when the 
circuit exhibits a set of faults $F$. With such notation, a number of ATPG related 
problems can be formulated: 

1. ATPG (Basic). Find an input test pattern $i$ for a set of faults $F$, i.e. an input for 
which some output bit of the circuit is different when the circuit has faults $F$ or has 
no faults. 

$test(F,i) \Leftrightarrow \exists b \in 1..n_o,\ out(b,i,F) \neq out(b,i,\emptyset)$ 

2. Diagnosis. Find an input test pattern $i$ that differentiates two diagnostic sets $F$ and 
$G$, i.e. an input $i$ for which some output bit of the circuit is different when the 
circuit has faults $F$ or $G$. 

$diff(\{F,G\},i) \Leftrightarrow \exists b \in 1..n_o,\ out(b,i,F) \neq out(b,i,G)$ 

Let $D$ now denote a set of diagnostic sets (these can be a set of more common faults, 
but in the limit $D$ may represent all possible sets of faults in the circuit). The next two 
related optimisation problems deal with sets with varying cardinality. 

3. Maximisation. Find an input $i$ which is a test pattern for a maximum number of 
diagnoses in $D$. Set $D_i \subseteq D$ now denotes the set of faulty gates for which input $i$ is 
an input test pattern, i.e. 

$D_i = \{F \mid F \in D \wedge test(F,i)\}$ 
$max(D,i) \Leftrightarrow \forall j \in I,\ \#D_j \leq \#D_i$ 

4. Minimisation. Find a minimal set $S$ of input test patterns that cover all diagnoses 
in $D$ (the definition of covering is given below, and $P(I)$ is the power-set of $I$). 

$cover(D,S) \Leftrightarrow \forall F \in D\ \exists i \in S : test(F,i)$ 

$min(D,S) \Leftrightarrow cover(D,S) \wedge \forall S' \in P(I),\ \#S' \geq \#S \vee \neg cover(D,S')$ 

Given these ATPG related problems, we now present two alternatives to model them, 
the first representing digital signals with sets and Booleans, the second adopting a 
pure set representation. 

2.1 Modelling Digital Signals with Sets and Booleans 

Since the faulty behaviour can be explained by several of the possible faults, we 
represent a signal not only by its normal value but also by the set of diagnoses it 
depends on. More specifically, a signal is denoted by a pair L-N, where N is a Boolean 
value (representing the Boolean value of the circuit if it had no faults) and L is a set of 
diagnostic sets that might change the signal into the opposite value. For instance, 
X={{f/0,g/0},{i/1}}-0 means that signal X is normally 0 but if both gates f and g are 
stuck-at-0, or gate i is stuck-at-1, then its actual value is 1. Thus ∅-N represents a 
signal with constant value N, independent of any fault. 

Any circuit gate either belongs or not to the universe D of possible faults. We next 
show how to model the different gate types to process signals in the form of pairs L-N. 



2.1.1 Normal Gates 

Normal gates (those with no faults included in D) fully respect the Boolean operation 
they represent. We discuss the behaviour of not- and and-gates as illustrative of these 
gates, the others can be modelled as combinations of these. 

Given the above explanation of the encoding of digital signals, it is easy to see 
that, for a normal not-gate whose input is signal L-N, the output is simply L-¬N, since 
the set of faults on which it depends is the same as the input signal. 

As for the and-gate, three distinct situations may arise as illustrated below: 



Fig. 1. And-gate. Three cases: normal inputs L1-1 and L2-1 give the output (L1 ∪ L2)-1; 
normal inputs L1-0 and L2-0 give the output (L1 ∩ L2)-0; normal inputs L1-0 and L2-1 
give the output (L1 \ L2)-0. 

In the absence of faults the output is the conjunction of the normal inputs. However, 
the output may be different from this normal value due to faulty inputs. In the first 
case of Fig. 1, with two 1s as normal inputs, it is enough that a fault in either set L1 or 
L2 occurs for the output to change, thus justifying the union of the sets in the 
output signal. In the second case (two 0s), it is necessary that faults occur in both L1 
and L2 to invert the output signal, thus imposing an intersection of the input sets. In 
the last case, to obtain an output different from the normal 0 value, it is necessary to 
invert the normal 0 input (i.e. to have faults in set L1) but not the normal 1 input (i.e. 
no faults in set L2), which justifies the set difference in the output. 



2.1.2 S-Buffers 

The gates that participate in the universe of faults D (i.e. that can either be stuck-at-0 
or stuck-at-1) may be modelled by means of a normal gate to which a special buffer, 
an S-buffer, is attached at the output. As such, all gates are considered normal, and 
only S-buffers can be stuck. An S-buffer for a gate g has associated to it a set $L_g$ of 
diagnostic sets where g appears as stuck. Since g can appear either as stuck-at-0 or 
stuck-at-1, we split this set in two ($L_{g0}$ and $L_{g1}$), one for each type of diagnoses: 

$L_{g0} = \{diag \in D : g/0 \in diag\}$ 
$L_{g1} = \{diag \in D : g/1 \in diag\}$ 
$L_g = L_{g0} \cup L_{g1}$ 
Table 1. S-buffer output 

In      | Out 
∅-0     | $L_{g1}$-0 
∅-1     | $L_{g0}$-1 
$L_i$-0 | $L_{g1} \cup (L_i \setminus L_{g0})$-0 
$L_i$-1 | $L_{g0} \cup (L_i \setminus L_{g1})$-1 
The modelling of S-buffers is shown in Table 1. When the input is 0 independently of 
any fault, the S-buffer output would normally also be 0, but if it is stuck-at-1 then it 
becomes 1, thus depending on set $L_{g1}$. More generally, if the normal input is 0 but 
dependent on $L_i$, the output depends not only on $L_{g1}$ but also on input dependencies 
$L_i$ (except if they include fault g/0). The same reasoning can be applied to the case 
where the normal input signal is 1, and the whole Table 1 is generalised as shown in Fig. 2. 



Fig. 2. S-buffer: an input L-N yields the output $L_{g\bar{N}} \cup (L \setminus L_{gN})$-N. 



2.1.3 Modelling the Problems 

To model the diagnosis problem, and differentiate faults in set F from faults in set G 
(the universe is thus D={F,G}, of cardinality 2), either {F}-N or {G}-N must be present 
in a circuit output bit. In any case, a bit L-N must be present in the output where #L=1. 

The goal of the maximisation problem is to maximise the number of output 
dependencies, i.e. the number of diagnoses covered by the input test pattern. The goal 
is then to maximise $\#\bigcup_b L_b$, where b ranges over all the output bits b with signals 
$L_b$-$N_b$. 

The fourth problem (minimisation) is a typical set covering problem: the test 
patterns (I) are the resources, and the diagnoses (D) are the services we want to cover 
with the minimum of resources. Each diagnosis can be tested by a number of test 
patterns, and each test pattern can test a number of diagnoses. The relation between 
these services and resources is test(F,i), which is not fully known a priori, though. 

2.2 Modelling Digital Signals with Sets 

With the previous representation, all digital signals are represented by a pair: a set of 
faults on which it depends plus a Boolean value that the signal takes if there were no 
faults at all. Both the set and the Boolean value can be variables, enforcing constraints 
on two domains to be expressed for each gate, and the modelling presented above 
implies an extensive use of disjunctive constraints, with the corresponding exponential 
complexity. For instance, to express the above and-gates, one needs to know the 
Boolean values of the signals to select the appropriate set constraint. 

It would thus be very convenient to join the two domains into a single one. 
Intuitively, to incorporate the two domains, the new one should be richer than any of 
them. But there is also the possibility of using a simpler one if the loss of information 
is not important for the problem, or if it can be compensated by the introduction of 
extra constraints. This latter alternative is the one we follow here. 
More specifically, we propose the use of a transformation transf, where signals L-0 
are simply represented as L, and L-1 as $\bar{L}$ (the complement of L w.r.t. D): 

$transf(S) = \begin{cases} L, & S = L\text{-}0 \\ \bar{L}, & S = L\text{-}1 \end{cases}$ 

Though transf is not a bijective function (both L-0 and $\bar{L}$-1 are transformed into L), 
we argue that it is quite useful to model our problems. For example, with this 
representation, the and-gate and the S-buffer are simply stated as follows: 



Fig. 3. And-gate and S-buffer over sets: the and-gate with inputs $L_1$ and $L_2$ outputs 
$L_1 \cap L_2$; the S-buffer with input $L$ outputs $L_{g1} \cup (L \setminus L_{g0})$. 



The correctness of this new simplified representation can be checked by simple 
analysis of each case, shown in Tables 2 and 3. 



Table 2. Application of transf function to the inputs and output of an and-gate 

I1      | transf(I1)         | I2      | transf(I2)         | I1 ∧ I2                   | transf(I1 ∧ I2) 
$L_1$-1 | $\overline{L_1}$   | $L_2$-1 | $\overline{L_2}$   | $(L_1 \cup L_2)$-1        | $\overline{L_1 \cup L_2} = \overline{L_1} \cap \overline{L_2}$ 
$L_1$-0 | $L_1$              | $L_2$-0 | $L_2$              | $(L_1 \cap L_2)$-0        | $L_1 \cap L_2$ 
$L_1$-0 | $L_1$              | $L_2$-1 | $\overline{L_2}$   | $(L_1 \setminus L_2)$-0   | $L_1 \setminus L_2 = L_1 \cap \overline{L_2}$ 

Table 3. Application of transf function to the input and output of an S-buffer 

In      | transf(In)       | S-buffer output                            | transf(output) 
$L_i$-0 | $L_i$            | $L_{g1} \cup (L_i \setminus L_{g0})$-0     | $L_{g1} \cup (L_i \setminus L_{g0})$ 
$L_i$-1 | $\overline{L_i}$ | $L_{g0} \cup (L_i \setminus L_{g1})$-1     | $\overline{L_{g0} \cup (L_i \setminus L_{g1})} = \overline{L_{g0}} \cap \overline{L_i \setminus L_{g1}} = \overline{L_{g0}} \cap (\overline{L_i} \cup L_{g1}) = (\overline{L_{g0}} \cap \overline{L_i}) \cup (\overline{L_{g0}} \cap L_{g1}) = (\overline{L_i} \cap \overline{L_{g0}}) \cup L_{g1} = L_{g1} \cup (\overline{L_i} \setminus L_{g0})$ 

In Table 2, the transformed output set is always the intersection of the transformed 
input sets, i.e. transf(I1) ∩ transf(I2) = transf(I1 ∧ I2). Similarly, in Table 3, 
s_buffer($L_g$, transf(Input)) = transf(s_buffer($L_g$, Input)). 

For completion, it may be also noticed that the other gate operations can be 
expressed with the expected set operations: 




Fig. 4. Other gates over sets 
2.2.1 Modelling the Problems 

To solve the diagnosis problem with this representation based exclusively on sets, it is 
still sufficient to ensure that a set L with cardinality 1 is present in an output bit of the 
circuit. Being D={F,G} the set of diagnoses F and G to differentiate, it is equivalent to 
have in an output bit an L (#L=1), in the sets representation, or to have an L-N (#L=1) 
in the mixed representation (pairs Set-Boolean). 

Proof. 

⇒ If L (#L=1) is present in an output bit, it represents either L-0 (#L=1) or $\bar{L}$-1 
(#$\bar{L}$=1, since #D=2). In either case, it solves the problem. 

⇐ If an L-N (#L=1) is present in an output bit, it is either L-0 (represented as L) or 
L-1 (represented as $\bar{L}$). In either case, the represented set has cardinality 1. 

Therefore, the loss of information incurred by the transformation used has no effect in 
this problem, since it is not necessary to add any new constraints to solve it. 

Modelling the maximisation problem in a circuit c is not so straightforward. Since 
a digital signal coded as D does not necessarily mean a dependency on all diagnoses 
(it can represent D-0, as well as ∅-1), maximising the union of all the output bits is 
not adequate. In fact, it is necessary to know exactly whether an output signal depends 
on its set or on its complement. This can be done as shown in Fig. 5. 




Fig. 5. Modelling the maximisation problem with sets 

Circuit c with S-buffers is kept as before, but now the circuit with no S-buffers is 
added, sharing the input bits and with the corresponding output bits xor-ed. Values 
inside the normal circuit are necessarily independent of any faults, and can only be 
represented as ∅ (for ∅-0) and D (for ∅-1). The xor gates in the output bits, receiving 
a set L from the faulty circuit and either ∅ or D (the universe) from the normal one, 
recover the correct dependency set of the signal as being either L or $\bar{L}$ (if the normal 
value were 0 or 1, respectively). A maximisation on the union of these real fault 
dependencies can be performed to obtain a desired solution of the problem. 

The reduction of the problem size by eliminating the Boolean part of the domain is 
now compensated by the duplication of constraints. Still, what could naively be seen 
as a useless manipulation allows an active use of constraints by a set constraint 
solver, avoiding the choice-points that would otherwise be necessary. 

Moreover, the exponential component of search, labelling, is only performed at the 
circuit with S-buffers (the other circuit simply checks this labelling). This is in 
contrast with Boolean SAT approaches, which consider one extra circuit for each 
diagnosis, which is unacceptable, in practice, for a large set of diagnoses [15]. 
The minimisation problem is a meta-problem: it involves sets of solutions to set 
problems. A set variable S could be used ranging from ∅ to P(I), where set S of inputs 
is constrained to cover diagnoses D. The goal is then to minimise the cardinality of S. 

To find a test pattern for a single diagnosis F using sets, we need to model a faulty 
and a normal circuit xor-ing the outputs and checking if at least one set value {F} is 
obtained. This is equivalent to the SAT approach for obtaining test patterns. 

The ideal is to consider all diagnoses D at the same time, with set constraints, and 
include or remove elements from S during the computation, updating the diagnoses 
covered until D is reached, and then start finding smaller sets for S in a branch-and- 
bound manner. This is still an open problem and perhaps the maximisation problem 
can be used to solve this minimisation one, by obtaining intermediate solutions. 

3 Cardinal Set Solver 

Clearly a constraint solver over sets is required to deal with these set problem models 
directly. Conjunto [6] represents set variables by set intervals with a lower and an 
upper bound, considering set inclusion as the partial ordering. In Conjunto, a set 
domain variable S is specified by an interval [a,b] where a and b are known sets, 
representing the greatest lower bound and the lowest upper bound of S, respectively. 
The cardinality of S is a finite domain variable C (#S=C). This cardinality information, 
however, is largely disregarded until it is known to be equal to the cardinality of one 
of the set bounds, in which case an inference rule is triggered to instantiate the set. 

Inferences using cardinalities can be very useful to more rapidly conclude the non- 
satisfiability of a set of constraints, thus improving the efficiency of combinatorial search 
problem solving. As a simple example, if Z is known to be the set difference between 
Y and X, both contained in set {a,b,c,d}, and it is also known that X has exactly 2 
elements, it should be inferred that the cardinality of Z can never exceed 2 elements 
(i.e. from $X, Y \subseteq \{a,b,c,d\}$, $\#X = 2$, $Z = Y \setminus X$ it should be inferred that $\#Z \leq 2$), 
and thus a failure should be detected immediately upon the posting of a constraint 
such as #Z=3. 

Inference capabilities such as these (and others, more complex, discussed below) are 
particularly important when solving set problems where cardinality plays a special 
role, as is the case of the circuit problems seen above. 

In this section we present a new constraint solver, Cardinal, that makes a number 
of such inferences. Cardinal is formally presented as a set of rewriting rules on a 
constraint store. This store maintains constraints over sets and over finite domains (the 
cardinality of the sets), but we only describe the rewriting rules of the set constraints 
(we assume that a finite domain constraint solver maintains bounded arc-consistency, 
or interval consistency, on these constraints). 

3.1 A Set Constraint Solver: Cardinal 

The universe notion is necessary not only for the set complement operation, but also 
for the especial cardinality inferences we propose. Hence we will use U to denote the 
set universe domain (for the proposed circuit problems, the universe is the set of 
diagnoses D), and u to denote the cardinality of U (u = #U). 
A set variable X is represented by $X \in [a_X, b_X]_{C_X}$ (or simply as $[a_X, b_X]_{C_X}$), where 
$a_X$ is its greatest lower bound (i.e. the elements known to belong to X), $b_X$ its lowest 
upper bound (i.e. the elements not excluded from X), and $C_X$ its cardinality (a finite 
domain variable) with domain $D_X$. In the remainder, $a_X$, $b_X$, $C_X$ and $D_X$ will refer to 
these attributes of set X if no confusion arises. Given the transformation presented 
above, fault-independent values such as the circuit inputs are represented by 
$[\emptyset, U]_{C_X : \{0, u\}}$. 

Cardinal implements a number of set constraints such as inclusion, equality, 
difference, membership and disjointness, together with set operations (union, 
intersection, difference and complement), as built-in. We only describe here the 
operations of sets complement and binary intersection and the equality and inclusion 
constraints, since these are enough to model the circuit problems. 

3.1.1 Set Variable 

When a variable is declared as a set variable, it is simply included in the constraint 
store, ensuring the bounds of the variable and that its cardinality C is a finite domain 
variable with domain D: 

(1) $\{tell(X \in [a,b]_{C:D})\} \mapsto \{X \in [a,b]_C,\ C :: D\}$ 

A number of inferences are subsequently maintained. The cardinality must always 
remain inside the limits given by the set bounds (the triggers of these inferences are 
shown in parentheses next to the rewriting rules, and may correspond to one or more 
variables becoming ground, changing bounds, or being bound in the Prolog sense): 

(2) (X: changed bounds) $n = \#a_X,\ m = \#b_X$: $\{\} \mapsto \{C_X \geq n,\ C_X \leq m\}$ 

As in Conjunto, a set variable becomes one of its bounds if their cardinality is the 
same (this rule is triggered only when $C_X$ becomes a fixed value): 

(3) ($C_X$: ground) $C_X = \#a_X$: $\{\} \mapsto \{X = a_X\}$;  $C_X = \#b_X$: $\{\} \mapsto \{X = b_X\}$ 

When there are two domains declared for the same set variable, their intersection must 
be computed and the cardinalities made equal: 

(4) $a = a_1 \cup a_2,\ b = b_1 \cap b_2$: $\{X \in [a_1,b_1]_{C_1},\ X \in [a_2,b_2]_{C_2}\} \mapsto \{X \in [a,b]_{C_1},\ C_1 = C_2\}$ 

Eventually a failure may be detected, either because the lower bound of a set is not 
included in its upper bound, or the domain of the cardinal becomes empty: 

(5) (X: changed bounds) $not(a_X \subseteq b_X)$: $\{\} \mapsto fail$;  $D_X = \emptyset$: $\{\} \mapsto fail$ 



3.1.2 Set Complement 

For the set complement constraint, the existence of a universe of cardinality u is 
assumed, which is used in a finite domain constraint, $C_Y = u - C_X$, over the sets' 
cardinalities. In general, the finite domain constraint solver maintains bounded arc 
consistency on this constraint. Nevertheless, we ensure full arc consistency when the 
constraint is posted: 

(6) $\{tell(X = \bar{Y})\} \mapsto \{C_Y = u - C_X,\ X = \bar{Y}\}$ 

Whenever there is an update of the bounds of one of the sets, the bounds of its 
complement must also be updated accordingly: 

(7) (X: changed bounds) $a = \overline{b_X},\ b = \overline{a_X}$: $\{X = \bar{Y}\} \mapsto \{X = \bar{Y},\ Y \in [a,b]\}$ 

(8) (Y: changed bounds) $a = \overline{b_Y},\ b = \overline{a_Y}$: $\{X = \bar{Y}\} \mapsto \{X = \bar{Y},\ X \in [a,b]\}$ 

Assuming that the universe is not empty, a set cannot be the same as its complement: 

(9) (X or Y: changed bounds) $\{X = \bar{Y},\ X = Y\} \mapsto fail$ 

When the two sets are ground, their complementary nature can be easily checked: 

(10) (X and Y: ground) $ground(X),\ ground(Y),\ a_X = \overline{a_Y}$: $\{X = \bar{Y}\} \mapsto \{\}$;  
$ground(X),\ ground(Y),\ a_X \neq \overline{a_Y}$: $\{X = \bar{Y}\} \mapsto fail$ 

Of course, this rule could be checked even when X or Y are not ground. Nevertheless, 
such a check would only add to the overhead without useful inferences being made. 



3.1.3 Set Equality 

When two sets are told to be equal, so are their cardinalities: 

(11) $\{tell(X = Y)\} \mapsto \{X = Y,\ C_X = C_Y\}$ 

When one bound of a set is updated, so is the corresponding bound of any set 
equal to it (the situation is similar to that of two domains for the same set): 

(12) (X or Y: changed bounds) $a = a_X \cup a_Y,\ b = b_X \cap b_Y$: 
$\{X = Y,\ X \in [a_X,b_X],\ Y \in [a_Y,b_Y]\} \mapsto \{X = Y,\ X \in [a,b],\ Y \in [a,b]\}$ 

Again, when sets are ground, the equality is easily tested: 

(13) (X and Y: ground) $ground(X),\ ground(Y),\ a_X = a_Y$: $\{X = Y\} \mapsto \{\}$;  
$ground(X),\ ground(Y),\ a_X \neq a_Y$: $\{X = Y\} \mapsto fail$ 

Of course, if only one of the sets becomes ground, the previous rule forces the other 
set either to take the same bounds (and become ground, in which case this rule 
eliminates the equality constraint) or an empty domain, causing a failure. 



3.1.4 Set Inclusion 

If Y contains X, then $C_Y$ is greater than or equal to $C_X$: 

(14) $\{tell(X \subseteq Y)\} \mapsto \{X \subseteq Y,\ C_X \leq C_Y\}$ 

When the lower bound (glb) of X increases, the lower bound of Y may also increase; 
and when the upper bound (lub) of Y decreases, so may that of X: 

(15) (X: changed glb) $a = a_X \cup a_Y$: $\{X \subseteq Y\} \mapsto \{X \subseteq Y,\ Y \in [a, b_Y]\}$ 

(16) (Y: changed lub) $b = b_X \cap b_Y$: $\{X \subseteq Y\} \mapsto \{X \subseteq Y,\ X \in [a_X, b]\}$ 

If $b_X$ is contained in $a_Y$, or X is the same as Y, the constraint $X \subseteq Y$ is trivially 
satisfied and can be eliminated from the store: 

(17) (X or Y: bound) $ground(X) \vee ground(Y),\ b_X \subseteq a_Y$: $\{X \subseteq Y\} \mapsto \{\}$;  
$\{X \subseteq Y,\ X = Y\} \mapsto \{X = Y\}$ 
3.1.5 Set Intersection 

While for the set complement the universe must be given, for the intersection Z of sets X and Y the universe can be taken as the union of the upper bounds (U = b_X ∪ b_Y), u being its cardinality.

The following rule states that the intersection of two sets must be contained in both sets, and posts a special constraint on the cardinality of the set intersection:

$\{\mathit{tell}(Z = X \cap Y)\} \vdash\!\to \{Z = X \cap Y,\; \mathit{tell}(Z \subseteq X),\; \mathit{tell}(Z \subseteq Y),\; \mathit{tell}(C_Z = X \otimes Y)\}$   (18)

The special cardinality constraint over sets (C_Z = X ⊗ Y) ensures that each possible value for C_Z has a supporting cardinality pair in the domains D_X and D_Y when the intersection is posted. Before formalising this operation, we first analyse what the domain of the cardinality C_Z can be. If we take possible cardinality values c_X of D_X and c_Y of D_Y, and the sum of c_X and c_Y exceeds u, there must be elements common to X and Y, and their intersection has at least c_X + c_Y − u elements.

To reason about the upper bound, C_Z can never exceed c_X nor c_Y since Z is the intersection of the sets. The elements in a_X not in b_Y (i.e. a_X \ b_Y) can safely be subtracted from c_X since they are definitely not part of the intersection, but are counted in c_X (so an upper bound is c_X − #(a_X \ b_Y)). A similar reasoning may be done for Y, yielding another upper bound. A final upper bound can thus be taken as the minimum of the two (i.e. min(c_X − #(a_X \ b_Y), c_Y − #(a_Y \ b_X))).

Thus for each pair c_X and c_Y, an integer range for C_Z is calculated, and the ranges for all such pairs are eventually merged. This can in fact be regarded as maintaining arc-consistency between the cardinalities of X, Y and Z, when Z = X ∩ Y. In fact, this arc-consistency is enforced when the constraint is first told:

$\{\mathit{tell}(C_Z = X \otimes Y)\} \vdash\!\to \{C_Z \in \{\, n : \exists\, i \in D_X,\ j \in D_Y,\ i + j - u \le n \le \min(i - \#(a_X \setminus b_Y),\ j - \#(a_Y \setminus b_X)) \,\}\}$   (19)

The usefulness of this rule for the problems we address can be illustrated with the diagnosis problem. Let us take two sets X and Y which can both be ∅ or D = {f, g}, and have them intersected (this is a typical case when two input bits are connected through an and-gate). While their set domain is the convex closure of the two bounds, their cardinality can only be 0 or 2. To find the cardinality domain of their intersection we examine the cardinality pairs <c_X, c_Y> = <0,0>, <0,2>, <2,0> and <2,2>. The first three pairs yield only the value 0 as a possible intersection cardinality, since one set has no elements. Pair <2,2> yields the single value 2, since u is also 2 (c_X + c_Y − u = 2 + 2 − 2 = 2). Thus the final cardinality domain for the intersection of the sets is also {0,2}. If only interval reasoning were performed on cardinality, the result would be the full range {0,1,2}.
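The cardinality reasoning of rule (19) on the and-gate case just described, next to plain interval reasoning and the weaker bounds that the later maintenance rules (20) to (22) keep, as an added Python example (not the paper's ECLiPSe/Cardinal code); SetVar, set_var, intersection_card_domain, interval_card_domain and maintenance_bounds are names of this example, and the sample sets are constructed.

```python
"""Cardinality domain of a set intersection Z = X ∩ Y.

Added example in Python, not the paper's ECLiPSe code.  A set variable is a
set interval [a, b] (a = definite elements, b = possible elements) plus a
cardinality domain D; the universe is U = b_X ∪ b_Y with u = #U, as in the
paper.  All function and class names below are this example's own.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class SetVar:
    glb: FrozenSet[str]     # a_S: elements definitely in S
    lub: FrozenSet[str]     # b_S: elements possibly in S (a_S ⊆ b_S)
    card: FrozenSet[int]    # D_S: admissible cardinalities of S


def set_var(glb, lub, card=None) -> SetVar:
    """Build a SetVar; without an explicit cardinality domain use #a_S .. #b_S."""
    glb, lub = frozenset(glb), frozenset(lub)
    if not glb <= lub:
        raise ValueError("set interval needs a_S ⊆ b_S")
    if card is None:
        card = range(len(glb), len(lub) + 1)
    return SetVar(glb, lub, frozenset(card))


def intersection_card_domain(x: SetVar, y: SetVar) -> FrozenSet[int]:
    """Rule (19): D_Z = { n : ∃ i ∈ D_X, j ∈ D_Y .
         i + j - u <= n <= min(i - #(a_X \\ b_Y), j - #(a_Y \\ b_X)) }.
    The lower end is clamped at 0 because C_Z is a cardinality (the paper's
    integer solver would drop negative values anyway)."""
    u = len(x.lub | y.lub)
    drop_x = len(x.glb - y.lub)     # sure X elements that cannot be in Z
    drop_y = len(y.glb - x.lub)     # sure Y elements that cannot be in Z
    dom = set()
    for i in x.card:
        for j in y.card:
            lo = max(0, i + j - u)              # i + j > u forces an overlap
            hi = min(i - drop_x, j - drop_y)    # Z ⊆ X and Z ⊆ Y, misfits removed
            dom.update(range(lo, hi + 1))       # empty when lo > hi
    return frozenset(dom)


def interval_card_domain(x: SetVar, y: SetVar) -> FrozenSet[int]:
    """What interval reasoning alone gives: Z ∈ [a_X ∩ a_Y, b_X ∩ b_Y], so C_Z
    ranges over the whole integer interval #(a_X ∩ a_Y) .. #(b_X ∩ b_Y)."""
    return frozenset(range(len(x.glb & y.glb), len(x.lub & y.lub) + 1))


def maintenance_bounds(x: SetVar, y: SetVar, z: SetVar) -> Tuple[int, int]:
    """Bounds kept after posting by rules (20)-(22), which only look at the
    bounds of C_X and C_Y:
      (20) C_Z <= C_X - #(a_X \\ b_Y)      (21) C_Z <= C_Y - #(a_Y \\ b_X)
      (22) C_Z >= C_X + C_Y - n,  n = #b_X + #b_Y - #b_Z"""
    n = len(x.lub) + len(y.lub) - len(z.lub)
    lo = max(0, min(x.card) + min(y.card) - n)
    hi = min(max(x.card) - len(x.glb - y.lub),
             max(y.card) - len(y.glb - x.lub))
    return lo, hi


def and_gate_example():
    """The paper's diagnosis case (constructed sample): two input bits X and Y,
    each either ∅ or D = {f, g}, connected through an and-gate."""
    x = set_var((), {"f", "g"}, {0, 2})
    y = set_var((), {"f", "g"}, {0, 2})
    z = set_var(x.glb & y.glb, x.lub & y.lub)       # Z ∈ [a_X ∩ a_Y, b_X ∩ b_Y]
    return {
        "arc": intersection_card_domain(x, y),      # {0, 2}
        "interval": interval_card_domain(x, y),     # {0, 1, 2}
        "maintained": maintenance_bounds(x, y, z),  # (0, 2)
    }


if __name__ == "__main__":
    for name, value in and_gate_example().items():
        print(f"{name:>10}: {sorted(value) if isinstance(value, frozenset) else value}")
```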

Instead of checking pairs of integers, it is equivalent and more efficient to check pairs of sub-ranges and their bounds when the constraint is posted. Nevertheless, this arc-consistency is very costly to maintain, so it is only checked when the constraint is posted. Subsequently, only bounded arc-consistency is maintained on the cardinality of the sets (by the underlying finite domain constraint solver):



(X: changed glb or Y: changed lub)
$\frac{n = \#(a_X \setminus b_Y)}{\{Z = X \cap Y\} \vdash\!\to \{Z = X \cap Y,\; C_Z \le C_X - n\}}$   (20)

(X: changed lub, Y: changed glb)
$\frac{n = \#(a_Y \setminus b_X)}{\{Z = X \cap Y\} \vdash\!\to \{Z = X \cap Y,\; C_Z \le C_Y - n\}}$   (21)

(X or Y: changed lub)
$\frac{n = \#b_X + \#b_Y - \#b_Z}{\{Z = X \cap Y\} \vdash\!\to \{Z = X \cap Y,\; C_Z \ge C_X + C_Y - n\}}$   (22)



A number of other inferences are performed regarding intersection. The lower bound 
of the set intersection is kept as the intersection of the lower bounds of the arguments: 



(X or Y: changed glb)
$\frac{a = a_X \cap a_Y}{\{Z = X \cap Y\} \vdash\!\to \{Z = X \cap Y,\; Z \in [a, b_Z]\}}$   (23)



If both arguments are the same set, their intersection is that set (idempotence): 



(X or Y: bound)
$\{Z = X \cap Y,\; X = Y\} \vdash\!\to \{X = Y,\; \mathit{tell}(Z = X)\}$   (24)

If the intersection Z is known to be the same set as one of its arguments, then the intersection constraint may be eliminated (as Z ⊆ X and Z ⊆ Y):

(X or Y: bound)
$\{Z = X \cap Y,\; X = Z\} \vdash\!\to \{X = Z\}$   $\{Z = X \cap Y,\; Y = Z\} \vdash\!\to \{Y = Z\}$   (25)

Conversely, if an argument contains the other, the intersection is the included set: 

(X or Y: bound)
$\frac{\mathit{ground}(Y),\ b_X \subseteq a_Y}{\{Z = X \cap Y\} \vdash\!\to \{\mathit{tell}(Z = X)\}}$   $\frac{\mathit{ground}(X),\ b_Y \subseteq a_X}{\{Z = X \cap Y\} \vdash\!\to \{\mathit{tell}(Z = Y)\}}$   (26)

Although inclusion could be inferred more generally, for efficiency reasons this rule is 
only triggered when either one of the arguments is ground. These four 
simplification/simpagation rules [5] exploit the fact that the universe is the neutral 
element of the intersection. Here, the universe is the set argument containing the other. 

All elements common to X and Y must be in Z. That is, X and Y must have no common elements outside Z. This is a costly operation, so it is performed only once (when Z is ground):

(Z: ground)
$\frac{b_X' = b_X \setminus (a_Y \setminus a_Z),\ b_Y' = b_Y \setminus (a_X \setminus a_Z)}{\{Z = X \cap Y\} \vdash\!\to \{Z = X \cap Y,\; X \in [a_X, b_X'],\; Y \in [a_Y, b_Y']\}}$   (27)
4 Implementation and Results

We used ECLiPSe with attributed variables to implement Cardinal, a set constraint solver with cardinality inferences based on the above rules. The attributes of a set variable are its domain and its cardinality together with lists of suspended goals, since we used the underlying predicate suspension handling mechanism. The cardinality is an integer variable handled by the ECLiPSe finite domain library. To represent the domain of a set S as a set interval we need its bounds a_S and b_S. Since a_S ⊆ b_S, it is enough to store a_S as the definite elements of S, and the difference b_S \ a_S as the possible extra elements of S. For efficiency reasons, the sizes of the two bounds are also stored.

Gate constraints are currently implemented based on just two basic set operations: 
complement (not-gate) and binary intersection (and-gate). Set complement constraints 
take as arguments the universe and the input and output set variables. In general, 
constraints perform all the possible inferences when posted (interval-consistency on 
the sets; arc-consistency on their cardinalities), while their subsequent maintenance 
only ensures arc-consistency on their bounds. The rationale for this is that it is worth 
spending more time trying to reduce domains, only if this effort is not done too often. 

Our labelling strategy for circuit problems finds, for the relevant output bits and S-buffers, the inputs they depend on. These are then labelled by assigning values (0 or u) to their cardinality. If successful, the rest of the circuit input is labelled.

To assess the advantages of cardinality inferences, we removed from Cardinal the inferences that are not implemented in Conjunto (i.e. rewrite rules 6, 14, 18 to 22 and 24 to 27 presented in section 3). As mentioned before, this simpler version is referred to as "Conjunto". We then tried to solve the same problems for the standard ISCAS digital circuits benchmarks [10] using Cardinal and "Conjunto". From a set of diagnosis benchmarks created over these circuits [1], we randomly picked pairs of diagnoses to differentiate. The results are shown in Table 4 (times reported in seconds on a Pentium III, 500 MHz).



Table 4. Experimental Results (times in seconds)

circuit  Diag1      Diag2      Diff.  "Conjunto"  Cardinal  Speed-up
c432     380gat/0   415gat/1   X           8.1       0.4      20.3
c432     431gat/0   428gat/1   V          39.4       1.3      30.3
c432     431gat/0   419gat/0   V          37.9       1.4      27.1
c432     428gat/1   419gat/0   X          24.0       1.0      24.0
c1908    1541/1     1538/0     V          24.2       3.2       7.6
c1908    860/1      72/1       V         156.3       1.3     120.2
c1908    72/1       71/0       X         194.9       1.0     194.9
c3540    855/0      707/1      V           4.1       6.1       0.7
c3540    955/0      954/0      X        3482.8       2.4    1451.2
c3540    855/0      707/1      V           1.8       3.2       0.6
c3540    403/0      3544/1     V         352.1       2.9     121.4
c6288    5671gat/0  5537gat/1  V       > 86400      11.0  > 7854.5
c6288    6288gat/1  6285gat/0  V        > 3600       8.9   > 404.5
c6288    813gat/0   6123gat/0  V        > 3600       8.9   > 404.5




Modelling Digital Circuits Problems with Set Constraints



This table, with results for 4 ISCAS circuits, indicates the time that Cardinal and "Conjunto" needed to find a differentiating test pattern between Diag1 and Diag2 (marked as V) or to prove it is impossible (i.e. the faults are indistinguishable, shown as X). For example, the first line reports that the differentiation of gate 380gat stuck-at-0 from gate 415gat stuck-at-1, in circuit c432, took 8.1 seconds in "Conjunto" and 0.4 seconds in Cardinal.

Globally, it can be stated that Cardinal showed a speed-up of two orders of magnitude compared to "Conjunto" on this set of problems (and others we tried), although, as expected, the improvement was not uniform over all the tests.

While for circuit c432 Cardinal showed a consistent speed-up around 25, for larger circuits the variation can be quite large. In circuits c1908 and c3540, the speed-up ranges from 0.6 to 1451.2, Cardinal being more efficient in harder problems (especially those where there is no differentiating pattern between the two diagnoses). For the two instances in circuit c3540 where there was an easy solution for "Conjunto", Cardinal was slower due to the extra inferences performed, and the times thus reflect this overhead. The extra computing effort may be largely compensated, as the tests in c6288 show, where Cardinal easily found a solution, whereas "Conjunto" had to be aborted in all three tests after one hour (one particular test was even kept running for one day of unsuccessful processing). Of course, the speed-up can be arbitrarily large whenever not enough propagation is achieved and we start labelling variables, since the execution time is exponential in the number of these variables.

Due to all the special inferences and list processing, we expected Cardinal to experience problems with larger circuits or in problems with many diagnoses. Also, since the general feeling is that, in practice, it is very costly to perform all the desired inferences over sets and their cardinalities, we tried to create another version with n-ary gates but with fewer inferences, which produced results that were midway between "Conjunto" and Cardinal. The fact is that Cardinal still managed to efficiently solve problems for the largest of the benchmark circuits (c7552), so no improvements were obtained by reducing inferences.

5 Conclusions and Further Research 

In this paper we showed how to model ATPG related problems in digital circuits with 
a constraint logic programming approach. We reckon our approach has great potential 
in this area, since competing alternatives, based on SAT, require substantial 
duplication of the circuits under consideration. In contrast, our technique uses set 
variables to denote dependency of faults and is able to model the problems without 
adding extra circuitry (more precisely, without imposing the labelling of more 
variables, the exponential part of search). 

Since we deal with set variables and set constraints, we realised that existing set constraint solvers were not adequate to handle these problems, as they were not actively using important information about the cardinality of the sets, a key feature in these problems. We therefore implemented an optimised set constraint solver, Cardinal, and compared it with a simplified version with propagation similar to that of the widely available solver Conjunto. Preliminary experimental results show that Cardinal obtains a speed-up of about two orders of magnitude over "Conjunto" on a set of diagnostic problems.
We are now working on two directions. On the one hand we will compare our
results with results obtained with specialised SAT based tools dealing with the same 
problems. On the other hand, we will implement a second version of Cardinal that 
deals with optimisation problems. We are now starting a project with colleagues using 
a SAT tool, and we expect to have soon available more substantial evaluation results 
and comparison of the approaches. 

Acknowledgements: The first author was financially supported by "Sub-Programa Ciência e Tecnologia do 2º Quadro Comunitário de Apoio". We would also like to thank the anonymous referees and Carmen Gervet for their helpful comments.
Abstract. This paper proposes to promote constraints to first-class status. In contrast to constraint propagation, which performs inference on values of variables, first-class constraints allow reasoning about the constraints themselves. This lets the programmer access the current state of a constraint and control a constraint's behavior directly, thus making powerful new programming and inference techniques possible, such as the combination of constraint propagation and rewriting constraints à la term rewriting. First-class constraints allow for true meta constraint programming. Promising applications in the field of combinatorial optimization include early unsatisfiability detection, constraint reformulation to improve propagation, garbage collection of redundant but not yet entailed constraints, and finding minimal inconsistent subsets of a given set of constraints for debugging immediately failing constraint programs.

We demonstrate the above-mentioned applications by means of examples. The experiments were done with Mozart Oz but can be easily ported to other constraint solvers.

Keywords: Constraint programming, first-class constraints, early failure detection, simplification and garbage collection of constraints, minimal sets of inconsistent constraints.



1 Introduction 

This paper proposes to promote constraints to first-class status and presents three applications for combinatorial problems. In contrast to constraint propagation, which performs inference on values of variables, first-class constraints allow reasoning about the constraints themselves. This lets the programmer access the current state of a constraint and control a constraint's behavior directly, thus making powerful new programming and inference techniques possible, such as the combination of constraint propagation and rewriting constraints à la term rewriting. Promising applications in the field of combinatorial optimization include early unsatisfiability detection, constraint reformulation to improve propagation, and garbage collection of redundant but not yet entailed constraints.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 429–..., 2000. © Springer-Verlag Berlin Heidelberg 2000. Tobias Müller.

Commonly, a constraint that reflects its validity to a 0/1-variable is called a meta constraint. This notion is slightly misleading since this reflection does not allow for true meta programming in the sense of self-reasoning and self-modification. Hence Smolka coined the term reified constraints, which we use in this paper, instead of meta constraints (first used in [3]). First-class constraints are orthogonal to reified constraints and allow for true meta constraint programming. For example, one can obtain the name and the parameters of a first-class constraint and learn whether it is already entailed or not. Furthermore, one can explicitly discard a first-class constraint and can turn its propagation on or off. We demonstrate these operations in the following application areas:



Early Failure Detection. Due to the limited view of a single constraint on the constraint store, reasoning and especially failure detection is limited too. Often recognizing a certain constraint pattern makes it possible to spot an inconsistency much earlier than constraint propagation can, and sometimes constraint propagation on its own is not able to detect the inconsistency at all. For example $x < y \wedge y < x$ is obviously inconsistent. But the time ordinary finite domain propagation takes to detect the inconsistency is proportional to the domain size of x and y, and hence can be quite long. Reasoning about the constraints themselves can detect the unsatisfiability of this constraint immediately.

Constraint Simplification. Constraints fed into a constraint solver can often be improved regarding their propagation behavior. Common sub-constraints, for example, can be collapsed and constraints can be reformulated to provide for better domain pruning.

Garbage Collection. Usually constraints are garbage collected as soon as they are entailed by the constraint store. But typically that requires the parameters of the constraints to be determined. In many cases constraints could be discarded earlier. Consider the finite domain constraint $x + 1 = z \wedge x < z$. The constraint $x < z$ can be discarded since it is implied by $x + 1 = z$.

Minimal Sets of Inconsistent Constraints. Like every kind of programming, constraint programming is prone to error. A common programming error is to put up an incorrect model of a given problem or to implement a constraint model incorrectly. This frequently results in inconsistent constraints which cause immediate failure. Debugging such symptoms is supported by finding sets of constraints that are responsible for the inconsistency.



First-class constraints are defined as an abstract data type, i.e., in terms of operations on them. They are true first-class citizens: they can occur at any position where primitive values can occur too, e.g., as parameters of applications, as return values of functions, or as parts of composite data structures. That makes the new powerful programming techniques possible and allows the programmer, for example, to combine constraint inference on variable values with rewriting techniques to implement hybrid constraint solvers. Furthermore, first-class constraints can be used for prototyping sophisticated new constraints.

To our knowledge existing systems do not provide first-class constraints even though it is straightforward to add them to existing solvers (cf. the section on implementation issues). It is not sufficient to have access to a C++ object representing a constraint as in ILOG Solver […]. A first-class constraint is a value of an abstract data type defined by a set of operations (cf. Sect. 2).

First-class constraints have been implemented with Mozart Oz […] and the extensions are orthogonal to the existing solver and do not impose any performance penalty when not using first-class constraints.
Plan of the Paper. Sect. 2 defines first-class constraints as abstract data types. The following sections investigate early failure detection, simplification, garbage collection of constraints, and finding minimal sets of inconsistent constraints. A further section contrasts the expressiveness of first-class constraints with reified constraints, followed by sections discussing implementation issues and related work. The paper closes with concluding remarks.



2 Constraints as First-Class Values 

This section introduces a general model for constraint inference serving as a base for the 
promotion of constraints to first-class status. Then first-class constraints are introduced 
as values of an abstract data type. 

A Model for Constraint Inference. Constraint inference involves a constraint store, holding so-called basic constraints. A basic constraint is of the form $x = v$ (x is bound to a value v), $x = y$ (x is equated to another variable y), or $x \in D$ (x takes its value in D). Attached to the constraint store are non-basic constraints. Together with the constraint store they form a computation space. A computation space can be asked, among other things, if propagation has reached a fix-point […].

Non-basic constraints, as for example “x + y = z”, are more expressive than basic 
constraints and, hence, require more computational effort. In the following we call a 
non-basic constraint “constraint”. A constraint is realized by a computational agent (a 
so-called propagator) observing the basic constraints of its parameters (which are vari- 
ables in the constraint store; in the example x, y, and z). The purpose of a constraint 
is to infer new basic constraints for its parameters and add them to the store. A con- 
straint terminates (fails) if it is inconsistent with the constraint store or if it is explicitly 
represented by the basic constraints in the store, i. e., it is entailed by the store. A com- 
putation space becomes entailed as soon as all constraints are entailed or it becomes 
failed as soon as at least one constraint fails. 

First-Class Constraints. A first-class constraint is a value of an abstract data type and is hence defined in terms of its operations. It can be handled like any other primitive value, i.e., it can be part of composite data structures or can be used in applications or expressions.

Operations on first-class constraints are provided by the module Constraint. Access to operations is obtained by the "."-operator and operations are applied by the "{ }"-operator.

Note that reflective operations are typically non-monotonic, i. e., the produced result 
depends on the current state of the solver. Hence, these operations can be safely applied 
only if propagation has reached a fix-point. This has to be taken into account when 
adding new basic constraints to the constraint store while reasoning over first-class 
constraints. Adding new basic constraints typically requires the recomputation of the 
fix-point resulting in a changed set of first-class constraints to reason about. 



[Figure: non-basic constraints attached to the constraint store, together forming a computation space.]
First we define a minimal set of operations, i.e., this set does not contain operations which can be expressed by other operations of this set. Then we introduce operations that make more concise and elegant programming possible.

The following operations designate the minimal set of operations to be provided. The first two operations are required to obtain access to a first-class constraint and to be able to identify a value as a first-class constraint.

- C <- {F} (for short: <--operator) creates the constraint F, adds it to the current computation space, and binds C to an abstract value referring to F.

- C <-# {F} (for short: <-#-operator) creates the constraint F, adds it inactive, i.e., with propagation turned off, to the current computation space, and binds C to an abstract value referring to F. The <-#-operator is used in conjunction with the following abstraction:

- {Constraint.activate C} turns constraint propagation of constraint C on.

- {Constraint.is C B} binds B to true if C refers to a constraint and otherwise to false.

Obviously C <- {F} can be expressed by combining C <-# {F} and {Constraint.activate C}, but it is added for convenience since it is the usual way to create a first-class propagator.

Programming with first-class constraints typically involves rewriting sets of con- 
straints to operationally more efficient formulations (the most efficient one is of course 
true). That requires discarding the redundant constraint which is replaced. Further- 
more, reasoning about constraints may take into account that a constraint has already 
become entailed by the constraint store, i. e., can be ignored. 

- {Constraint.discard C} discards C explicitly, i.e., C is removed from the computation space. By discarding a constraint, its whole host space may become entailed.

- {Constraint.isEntailed C B} binds B to true if C is entailed, either explicitly by the operation discard or by entailment through the constraint store, and otherwise to false.

To be able to reason about constraints the programmer needs to identify what kind 
of constraint she is dealing with and what the parameters of the constraints are like. 
The question of which parameters are equal is especially interesting because it makes 
reformulations of constraints possible. 

- {Constraint.getName C N} binds N to the name of C.

- {Constraint.getParameters C Ps} binds Ps to the parameters of C.

- {Constraint.identifyParameters Vs Ids} maps the list of variables Vs to a list of integer identifiers Ids by assigning to each element in Vs the index of its first occurrence in Vs. Thus equal variables can be detected easily.

Additionally, we propose operations that have turned out to be useful and convenient 
in the applications discussed in this paper. 
- {Constraint.toString C S} binds S to a textual representation of C.

- {Constraint.reflectSpace Rs Cs} takes a list Rs of variables. It collects all propagators that have at least one variable of Rs as a parameter. Furthermore, it collects propagators which share parameters with collected propagators. Thus, the transitive closure of all propagators "reachable" from Rs is computed. The collected propagators are turned into some normal form and returned in the list Cs.

The application of Constraint.reflectSpace makes it possible to use first-class constraints in an orthogonal way, since the original constraint program need not be modified (cf. the application sections below).

3 Early Failure Detection 

One of the major goals of constraint programming is to avoid exploration of parts of the search tree that do not contain any solutions. But there are cases where propagation takes significant time to detect failure or is even unable to do so. Examples of potentially long-lasting propagation are the finite domain constraints $x < y \wedge y < x$ and $2x = y \wedge 2u = v \wedge y + 1 = v$, assuming sufficiently large domains¹. An example of an unsatisfiable constraint that cannot be spotted without any meta reasoning is $x, y, z \in \{0, 1\} \wedge x \neq y \wedge x \neq z \wedge y \neq z$.

This section demonstrates how meta constraint programming can be used to de- 
tect unsatisfiable constraints where ordinary constraint propagation fails to do so. Thus 
the search tree can be significantly pruned and bigger instances of the problem can be 
solved. 

We use as example a modified Hamiltonian path problem, where the aim is to find 
a path through a given directed graph from an arbitrary starting node to an arbitrary 
ending node such that all nodes of the graph are visited once and the path is valid for 
the reverse direction too. 

The Constraint Model and Its Implementation. The problem data is given as a set Arcs of 2-tuples arc(f, T), where the set $T \subseteq \{1, \ldots, n\}$ contains all nodes $t \in T$ such that there is an arc from node f to t. Every one of the n nodes of the graph is represented by a finite domain variable $x_i \in \{1, \ldots, n\}$ which represents the position of the i-th node; the variables have to be pairwise distinct (constraint (1)). Constraint (2) expresses the path from the starting node to the ending node. Node $x_i$ is the successor of $x_f$ if $x_i = x_f + 1$ holds. Note the extra clause for the ending point. Constraint (3) is dual to constraint (2) and models the reverse path.

$\mathit{distinct}(x_1, \ldots, x_n)$   (1)

$\forall\, \mathit{arc}(f, T) \in \mathit{Arcs} :\ \bigvee_{i \in T} (x_i = x_f + 1) \vee x_f = n$   (2)

$\forall\, \mathit{arc}(f, T) \in \mathit{Arcs} :\ \bigvee_{i \in T} (x_i + 1 = x_f) \vee x_f = 1$   (3)

¹ Due to the significant propagation time, we used these constraints in […] to benchmark the propagation performance of our constraint solver.
We have implemented the constraint model one-to-one with Mozart Oz finite domain constraints and used disjunctive combinators producing choice-points to obtain the same behavior as the program used in […]. The search strategy is naive, i.e., it picks from the left-most finite domain variable $x_i$ the minimum element m and creates a choice-point $x_i = m \vee x_i \neq m$.

Deriving an Early-Failure Criterion. Deriving a criterion is a creative process and it is hard to give any guidelines. But it is helpful to have a tool handy that displays the constraints in a node of the search tree. Mozart Oz […] offers a combination of such tools, namely the Oz Explorer and the Oz Propagator Viewer². The figure shows a part of the constraints of a node of the search tree without early failure detection. One may notice the constraints $\mathit{distinct}(\ldots, x_3, \ldots, x_{10}, \ldots)$ (top line) and $1 - x_2 + x_3 = 0 \wedge 1 - x_2 + x_{10} = 0$ (last two lines). Substitution of the two equations yields $x_3 = x_{10}$, which contradicts the constraint $\mathit{distinct}(\ldots, x_3, \ldots, x_{10}, \ldots)$. Generalization of this observation leads to an early failure detection criterion: the set D contains all indices of variables required to be pairwise distinct (derived from the parameters of the distinct-constraint). The criterion is:

$\exists\, C_1, C_2 .\ C_1 = (1 + a_i x_i + a_j x_j = 0) \wedge C_2 = (1 + a_k x_k + a_l x_l = 0) \wedge a_j \neq 0 \wedge i = k \wedge j \neq l \wedge j, l \in D \wedge a_j = a_l \;\rightarrow\; \mathit{failure}$

[Figure: Propagator Viewer, 36 propagators in space #6. Top line: distinct(x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14); the last two lines are 1 - x2 + x3 = 0 and 1 - x2 + x10 = 0.]

Adding the Early Failure Detection Criterion. The early failure detection code is completely factored out. It is embedded in the procedure DetectFailureEarly, which is applied as soon as constraint propagation reaches a fix-point, i.e., right before the creation of a new choice-point³. The procedure reflects the constraints to their first-class representation Cs according to a normal form. The variable EqCs refers to the equational constraints and the variable DistinctCs to the pairwise distinct constraints. Then for each distinct-constraint a set D is computed and stored in the list of set values DistinctSets (see […] for details on integer sets in Mozart Oz). Here the implementation is more general than required for this example.

proc {DetectFailureEarly RootVars}
   Cs = {Constraint.reflectSpace RootVars}
   EqCs = {FilterEqualityConstraints Cs}
   DistinctCs = {FilterDistinctConstraints Cs}
   DistinctSets = {ComputeDistinctSets DistinctCs}

² The Propagator Viewer is still experimental and not yet an official part of the Mozart Oz distribution. It can be obtained from the author.

³ Mozart Oz provides means to synchronize on reaching a propagation fix-point: a unary procedure can be passed to the search engine and this procedure is applied to the solution variable of a search problem as soon as a fix-point is reached.
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Then two nested loops (procedures ForAllTaiiJand ForAlij applying anony- 
mous procedures $) try to match the appropriate equational constraints according to 
the early failure detection criterion. An equational constraint is represented by a tuple 
' = : ' (P LHS RHS) where p is a reference to the actual constraint and lhs (rhs) is the 
left hand-side (right hand-side) of the equation. The left resp. right hand-side is repre- 
sented by a list of addend tuples addend (Sign Coef f Var) where Sign is the sign 
(— 1 or 1), Coef f is the absolute value of the coefficient, and Var is a reference to the 
variable. 

Constraints of form \ + ax + hy = 0 are isolated bv pattern matching and the 
pattern for such a constraint is [Al A2 A3] o;|as it can be found in the 

case-statements. 

in 

{ForAllTail EqCs 
proc {$ Tail} 

case Tail of ('=■'(_ 1-^ XI X2] 0)) | T then 

{ForAll T 
proc {$ TC} 

case TC of [B Y1 Y2] 0) then 

After isolating two matching equational constraints the constant addends are com- 
pared and it is checked if the variables are in a D-sst. The predicate Some is true if 
at least one of the elements of the list passed (here DistinctSets) evaluates the 2nd 
argument function to true. 

                 if A == B andthen
                    {Some DistinctSets
                     fun {$ Set}
                        {VarIsInSet X1 Set} andthen {VarIsInSet X2 Set}
                        andthen {VarIsInSet Y1 Set} andthen {VarIsInSet Y2 Set}
                     end}
                 then

Here the anonymous function $ checks if the variables of the addends are in one and the same D-set. It uses the predicate VarIsInSet which checks if a variable is in a given set. The connective andthen is a short-circuit conjunction.

                    if {IsEqAddend X1 Y1} andthen {IsNeqAddend X2 Y2}
                       orelse {IsEqAddend X1 Y2} andthen {IsNeqAddend X2 Y1}
                       orelse {IsEqAddend X2 Y1} andthen {IsNeqAddend X1 Y2}
                       orelse {IsEqAddend X2 Y2} andthen {IsNeqAddend X1 Y1}
                    then fail % raise failure
                    end
                 end
              end % case
           end}
        end % case
     end}
end % DetectFailureEarly

^ The procedure {ForAllTail List Proc} applies the unary procedure Proc to all non-nil tails of list List.

^ The procedure {ForAll List Proc} applies the unary procedure Proc to all elements of list List.

^ Note that there is an order on the addends: the first one is constant, the next ones contain variables, and the variables are subject to a certain order.

Finally, the variables of the addends are tested to meet the early failure detection criterion and if so, failure is raised by the statement fail. The predicate IsEqAddend (IsNeqAddend) tests if two addends are equal (not equal). The individual applications of IsEqAddend are connected by the short-circuit disjunction orelse.
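As an added example (not code from the paper), the same criterion written in Python over the addend representation described above: constraints of the form $c + ax + by = 0$ with the constant addend first, a list of D-sets, and every unordered pair of constraints visited once, as the nested ForAllTail/ForAll loops do. The hp_arc helper and the sample constraints and D-set are constructed here; instead of raising failure, the function returns the offending pairs.

```python
from itertools import combinations
from typing import List, NamedTuple, Set, Tuple


class Addend(NamedTuple):
    """addend(Sign Coeff Var) as on the page: Sign is -1 or 1, Coeff the absolute coefficient."""
    sign: int
    coeff: int
    var: str


class EqConstraint(NamedTuple):
    """'=:'(P LHS 0) with LHS = [constant addend addend], i.e. the form c + ax + by = 0
    that the case-statements isolate; the constant addend comes first."""
    ref: str        # stands in for the reference P to the propagator
    const: int      # the constant addend
    x1: Addend
    x2: Addend


def is_eq_addend(a: Addend, b: Addend) -> bool:
    return a == b


def is_neq_addend(a: Addend, b: Addend) -> bool:
    return a != b


def var_is_in_set(var: str, dset: Set[str]) -> bool:
    return var in dset


def detect_failure_early(eq_cs: List[EqConstraint],
                         distinct_sets: List[Set[str]]) -> List[Tuple[str, str]]:
    """Mirror of DetectFailureEarly: returns every pair of constraint references that
    meets the criterion (an empty list means the space would not fail)."""
    conflicts: List[Tuple[str, str]] = []
    # ForAllTail over EqCs combined with ForAll over each tail visits every unordered pair once
    for c, d in combinations(eq_cs, 2):
        a, x1, x2 = c.const, c.x1, c.x2
        b, y1, y2 = d.const, d.x1, d.x2
        if a != b:
            continue
        # {Some DistinctSets ...}: all four variables must lie in one and the same D-set
        if not any(all(var_is_in_set(v, s) for v in (x1.var, x2.var, y1.var, y2.var))
                   for s in distinct_sets):
            continue
        if (is_eq_addend(x1, y1) and is_neq_addend(x2, y2)
                or is_eq_addend(x1, y2) and is_neq_addend(x2, y1)
                or is_eq_addend(x2, y1) and is_neq_addend(x1, y2)
                or is_eq_addend(x2, y2) and is_neq_addend(x1, y1)):
            conflicts.append((c.ref, d.ref))   # the Oz code raises failure here
    return conflicts


def hp_arc(ref: str, i: int, j: int) -> EqConstraint:
    """Constructed helper: the Hamiltonian-path style constraint x_i + 1 = x_j
    written as 1 + x_i - x_j = 0 (all coefficients 1)."""
    return EqConstraint(ref, 1, Addend(1, 1, f"x{i}"), Addend(-1, 1, f"x{j}"))


# Constructed input: x1 would need two different successors x2 and x3, which the
# distinct constraint over x1..x5 forbids, so p1 and p2 together are inconsistent.
SAMPLE_EQCS = [hp_arc("p1", 1, 2), hp_arc("p2", 1, 3), hp_arc("p3", 4, 5)]
SAMPLE_DISTINCT = [{"x1", "x2", "x3", "x4", "x5"}]
```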

Evaluation. Table 1 shows the effectiveness of the presented technique impressively. Entries "-" indicate that after 100,000 nodes of the search tree no solution was found and search was aborted.

Table 1. Effectiveness of early failure detection.

                no early failure detection     with early failure detection
  # nodes       solution found after           solution found after      # detected
                # choices/# failures           # choices/# failures      failures
  ---------------------------------------------------------------------------------
  10            72/52                          72/52                     0
  20            -                              160/124                   1
  30            -                              298/244                   68
  40            -                              499/406                   162
  50            -                              499/406                   162


By accident the results for problems with 40 and 50 nodes are identical. The first solution was found on a 200 MHz Pentium Pro in a range from a tenth of a second to less than a minute, depending on the problem. But the benchmarks aim at demonstrating the effectiveness of the technique, and the early failure detection code has not been particularly optimized.

Early failure detection requires constraints to be first-class values in order to reflect the state of the constraint solver, which makes symbolic detection of inconsistent constraints possible.



4 Constraint Simplification 

This section demonstrates another constraint programming technique made possible by first-class constraints. It is not unusual that a constraint model, and consequently its implementation, contains redundant constraints or constraints in a formulation that does not allow for the strongest possible propagation.
Consider the constraint $x + x = y \wedge x \in \{1, 2\} \wedge y \in \{3, 4\}$. Without exploiting the equality of the two variables on the left-hand side the constraint cannot deduce that the only valid instantiation is $x = 2 \wedge y = 4$. Hence the simplification $x + x = y \Rightarrow 2x = y$ improves constraint propagation significantly.
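An added example (not from the paper) that reproduces this observation with interval bounds propagation of a linear equation: each occurrence of a variable is treated as an independent term, which is exactly what a solver does when it does not exploit the equality of the two x's. The propagator and the interval store are constructed here; the Oz solver's own propagation may prune differently in detail.

```python
from typing import Dict, List, Tuple

Domain = Tuple[int, int]    # interval domain (min, max) of a finite domain variable
Term = Tuple[int, str]      # (coefficient, variable name)


def _bounds(coeff: int, dom: Domain) -> Tuple[int, int]:
    """Interval of coeff * v for v in dom."""
    lo, hi = coeff * dom[0], coeff * dom[1]
    return (min(lo, hi), max(lo, hi))


def propagate_linear_eq(terms: List[Term], const: int,
                        store: Dict[str, Domain]) -> Dict[str, Domain]:
    """Bounds propagation of sum(coeff_i * var_i) = const to a fix-point.
    Every term is an independent occurrence: x + x = y is [(1,'x'),(1,'x'),(-1,'y')],
    its simplification 2x = y is [(2,'x'),(-1,'y')].
    Raises ValueError when a domain becomes empty (the space fails)."""
    store = dict(store)
    changed = True
    while changed:
        changed = False
        for i, (a, v) in enumerate(terms):
            rest = [_bounds(b, store[w]) for j, (b, w) in enumerate(terms) if j != i]
            rest_lo, rest_hi = sum(r[0] for r in rest), sum(r[1] for r in rest)
            # a * v = const - rest, hence a * v lies in [const - rest_hi, const - rest_lo]
            lo, hi = const - rest_hi, const - rest_lo
            if a < 0:                       # dividing by a negative coefficient flips the bounds
                lo, hi, a = -hi, -lo, -a
            new_lo = max(store[v][0], -((-lo) // a))   # ceil(lo / a)
            new_hi = min(store[v][1], hi // a)         # floor(hi / a)
            if new_lo > new_hi:
                raise ValueError(f"domain of {v} became empty")
            if (new_lo, new_hi) != store[v]:
                store[v] = (new_lo, new_hi)
                changed = True
    return store


def fails(terms: List[Term], const: int, store: Dict[str, Domain]) -> bool:
    """True when bounds propagation alone already detects the inconsistency."""
    try:
        propagate_linear_eq(terms, const, store)
    except ValueError:
        return True
    return False


# Constructed instance from the text: x in {1,2}, y in {3,4}
STORE: Dict[str, Domain] = {"x": (1, 2), "y": (3, 4)}
X_PLUS_X: List[Term] = [(1, "x"), (1, "x"), (-1, "y")]   # x + x = y, equality not exploited
TWO_X: List[Term] = [(2, "x"), (-1, "y")]                # 2x = y
```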

This section reuses the Hamiltonian path problem defined in Sect. 3 but uses reified constraints instead of disjunctive combinators. A reified constraint connects a constraint $C$ with a 0/1-variable $B$: $(C \leftrightarrow B) \wedge B \in \{0, 1\}$. Variable $B$ is bound to 1 (0) if $C$ is entailed (disentailed). As long as $B$ is unbound, $C$ does not add any constraints to the constraint store. In case $B$ is bound to 1 (0), the reified constraint is replaced by $C$ ($\neg C$). Reified constraints are used mainly for handling over-constrained problems, i.e., problems where not all constraints can be fulfilled at once, or for modeling disjunctive constraints as in the following case.

The Constraint Model and Its Implementation. The constraint model expresses the disjunctions by reified constraints. The parentheses "()" enclosing the equations indicate reification. Constraint (5) stands for the path from the starting to the ending node and constraint (6) for the same path in reverse direction.

$\mathit{distinct}(x_1, \ldots, x_n) \quad (4)$

$\forall\, arc(f, T) \in Arcs:\ \bigl((x_f = n) + \sum_{i \in T} (\ldots)\bigr) = 1 \quad (5)$

$\forall\, arc(f, T) \in Arcs:\ \bigl((x_f = 1) + \sum_{i \in T} (x_i + 1 = x_f)\bigr) = 1 \quad (6)$

Deriving a Simplification Rule. In this case finding a suitable rule is easy. Regard the lines in the figure starting with the variables $x_{16}$ and $x_3$. In both cases the corresponding constraints reify $1 + x_1 - x_2 = 0$. That makes it possible to equate $x_{16}$ and $x_3$ and to discard a copy of $1 + x_1 - x_2 = 0$. In general, $\exists (C_i \leftrightarrow B_i), (C_j \leftrightarrow B_j) : C_i = C_j \Rightarrow B_i = B_j \wedge \mathit{discard}(C_j)$.

The proposed simplification has two effects: it removes redundant propagation by discarding superfluous constraints, and it strengthens the constraint store by adding equality constraints.^

Adding Constraint Simplification. Constraint simplification is executed whenever propagation reaches its fix-point. It reflects the constraints of a computation space with Constraint.reflectSpace to obtain direct access to the constraints, and the function FilterReified filters out all reified constraints $(C \leftrightarrow B)$ since the other constraints are of no interest. The result is stored in ReCs. Furthermore, FilterReified generates a textual representation of $C$ using Constraint.toString which is used as index for the dictionary Dict to easily identify reified constraints which are identical modulo the 0/1-variable $B$.

^ In Mozart Oz equality is represented directly in the constraint store.

fun {SimplifyAndCollect RootVars}
   ReCs = {FilterReified {Constraint.reflectSpace RootVars}}
   Dict = {NewDictionary}
in

For each reified constraint the actual simplification is done in a ForAll loop which calls an anonymous procedure $. This procedure accesses the components of its argument by pattern matching: I is the textual representation index, P is a reference to the reified constraint itself, C the reified constraint, and B is a 0/1-variable. Note that # is the infix tuple constructor and hence I#reified(P C B) is a 2-tuple matched against the argument passed to the anonymous procedure.

   {ForAll ReCs
    proc {$ I#reified(P C B)}
       if {Dictionary.member Dict I} then
          reified(P1 C1 B1) = {Dictionary.get Dict I}
       in
          B1 = B
          {Constraint.discard P}
       else
          {Dictionary.put Dict I reified(P C B)}
       end
    end}
   % return 0/1-variables of the reified constraints
   {RetrieveBools Dict}
end % SimplifyAndCollect

Using Dictionary.member the procedure checks if a reified constraint is already stored under the textual representation index I. If so, the individual components of the entry are retrieved by pattern matching,^ the 0/1-variables are equated, and the constraint referred to by P is stated to be entailed by Constraint.discard. That is exactly what the simplification rule requires. In case the reified constraint is not yet stored in Dict a new entry is created by Dictionary.put. Finally, the 0/1-variables of the reified constraints are retrieved and returned by RetrieveBools.
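The same loop as an added Python example (not the paper's code): the dictionary is keyed by the textual form of $C$, the first occurrence is kept, and for every later occurrence the 0/1-variables are equated and the duplicate is discarded. Constraint.toString is replaced by the constructed constraint_to_string, and the ReCs list, references and variable names are constructed here.

```python
from typing import Dict, List, NamedTuple, Tuple


class Reified(NamedTuple):
    """One element of ReCs as I#reified(P C B): the index I, the reference P and the
    0/1-variable B (plain names here); C itself is not needed by the rule."""
    index: str        # textual representation of C, what Constraint.toString yields
    ref: str
    bool_var: str


def constraint_to_string(const: int, terms: List[Tuple[int, str]]) -> str:
    """Stand-in for Constraint.toString on c + a1*x1 + ... + an*xn = 0.
    Assumes a fixed term order, so identical constraints get identical text."""
    parts = [str(const)] + [f"{'+' if a > 0 else '-'} {abs(a)}*{v}" for a, v in terms]
    return " ".join(parts) + " = 0"


def simplify_and_collect(recs: List[Reified]
                         ) -> Tuple[List[str], List[Tuple[str, str]], List[str]]:
    """Mirror of SimplifyAndCollect. Returns the 0/1-variables that survive (RetrieveBools),
    the equalities B1 = B stated, and the references handed to Constraint.discard."""
    dictionary: Dict[str, Reified] = {}
    equalities: List[Tuple[str, str]] = []
    discarded: List[str] = []
    for r in recs:
        if r.index in dictionary:                            # Dictionary.member
            first = dictionary[r.index]                      # reified(P1 C1 B1) = Dictionary.get
            equalities.append((first.bool_var, r.bool_var))  # B1 = B
            discarded.append(r.ref)                          # Constraint.discard P
        else:
            dictionary[r.index] = r                          # Dictionary.put
    return [e.bool_var for e in dictionary.values()], equalities, discarded


def reify(ref: str, bool_var: str, const: int, terms: List[Tuple[int, str]]) -> Reified:
    """Constructed helper building one ReCs element from c + a1*x1 + ... = 0."""
    return Reified(constraint_to_string(const, terms), ref, bool_var)


# Constructed ReCs in which two reified constraints coincide modulo their 0/1-variable,
# like the two lines reifying 1 + x1 - x2 = 0 discussed in the text.
SAMPLE_RECS = [reify("p1", "b3", 1, [(1, "x1"), (-1, "x2")]),
               reify("p2", "b5", 1, [(1, "x2"), (-1, "x3")]),
               reify("p3", "b16", 1, [(1, "x1"), (-1, "x2")]),
               reify("p4", "b9", 1, [(1, "x2"), (-1, "x3")])]
```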

The search strategy branches over the 0/1-variables of the reified constraints (5) and (6) returned by SimplifyAndCollect to stay as close as possible to the program used in Sect. 3.

Evaluation. The number of 0/1-variables coming from the reified constraints is significantly reduced by simplification. In combination with the additional equality constraints, this leads to an enormous reduction of choice points (see Table 2), even better than for early failure detection in Sect. 3.

^ The return value of the function application {Dictionary.get Dict I} is matched against the tuple reified(P1 C1 B1) and the newly introduced variables P1 C1 B1 are bound accordingly.
Table 2. Effectiveness of constraint simplification.

                no simplification             with simplification
  # nodes       solution found after          solution found after      # simplified
                # choices/# failures          # choices/# failures      constraints
  ---------------------------------------------------------------------------------
  10            292/288                       4/2                       26
  20            -                             19/0                      60
  30            -                             19/94                     118
  40            -                             2673/2632                 158
  50            -                             122/73                    199


Only for the graph with 40 nodes is the number of choice points much greater. This indicates that the search strategy used is not stable enough against variations of the problems, but this is not the focus of this paper.

Constraint simplification requires constraints to be first-class values in order to reflect the state of the constraint solver, thus making symbolic constraint simplifications possible.

5 Garbage Collection of Constraints 

Usually constraint solvers collect redundant constraints as they become entailed by the constraints in the store. Even if their memory is not freed, due to the implementation of the solver, they are at least not rerun anymore if their parameters receive new basic constraints. For example, consider $x < y \wedge x \in \{0, \ldots, 3\} \wedge y \in \{3, \ldots, 6\}$, and suppose the $<$-constraint is entailed by the basic constraints $x \in \{0, \ldots, 3\} \wedge y \in \{3, \ldots, 6\}$ and is garbage collected. That is not always the case, as demonstrated for the no-overlap constraint in the tiling problem.

The Problem Description and the Constraint Model. A given number of square tiles has to be placed on a master plate (see figure). The tiles must not exceed the master plate along the x- and y-axis. This is enforced by the capacity-constraint, which is not of interest here. Furthermore, the tiles must not overlap, which is enforced by the nonoverlap-constraint. Consider the square tiles $T_1$ and $T_2$ with lengths $l_1$ and $l_2$. Their positions on the master plate are determined by their left lower corners $(x_1, y_1)$ and $(x_2, y_2)$, which results in the nonoverlap-constraint

$x_1 + l_1 \le x_2 \vee x_2 + l_2 \le x_1 \vee y_1 + l_1 \le y_2 \vee y_2 + l_2 \le y_1. \quad (7)$

The constraint (7) is encoded by the reified constraint

$(x_1 + l_1 \le x_2) + (x_2 + l_2 \le x_1) + (y_1 + l_1 \le y_2) + (y_2 + l_2 \le y_1) \ge 1.$

Note the ≥-constraint, which is necessary since two tiles can be non-overlapping in both the x- and y-axis. This constraint causes the trouble regarding garbage collection, since as soon as one of its reified constraints is valid the remaining three constraints could be discarded. But this is impossible without first-class constraints because a reified constraint cannot be discarded; it just reduces to its embedded positive or negative constraint.

Implementation Issues. The encoding of the nonoverlap-constraint by the procedure ImposeNonOverlap catches the references to the individual constraints involved, i.e., the reified ≤-constraints and the ≥-constraint. This is achieved by using the <- operator. The nonoverlap-constraint returns these references wrapped in the tuple nonoverlap(P0 [P1 P2 P3 P4]).

fun {ImposeNonOverlap X1 Y1 L1 X2 Y2 L2}
   B1 B2 B3 B4 P0 P1 P2 P3 P4
in
   P1 <- {(X1 + L1 =<: X2) = B1}
   P2 <- {(X2 + L2 =<: X1) = B2}
   P3 <- {(Y1 + L1 =<: Y2) = B3}
   P4 <- {(Y2 + L2 =<: Y1) = B4}
   P0 <- {B1 + B2 + B3 + B4 >=: 1}
   nonoverlap(P0 [P1 P2 P3 P4])
end

The procedure CollectNonOverlapConstraints is called when propagation has reached a fix-point. It receives as its argument a list of tuples produced by ImposeNonOverlap and checks for all tuples if the enclosed ≥-constraint is entailed by applying Constraint.isEntailed to P0. If so, the remaining reified constraints are determined to be entailed by Constraint.discard.

proc {CollectNonOverlapConstraints NonOverlapConstraints}
   {ForAll NonOverlapConstraints
    proc {$ nonoverlap(P0 Ps)}
       if {Constraint.isEntailed P0} then
          {ForAll Ps
           proc {$ P}
              % discard only the parts that are not entailed themselves
              if {Not {Constraint.isEntailed P}}
              then {Constraint.discard P} end
           end}
       end
    end}
end
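An added Python example (not the paper's code) of the same collection step over interval domains: a reified $x + l \le y$ is entailed once it holds for $\max(x)$ and $\min(y)$, the sum-of-0/1-variables ≥ 1 is entailed as soon as one part is, and then the parts that are not entailed themselves are discarded. The interval store, the tiles and the Domain/Tile representations are constructed here.

```python
from typing import Dict, List, Tuple

Domain = Tuple[int, int]       # interval domain (min, max), constructed representation
Tile = Tuple[str, str, int]    # (x variable, y variable, side length)


class LeqConstraint:
    """One reified X + L =<: Y of ImposeNonOverlap; `discarded` plays the role of Constraint.discard."""

    def __init__(self, x: str, length: int, y: str) -> None:
        self.x, self.length, self.y = x, length, y
        self.discarded = False

    def is_entailed(self, store: Dict[str, Domain]) -> bool:
        # x + l <= y holds for all remaining values iff it holds for max(x) and min(y)
        return store[self.x][1] + self.length <= store[self.y][0]


class NonOverlap:
    """nonoverlap(P0 [P1 P2 P3 P4]): P0 is B1 + B2 + B3 + B4 >=: 1 over the four reified parts."""

    def __init__(self, t1: Tile, t2: Tile) -> None:
        (x1, y1, l1), (x2, y2, l2) = t1, t2
        self.parts = [LeqConstraint(x1, l1, x2), LeqConstraint(x2, l2, x1),
                      LeqConstraint(y1, l1, y2), LeqConstraint(y2, l2, y1)]

    def sum_is_entailed(self, store: Dict[str, Domain]) -> bool:
        # the >=: 1 constraint is entailed as soon as one reified part is entailed (its B_i is 1)
        return any(p.is_entailed(store) for p in self.parts)


def collect_non_overlap_constraints(constraints: List[NonOverlap],
                                    store: Dict[str, Domain]) -> int:
    """Mirror of CollectNonOverlapConstraints, to be run at a propagation fix-point;
    returns how many reified parts were discarded by this call."""
    discarded = 0
    for c in constraints:
        if c.sum_is_entailed(store):                  # Constraint.isEntailed P0
            for p in c.parts:
                if not p.is_entailed(store) and not p.discarded:
                    p.discarded = True                # Constraint.discard P
                    discarded += 1
    return discarded


# Constructed store: T1 and T2 are already separated along x, T3 may still overlap T1
SAMPLE_STORE: Dict[str, Domain] = {"x1": (0, 2), "y1": (0, 5), "x2": (5, 8), "y2": (0, 5),
                                   "x3": (0, 8), "y3": (0, 8)}


def sample_constraints() -> List[NonOverlap]:
    """Fresh nonoverlap tuples for the pairs (T1, T2) and (T1, T3)."""
    return [NonOverlap(("x1", "y1", 3), ("x2", "y2", 2)),
            NonOverlap(("x1", "y1", 3), ("x3", "y3", 1))]
```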

Evaluation. Table 3 shows the number of reified ≤-constraints garbage collected for different instances of the tiling problem. The third column shows the amount of memory saved, which is in balance with the overhead imposed by the extra data structures used.

The proposed garbage collection scheme relies on first-class constraints for detecting redundant constraints and for explicitly discarding such constraints since they cannot be garbage collected yet by entailment.






Table 3. Effectiveness of constraint garbage collection.

  # tiles    collected constraints    saved memory
  ------------------------------------------------
  6          18                       5K
  9          44                       11K
  17         197                      100K
  21         1528                     1.7M



6 Computing Minimal Sets of Inconsistent Constraints 

Solving a combinatorial problem by constraint programming requires expressing the problem in terms of constraints, i.e., finding a constraint model, and implementing the conceived constraint model as a constraint program for a concrete constraint solver. This process is prone to error. The first run of the constraint program frequently results in an immediate failure of the solver, caused by an inconsistent set of constraints. The set of constraints is usually large and only a subset is responsible for the failure. Hence, being able to find minimal inconsistent subsets of constraints of a given set of constraints may simplify debugging the above-described situation significantly. Note that there may be several minimal inconsistent sets of constraints since several errors may occur at once.

Idea. According to the model presented earlier in this paper, constraint propagation takes place in computation spaces. A failed space hosts an inconsistent set of constraints. Finding minimal sets of inconsistent constraints starts by reflecting the last consistent state of the failed computation space. Reflection comprises all basic constraints, i.e., constraints of the form $x \in D$ and $x = y$, and all propagators. Such a reflection makes it possible to restore the constraints of the last consistent state of the failed space in a fresh space. Since such a restoring would immediately result in a failure, the propagators are imposed as inactive first-class propagators, i.e., they are imposed with propagation turned off. A solution is a set of inconsistent propagators. Hence, the fresh space is appropriately w
rapped to propagate its failure as solution. The starting point for searching a solution is that all propagators are inactive. Search turns propagation successively on for every propagator and then checks whether the set of active propagators is inconsistent or not.

Implementation. The last consistent state of a failed computation space is reflected by Constraint.reflectSpace and equal variables are spotted by Constraint.identifyParameters. The reflected propagators are imposed as inactive first-class propagators using the <-#-operator in a fresh computation space to be able to catch failure. Furthermore, every propagator is assigned a unique integer identifier and is connected via its corresponding first-class value to a 0/1-variable such that constraining the 0/1-variable to 1 (0) activates (discards) the propagator. That makes it possible to use the standard search library on finite domain variables. A possible solution is a set of integers denoting a set of inconsistent propagators.

We are interested in minimal sets of inconsistent constraints. Branch-and-bound search is used to ensure that new solutions are either a proper subset of an already found solution or a distinct set of inconsistent constraints. An appropriate order constraint, which ensures that new solutions meet the above condition, has to take into account two cases:

1. A new solution $N$ is a proper subset of the current solution $O$, i.e., $N \subset O$, resp. $N \setminus C = \emptyset$ where $C = N \cap O$.

2. A new solution $N$ is distinct from the set of inconsistent constraints $O$, i.e., $O \setminus C \neq \emptyset \wedge N \setminus C \neq \emptyset$ where $C = N \cap O$.

These two conditions can be collapsed to $O \setminus (N \cap O) \neq \emptyset$. The implementation of the order constraint uses Mozart Oz's finite set constraints.

A first minimal set of inconsistent constraints is found by starting with all propagators' propagation turned on and successively turning propagation off. As soon as turning a propagator inactive makes the set of active propagators not immediately inconsistent, this propagator is kept active. Thus, by processing all propagators once, a first minimal set of inconsistent constraints is found. Finding other possible sets requires backtracking to the first propagator turned inactive, turning this propagator active, and continuing search from there. The order constraint described above prunes the search space further by disallowing solutions subsuming already known ones.

Example. Consider the inconsistent set of constraints composed of the constraints $c_1, \ldots, c_5$: $x <_{c_1} y \wedge y <_{c_2} z \wedge z <_{c_3} x \wedge z <_{c_4} u \wedge u <_{c_5} x$. As one can easily see, there are two minimal sets of constraints that are not in a subset relation: $S_1 = \{c_1, c_2, c_3\}$ and $S_2 = \{c_1, c_2, c_4, c_5\}$.

Expectedly, the search routine finds two solutions $S_1$ and $S_2$, as the corresponding search tree shows (see the rhombus-shaped solution nodes in the Mozart Explorer display in Fig. 1).
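As an added example (not the paper's code), the search described above run on this very instance in Python: propagators are turned off in turn as long as the remaining active set still fails, otherwise they have to stay active, and the order constraint $O \setminus (N \cap O) \neq \emptyset$ against every known solution prunes branches that could only yield supersets. The failed computation space is replaced by a constructed consistency check: a conjunction of strict inequalities $a < b$ is inconsistent exactly when the graph with an edge $a \to b$ per active constraint contains a cycle.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed instance of the example: c1..c5 as strict inequalities a < b over x, y, z, u
CONSTRAINTS: Dict[int, Tuple[str, str]] = {
    1: ("x", "y"), 2: ("y", "z"), 3: ("z", "x"), 4: ("z", "u"), 5: ("u", "x"),
}


def is_inconsistent(active: FrozenSet[int], constraints: Dict[int, Tuple[str, str]]) -> bool:
    """Stands in for 'the fresh space fails': the active strict inequalities are
    inconsistent iff the directed graph a -> b they induce has a cycle (depth-first search)."""
    succ: Dict[str, List[str]] = {}
    for i in active:
        a, b = constraints[i]
        succ.setdefault(a, []).append(b)
    done, on_path = set(), set()

    def visit(n: str) -> bool:
        on_path.add(n)
        for m in succ.get(n, ()):
            if m in on_path or (m not in done and visit(m)):
                return True
        on_path.discard(n)
        done.add(n)
        return False

    return any(n not in done and visit(n) for n in list(succ))


def minimal_inconsistent_sets(constraints: Dict[int, Tuple[str, str]],
                              inconsistent: Callable[[FrozenSet[int]], bool]) -> List[FrozenSet[int]]:
    """Search over the propagators as on the page. Left branch: turn propagator p off, allowed only
    while the remaining active set still fails. Right branch: p stays active. The order constraint
    is checked on the propagators already fixed active: once they contain a known solution O, every
    leaf below would have O \\ (N intersect O) empty and the branch is pruned. Because the off-branch
    is explored first, a proper subset of any leaf is always recorded before the leaf itself, so the
    recorded leaves are exactly the minimal inconsistent sets."""
    ids = sorted(constraints)
    solutions: List[FrozenSet[int]] = []

    def search(k: int, active: FrozenSet[int], fixed_on: FrozenSet[int]) -> None:
        if any(o <= fixed_on for o in solutions):
            return                              # could only subsume a known solution
        if k == len(ids):
            solutions.append(active)            # all remaining propagators are needed
            return
        p = ids[k]
        without = active - {p}
        if inconsistent(without):
            search(k + 1, without, fixed_on)                # p is not needed for this failure
        search(k + 1, active, fixed_on | {p})               # p must stay active

    full = frozenset(ids)
    if inconsistent(full):
        search(0, full, frozenset())
    return solutions


if __name__ == "__main__":
    found = minimal_inconsistent_sets(CONSTRAINTS, lambda s: is_inconsistent(s, CONSTRAINTS))
    for s in found:
        print(sorted(s))    # [1, 2, 4, 5] then [1, 2, 3], in the order this search visits them
```

The order in which the two sets appear depends on the propagator order and on which branch is tried first, so it need not match the left-to-right order of the Explorer tree in the paper.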



We use the Mozart Constraint Investigator to present the solutions graphically. The first solution, corresponding to $S_1$, is shown as a variable graph in Fig. 2(a), i.e., the nodes of the graph denote variables and edges represent propagators. Thick solid edges stand for propagators being part of the set of inconsistent constraints.

Fig. 1. Search tree of example.

The propagator graph in Fig. 2(b) depicts propagators as nodes and variables shared between propagators as edges between the respective propagators. Propagators being part of the inconsistent set of constraints are shaded. Having propagators, represented by their nodes, identified as being responsible for a failure, the Investigator allows one to highlight their occurrence in the source code by simply clicking the respective propagator node.

The second solution, corresponding to $S_2$, is shown as the variable graph in Fig. 3 and reveals a second reason for the example set of constraints being inconsistent.

First-class constraints are the key to this application since they make it possible to reflect a failed computation space and to do search over constraints by explicitly turning propagation on and off.
(a) Parameter graph where failed propagator edges are thick solid lines.

(b) Constraint graph where nodes of failed propagators are shaded.

Fig. 2. First solution (left-most solution (rhombus) node in Fig. 1).

Fig. 3. Variable graph of second solution (right-most solution (rhombus) node in Fig. 1).



7 First-Class Constraints vs. Reified Constraints 

This section summarizes the unique features of first-class constraints used in the presented applications and argues why the expressiveness of first-class constraints goes far beyond what can be expressed with reified constraints.

Reflection. First-class constraints make it possible to reflect the propagator’s name and 
parameters to values. Reified constraints do not offer reflection. 

Activation and Deactivation. Applications searching over sets of constraints (cf. Sect. 6) have to be able to impose propagators with propagation turned off and then to toggle propagation as computation proceeds. Initially, reified constraints $(C \leftrightarrow B \in \{0, 1\})$ are inactive w.r.t. propagation. Turning propagation on is done by constraining $B$ to 1. But once turned on, propagation cannot be turned off due to monotonicity of reified constraints.^ Although not mentioned so far, propagation of a first-class constraint C can be turned off by calling {Constraint.deactivate C}.

Explicit Entailment. Applications rewriting constraints need to be able to discard constraints even if they are not entailed by the constraint store. Replacing a set of constraints $C$ by $\top$ is the special case of garbage collecting $C$, as demonstrated in Sect. 5. Replacing $C$ by $C' \neq \top$ was discussed as constraint simplification in Sect. 4. Reified constraints do not support this functionality.

Checking for Entailment. It is frequently necessary to find out if a constraint is already entailed or not. First-class constraints provide the operation Constraint.isActive. Reified constraints can be used for entailment checking too, where $B = 1$ indicates entailment. The constraint $C \wedge (C \leftrightarrow B \in \{0, 1\})$ does this test, but it must be ensured that $B \neq 0$.

Operations on first-class constraints are non-monotonic, i.e., they can be undone or can produce different results depending on the current state of the computation space they are applied on. Reified constraints are monotonic, i.e., they cannot be undone and in conjunction with a certain set of other constraints they always reach the same fix-point. In fact, first-class constraints and reified constraints are orthogonal concepts, and reified constraints can of course be first-class constraints too (cf. Sect. 5, where the nonoverlap-constraint uses reified first-class constraints). The use of the notion meta is somewhat misleading since true meta programming is only possible with the expressiveness that first-class constraints provide.



8 Adding First-Class Constraints to an Existing Solver 

This section briefly summarizes the necessary additions to an existing constraint solver to provide for first-class constraints.

Promoting a constraint to first-class status means giving the programmer direct access to it and thus being able to inspect and control the constraint. This is straightforwardly done by introducing a data type referring to constraints.

Inspecting a constraint (cf. getName and getParameters introduced above) requires being able to retrieve a constraint's parameters and name. Constraint solvers implemented in C++ typically represent a constraint as an object, such that it is easy to add appropriate member functions and keep the changes local to the actual constraints.

Furthermore, first-class constraints need to have a unique identity to enable the check for equality of first-class constraints.^ This can be done by deriving an identity from the memory address of the object representing a constraint. But care must be taken for garbage collection and all kinds of operations that change the location of a constraint in memory.

^ Note that constraining $B$ to 0 imposes the negative constraint $\neg C$.

^ This paper ignores identity on first-class constraints. But if one has to implement reflectSpace just with the other operations, to guarantee termination one has to check equality of constraints.
Discarding a constraint and checking for entailment (cf. discard and isEntailed introduced above) typically requires setting a flag in the constraint representation. The constraint solver has to check right before the execution of a constraint whether it was explicitly entailed in the meantime, i.e., between wake-up and execution, or not.

The programming techniques presented in Sect. 3, Sect. 4 and Sect. 5 need to detect the fix-point of constraint propagation. Hence the constraint language has to provide a combinator that allows the programmer to do so. An implementation may simply check if the propagation queue, which maintains the constraints to be executed next, is empty.

The experimental implementation of first-class constraints was straightforward since Mozart Oz provides so-called extensions. They are intended to allow the programmer to add new data types via a C++ interface [?]. There were no modifications necessary to the actual propagation engine, so that there are no performance penalties.



9 Related Work 

One approach at gaining more control and expressivity over constraints was the idea to exploit a constraint's truth value, as proposed for the cardinality constraint in [?]. Applying arithmetic and boolean operations to constraints' truth values was explored in [2]. These constraints are usually called meta or reified constraints. They are available in nearly all current constraint solvers.

Meta-programming as known from Lisp or Prolog means manipulating a program by another program. Therefore, the program code is represented as a term of the respective programming language and then submitted to a meta-interpreter written in this language. Such a scheme for the constraint programming language CLP(R) is proposed in [?]. They use quote and eval functions which are analogous to the corresponding Lisp functions.

Solvers dedicated to a certain set of constraints, as well as dedicated constraints, can of course do the same analysis as discussed in this paper. In [?], early failure detection as described in Sect. 3 has been proposed as a by-product of analyzing the impact of simplifications for equational constraints on the propagation behavior.

ILOG Solver [?] is a C++ library for constraint programming in C++. It does not support first-class constraints as presented in this paper, but ILOG Solver 4.4 allows the user to define a new constraint by defining a new class of constraints derived from the library class IlcConstraintI. It is straightforward to provide the required extra functionality according to Sect. 8 by adding appropriate member functions to the class definition of the new constraint.

Constraint Handling Rules (CHR) [?] are a committed-choice language for rewriting constraints towards a solved form which eventually denotes a solution. A CHR program is a set of guarded rules of the form $H\ \mathit{op}\ G \mid B$ where $\mathit{op} \in \{\texttt{<=>}, \texttt{==>}\}$, $H = H_1, \ldots, H_i$, $G = G_1, \ldots, G_j$, and $B = B_1, \ldots, B_k$. A multi-head $H$ is a sequence of CHR, the guard $G$ is a sequence of built-in constraints, and the body $B$ is a sequence of CHR and built-in constraints. A rule fires as soon as the CHR store implies $H$ and the constraint store implies $G$. Then the CHR and constraint store are extended by $B$. A propagation rule ($\mathit{op} = \texttt{==>}$) extends the appropriate stores by redundant constraints $B$. A simplification rule ($\mathit{op} = \texttt{<=>}$) behaves like a propagation rule but additionally removes $H$ from the CHR store. CHR can be used to implement the techniques proposed in the sections above due to the multi-heads of the rules. For example, the inconsistent constraint $x < y \wedge y < x$ can be detected by the following CHR rule:



less (x, y) , less (y, x) <=> true | false. 

To the best of our knowledge none of the above-mentioned approaches, nor other 
existing systems, offer the same expressiveness or generality as the scheme proposed in 
this paper, to promote constraints to first-class status. 



10 Conclusion and Future Work 



We have introduced constraints as first-class citizens and investigated possible fields of application. Furthermore, we have demonstrated programming techniques using first-class constraints, have proved their effectiveness, and argued that first-class constraints and reified constraints are orthogonal concepts (cf. Sect. 7).

The experiments have shown that the programmer needs appropriate analysis tools to find powerful meta-constraint propagation rules, especially for the techniques discussed in the sections above. Furthermore, the effects of simplification and garbage collection may overlap since simplified constraints become redundant and can be discarded.

The experiments were done with Mozart Oz using the Oz Explorer and the Oz Propagator Viewer. The experimental implementation of first-class constraints was straightforward since Mozart Oz provides adequate programming interfaces to extend the constraint solver's functionality easily from user level.

Extending an existing constraint solver can be done with minimal effort and without 
performance penalties when first-class constraints are not used. 
Abstract. We describe a technique for formulating a problem for solution by a finite domain constraint solver, where the finite domains can be modelled in correspondence with an Entity-Relationship diagram or UML Class diagram. This works particularly well where data for the problem is retrieved from database(s) over a network, but we believe the modelling discipline will be more generally useful. We show how relationships are conveniently represented using the infers operator of the generalised constraint propagation (Propia) library of ECLiPSe. Further, we can then express sets of quantified constraints over the data model in the declarative Colan language, and use this to generate equivalent ECLiPSe code directly. The user then has only to maintain the declarative version of the constraints, which are much easier to read. They can also be reused in many ways by fusing them with constraints from other sources, as in the KRAFT project. An important subclass of such constraints behave as conditional constraints which need delayed application, and we discuss experience in making such constraints more active in the solving process.



1 Introduction 

Finite domain (FD) constraint solving is now a well established technique, and forms the basis of constraint logic programming (CLP) systems such as CHIP and ECLiPSe. However, even with the assistance of these packages, it is quite daunting for the average procedural programmer to use it. Thus, in the KRAFT project [?] we have been researching ways to generate CLP programs for FD solution from declarative constraint descriptions, which are much easier to read and understand. We also encourage the re-use of such descriptions by having them available over an extranet.

The unusual thing about our constraint descriptions is that they are expressed (and type-checked) against a data model that gives the semantics of the domain. Thus, many people think of an entity-relationship diagram (or UML class diagram) as being a useful diagrammatic guide and visualisation of the types of entities and relationships in a database (or an OO application), but they do not think of it as an operational basis for forming queries or specifications. However, in [?] we showed how quantified constraints can be expressed
constrain each t in tutor
such that astatus(t) = "research"
no s in advises(t) has grade(s) =< 30;

constrain each r in residue to have
distance(atom(r, "sg"),
         atom(disulphide(r), "sg")) < 3.7;



Fig. 1. The above examples demonstrate how Daplex/Colan [?] expresses a constraint on a university database containing student records. The same constraint language is applicable to the domain of protein structure modelling, as in the example restricting bond lengths.



in a very readable form of first order logic, including evaluable functions. An example is given in Figure 1. Here a variable t ranges over an entity type tutor, which is populated with stored object instances. Each of these instances may be related to instances of student entities through the relationship advises. These entities can be restricted by the values of attributes such as grade. There are also other entity types such as residue (representing parts of protein chains) which have method functions for determining distances by computation.^ The constraint then expresses a formula of logic which is true when applied to all the instances in a database, or even to instances in a solution database which is yet to be populated with constructed solutions. In this latter case it is behaving as a specification, rather than as an integrity constraint.

The great advantage of this approach when formulating combinatorial prob- 
lems is that each entity type forms the natural basis for one or more finite 
domains. The values in the domains become tokens or object identifiers for 
the objects themselves. They thus naturally have a finite set of values. The 
attributes of the objects may have continuous values representing spatial or 
temporal values. These values are considered as components of objects and held 
in tuples as constants or Prolog variables. They can be accessed and tested in 
the normal way. We do not need to map them onto finite domains unless the 
problem requires it. The instances of relationships, as described below, can 
be represented by asserted facts, just like tuples in a relational database table, 
referencing the object identifier values of the related objects. In this form we can 
use the infers construct, for generalised constraint propagation in the ECLiPSe 
Propia library, to prune values from the finite domains. 



2 Specifying a CSP by Database Integrity Constraints 

A constraint is an excellent declarative way to specify domain-specific semantic 
features in a particular data model. It is an important abstraction which extends 
a data model in various ways so that it can address questions of importance today, in the era of the Internet. Recently, it has also been realised that constraints 
are a highly suitable representation for knowledge in distributed agent-based applications Q, enabling novel approaches to the solution of design and configuration problems. When used as mobile knowledge which is exported and attached 
to data, constraints restrict the way in which the data can be used and form 
relationships with other objects. This mobility, together with its declarativeness, 
allows constraints to be transported, transformed, combined and manipulated 
in a distributed environment. 

We have chosen to use the Colan language Q developed for the P/FDM functional database system because it is based on Shipman's Daplex language, 
which is being used for its original purpose of integrating data expressed in 
different local databases using different local schemas. We have found this constraint language (figure 1) to be independent of the problem domain and able 
to represent the knowledge stored in a variety of local data models. It has the 
power of first order logic with safe expressions restricted by mixed quantifiers 
over finite domains of objects stored in databases or finite subranges of integers. 
It also has much of the power of a functional programming language for recursive 
computation. 

To specify a CSP by database integrity constraints expressed in Colan, we 
visualise a solution database which is empty and yet to be populated by the 
solutions of a CSP, after it is solved. Figure 2 shows the ER diagram of our 
example solution database for configuring PCs. We restrict the combination of 
values which can be stored and qualified as solutions to the CSP by imposing 
integrity constraints against the solution database schema, thus formalising the 
CSP specification. In practice, the solution database may simply provide a framework for CSP specification and need not physically exist or contain any data. 
Here are some example constraints imposed on the solution database which serve 
as CSP specifications: 

constrain all p in pc 
to have cpu(p)="pentium2" 

constrain all p in pc 
such that name(has_os(p))="winNT" 
to have memory(p) >= 64 

These example constraints expressed in Colan are quantified constraints, with 
the last one being a conditional constraint which only applies when a certain 
condition is true. The implementation of conditional constraints and quantified 
constraints, which form the basic patterns of constraint specification in Colan, 
will be discussed in section 4. Note that, although we use a syntax originally 
devised for database integrity constraints, here we extend it to problems that 
need a CSP solver, not just a database engine. 

To solve a CSP, we retrieve candidate data values from other populated 
databases, test them against the required constraints, and optionally store the 
qualified ones into the solution database. Candidate data in our example are 
usually provided by different vendors giving the available components for PC 
configuration. For illustration purposes, we populate our single vendor database 
with the following values of partially configured PC, OS and hard-disk, although 
in real practice these candidate data may be stored in distributed databases: 

Fig. 2. In this ER diagram, we have three entities pc, hard_disk and os linked 
together by their attributes. The single-valued attribute has_os(pc) is represented by a single arrow while the multi-valued attribute has_disk(pc) is denoted by a double arrow. Attributes underlined are keys of their respective entity 
class. 



pc object-id   model(pc)   cpu(pc)      memory(pc)   has_disk(pc) 
pc1            "P5-120"    "pentium"    32           disk1, disk2 
pc2            "P5-233"    "pentium"    32           disk2, disk3 
pc3            "P2-333"    "pentium2"   64           disk3, disk4 

os object-id   name(os)   size(os) 
os1            "win95"    300 
os2            "linux"    200 
os3            "winNT"    500 

hard_disk object-id   model(hard_disk)   size(hard_disk) 
disk1                 sg-256             256 
disk2                 wd-512             512 
disk3                 ib-1024            1024 
disk4                 ib-2048            2048 

It is important to note that these values are originally stored in the vendor 
database instead of the solution database. Some attributes, like has_os, are not 
populated in the vendor databases as a configuration is not yet made. It is only 
when the CSP is solved that values for these attributes are determined and 
qualified values (as solutions) are copied into the solution database. 

3 Compiling Data Objects into CLP Structures 

A CLP program reasons over CLP data structures and therefore we have to 
compile constraints and data into their corresponding CLP program codes and 
data structures before the CLP system can utilise them. 
3.1 Data Objects and Scalar Attributes 

In the functional data model, attributes of an entity are modelled as functions 
on a data object, which is identified by a unique object identifier. A simple 
but flexible approach to represent a data object and its attributes in a CLP 
system is by using Prolog term structures. The following example shows how a 
pc/5 structure is used to represent three pc objects pc1, pc2 and pc3 with their 
respective attribute values of cpu, model, memory and has_disk. In this example, 
the has_disk attribute is multi-valued and contains the object-ids of all related 
hard_disk data objects as a list: 

pc(pc1, 'P5-120', pentium, 32, [disk1, disk2]). 
pc(pc2, 'P5-233', pentium, 32, [disk2, disk3]). 
pc(pc3, 'P2-333', pentium2, 64, [disk3, disk4]). 

Instead of using these facts as a passive test against instantiated values, 
ECLiPSe supports the use of a user-defined predicate (e.g. pc/5) as an active 
constraint by generalised constraint propagation. The following ECLiPSe 
goal constrains the finite domain variables Pc, Model, Cpu, Memory and Disks to 
the value combinations specified by pc/5: 

pc(Pc, Model, Cpu, Memory, Disks) infers most. 

An alternative representation is to model the relationship between an object and each of its attributes by a separate constraint. The following example 
shows how the object/2 and fnval/5 (meaning 'function value') term structures are used to represent data objects and the single-valued attributes model, 
cpu, memory, and the multi-valued attribute has_disk of the object pc1: 

object(pc, pc1). 

fnval(model, [pc], [pc1], string, 'P5-120'). 
fnval(cpu, [pc], [pc1], string, pentium). 
fnval(memory, [pc], [pc1], integer, 32). 
fnval(has_disk, [pc], [pc1], hard_disk, disk1). 
fnval(has_disk, [pc], [pc1], hard_disk, disk2). 

This approach offers a uniform representation across different entity classes 
and attributes by modelling the relationship between the input arguments and 
output value of a function. Type information is included to make it self-describing 
and to discriminate between overloaded functions. The single-tuple approach 
(e.g. pc/5), on the other hand, has to change its arity when the number of 
attributes changes in representing objects of different entity classes. As a result, 
we choose to use the fnval/5 structure to represent the attributes of a data 
object. Once these facts are established, we can use the following ECLiPSe goals 
to set up the constraints between the domain variables Pc, Model, Cpu, Memory 
and Disk: 



Developing Finite Domain Constraints - A Data Model Approach 453 



object(pc, Pc) infers most, 
fnval(model, [pc], [Pc], string, Model) infers most, 
fnval(cpu, [pc], [Pc], string, Cpu) infers most, 
fnval(memory, [pc], [Pc], integer, Memory) infers most, 
fnval(has_disk, [pc], [Pc], hard_disk, Disk) infers most. 

3.2 Relationships between Objects 

In the functional data model, relationships between objects are modelled as 
attributes and thus are also represented as functions. Instead of returning scalar 
values, these functions return the object identifiers of the related data objects 
and we can use the same technique as described in section 3.1. The example in 
section 3.1 shows two hard_disk objects disk1 and disk2 related to a single 
PC pc1: 

fnval(has_disk, [pc], [pc1], hard_disk, disk1). 
fnval(has_disk, [pc], [pc1], hard_disk, disk2). 

Once again, the infers operator of generalised constraint propagation in 
ECLiPSe allows these facts to be used as an active constraint, like the following 
goal: 

fnval(has_disk, [pc], [Pc], hard_disk, Disk) infers most. 

4 Constraint Compilation 

4.1 Existentially Quantified Constraint 

Quantified constraints in Colan Q fall into two main categories. They are either 
universally quantified or existentially quantified. To facilitate the compilation of 
quantified constraints into CLP code, we have implemented two meta-predicates 
forall/3 and exist/3. When supplied with the set of quantified variables and 
ECLiPSe code fragments compiled from the generator and predicate of a quan- 
tified constraint, these two meta-predicates behave as a universal quantifier and 
an existential quantifier respectively. They are defined in an ECLiPSe module 
to provide the required runtime support. 

By default, a CSP implemented as a CLP program has an implicit existential 
quantifier over each involved variable. When we execute a CLP program and 
find the solutions to a CSP, we have found “the existence of values in the value 
domains of the involved variables such that all required constraints are satisfied”. 

Assume that we want to restrict the existence of a PC in the solution database 
such that it has at least one installed hard-disk of a capacity greater than 
or equal to 1024 units. This requirement can be written as a first-order logic 
expression: 

(∃p, d, s) pc(p) ∧ harddisk(d) ∧ has_disk(p, d) ∧ size(d, s) ∧ (s ≥ 1024) 

By searching for solutions for the variables Pc, Disk and Size, the 
following ECLiPSe program posts the same constraint: 



454 



Kit-ying Hui and Peter M. D. Gray 



post(Pc, Disk, Size) :- 
    object(pc, Pc) infers most, 
    object(harddisk, Disk) infers most, 
    fnval(has_disk, [pc], [Pc], harddisk, Disk) infers most, 
    fnval(size, [harddisk], [Disk], integer, Size) infers most, 
    Size #>= 1024. 

solve(Pc, Disk, Size) :- 
    post(Pc, Disk, Size), 
    indomain(Pc), indomain(Disk), indomain(Size). 

Therefore, the exist/3 meta-predicate can simply be implemented as: 

exist(Variables, Generator_code, Predicate_code) :- 
    call(Generator_code), 
    call(Predicate_code). 

where Generator_code defines the initial domains of the involved variables, and 
Predicate_code imposes the required constraint. Variables is the list of in- 
volved variables which are shared between Generator_code and Predicate_code 
and serve as a means to link the two program fragments. 

Now our previous example can be expressed in terms of the exist/3 meta- 
predicate. Notice how the generator and predicate code are linked by the shared 
variables Pc, Disk and Size and the use of the infers operator as discussed in 
section 3. 

post(Vars) :- 
    Vars = [Pc, Disk, Size], 
    Gen_code = ( 
        object(pc, Pc) infers most, 
        object(harddisk, Disk) infers most, 
        fnval(has_disk, [pc], [Pc], harddisk, Disk) infers most, 
        fnval(size, [harddisk], [Disk], integer, Size) infers most 
    ), 
    Pred_code = (Size #>= 1024), 
    exist(Vars, Gen_code, Pred_code). 

The following captured log shows how the domains of Pc, Disk and Size are 
reduced after the constraint is posted. pc1 is removed as none of its hard-disks 
satisfies the requirement: 

[eclipse 2]: post(V). 

V = [_173{[pc2, pc3]}, _281{[disk3, disk4]}, _770{[1024, 2048]}] 

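
The fact-base representation of sections 3.1 and 3.2 and the existential constraint of section 4.1, worked through in Python as an added example. This is not the paper's ECLiPSe code: Python stands in for the generalised propagation behaviour of the Propia `infers most` operator (each relation shrinks the domains of its variables to the projection of the tuples still consistent with them, and is re-run when a domain it watches shrinks) rather than reproducing Propia. The fact base is constructed from the vendor tables of section 2; the names `object_rel`, `fnval_rel`, `infers_most`, `propagate` and `post_exists` are the example's own.

```python
# Constructed fact base, mirroring the vendor tables of section 2.
# object(Class, Oid)
OBJECT = [
    ("pc", "pc1"), ("pc", "pc2"), ("pc", "pc3"),
    ("harddisk", "disk1"), ("harddisk", "disk2"),
    ("harddisk", "disk3"), ("harddisk", "disk4"),
]
# fnval(Function, ArgClass, ArgOid, ResultType, Value)
FNVAL = [
    ("model", "pc", "pc1", "string", "P5-120"),
    ("cpu", "pc", "pc1", "string", "pentium"),
    ("memory", "pc", "pc1", "integer", 32),
    ("has_disk", "pc", "pc1", "harddisk", "disk1"),
    ("has_disk", "pc", "pc1", "harddisk", "disk2"),
    ("model", "pc", "pc2", "string", "P5-233"),
    ("cpu", "pc", "pc2", "string", "pentium"),
    ("memory", "pc", "pc2", "integer", 32),
    ("has_disk", "pc", "pc2", "harddisk", "disk2"),
    ("has_disk", "pc", "pc2", "harddisk", "disk3"),
    ("model", "pc", "pc3", "string", "P2-333"),
    ("cpu", "pc", "pc3", "string", "pentium2"),
    ("memory", "pc", "pc3", "integer", 64),
    ("has_disk", "pc", "pc3", "harddisk", "disk3"),
    ("has_disk", "pc", "pc3", "harddisk", "disk4"),
    ("size", "harddisk", "disk1", "integer", 256),
    ("size", "harddisk", "disk2", "integer", 512),
    ("size", "harddisk", "disk3", "integer", 1024),
    ("size", "harddisk", "disk4", "integer", 2048),
]


def object_rel(cls):
    """Tuples for `object(cls, X)`: the object identifiers of one entity class."""
    return [(oid,) for c, oid in OBJECT if c == cls]


def fnval_rel(fn, arg_cls):
    """Tuples for `fnval(fn, [arg_cls], [X], _, Y)`: (argument oid, function value)."""
    return [(oid, val) for f, c, oid, _t, val in FNVAL if f == fn and c == arg_cls]


def infers_most(domains, names, tuples):
    """Stand-in for `Goal infers most`: keep only the tuples consistent with the
    current domains and shrink each variable's domain to the projection of what
    is left. Returns False when no tuple survives (the goal fails).
    domains maps variable name -> set of values."""
    live = [t for t in tuples if all(v in domains[n] for n, v in zip(names, t))]
    if not live:
        return False
    for i, n in enumerate(names):
        domains[n] = {t[i] for t in live}
    return True


def propagate(domains, constraints):
    """Re-run every propagator until no domain changes. ECLiPSe wakes a suspended
    `infers` goal whenever a domain it watches shrinks; this loop does the same."""
    changed = True
    while changed:
        before = {n: set(d) for n, d in domains.items()}
        for names, tuples in constraints:
            if not infers_most(domains, names, tuples):
                return False
        changed = before != domains
    return True


def post_exists(min_size=1024):
    """Existential constraint of section 4.1: Pc, Disk, Size such that the disk is
    installed in the PC and its size is >= min_size. The generator part is the
    object/fnval propagators; the predicate part is the unary size constraint.
    Returns the reduced domains, or None if the constraint cannot be satisfied."""
    domains = {
        "Pc": {oid for (oid,) in object_rel("pc")},
        "Disk": {oid for (oid,) in object_rel("harddisk")},
        "Size": {s for _, s in fnval_rel("size", "harddisk")},
    }
    generator = [
        (("Pc",), object_rel("pc")),
        (("Disk",), object_rel("harddisk")),
        (("Pc", "Disk"), fnval_rel("has_disk", "pc")),
        (("Disk", "Size"), fnval_rel("size", "harddisk")),
    ]
    # Size #>= min_size, expressed as a unary relation over the Size domain
    predicate = [(("Size",), [(s,) for s in domains["Size"] if s >= min_size])]
    if not propagate(domains, generator + predicate):
        return None
    return domains


if __name__ == "__main__":
    print(post_exists())  # Pc {pc2, pc3}, Disk {disk3, disk4}, Size {1024, 2048}
```

The result reproduces the captured log above: pc1 disappears because neither of its disks reaches 1024, while pc2 survives through disk3 even though disk2 does not qualify. That asymmetry is exactly what separates the existential reading from the universal one of section 4.3.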
4.2 Conditional Constraints 

Conditional constraints are constraints which require their guarding conditions 
to be satisfied before the constraints are applied. A conditional constraint has 
the operational semantics of an "if-then-else" statement where we cannot decide 
which one of the two branches to take before the guarding condition is evaluated. 
The following example specifies that "linux" must be used when a PC has 64 
units or more of memory, otherwise the use of "win95" is enforced: 

if memory(p) >= 64 
then name(has_os(p)) = "linux" 
else name(has_os(p)) = "win95" 

We define a meta-predicate if_then_else/4 on a set of variables with the 
testing condition and the two alternative branches of the decision. In general, there 
are two approaches to implementing a conditional constraint: passive or active. 
A passive approach delays evaluating the guarding condition until all variables 
are instantiated. This is similar to a generate-and-test strategy. An active one 
takes an aggressive approach to make its decision as soon as enough information 
is available, and if possible, without fully instantiating all the involved variables. 

We use the technique of applying the guarding condition as a constraint 
and detecting the change in the solution space, which is based on the fact that 
when there is a combination of variable values that fails the guarding condition, 
applying the guarding condition as a constraint either removes this combination 
of values, or creates a delayed-goal*. Applying the guarding condition as a 
constraint has three possible outcomes: 

1. The guarding condition fails to apply as a constraint 

In this case, the guarding condition must fail as no value combination within 
the variable domains can satisfy it. Therefore, we execute the else branch of 
the conditional constraint. 

2. The guarding condition applies with delayed-goals 

When the guarding condition applies with delayed-goals, it means some de- 
cisions cannot be made. In this case, we have to suspend our conditional 
constraint until more information is available. 

3. The guarding condition applies without any delayed-goal 

When the guarding condition applies without any delayed-goal, we can pro- 
ceed to detect any change in the solution space. If the solution space has 
changed, then the original variable domains must have some variable com- 
binations violating the guarding condition. In this case, we have to suspend 
our decision until the variables are more constrained. However, if the solu- 
tion space has not changed and there is no delayed-goal, then we are sure 
that no value combination in the variable domains will violate the guarding 
condition. In this case, we can safely execute the then branch. 

Ideally, this approach allows us to evaluate the guarding condition as soon as 
possible without fully instantiating all domain variables. In actual implementation, however, we found that it is difficult to detect the potential change of the 
solution space without exploring all value combinations, which is not an efficient 
solution as we try to avoid instantiating any variable, if possible. Thus in real 
practice, we choose to suspend our decision even if there is no delayed goal in 
applying the guarding condition as a constraint. The then branch is only executed when all involved variables are ground and the condition gets evaluated. 
Even so, this will detect a failure of the condition earlier than a purely passive 
approach. 

* A delayed-goal in ECLiPSe is a goal waiting for a certain event to occur. 

The evaluation of a conditional constraint is thus a loop of awakening and 
suspension until the guarding condition finally succeeds or fails (figure 3). To 
detect the presence of any delayed-goal in applying a constraint, we use the 
ECLiPSe predicate subcall/2 which executes a constraint and gets the list 
of introduced delayed-goals. Now the need to check for the presence of any 
delayed-goal in each iteration of the loop creates a technical problem. When the 
constraint is awakened, applying the predicate for a second time does not give us 
any new information if the constraint is already applied in a previous iteration. 
That means we should not apply the guarding condition in any previous iteration 
but only compute the possible change in domains and detect the presence of any 
delayed-goal introduced. This is an interesting problem as we have to know what 
will happen when a constraint (i.e. the guarding condition) is imposed without 
really applying it, thus performing a trial application of a constraint. 

The key to this problem is the Prolog predicate findall/3. As findall/3 
finds all solutions to its non-deterministic goal by backtracking, it executes the 
goal that contains subcall/2, collects information and undoes it. As a result, 
delayed-goals and domain change information are collected but the constraint is 
finally undone, with the results of all constraint application instances in a list. 

Figure 3 describes the implementation of the if_then_else/4 meta-predicate. 
This solution of if_then_else/4 works well with a 'suspension-aware' implementation of a quantified constraint and we can have a conditional constraint nested 
in the predicate part of a quantified constraint. The aggressive evaluation of the 
guarding condition encourages an early but decisive application of constraints 
which helps cut down variable domains. 

In general, the presence of conditional constraints in a CSP shifts the be- 
haviour of the constraint solver from prune- and- search towards generate-and- 
test, as some decisions cannot be made until more constraint information is 
available. In the worst case, all constraints may have to be delayed until all 
variables are instantiated. However, the constraint solver should be able to give 
us the best combination of active and passive constraint processing by wak- 
ening constraints as soon as they are applicable. The suspension mechanism 
of ECLiPSe allows constraints to be posted together but processed at different 
times, only when they are ready. This differs significantly from a LP system where 
the order of constraint processing (consistency test) is determined by the order 
of constraint posting. 

Fig. 3. The implementation of the meta-predicate if_then_else/4. 

The following example illustrates the behaviour of the if_then_else/4 meta- 
predicate. Notice that the guarding condition is compiled into a constraint when 
we call if_then_else/4: 



post_active([Pc, Os, Name, Memory]) :- 
    object(pc, Pc) infers most, 
    object(os, Os) infers most, 
    fnval(has_memory, [pc], [Pc], integer, Memory) infers most, 
    fnval(name, [os], [Os], string, Name) infers most, 
    Vars = [Memory], 
    If = (Memory #>= 64),                % the 'active' test 
    Then = (Name #= 'linux'), 
    Else = (Name #= 'win95'), 
    if_then_else(Vars, If, Then, Else).  % call if_then_else/4 

As soon as we post the extra constraint Memory #< 64, the correct OS is 
chosen: 

[eclipse 2]: post_active(V), V = [Pc, Os, Name, Memory], Memory #< 64. 

V = [Pc{[pc1, pc2]}, os1, win95, 32] 
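
The three outcomes of trial-applying a guarding condition, and the practical policy the paper settles on (else as soon as the guard cannot hold, then only once the guard variables are ground, otherwise suspend), as an added Python example; it is not the paper's if_then_else/4 implementation. The enumeration inside `trial_apply` plays the role of findall/3 wrapped around subcall/2: the guard is applied to a copy and the result is thrown away, so nothing is committed. The names `trial_apply`, `if_then_else` and `choose_os`, and the Name domain drawn from the os table of section 2, are the example's own assumptions.

```python
from itertools import product


def trial_apply(domains, guard_vars, guard):
    """Apply the guard as a constraint on a copy of the domains and report what
    would happen, without committing anything (the findall/3 + subcall/2 trick).
    Done here by enumerating value combinations, which the paper notes is the
    expensive part. Returns None when no combination satisfies the guard,
    otherwise the domains the guard would leave behind."""
    live = [combo for combo in product(*(sorted(domains[v]) for v in guard_vars))
            if guard(*combo)]
    if not live:
        return None
    return {v: {c[i] for c in live} for i, v in enumerate(guard_vars)}


def if_then_else(domains, guard_vars, guard, then_branch, else_branch):
    """One awakening of a conditional constraint, following section 4.2's
    practical policy: take the else branch as soon as the guard cannot hold;
    take the then branch only once the guard variables are ground (the guard is
    then evaluated, not propagated); otherwise suspend and leave every domain
    untouched. Returns (decision, domains), decision in {then, else, suspended}."""
    if trial_apply(domains, guard_vars, guard) is None:
        return "else", else_branch(domains)
    if all(len(domains[v]) == 1 for v in guard_vars):
        return "then", then_branch(domains)
    return "suspended", domains


def choose_os(memory_domain):
    """The constraint of section 4.2 over constructed domains:
       if memory(p) >= 64 then name(has_os(p)) = "linux"
                          else name(has_os(p)) = "win95"
    The Name domain is the set of os names in the vendor table."""
    domains = {"Memory": set(memory_domain), "Name": {"win95", "linux", "winNT"}}

    def then_branch(d):
        return {**d, "Name": d["Name"] & {"linux"}}

    def else_branch(d):
        return {**d, "Name": d["Name"] & {"win95"}}

    return if_then_else(domains, ("Memory",), lambda m: m >= 64,
                        then_branch, else_branch)


if __name__ == "__main__":
    # Memory undecided: the guard might still hold or fail, so the constraint suspends.
    print(choose_os({32, 64}))
    # Posting Memory #< 64 shrinks the domain and wakes the constraint; the guard
    # can no longer hold, so the else branch fires before Name is ever enumerated.
    print(choose_os({m for m in {32, 64} if m < 64}))
    # Memory ground at 64: the guard is evaluated and the then branch fires.
    print(choose_os({64}))
```

The second call is the situation in the log above: the extra constraint `Memory #< 64` leaves no value that can satisfy the guard, and the OS name is fixed to win95 without any search over Name. A purely passive implementation would have waited for Memory to be labelled.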
constrain all p in pc 
all d in has_disk(p) 
to have size(d) >= 1024 

Fig. 4. This example shows three related variables Pc, Disk and Size representing a PC, its installed hard-disks and the size of the hard-disk. The universally 
quantified constraint causes 256 and 512 to be removed from the domain of 
Size; this change propagates to the variables Disk and Pc, causing disk1, disk2 
and pc1 to be removed. Primary bad values are circled in black and secondary 
bad values are marked in grey. pc2 is indirectly removed as it is related to the 
bad value disk2, thus violating the universal quantification. 



4.3 Universally Quantified Constraint 

Our implementation of a universally quantified constraint makes use of several 
facilities in ECLiPSe: the suspension mechanism, the ability to operate on finite 
domains and the ability to examine delayed goals associated with a variable. In particular, 
we choose to implement the universal quantifier as a meta-predicate forall/3, 
so that a universally quantified constraint is formed by providing the set of quantified variables, the code of the generator and the predicate of the constraint. 

Like other constraints in ECLiPSe, our universally quantified constraint works 
by solution elimination, where values violating the constraint are removed from 
their respective domains. When the predicate part of the quantified constraint is 
imposed, some values are removed as a direct consequence. We call these values 
primary bad values as they are promptly removed by the constraint (figure 4). 
However, these primary bad values are not the only ones to be removed. If there 
are related variables which are also universally quantified, we also have to remove 
values that these variables will take which are associated with a bad value. These 
secondary bad values are indirectly removed by the universal quantification because of their relationship to the primary bad values. As the imposed constraint 
propagates through the related variables, this process of indirect value removal 
continues. 

To achieve the desired behaviour of universal quantification, we have to collect information on the bad values that violate the required constraint, so that 
we can determine what values to remove, either directly or indirectly. We use 
the same technique as in the implementation of the conditional constraint (section 4.2), where we trial-apply a constraint and compute the difference of the 
involved variable domains before and after the constraint is imposed. 

We have a loop of suspension-and-awakening until the predicate applies without any delayed-goal (see figure 5). This implementation encourages an early 
utilisation of constraint information, which in turn allows an early triggering of 
conditional constraints instead of waiting for variable instantiation. The overall 
solving process is thus pushed towards a prune-and-search strategy rather than 
generate-and-test. It also has the major advantage of being 'suspension-aware', 
which allows the proper handling of nested quantified constraints. 

Our example constraint requires every hard_disk installed in a PC to have a 
size of 1024 units or more: 

(∀p, d, s) pc(p) ∧ harddisk(d) ∧ has_disk(p, d) ∧ size(d, s) → s ≥ 1024 

The following ECLiPSe code defines a predicate post/1 which posts the 
universally quantified constraint on variables Pc, Disk and Size with the meta- 
predicate forall/3: 

post(Vars) :- 
    Vars = [Pc, Disk, Size], 
    Gen_code = ( 
        object(pc, Pc) infers most, 
        object(harddisk, Disk) infers most, 
        fnval(has_disk, [pc], [Pc], harddisk, Disk) infers most, 
        fnval(size, [harddisk], [Disk], integer, Size) infers most 
    ), 
    Pred_code = (Size #>= 1024), 
    forall(Vars, Gen_code, Pred_code). 

Here are the variable domains of the three variables Pc, Disk and Size after 
calling post/1. Notice how Pc is instantiated by posting the constraint alone: 

[eclipse 3]: post(V). 

V = [pc3, _346{[disk3, disk4]}, _835{[1024, 2048]}] 
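
Primary and secondary bad values of a universally quantified constraint over a chain of relationships (pc to hard_disk to size), as an added Python example rather than the paper's forall/3 meta-predicate. It generalises figure 4 to a chain of any length: leaf values failing the predicate are removed first, and each parent related to a removed child is removed in turn, walking back towards the root. The relation tables are constructed from the vendor data of section 2; `forall_chain` and `post_forall` are assumed names.

```python
# Constructed relationships taken from the vendor tables of section 2.
HAS_DISK = {"pc1": {"disk1", "disk2"}, "pc2": {"disk2", "disk3"}, "pc3": {"disk3", "disk4"}}
SIZE = {"disk1": 256, "disk2": 512, "disk3": 1024, "disk4": 2048}


def forall_chain(domains, chain, leaf, predicate):
    """Universal quantification along a chain of relationships ending at `leaf`.

    chain: list of (parent_var, child_var, rel) ordered from root to leaf, where
           rel maps a parent value to the set of child values related to it.
    Leaf values failing `predicate` are the primary bad values. Walking the chain
    back towards the root, every parent value related to a bad child becomes a
    secondary bad value, because the constraint must hold for all of its children.
    Returns (reduced domains, bad values per variable).
    """
    bad = {leaf: {v for v in domains[leaf] if not predicate(v)}}
    for parent, child, rel in reversed(chain):
        bad[parent] = {p for p in domains[parent] if rel.get(p, set()) & bad[child]}
    reduced = {v: dom - bad.get(v, set()) for v, dom in domains.items()}
    # Forward pass, the part `infers most` would contribute: a child value only
    # survives if some surviving parent still references it.
    for parent, child, rel in chain:
        reachable = set().union(*(rel.get(p, set()) for p in reduced[parent]))
        reduced[child] &= reachable
    return reduced, bad


def post_forall(min_size=1024):
    """constrain all p in pc, all d in has_disk(p) to have size(d) >= min_size,
    posted over the domains of Pc, Disk and Size."""
    domains = {
        "Pc": set(HAS_DISK),
        "Disk": set(SIZE),
        "Size": set(SIZE.values()),
    }
    chain = [
        ("Pc", "Disk", HAS_DISK),
        ("Disk", "Size", {d: {s} for d, s in SIZE.items()}),
    ]
    return forall_chain(domains, chain, "Size", lambda s: s >= min_size)


if __name__ == "__main__":
    reduced, bad = post_forall()
    print("bad values:", bad)   # Size {256, 512}, Disk {disk1, disk2}, Pc {pc1, pc2}
    print("domains:", reduced)  # Pc {pc3}, Disk {disk3, disk4}, Size {1024, 2048}
```

Compared with the existential version of section 4.1, pc2 is now removed as well: it is related to disk2, a primary bad value, so it cannot satisfy a constraint over all of its disks. With the threshold lowered to 512 only disk1 and pc1 are eliminated, which shows the secondary removals tracking the primary ones.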



5 Related Work 

Early work in generation of CLP code from CoLan-style constraints is reported 
in Q. This shows how the classic eight queens problem can be described as con- 
straints on sets of data values and then code-generated in CHIP. The emphasis 
here is on how to deal with nested loops and other control issues. The data 
model for this is very simple and does not include relationships, instead it just 
compares numerical attributes: 

constrain each q in queen to have row(q) in {1 to 8}; 
constrain each q in queen 
so that no q1 in queen has (q1 <> q and 
    (col(q1)=col(q) or row(q1)=row(q) or 
     abs(row(q1)-row(q)) = abs(col(q1)-col(q)))); 
Fig. 5. The implementation of the meta-predicate forall/3. (Flowchart from BEGIN to END not reproduced.) 



The KRAFT project worked in a domain of configuration of telecommunica- 
tion equipment, including various specialised subtypes of equipment and many 
complex relationships. Examples of various complex constraints that we have 
compiled are given in Q. These may be more representative of real-life engi- 
neering problems than the commonly used examples of magic squares and eight 
queens. Another example of complex engineering assembly data that has been 
very neatly captured in an object-relational model Q with a query language 
similar to ours is given in Q. This is an area where scientists traditionally work 
directly in Fortran with large matrices passed to Finite Element packages; yet 
the data-model based representation interfaced to the FE package paid off in ex- 
tra flexibility and scalability, and in clarity of problem formulation. By analogy, 
one should be able to use it with a constraint solver. 

Recently Freuder, in an invited address Q, has identified modelling as “the 
transformation of the customer’s statement of the problem into a form suitable 
for efficient processing by constraint algorithms or languages” . He admits that 
it is largely a black art at present and calls for improved facilities, in order 
to get wider usage of CLP. This is echoed in a recent conference paper 
including a simple declarative high-level language EaCL which is intended as 
a “solver-independent representation” for transmitting specifications across a 
net. Thus EaCL acts as a high level language in which to capture the problem, 
with aims similar to CoLan. Instead of using objects with attributes, as in our 
model, EaCL works directly in terms of named finite domain variables, possibly 
in an array. The ER model is, instead, naturally independent of the data storage 
representation. Thus there is a choice of whether to keep object attributes in 
one tuple or in several. There is also a choice of arrays or collections of tuples. 
This is a new field that is opening up, with many varieties of description yet to 
be explored. 



6 Conclusions 

The use of a Data Model is well established in the structured database world. 
Correspondingly Class Diagrams are a well established part of the UML mod- 
elling language used by object-oriented programmers. Thus people are increas- 
ingly used to relating data values to this formalism. Many combinatorial con- 
straint problems that suit finite domains also have data in this form. We con- 
jecture that many of these problems, especially in the area of configuration, are 
ripe for an automatic generation approach which would save the end user from 
maintaining CLP code. 

We have described our own approach, as used in the KRAFT project, in the 
hope of encouraging others to follow suit. Once one has the idea of how to use 
a data model in this way, the details of how to generate the code are relatively 
straightforward. We have found the ECLiPSe system particularly suitable as 
a target, because of its use of generalised constraint propagation from stored 
data. Once one uses this framework, one can then see particular patterns in 
the generated code, which then call for improved performance. We believe that 
conditional constraints are one such pattern, and we have described a way to 
compile them into code that uses the constraint in a more active fashion. Certain 
kinds of universal constraint have similar considerations. 

We believe that increased facilities for automatic generation of CLP are 
needed to make this technique more widely usable. As these get more widely 
used they will stimulate improved implementation of time-critical operations 
that are commonly generated. We look forward to future developments combin- 
ing program transformation with improved algorithms to tackle the conditional 
constraint problem. 
Abstract. We propose an extension of concurrent constraint program- 
ming with primitives for process migration within a hierarchical network, 
and we study its semantics. 

To this purpose, we first investigate a “pure” paradigm for process mi- 
gration, namely a paradigm where the only actions are those dealing 
with transmissions of processes. Our goal is to give a structural def- 
inition of the semantics of migration; namely, we want to describe the 
behaviour of the system, during the transmission of a process, in terms of 
the behaviour of the components. We achieve this goal by using a labeled 
transition system where the effects of sending a process, and requesting 
a process, are modeled by symmetric rules (similar to handshaking-rules 
for synchronous communication) between the two partner nodes in the 
network. 

Next, we extend our paradigm with the primitives of concurrent con- 
straint programming, and we show how to enrich the semantics to cope 
with the notions of environment and constraint store. 

Finally, we show how the operational semantics can be used to define an 
interpreter for the basic calculus. 



1 Introduction 

Concurrent constraint programming (ccp) Q is a computational paradigm 
which combines the notions of concurrency and constraints. Classical ccp is based 
on a shared (constraint) store and, as such, it implies a centralized computational 
model. 

In this work, we aim at enriching the ccp paradigm with the notion of local- 
ities, local stores and environments, and process migration. More precisely, we 
consider a distributed version of ccp where processes (or agents) run at specific 
sites, and have associated a local environment of procedure declarations, and a 
local store of constraints. The sites are organized hierarchically, and therefore an 
agent may contain sub-agents. The computation of a process only depends on its 
local code and data; however, a crucial characteristic that we wish to describe is 
the ability of an agent to move from site to site in the network, and bring along 
its environment and store. 
Our main goal is to provide a Structural Operational Semantics for such 
an extension of ccp, namely a semantics in which the behaviour of complex 
processes is defined in terms of the behaviour of their components. This results 
in the usual advantages for reasoning and for the definition of formal tools. In 
the long-term our motivation is to be able to describe and reason about the 
migration of software agents in a distributed system. 

1.1 Process Migration versus Link Mobility 

The term “mobility” has become associated with two meanings - firstly that 
of reconfiguring a network by changing the links or connections between nodes, 
and secondly the ability of a node within a network to migrate its position, thus 
also reconfiguring the topology of the network. In order to avoid confusion, we 
use link mobility to describe the former, and process mobility, or migration, for 
the latter. In this work, we are concerned with process mobility. 

The classical work on link mobility is Milner's π-calculus. Migration has 
been described by Cardelli and formalized in work on agent-passing calculi, 
for example Plain CHOCS and the Strictly Higher-Order π-calculus. For a 
study of the correspondence between the two concepts, see Sangiorgi. 

An important consideration in migration is that of locality, namely the ex- 
plicit association between agents and specific sites. Several calculi supporting this 
notion have been presented recently. Of these, however, only Fournet et al.'s 
Distributed Join Calculus treats locality in combination with migration. This is 
done in the style of the Chemical Abstract Machine, by creating a flat model of 
local solutions with associated local names, and organising them as an implicit 
tree of nested locations. In contrast with the Distributed Join Calculus, we describe 
migration in the SOS style, maintaining the network structure explicitly. Another 
difference is that we are able to describe migration to a sublocation, while this 
is not possible in the Distributed Join Calculus. 



1.2 Models of Mobile Computation 

One can distinguish various types of mobile computation, which depend on the 
way the environment is treated under migration. 

Following Cardelli, we regard a closure as the run-time description of a 
running procedure, i.e. the code plus the context of its execution. In general this 
context may include data, active network connections which are preserved on 
transmission, and new connections that are created to keep the closure in touch 
with the site that it has left behind. 

With respect to the notion of closure, we can distinguish three increasingly 
richer models of mobility: 

1. Code mobility only. 

2. Mobility of agents, which are closures with contexts which lack link infor- 
mation. These agents do not communicate remotely with other agents, but 
move to some location and communicate locally there. 

3. Mobility of general closures which include network connections (links), as 
in Obliq. 

In this paper we focus on the agent mobility only. At the end of Section 3 
we discuss possible extensions towards the last, most general model. 



1.3 Distributed Concurrent Constraint Programming 

To our knowledge, there have been only two previous proposals for distributed 
extensions of ccp: Distributed Oz and Distributed ccp. 

The Distributed ccp proposal is based on the notion of agents computing within their 
local stores of constraints, and exchanging constraint abstractions through chan- 
nels. A process receiving an abstraction applies it to its local variables, thus 
making a sort of local version of the received constraint. The dependency on 
global information is avoided by a static analysis of the program, giving 
sufficient conditions under which the store of two agents can be divided into two 
local (independent) stores. 

In Distributed Oz, notions of global and local information coexist: the computation 
of an agent mainly depends on local data, but the bindings of the shared logical 
variables are global and require handling by a distributed constraint solving 
algorithm. The main kind of mobility is cell mobility, namely the information 
content of a cell (a sort of imperative variable) can be exchanged between agents. 

Neither proposal deals with distribution and agent migration in our sense, 
i.e. by using an explicit notion of site, in a network organized hierarchically, and 
by transferring environment and store along with the code. 



1.4 Structure of the Paper 

The next section presents an abstract paradigm for the description of process 
migration between any two sites within a hierarchical network. Section 3 shows 
how the paradigm can be enriched to cope with the concepts of environment and 
constraint store, thus laying the foundations of concurrent constraint program- 
ming with process migration. Section 4 presents a simple (centralized) interpreter 
for the paradigm described in Section 3, and Section 5 discusses future work. 



2 The Basic Paradigm for Migration 

In this section we present our methodology for describing migrating agents within 
a hierarchically organized network. Our basic assumption is that the topology 
of such a network can be described as a tree, where each node is associated with 
a name n and contains an agent A. Names are unique only amongst peer nodes 
(sharing the same parent), and the unique address (location) of a node is given 
by the string π formed by concatenating the names of the nodes on the direct 
path from the root to that node. Thus we permit the same name to be used more 
than once in a system, and our calculus ensures that no ambiguity concerning 
addresses can arise when an agent migrates within the network. 

An agent A in a node n can migrate to any other node m in the network. 
In this migration A is relocated together with all its subnodes and is inserted 
in m together with the agent B of m. The structure of the network can change 
as a result of this migration, for instance when a process which contains nested 
nodes migrates to a leaf node. 

We assume two basic actions for migration: go and fetch. The first sends an 
agent to a node n at a specified location; the second gets a copy of an agent from 
a node n at a specified location, leaving the agent available for another request. 
We think that this naturally formulates “go” instructions and “fetch” requests. 
In both cases we specify the location by giving the path to n starting from the 
first (i.e. lowest in the tree) common ancestor of n and the node m which is 
performing the action. We will call this path the relative address from the point 
of view of m, and the sub-address from the point of view of the ancestor. 

The syntax of our basic calculus is specified by the following grammar, where 
the symbol || represents the usual parallel operator and 0 represents inaction: 

Agents A ::= 0 | node(n, A) | go(π, A) | fetch(π) | A || A 

We assume the usual structural equivalences for the parallel operator: 

A || 0 = A 
A_1 || A_2 = A_2 || A_1 
(A_1 || A_2) || A_3 = A_1 || (A_2 || A_3) 

The operational semantics is defined by a labeled transition system whose 
configurations are agents and whose labels have the following form, where A is an agent: 

• s(π_f, π_t, A) : send A from sub-address π_f to relative address π_t 

• r(π_f, π_t, A) : receive A from relative address π_f to sub-address π_t 

• vs(π_f, π_t, A) : virtual send A from sub-address π_f to relative address π_t 

• vr(π_f, π_t, A) : virtual receive A from relative address π_f to sub-address π_t 

• as(π_f, π_t, A) : actual send A from sub-address π_f to sub-address π_t 

• ar(π_f, π_t, A) : actual receive A from sub-address π_f to sub-address π_t 

• migrate(π_f, π_t, A) : relocate A from sub-address π_f to sub-address π_t 

The last three kinds of labels correspond to transitions that can be performed 
only by the first common ancestor of the nodes m and n between which the 
migration takes place. Basically, the idea is the following: when a node m exe- 
cutes an action go(π_t, A), it performs a send transition s(m, π_t, A). Correspond- 
ingly, the node n at the relative address π_t performs a virtual receive transition 
vr(π_f, n, A), where π_f is the relative address of m from the point of view of n. 
This virtual transition is a "spontaneous initiative", i.e. it is generated by the 
agent 0 (always present in a node because of the equivalence A = A || 0). 

These transitions propagate upwards in the tree until they hit a common 
ancestor. At this point the send becomes an actual send, matches with the virtual 
receive, and the migration takes place. 
Table 1. Specification of labels and conditions for the propagation rule. The 
function hd gives the first element of a string. 

  ℓ                        Cond            ℓ' 
  s(π_f, π_t, B)           hd(π_t) ≠ n     s(n·π_f, π_t, B) 
  s(π_f, π_t, B)           hd(π_t) = n     as(n·π_f, π_t, B) 
  r(π_f, π_t, B)           hd(π_f) ≠ n     r(π_f, n·π_t, B) 
  r(π_f, π_t, B)           hd(π_f) = n     ar(π_f, n·π_t, B) 
  vs(π_f, π_t, B)          -               vs(n·π_f, π_t, B) 
  vr(π_f, π_t, B)          -               vr(π_f, n·π_t, B) 
  migrate(π_f, π_t, B)     -               migrate(n·π_f, n·π_t, B) 


During the upward propagation of vr(π_f, π, A) the sub-address π of the vir- 
tual receiver is incrementally constructed, until it becomes π_t. Analogously, dur- 
ing the upward propagation of s(π', π_t, A), the sub-address π' of the sender is 
constructed, until it becomes π_f. The actual send and the virtual receive can 
match only if the sub-addresses correspond, i.e. only if they are of the form 
as(π_f, π_t, A) and vr(π_f, π_t, A) respectively. Note that, strictly speaking, only 
one of these constructed addresses is necessary to test whether the two actions match; 
we do it this way just for the sake of symmetry. 

The mechanism for the fetch(π) action is analogous: in this case its node will 
perform a receive transition and the node at the relative address π will perform 
a corresponding virtual send transition. Note however that fetch and go are not 
symmetric to each other: go does not cause a duplication of the agent, while 
fetch does. 

The above ideas are formalized by the following rules, which specify the 
transition relation. λ represents the empty string. 

The following four axioms introduce the send and receive, and their virtual 
counterparts: 

$$ \textit{(send)}\quad go(\pi_t, A) \xrightarrow{s(\lambda,\,\pi_t,\,A)} 0 $$

$$ \textit{(receive)}\quad fetch(\pi_f) \xrightarrow{r(\pi_f,\,\lambda,\,A)} A $$

$$ \textit{(virtual send)}\quad A \xrightarrow{vs(\lambda,\,\pi_t,\,A)} A $$

$$ \textit{(virtual receive)}\quad 0 \xrightarrow{vr(\pi_f,\,\lambda,\,A)} A $$


The following rule specifies the upwards propagation of transitions in the tree 
structure: 

$$ \textit{(propagation)}\quad \frac{A \xrightarrow{\ell} A'}{node(n, A) \xrightarrow{\ell'} node(n, A')}\ \ Cond $$

In this rule, ℓ' and the side condition Cond depend on ℓ as specified in Table 1. 
The following two symmetric rules describe the actual migration: 
$$ \textit{(migrate}_{go}\textit{)}\quad \frac{A_1 \xrightarrow{as(\pi_f,\,\pi_t,\,B)} A_2 \qquad A_2 \xrightarrow{vr(\pi_f,\,\pi_t,\,B)} A_3}{A_1 \xrightarrow{migrate(\pi_f,\,\pi_t,\,B)} A_3} $$

$$ \textit{(migrate}_{fetch}\textit{)}\quad \frac{A_1 \xrightarrow{ar(\pi_f,\,\pi_t,\,B)} A_2 \qquad A_2 \xrightarrow{vs(\pi_f,\,\pi_t,\,B)} A_3}{A_1 \xrightarrow{migrate(\pi_f,\,\pi_t,\,B)} A_3} $$

Note that, if the two nodes between which the relocation takes place are not 
along the same branch, then one can use more elegant rules for migration, mod- 
eling it as handshaking between the real and the virtual actions. More formally, 
migrate_go could be replaced by the following: 

$$ \textit{(migrate}'_{go}\textit{)}\quad \frac{A_1 \xrightarrow{s(\pi_f,\,n\pi_t,\,B)} A_1' \qquad A_2 \xrightarrow{vr(n\pi_f,\,\pi_t,\,B)} A_2'}{node(n, A_1 \parallel A_2) \xrightarrow{migrate(n\pi_f,\,n\pi_t,\,B)} node(n, A_1' \parallel A_2')} $$

and analogously for migrate_fetch. 

This rule however does not cover the case of relocation between ancestor and 
descendant, because that situation cannot be described, in our paradigm, by 
using the parallel operator. 

Finally, the rule for the parallel operator is the standard interleaving rule, 
refined by a condition intended to maintain the uniqueness of names among 
sibling nodes: 

$$ \textit{(parallel)}\quad \frac{A_1 \xrightarrow{\ell} A_1'}{A_1 \parallel A_2 \xrightarrow{\ell} A_1' \parallel A_2}\ \ names(A_1') \cap names(A_2) = \emptyset $$

where the function names(A) gives all the names of top-level nodes in A. 
Formally: 

names(0) = ∅ 

names(node(n, A)) = {n} 

names(go(π, A)) = ∅ 

names(fetch(π)) = ∅ 

names(A_1 || A_2) = names(A_1) ∪ names(A_2) 

We conclude this section with some examples illustrating how our model 
works. 

Examples 

In the following examples, for the sake of simplicity we omit null agents and 
represent the agent node(n, 0) by node(n), or (in the figures) by n: 
(1) Reorganising a Branched Network to a Linear Network 

[Figure: the initial network rooted at x, with node b and the two migrating 
agents labelled go(x.b, a) and go(x.b.a, c); the result is the chain x, b, a, c.] 

There is only one (strict) order of migrations: 

node(x, go(x.b, node(a)) || node(b) || go(x.b.a, node(c))) 

  migrate(x, x.b, node(a)) 

node(x, node(b, node(a)) || go(x.b.a, node(c))) 

  migrate(x, x.b.a, node(c)) 

node(x, node(b, node(a, node(c)))) 


(2) Using Fetch 

[Figure: three successive snapshots of a network containing the nodes f and g.] 

Again the reader can verify that there is only one order for the migration com- 
mands to be executed. 



(3) Swapping Children Nodes Using Two Agents 

[Figure: node a with children b and c; b contains go(a.c, d) and c contains 
go(a.b, e). Afterwards e sits under b and d under c.] 

In this case two different migration histories are possible: 

1. migrate(a.b, a.c, node(d)) followed by migrate(a.c, a.b, node(e)) 

2. migrate(a.c, a.b, node(e)) followed by migrate(a.b, a.c, node(d)) 
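The calculus of this section (the grammar, the propagation rule of Table 1, the two migrate rules and the side condition of the parallel rule) is small enough to execute directly. The following Python model is an added example written for this page; it is not the paper's SICStus Prolog interpreter of Section 4. It resolves each go and fetch the way the propagation rule does: the label climbs the enclosing nodes until it meets the lowest one named hd(π_t), and the rest of π_t is then followed down from there, so the same name may reappear in different branches without ambiguity. Two simplifications are assumptions of the example, not of the paper: parallel composition is flattened into a tuple of components (which builds in the structural equivalences for ||), and fetch copies the whole agent found inside the source node, which is one reading of the virtual send axiom. Examples (1) and (3) are reproduced at the bottom; the enumeration of histories corresponds to answering `;` at the interpreter's `More solutions?` prompt.

```python
"""Executable model of the basic migration calculus (added example, not the
paper's interpreter).  An agent is a tuple of parallel components, the empty
tuple being the inaction 0; a component is ("node", name, agent),
("go", path, agent) or ("fetch", path), a path being a tuple of names."""

def node(name, *comps): return ("node", name, tuple(comps))
def go(path, *comps): return ("go", tuple(path.split(".")), tuple(comps))
def fetch(path): return ("fetch", tuple(path.split(".")))

def names(agent):
    """names(A): the names of the top-level nodes of A."""
    return {c[1] for c in agent if c[0] == "node"}

def lookup(agent, path):
    """Follow a sub-address name by name; None if some node is missing."""
    for name in path:
        agent = next((c[2] for c in agent if c[0] == "node" and c[1] == name), None)
        if agent is None:
            return None
    return agent

def update(agent, path, fn):
    """Rebuild the tree with fn applied to the agent inside the node at path."""
    if not path:
        return fn(agent)
    return tuple(("node", c[1], update(c[2], path[1:], fn))
                 if c[0] == "node" and c[1] == path[0] else c for c in agent)

def actions(agent, chain=()):
    """Every go/fetch, with the names of its enclosing nodes and its index."""
    for i, c in enumerate(agent):
        if c[0] == "node":
            yield from actions(c[2], chain + (c[1],))
        else:
            yield chain, i, c

def resolve(chain, rel):
    """Table 1: the label climbs the enclosing nodes until it meets the lowest
    one named hd(rel); the partner's absolute address is that node's address
    followed by the rest of rel.  None when no such ancestor exists."""
    for j in range(len(chain) - 1, -1, -1):
        if chain[j] == rel[0]:
            return chain[:j] + rel
    return None

def steps(agent):
    """All migrate transitions enabled in agent, as (label, successor) pairs."""
    out = []
    for chain, i, act in actions(agent):
        partner = resolve(chain, act[1])
        if partner is None or lookup(agent, partner) is None:
            continue                                 # no such address: stuck
        if act[0] == "go":
            moved = act[2]
            sent = update(agent, chain, lambda a, i=i: a[:i] + a[i + 1:])  # actual send
            if names(moved) & names(lookup(sent, partner)):
                continue                             # parallel rule: unique sibling names
            succ = update(sent, partner, lambda a: a + moved)              # virtual receive
            out.append((("migrate", chain, partner, moved), succ))
        else:                                        # fetch: copy the partner's agent here
            copied = lookup(agent, partner)
            if names(copied) & names(lookup(agent, chain)):
                continue
            succ = update(agent, chain, lambda a, i=i: a[:i] + a[i + 1:] + copied)
            out.append((("migrate", partner, chain, copied), succ))
    return out

def canon(agent):
    """Sort parallel components so that equal networks compare equal."""
    comps = [c if c[0] == "fetch" else (c[0], c[1], canon(c[2])) for c in agent]
    return tuple(sorted(comps, key=repr))

def histories(agent, max_steps=20):
    """Every migration history: (labels, final network, 'inactive' or 'stuck')."""
    result = []
    def explore(state, trace):
        succs = steps(state) if len(trace) < max_steps else []
        if not succs:
            status = "stuck" if list(actions(state)) else "inactive"
            result.append((tuple(trace), canon(state), status))
            return
        for label, nxt in succs:
            explore(nxt, trace + [label])
    explore(agent, [])
    return result

def show(agent):
    """The paper's notation, omitting null agents as its examples do."""
    if not agent:
        return "0"
    return " || ".join(
        f"fetch({'.'.join(c[1])})" if c[0] == "fetch" else
        f"go({'.'.join(c[1])}, {show(c[2])})" if c[0] == "go" else
        f"node({c[1]}, {show(c[2])})" if c[2] else f"node({c[1]})" for c in agent)

# Examples (1) and (3) of the paper, as top-level networks.
EX1 = (node("x", go("x.b", node("a")), node("b"), go("x.b.a", node("c"))),)
EX3 = (node("a", node("b", go("a.c", node("d"))), node("c", go("a.b", node("e")))),)
```

`histories(EX1)` produces the single two-step history of Example (1), with the second go disabled until node a has arrived under b; `histories(EX3)` produces the two interleavings of Example (3), both ending in the same network. A go whose target name never occurs among its enclosing nodes, or whose agent would duplicate a sibling name at the destination, is left in place and the final state is reported as stuck, which is the same distinction the interpreter of Section 4 makes.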



3 Enhancing ccp with Migration 

In the previous section we have dealt with the simple case of agents without 
environment or store. Of course, this is a very simplistic assumption. One of the 
main issues about migration is the formalization of the way a migrating process 
is inserted into the environment of the host, how it interacts with the resources 
of the host, what the scoping rules are, etc. 

In this section we investigate how the basic calculus for migration can be 
enriched with the notions of environment and constraint store, laying the foun- 
dations for concurrent constraint programming with process mobility. 

Let us first recall the definition of ccp: 

Agents A ::= 0 | tell(c) | Σ_{i=1}^{n} ask(c_i) → A_i | A || A | p(x) | ∃x A 

The c and c_i's are constraints, i.e. elements of a given constraint system 
(C, ⊢). We recall that ⊢ represents a relation of entailment between elements 
of C, that C is closed under logical conjunction ∧, and that a cylindrification 
operator ∃_x : C → C is defined for any variable x. 

Briefly, the computational meaning of this paradigm is the following: the 
agents interact via a common store which ranges over C. The execution of tell(c) 
adds c to the current store, i.e. if the current store is s then the resulting store is 
s ∧ c. The guarded choice agent Σ_{i=1}^{n} ask(c_i) → A_i selects nondeterministically 
one j such that ask(c_j) is enabled in the current store s, i.e. s ⊢ c_j, and then 
behaves like A_j. The agent ∃x A behaves like A, with x considered local to A. 
Finally, the agent p(x) is a procedure call. Its meaning is given by a declaration 
of the form p(y) :- A. 

In this presentation there is a unique global set of decla- 
rations. Furthermore, although in the course of the computation some agents 
might obtain a local store, initially there is only a unique global store (this as- 
sumption makes it easier to describe the semantics). Since our purpose here is to 
study agent migration in the presence of a structure of environments and stores, 
we will enrich this paradigm with the possibility of associating local declarations 
and a local store with an agent (besides local variables). More precisely, we will 
substitute the hiding construct ∃x A with the more general block construct: 

block(D, X, s, A) 

where D is a (possibly empty) set of local procedure declarations, X is a (possibly 
empty) set of local variables, and s is the initial (possibly empty) local store. 

Thus the syntax of this extended ccp, enhanced with the migration con- 
structs, will be: 

Agents A ::= 0 | tell(c) | Σ_{i=1}^{n} ask(c_i) → A_i | A || A | p(x) | 
             block(D, X, s, A) | node(n, A) | go(π, A) | fetch(π) 

The operational semantics is defined via a labeled transition system as fol- 
lows: the basic configurations are the blocks, and the labels are those introduced 
in Section 2 plus τ, which labels the transitions corresponding to the stan- 
dard (unlabeled) ccp transitions. The transition rule for tell is similar to the one 
for standard ccp: 

$$ block(D, X, s, tell(c)) \xrightarrow{\tau} block(D, X, s \sqcup c, 0) $$

The symbol ⊔ here represents concatenation, and will be interpreted as logical 
conjunction when the store is checked for entailment. In standard ccp the corresponding 
rule uses logical conjunction directly. We need to distinguish the contribution 
made by an agent essentially to deal with the presence of an initial local store. 
This will become apparent in the rule for nested blocks. 

The guarded choice rule is just the same as in standard ccp: 

$$ block(D, X, s, \textstyle\sum_{i=1}^{n} ask(c_i) \to A_i) \xrightarrow{\tau} block(D, X, s, A_j) \quad \text{if } s \vdash c_j $$

For the parallel operator, we have to add the condition on uniqueness of 
sibling names. The function names extends to ccp in the obvious way (for the 
procedure call it gives the empty set and for the choice it gives the union of the 
names of all branches). 

$$ \frac{block(D, X, s, A_1) \xrightarrow{\ell} block(D, X, s', A_1')}{block(D, X, s, A_1 \parallel A_2) \xrightarrow{\ell} block(D, X, s', A_1' \parallel A_2)}\ \ names(A_1') \cap names(A_2) = \emptyset $$




The procedure call is just the same as in standard ccp. In this rule, Δ^x_y is an 
elegant mechanism which links the formal and the actual parameter, and avoids 
clashes with other variable names in the network. In our case, we will have to 
enrich it so that it also avoids clashes with sibling node names. 

$$ block(D, X, s, p(x)) \xrightarrow{\tau} block(D, X, s, \Delta^x_y(A)) \quad \text{if } p(y) \text{ :- } A \in D $$

The rule for the block construct enriches the rule for hiding in standard ccp with the 
treatment of definitions in nested blocks, and with the distinction of the agent's 
contribution to the store, which is necessary for coping with the possibility of 
an initial (non-empty) local store. 

$$ \frac{block(D_1 \triangleleft D_2,\ X_2,\ (\exists_{X_2} s_1) \sqcup s_2,\ A) \xrightarrow{\ell} block(D_1 \triangleleft D_2,\ X_2,\ (\exists_{X_2} s_1) \sqcup s_3,\ A')}{block(D_1, X_1, s_1 \sqcup \exists_{X_2} s_2,\ block(D_2, X_2, s_2, A)) \xrightarrow{\ell} block(D_1, X_1, s_1 \sqcup \exists_{X_2} s_3,\ block(D_2, X_2, s_3, A'))} $$

Here, D_1 ◁ D_2 represents the hierarchical union of D_1 and D_2, i.e. in case p is 
defined both in D_1 and in D_2, the declarations for p in D_2 override those in D_1. 

The intuition behind the above rule is the following. In the internal block, the 
procedure declarations D_1 of the external block are visible, except for those which 
are "shadowed" by local declarations of the same procedure name (standard 
rule of scoping). The external store (s_1) is also entirely visible, except for the 
constraints involving variables with the same name as the local ones (X_2). The 
information about the shadowed external variables (X_2) is filtered away by 
using the cylindrification operator ∃_{X_2}. Conversely, in the external block the 
information produced in the internal block (s_2 and s_3) is entirely visible, except 
for the constraints involving the local variables. Again, this information is filtered 
away by using ∃_{X_2}. This way of treating the store is inspired by the standard rule 
for hiding in ccp. 

The rule for the node expresses that the environment of an agent in a node 
is the same as the environment of the node¹: 

$$ \frac{node(n, block(D, X, s, A)) \xrightarrow{\ell} node(n, block(D, X, s', A'))}{block(D, X, s, node(n, A)) \xrightarrow{\ell} block(D, X, s', node(n, A'))} $$

Note that the premise of this rule is a transition between node agents. These 
will be considered auxiliary configurations, and the rules for their transitions are 
the rules propagation, migrate_go and migrate_fetch of Section 2. The rule parallel 
is not needed. 

Finally we have to adapt the rules send, receive, and their virtual counter- 
parts. The following definitions formalize migration with dynamic scope, i.e. 
when a migrating agent brings with it only its internal environment, not its 
external one: 

$$ block(D, X, s, go(\pi_t, A)) \xrightarrow{s(\lambda,\,\pi_t,\,A)} block(D, X, s, 0) $$

$$ block(D, X, s, fetch(\pi_f)) \xrightarrow{r(\pi_f,\,\lambda,\,A)} block(D, X, s, A) $$

$$ block(D, X, s, A) \xrightarrow{vs(\lambda,\,\pi_t,\,A)} block(D, X, s, A) $$

$$ block(D, X, s, 0) \xrightarrow{vr(\pi_f,\,\lambda,\,A)} block(D, X, s, A) $$

¹ We could have simplified the syntax and the semantics by unifying the concept of 
node and block, i.e. we could have considered only one construct containing a node 
name, local declarations, local variables, local store and an agent. The reason why 
we did not do this is because we think of a node as a physical site which can host 
many parallel agents, each one with its own environment. 
Note that we could model a more lexical kind of scoping rule by modifying 
the label of the send and the receive actions. For instance, the send rule would 
be written as 

$$ block(D, X, s, go(\pi_t, A)) \xrightarrow{s(\lambda,\,\pi_t,\,block(D, X, s, A))} block(D, X, s, 0) $$

In this way we export also the local environment and the store of the father. 
However note that this is a mixture of dynamic and lexical scope: to represent 
a purely lexical scoping rule, we would need closures. 
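To make the scoping rules concrete, here is an added Python model of block(D, X, s, A) over a deliberately simple constraint system; it is example code written for this page, not the paper's interpreter. Constraints are sets of atoms (tuples whose `?`-prefixed entries are variables), conjunction is union, s ⊢ c holds when c ⊆ s, and ∃_X drops every atom mentioning a variable of X, which satisfies the cylindrification laws the rules rely on. Declarations are combined as D_1 ◁ D_2 by letting the inner dictionary override the outer, and the store an agent observes is built exactly as in the nested-block rule: (∃_{X_2} s_1) ⊔ s_2 looking down, s_1 ⊔ ∃_{X_2} s_3 looking up. Procedure-call renaming is plain substitution rather than the paper's Δ, and procedure bodies are assumed not to contain nested blocks; both are assumptions of this example. The `demo` scenario (an outer block holding a secret under a local variable that an inner block re-declares) is constructed for the example and shows the privacy point made for the auction below: a local store is not observable from a nested or sibling block unless its variables are in scope there.

```python
"""Block-scoped stores of Section 3 over a toy constraint system (added
example, not the paper's interpreter).  A store is a frozenset of atoms
(tuples); entries starting with '?' are variables.  Conjunction is union,
s |- c iff c is a subset of s, and ∃_X s drops every atom mentioning X."""
from dataclasses import dataclass

def vars_of(atom):
    return {t for t in atom if isinstance(t, str) and t.startswith("?")}

def exists(X, store):
    """∃_X s: hide the variables X."""
    return frozenset(a for a in store if not (vars_of(a) & set(X)))

def entails(store, c):
    """s |- c, with c an iterable of atoms read as a conjunction."""
    return set(c) <= set(store)

@dataclass
class Block:
    decls: dict          # D: procedure name -> (formal parameters, body)
    local: frozenset     # X: local variables
    store: frozenset     # s: the block's own contribution to the store
    agent: list          # A: components ("tell", [atoms]), ("choice", [(cond, cont)]),
                         #    ("call", name, [actuals]) or ("block", Block)

def contribution(block):
    """s1 ⊔ ∃_{X2} s3: a block's store as its parent sees it, recursively."""
    s = block.store
    for comp in block.agent:
        if comp[0] == "block":
            s |= exists(comp[1].local, contribution(comp[1]))
    return s

def visible(block, outer):
    """(∃_X s_outer) ⊔ s: the store the agent inside block can observe."""
    return exists(block.local, outer) | contribution(block)

def rename(comps, sub):
    """Formal -> actual parameter renaming of a procedure body (plain substitution
    stands in for the paper's Δ; bodies are assumed free of nested blocks)."""
    atom = lambda a: tuple(sub.get(t, t) for t in a)
    out = []
    for c in comps:
        if c[0] == "tell":
            out.append(("tell", [atom(a) for a in c[1]]))
        elif c[0] == "choice":
            out.append(("choice", [([atom(a) for a in cond], rename(cont, sub))
                                   for cond, cont in c[1]]))
        else:
            out.append(("call", c[1], [sub.get(t, t) for t in c[2]]))
    return out

def ask_hiding(X, c, *cont):
    """ask_X(c) -> A of Section 3.1, i.e. ask(∃_X c) -> (tell(c) || A)."""
    return ("choice", [(sorted(exists(X, c)), [("tell", list(c))] + list(cont))])

def step(block, outer_decls, outer):
    """One τ transition inside block: the leftmost enabled component is reduced,
    descending into nested blocks; False when nothing is enabled."""
    decls = {**outer_decls, **block.decls}               # D1 ◁ D2: inner overrides
    s = visible(block, outer)
    for i, comp in enumerate(block.agent):
        if comp[0] == "tell":
            block.store = block.store | frozenset(comp[1])  # s ⊔ c
            del block.agent[i]
            return True
        elif comp[0] == "choice":
            for cond, cont in comp[1]:
                if entails(s, cond):                      # s |- c_j: take branch j
                    block.agent[i:i + 1] = list(cont)
                    return True
        elif comp[0] == "call":
            params, body = decls[comp[1]]
            block.agent[i:i + 1] = rename(body, dict(zip(params, comp[2])))
            return True
        elif comp[0] == "block" and step(comp[1], decls, s):
            return True                                   # rule for nested blocks
    return False

def run(block, outer_decls=None, outer=frozenset()):
    """Drive a block to quiescence (no τ transition enabled anywhere inside)."""
    while step(block, outer_decls or {}, outer):
        pass
    return block

def demo():
    """Constructed scenario: the outer block keeps a secret under its local ?k; the
    inner block re-declares ?k (so the secret is shadowed away from it), overrides
    p, and publishes a result that the outer block is waiting for."""
    inner = Block(
        decls={"p": (["?x"], [("tell", [("inner_seen", "?x")])])},
        local=frozenset({"?k"}), store=frozenset(),
        agent=[("choice", [([("key", "?k", "secret")], [("tell", [("leak", "?k")])])]),
               ("tell", [("token", "?k", "t1")]),
               ("call", "p", ["?y"])])
    outer = Block(
        decls={"p": (["?x"], [("tell", [("outer_seen", "?x")])])},
        local=frozenset({"?k"}), store=frozenset({("key", "?k", "secret")}),
        agent=[("choice", [([("inner_seen", "?y")], [("tell", [("done",)])])]),
               ("block", inner)])
    run(outer)
    return outer, inner
```

After `run(outer)` the inner block's `token(?k, t1)` never reaches the outer store, the outer's `key(?k, secret)` is never entailed inside the inner block (so the `leak` branch stays suspended), while `inner_seen(?y)`, which mentions no local variable, flows upward through ∃_{?k} and enables the outer ask. The inner declaration of p wins over the outer one, as D_1 ◁ D_2 prescribes.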



3.1 An Example 



We illustrate now our extension of ccp with an example. We assume dynamic 
scope, although in this example it does not really matter. 

Assume that a seller, at address root. a, is willing to sell a certain good to 
the best offerer, by auction. Three potential buyers, at nodes root.b, root.c, and 
root.d respectively, are willing to buy the product, but are too busy to participate 
directly in the auction process. Instead, they send an agent to the site where the 
auction takes place. The agent will have certain parameters specified, like the 
increment for raising the bidding each time, and the maximum price the buyer is 
willing to pay. At the end, the auctioneer will send an agent back to each buyer 
to tell whether he has won the bidding or not. 

The following process represents the auctioneer. For simplicity, we assume 
a very simple kind of auction, with only one round: all the offers are collected, 
compared, and the best one wins. We use ask_x(c) → A to represent the agent 
ask(∃_x c) → (tell(c) || A). 

node(root.a, 
  block(∅, {pb, pc, pd}, ∅, 
    ask(offer(b, pb) ∧ offer(c, pc) ∧ offer(d, pd)) → 
      ( ask_{pb,pc,pd}(pb > pc ∧ pb > pd) → 
          ( go(root.b, tell(winner(yes))) || go(root.c, tell(winner(no))) || go(root.d, tell(winner(no))) ) 
      + ask_{pb,pc,pd}(pc > pb ∧ pc > pd) → 
          ( go(root.b, tell(winner(no))) || go(root.c, tell(winner(yes))) || go(root.d, tell(winner(no))) ) 
      + ask_{pb,pc,pd}(pd > pb ∧ pd > pc) → 
          ( go(root.b, tell(winner(no))) || go(root.c, tell(winner(no))) || go(root.d, tell(winner(yes))) ) ))) 

The following process represents the potential buyer at site root.b. The other 
buyers are similar, except possibly for the price offered (100) and the continua- 
tion process (A). 

node(root.b, 
  block(∅, {price, answer}, {price = 100}, 
    go(root.a, offer(b, price)) || ask(winner(answer)) → A)) 

Note that, thanks to the mobility of the store, the information can be trans- 
mitted from the buyer to the auctioneer and vice versa. Thanks to the locality 
of the stores, there is no need for distributed constraint solving, and we can also 
ensure a certain privacy of the information; for instance, the winner's identity 
will not be available to the other buyers. 


4 Interpreter 

We have implemented an interpreter in SICStus Prolog based on the operational 
semantics defined in the previous sections; the interpreter can be obtained over the 
Web at http://www.soi.city.ac.uk/are/migration. The software has been 
used as part of an undergraduate module on Software Agents given to final year 
Computing and Software Engineering students at City University. 

Our implementation technique involves representing a transition rule in the 
form: 

$$ \frac{A_1 \xrightarrow{\ell_1} A_1' \quad \cdots \quad A_n \xrightarrow{\ell_n} A_n'}{A_1 \xrightarrow{\ell} A_n'}\ \ \textit{Condition} $$

by the Prolog clause 

    trans(A1, Label, name(Label, ObsA1, ..., ObsAn), An') :- 
        trans(A1, L1, ObsA1, A1'), ..., trans(An, Ln, ObsAn, An'), 
        Condition. 
Thus, for instance, the axiom 

$$ go(\pi_t, A) \xrightarrow{s(\lambda,\,\pi_t,\,A)} 0 $$

is represented by the unit clause 

    trans(go(To, A), s([], To, A), send(s([], To, A)), 0). 

and the rule 

$$ \frac{A_1 \xrightarrow{as(\pi_f,\,\pi_t,\,B)} A_2 \qquad A_2 \xrightarrow{vr(\pi_f,\,\pi_t,\,B)} A_3}{A_1 \xrightarrow{migrate(\pi_f,\,\pi_t,\,B)} A_3} $$

is represented by the clause 

    trans(A1, migrate(Fr, To, B), migrate_go(migrate(Fr, To, B), OA, OB), A3) :- 
        trans(A1, as(Fr, To, B), OA, A2), 
        trans(A2, vr(Fr, To, B), OB, A3). 

Users can input an agent description as a Prolog term at the prompt; the 
interpreter will process this term and output a trace of 

agent_0  migration_action_1  agent_1  ...  migration_action_n  agent_n 

and will offer to display alternative traces and final states (if these exist). The 
final state of the agent is also reported, which can be either inactive (contains no 
migration instructions) or stuck (contains migration instructions which cannot 
be processed, for example references to addresses which do not exist). 

For instance, Example 3 of Section 2 is represented by the term 

    node(a, node(b, go([a,c], node(d,0))) // node(c, go([a,b], node(e,0)))) 

where the symbol "//" represents parallel composition. 

If we give this term to the prompt, the interpreter responds in the following 
way: 

    History: 
    Scene: 1 node(a, node(b, go([a,c], node(d,0))) // 
                     node(c, go([a,b], node(e,0)))) 
    Move:  2 migrate([a,b], [a,c], node(d,0)) 
    Scene: 3 node(a, node(b, 0) // node(c, node(d,0) // go([a,b], node(e,0)))) 
    Move:  4 migrate([a,c], [a,b], node(e,0)) 
    Scene: 5 node(a, node(b, node(e,0)) // node(c, node(d,0) // 0)) 
    Inactive final state 
    New Network=node(a, node(b, node(e,0)) // node(c, node(d,0))) 
    More solutions? ; 

    History: 
    Scene: 1 node(a, node(b, go([a,c], node(d,0))) // 
                     node(c, go([a,b], node(e,0)))) 
    Move:  2 migrate([a,c], [a,b], node(e,0)) 
    Scene: 3 node(a, node(b, node(e,0) // go([a,c], node(d,0))) // node(c, 0)) 
    Move:  4 migrate([a,b], [a,c], node(d,0)) 
    Scene: 5 node(a, node(b, node(e,0) // 0) // node(c, node(d,0))) 
    Inactive final state 
    New Network=node(a, node(b, node(e,0)) // node(c, node(d,0))) 
    More solutions? ; 

    No (more) solutions 

5 Future Work 

In the present proposal names are “static entities” . One might want to relax the 
side condition of the parallel rule and provide instead a renaming mechanism 
that renames a migrating node when it is going to be inserted in parallel with 
another node having the same name. 

In our approach the paths contained in an agent do not change during mi- 
gration. This means that the relative address specified by a path inside an agent 
will refer, after migration, to a location different than the one before migration. 
This might be regarded as undesirable. One direction of future work is to enrich 
the calculus so to ensure location invariance during migration. 

One of the advantages of SOS semantics is that it helps in developing an 
algebraic theory of the language, based on the concept of bisimulation. This task 
is particularly facilitated when the rules are in the so-called De Simone format, 
or similar formats, since such formats ensure that bisimulation is a 
congruence. In our case the labels of the transitions contain agents and therefore 
we need to consider a sort of higher-order extension of the De Simone format. 
In the future we intend to check whether the format of our 
rules is in some sort of extended De Simone format for which the congruence 
theorem holds, and then try to determine the algebraic laws of the language, 
following similar work done in first-order process algebras. 

Abstract. As extensions to traditional logic programming, both tabling 
and Constraint Logic Programming (CLP) have proven powerful tools 
in many areas. They make logic programming more efficient and more 
declarative. However, combining the techniques of tabling and constraint 
solving is still a relatively new research area. In this paper, we show how 
to build a Tabled Constraint Logic Programming (TCLP) system based 
on XSB — a tabled logic programming system. We first discuss how to 
extend XSB with the fundamental mechanism of constraint solving, ba- 
sically the introduction of attributed variables to XSB, and then present 
a general framework for building a TCLP system. An interface among 
the XSB tabling engine, the corresponding constraint solver, and the 
user’s program is designed to fully utilize the power of tabling in TCLP 
programs. 



1 Introduction 

As two separate research directions within the area of Logic Programming (LP), 
tabling and Constraint Logic Programming (CLP) have long been studied. Both 
of them have proven to be powerful tools and have made logic programming 
more efficient and more declarative. 

Since its introduction in logic programming, tabling (also called memo- 
ing) has been used in many areas. It can not only avoid redundant compu- 
tations and many infinite loops, but can also, through tabled aggregation, 
give an easy way to find the optimal solutions for some problems. Tabling for 
pure logic programming has been implemented in the XSB system. 

CLP is a natural extension of LP, and has gained much success since the 
late 1980’s. Stemming from LP, CLP is a new class of programming languages 
which applies efficient constraint solving techniques to increase the power and 
declarativity of LP. Just like a classic logic programming system, a CLP system 
can also benefit from the power of tabling — the ability to avoid redundant 
computations and infinite loops and to find the optimal solutions. In other words, 
tabling can further increase the declarativity of a CLP system. Some mostly 
theoretical work has been done to combine tabling and constraint solving. For 
example, tabling has been applied to the constraint extensions of Datalog and 
to CLP; a general scheme for the evaluation of constraint logic 
programs based on a tabling mechanism has been given, and a tabling 
algorithm for CLP has been designed. However, no practical general 
framework for building a Tabled Constraint Logic Programming (TCLP) system 
has been constructed. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 478 ff., 2000. 

Having the best tabling engine, XSB is a very good candidate system to be 
extended to a TCLP system. However, prior to version 2.0, XSB did not have 
the features necessary to incorporate constraint solving. This motivated the 
introduction of attributed variables to XSB. 

In the early stage of constraint logic programming, constraint solving was 
“hard- wired” into a built-in constraint solver over a specific constraint domain. 
This implementation strategy makes it difficult to modify an existent constraint 
solver to build a new solver over a new domain. To build a constraint solver over 
a new domain, one has to start everything from scratch. This situation changed 
with the introduction of attributed variables. Attributed variables are 
a new logic programming data type that associates variables with arbitrary at- 
tributes and supports extensible unification. Because of the ability to store 
attributes, attributed variables can be used to represent user-defined constraints 
on the variables (usually a whole constraint store can be represented by a set 
of attributed variables) . Attributed variables can extend the default unification 
algorithm in that, when an attributed variable is to be unified with a term 
(which can be another attributed variable), a user-defined unification handler 
(in a high-level language, like Prolog) is called to process the two objects to be 
unified and possibly change the attributes of the involved attributed variable(s). 

Attributed variables have proven to be a flexible and powerful mechanism to 
extend a classic logic programming system with the ability to solve constraints, 
and they have been implemented in many constraint logic programming systems, 
e.g. SICStus and ECLiPSe. Based on attributed variables, logic program- 
ming systems have been enhanced by constraint solvers over rational and real 
numbers and feature trees. Also, attributed variables have recently been 
used in the implementation of a high level language for writing constraint solvers, 
Constraint Handling Rules (CHR), where constraints are compiled into 
clauses and stored in attributed variables. Compared to CHR, using attributed 
variables to directly implement constraint solvers is like "constraint assembler" 
programming. 

The flexibility of the attributed variable mechanism is the major reason why 
we chose it to introduce constraints to XSB. Another reason is that we want 
to make XSB a conservative extension of CLP, so that standard CLP programs 
run (reasonably) well on XSB. XSB is a conservative extension of Prolog in 
that it includes all the functionality of Prolog: Prolog programs run well on XSB. 
For this reason we took relatively standard implementation techniques from 
CLP as a basis for our implementation of constraints in XSB. However, the 
interesting, important, and challenging aspect of the integration is the interaction 
between the tabling mechanisms and the constraint mechanisms, and whether 
this approach can result in a (reasonably) efficient TCLP system. This paper 
concentrates on the interaction of the implementations of the two mechanisms, 
constraints and tabling: the representation of constraints through attributed 
variables and the representation of tables as tries. 

To introduce attributed variables to XSB, a new data type and a new type of 
interrupt have to be added to XSB. More importantly, in order to copy 
constraints into and out of tables, we need to modify parts of the basic data 
structures of the tabling engine, namely the tabling tries and the substitution 
factor, to support attributed variables. Tabling tries provide an efficient 
way to look up terms in a table or insert terms into a table, and the whole table 
space of XSB is divided into two parts: subgoal tables (a.k.a. subgoal tries) and 
answer tables (a.k.a. answer tries). Subgoal tables contain all the subgoal calls, 
while answer tables contain only the answer substitutions of the corresponding 
subgoal calls. (We call the answer substitutions the “substitution factor” since 
they are the only parts of the entire answer subgoal that need to be stored.) In a 
TCLP system, a subgoal call is associated with a set of constraints, and an answer 
is associated with a set of answer constraints. The two sets of constraints are 
normally represented by the same set of attributed variables, whose attributes 
in the call might be updated in the answer. Therefore, we have to keep the 
update information of attributed variables in the subgoal table and answer table. 
This requires the substitution factor to be extended to contain not only the regular 
variables in the call, but also the attributed variables in the call. 

Having introduced attributed variables to XSB, it is possible to simply apply 
tabling to a CLP program in the same way we table a normal LP program: 
a subgoal (or answer), together with the constraints involved, is saved into or 
retrieved from the table as a regular XSB subgoal (or answer). An identical subgoal 
call (with identical constraints) will never be computed twice. However, 
there are two drawbacks to this naive tabling. First, since only identical calls 
(or answers) are checked when they are saved into or retrieved from the table, in 
order to get any reasonable reuse of tables, constraints must be represented in a 
canonical form. Second, when a new call is made, only looking up the table for 
the equivalent call and then consuming the existing answers in the table cannot 
fully utilize the power of tabling, and the amount of table space required can be 
extremely large. In many cases, a new subgoal call can consume the answers of 
an old call in the table if the old call subsumes the new one. Allowing this kind 
of subsumption tabling can make more use of the tables and further reduce the 
amount of redundant computation. 

In this paper, we shall present a general framework for building a TCLP 
system based on XSB using the idea of subsumption tabling. In this framework, 
an interface among XSB’s tabling engine, the constraint solver, and the CLP 
programs is designed, which gives the user more control over how the tabling 
engine works on the tabled predicates. The interface is divided into two parts: 
one is at the point when a subgoal call is to be put into the subgoal table; the 
other is at the point when an answer is put into the answer table. In the first 
part, we can define what form of subgoals should be stored in the subgoal table: 
for example, a goal more general than the specific call might be specified. In the 
second part, we can define what kind of answers to a certain subgoal should be 
considered new and stored into the answer table. This is done in a way similar 
to the way table aggregation is implemented. 

The remainder of the paper is organized as follows: In Sect. 2 we explain 
how to extend XSB with attributed variables. We concentrate on the modifications 
of tabling tries and substitution factor needed to efficiently support attributed 
variables. In Sect. 3 we discuss some new issues that arise when constraints and 
tabling are combined. Then, we present the general framework for building a TCLP 
system in Sect. 4. An example of the application of this framework is shown in 
Sect. 5. Finally, we give the conclusion and future work. 

2 Extending XSB with Attributed Variables 

2.1 Basic Changes to the System 

Since attributed variables are a new data type in XSB, a new cell tag, ATTV, is 
added to the system. An attributed variable is represented as a pair of words (as 
a list): the first word is a free variable, which can be further bound to another 
term; the second word is a regular Prolog term, which is the attribute of this 
attributed variable. A new type of interrupt, attributed variable interrupt, is 
added to XSB, so that whenever an attributed variable is to be unified with a 
non-variable term, an attributed variable interrupt is triggered, and then the 
high-level user-defined unification handler is called to finish the unification. 

In this paper, we focus on how to extend tabling tries and the substitution 
factor to support attributed variables. More detailed information about the 
implementation can be found in the cited technical report. 



2.2 Modifications of Tabling Engine for Attributed Variables 

In XSB, tabling tries are used as the basic data structure of the table. They 
provide an efficient way for term lookup and insertion. As constraints are stored 
in attributed variables, we have to extend tabling tries to support attributed 
variables in order to copy constraints into and out of tables. Moreover, being 
variables, attributed variables must be stored in the substitution factor. Since 
they have certain patterns of use, optimizations can be done for them. Thus we 
treat them specially in the substitution factor. 

As attributed variables are represented as lists, they can be copied into tries 
as lists: the first word (the free variable) can be copied as a regular variable, 
and the second word (the attribute) can be copied as a normal Prolog term. 
However, this representation could store the attribute of an attributed variable 
multiple times if the variable appears in a term multiple times. This could waste 
a lot of table space if the size of the attribute is very big (say the attributed 
variable is involved in many complicated constraints). Basically, to support 
attributed variables in tries, two problems have to be considered. First, since 
attributed variables are treated as variables, they (including their attributes) 
have to be kept shared when copied into and out of tables. Second, because an 
attributed variable in the call might often not be updated in the answer, it is 
important not to construct its attribute again in the answer table. We need to 
find a way to share the unchanged attributed variables between the subgoal table 
and the answer table. 

In XSB without attributed variables, an array called VarEnumerator and a 
counter called var_ctr are used to keep track of all the variables encountered 
when we copy a term into a trie, so that variables are numbered and kept shared 
in tries. When a variable is encountered for the first time, it is bound to 
VarEnumerator[var_ctr] (and trailed) and VarEnumerator[var_ctr] itself is set to 
be a free variable. Then a node, $v_i^1$ ($i$ = var_ctr), is put into the trie and 
var_ctr is increased by one. Later, if this variable is encountered again, it will 
be dereferenced to VarEnumerator[$i$]. Thus we can tell that it is an old variable, 
and a node, $v_i$, is inserted into the trie. Here, nodes $v_i^1$ and $v_i$ are two 
different types of trie nodes, which represent the first and a later occurrence of 
the $i$th variable in the term respectively. 

Carefully designed, VarEnumerator and var_ctr can also be used efficiently 
to handle attributed variables in a similar way. The basic idea is that attributed 
variables and regular variables are numbered together and they share the use 
of VarEnumerator. To distinguish an attributed variable from a regular variable 
in tries, a new type of trie node is added. When an attributed variable, X (see 
Fig. 1(a)), is encountered for the first time, its first word (the free variable) is 
bound to VarEnumerator[var_ctr] (and trailed) and VarEnumerator[var_ctr] is 
set to be a free variable (shown in Fig. 1(b)). Then a node, $v_i^a$ ($i$ = var_ctr), 
is put into the trie and var_ctr is increased by one. Node $v_i^a$ is the newly added 
type of trie node, which denotes the first occurrence of an attributed variable 
(the $i$th variable in the term). Following $v_i^a$, the attribute of X (pointed to by 
the CS cell) is copied into the trie as a normal term. Now, if this attributed 
variable is encountered again (from X’ in Fig. 1(b)), it will be dereferenced to 
VarEnumerator[$i$] and treated as a later occurrence of a regular variable, so only 
one node, $v_i$, is inserted into the trie. The attribute of X is not copied into the 
trie again. 

As we can see, the same type of trie node, $v_i$, is used for a later occurrence 
of a variable, no matter whether it is a regular variable or an attributed variable. 
This does not cause any confusion when a term is copied out of the table. We can 
tell whether a node $v_i$ is a later occurrence of a regular variable or of an 
attributed variable by the index $i$, because the first occurrence of this variable 
(saved in the trie as $v_i^1$ or $v_i^a$) has already been built on the heap and a 
tagged pointer to it has been saved in an array (similar to VarEnumerator). 

The algorithm described above can be used directly to construct the subgoal 
trie. The numbering and sharing of attributed variables is shown in the following 
example. 

Fig. 1. How to number attributed variables and keep them shared in tries: (a) 
before the new attributed variable X is processed; (b) after X is processed. 



Example 1. Suppose we have a program and a query as shown in Fig. 2(a). 
After the query has been executed, the subgoal trie of p/5 contains only one 
subgoal and is shown in Fig. 2(b). In this subgoal, attributed variable A2 appears 
twice: the first occurrence is saved as $v_3^a$ (since it is the third variable in the 
call) followed by the attribute a(2), while the second occurrence is saved as only 
one node, $v_3$. 

Constructing the answer trie (e.g. the one shown in Fig. 2(c)) is more complex 
than constructing the subgoal trie. Because some attributed variables (e.g. A3 
in Fig. 2(a)) in a subgoal call might not be changed in the answer, there is no 
need to construct these attributed variables again in the answer trie. Instead, 
we want to share them between the subgoal trie and the answer trie. This can be 
achieved by initializing the array VarEnumerator and var_ctr in a special way 
before we copy an answer into the answer trie. We reserve the first $k$ 
elements of VarEnumerator for all the attributed variables in the call (assuming 
there are a total of $k$ attributed variables in the call), and number all the new 
variables in the answer starting from $k + 1$. By doing so, we can use only one 
node, say $v_i$ ($1 \le i \le k$), to represent an unchanged attributed variable in the 
call. 

For example, in the program and query shown in Fig. 2 there are three 
attributed variables in the call of p(X,A1,A2,A3,A2): A1, A2, A3, among which 
A3 is not changed in the answer. Therefore, the first 3 elements of VarEnumerator 
are reserved for the three attributed variables, and var_ctr is initialized to 3. New 
variables in the answer, A2 (= A4) and New, are numbered 4 and 5 respectively 
(see the nodes for variables 4 and 5 in Fig. 2(c)). The unchanged attributed 
variable A3 is numbered 3 in the answer trie (since it is the third attributed 
variable in the call) and represented by a single node $v_3$. 
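The numbering scheme of Sect. 2.2 and Example 1, as an added Python model that is not part of the paper or of XSB: regular and attributed variables share one VarEnumerator, a first occurrence emits a $v_i^1$ or $v_i^a$ node (the latter followed by the attribute), every later occurrence emits a single $v_i$ node, and an answer trie reserves indices 1..k for the call's attributed variables. Since Fig. 2 is not reproduced here, the attributes a(1) and a(3) of A1 and A3, the shape of the answer term, and treating the updated variable A4 as an attributed variable with attribute a(4) are assumptions.

```python
"""Model of how XSB numbers the variables of a term while copying it into a
tabling trie, extended to attributed variables as in Sect. 2.2 above. Added
example, not XSB's C implementation: a trie path is reduced to the flat list
of nodes one term produces, and the attributes a(1)/a(3) of A1/A3 and the
answer term used in example1() are constructed (Fig. 2 only fixes a(2))."""
import ast


class Var:
    """A regular Prolog variable; equality is object identity, as on the heap."""
    def __init__(self, name):
        self.name = name


class AttVar(Var):
    """An attributed variable: a free variable paired with an attribute term."""
    def __init__(self, name, attr):
        super().__init__(name)
        self.attr = attr


class TrieEncoder:
    """VarEnumerator / var_ctr bookkeeping for one copy-into-trie operation.

    `reserved` lists the k attributed variables of the call: they take indices
    1..k up front, so an unchanged one appears in the answer trie as a single
    later-occurrence node v_i and its attribute stays shared with the subgoal trie.
    """
    def __init__(self, reserved=()):
        self.enum = {}                        # variable -> index (VarEnumerator)
        for i, v in enumerate(reserved, start=1):
            self.enum[v] = i
        self.var_ctr = len(reserved) + 1      # next index to hand out

    def encode(self, term):
        nodes = []
        self._walk(term, nodes)
        return nodes

    def _walk(self, t, nodes):
        if isinstance(t, Var):
            i = self.enum.get(t)
            if i is not None:                 # later occurrence, regular or attributed:
                nodes.append(f"v_{i}")        # one node, the attribute is not copied again
                return
            i, self.var_ctr = self.var_ctr, self.var_ctr + 1
            self.enum[t] = i                  # "bind t to VarEnumerator[i]"
            if isinstance(t, AttVar):
                nodes.append(f"va_{i}")       # first occurrence of an attributed variable,
                self._walk(t.attr, nodes)     # followed by its attribute as an ordinary term
            else:
                nodes.append(f"v1_{i}")       # first occurrence of a regular variable
        elif isinstance(t, tuple):            # compound term: (functor, arg1, ..., argn)
            functor, *args = t
            nodes.append(f"{functor}/{len(args)}")
            for a in args:
                self._walk(a, nodes)
        else:
            nodes.append(repr(t))             # atom (str) or number


def decode(nodes, heap=None):
    """Copy a term back out of the trie. `heap` maps an index to the variable
    already built for it (the array of tagged pointers in the text), so a v_i
    node resolves to the same object whether i was first met in this term or
    belongs to a reserved call variable: v_i needs no regular/attributed flag."""
    heap = dict(heap or {})
    pos = 0

    def read():
        nonlocal pos
        n = nodes[pos]
        pos += 1
        if n.startswith("v1_"):
            heap[int(n[3:])] = v = Var("_" + n[3:])
            return v
        if n.startswith("va_"):
            heap[int(n[3:])] = v = AttVar("_" + n[3:], None)
            v.attr = read()                   # the attribute follows the va_i node
            return v
        if n.startswith("v_"):
            return heap[int(n[2:])]
        if "/" in n:
            functor, arity = n.rsplit("/", 1)
            return (functor, *[read() for _ in range(int(arity))])
        return ast.literal_eval(n)

    return read()


def example1():
    """Example 1 above: the call p(X,A1,A2,A3,A2) and an answer in which A2 is
    updated to a new attributed variable A4 and a new variable New appears,
    while A1 and A3 are unchanged. Returns (subgoal-trie nodes, answer-trie nodes)."""
    X, new = Var("X"), Var("New")
    A1, A2, A3 = AttVar("A1", ("a", 1)), AttVar("A2", ("a", 2)), AttVar("A3", ("a", 3))
    A4 = AttVar("A4", ("a", 4))               # constructed: A2's updated version
    call = TrieEncoder().encode(("p", X, A1, A2, A3, A2))
    # answer trie: the call's three attributed variables are reserved as indices 1..3
    ans = TrieEncoder(reserved=[A1, A2, A3]).encode(("ret", A1, A4, A3, ("f", new)))
    return call, ans
```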

^ The predicate put_attribute(+Var, +Attr) is a newly added built-in predicate. It 
changes Var to an attributed variable with attribute Attr if Var is a regular variable, 
or updates the attribute of Var to Attr if Var is already an attributed variable. 

Fig. 2. An example of a subgoal trie and answer trie 



3 Tabling and Constraints: Necessary Operations 

To efficiently apply tabling to constraint logic programs, some general operations 
on constraints are needed from the constraint solver, e.g. projection (or approximate 
projection) and entailment checking, though they are not so important 
in a normal CLP system. Currently we only consider ideal CLP systems, i.e. 
we assume that complete algorithms are available for the operations of satisfiability 
checking, projection, and entailment checking. For constraint solvers in which 
the projection operation is hard (or impossible) to obtain (e.g. the constraint solver 
over finite domains), approximate projection can be used, but completeness is not 
guaranteed. 

3.1 Projection 

In the execution of a query Q in a TCLP program, each call of a subgoal G 
(an atom) is associated with a set of constraints, a subset of the constraints of the 
current constraint store, which includes all the constraints accumulated so far 
since the beginning of the execution of Q. The basic idea of tabling is to try to 
avoid recomputing the subgoal G if it has been called in the same (or a similar) 
environment before, where the environment of G is the related constraint set. 
Each call of a subgoal and the associated constraint set are stored in the table 
and act as an index. Therefore, the need for the projection of a set of constraints 
onto a finite set of variables arises. This operation is indeed necessary whenever 
a call or an answer is put into the table. When putting a call into the 
table, we want to restrict the constraint set to contain only related constraints, 
the constraints which contain only the variables in the called subgoal; when 
putting an answer into the table, it is also necessary to project out variables and 
constraints introduced during the subcomputation. 



3.2 Entailment Checking 

In a TCLP system, the operation to check if a set of constraints is entailed by 
another set of constraints is required for several purposes. Firstly, before a call 
is put into the table, we have to make sure that no call in the table is equivalent 
to this call, i.e., their associated constraint sets are not equivalent. Two sets of 
constraints are equivalent if they entail each other. 

Secondly, when a subgoal is called, only checking if it has been called in 
exactly the same environment as before cannot fully utilize the power of tabling. 
It not only requires more table space, but also forces some unnecessary redundant 
computation. This is because, if a previous call is entailed by the current 
call (i.e., the previous call subsumes the current call), then the answers of this 
previous call can be consumed by the current call, and it is possible that there 
is no need to recompute the current call. For example, if a call $p(X) \wedge \{X > 5\}$ 
is already in the table and an answer, $X = 10$, has been returned, then a new 
call like $p(X) \wedge \{X > 7\}$ can immediately use the answer $X = 10$ in the table, 
since the constraint $\{X > 5\}$ is entailed by $\{X > 7\}$. 

Thirdly, before a new answer of a call is saved into the table, it has to be 
guaranteed that no duplicate answers are stored in the table. More generally, if 
there is already an answer in the table and it is entailed by the new answer, then 
the new answer can be discarded. 



4 Our Solution: A General Framework 

Given the necessary operations on constraints, we construct a general frame- 
work for building a TCLP system. This framework is domain independent and 
is parameterized by the constraint operations. The implementations of the do- 
main dependent operations themselves are left to the developers of the different 
constraint solvers. 

Basically this framework sets up an interface among the tabling engine of 
XSB, the constraint solver, and the CLP programs, and the purpose is to give 
the user more control over the tabling engine. Generally, this interface can be 
divided into two parts. In the first part, the user tells the XSB engine what kind 
of calls should be stored in the subgoal table. The user could generalize a call 
even if it has not been seen before. If a more general call has been called before, 
a new call which is subsumed by this old call should, in general, not be put into 
the subgoal table. Instead it should consume the answers for the more general 
call. In the second part, the constraint solver tells the XSB engine what kind of 
answers should be considered new and put into the answer table. This can be 
done in a way similar to the way tabled aggregation is implemented (we assume 
some familiarity with the implementation of aggregation in XSB). 

^ In some constraint solvers which always keep constraints in a canonical form, this 
operation may not be required, since two equivalent constraints are always identical. 

The interface consists of three interface predicates. The first two of them are 
provided by the constraint solver: 

1. projection(+TargetVars) 

This is the constraint projection operation. It projects the current constraint 
store onto a set of variables, TargetVars. 

2. entail(+Answer1, +Answer2) 

This predicate is defined using the entailment checking operation of the 
constraint solver. Given two answers, Answer1 and Answer2, to the call of 
a tabled predicate, this predicate checks if the first one entails the second 
one. We assume that answer constraints are represented within the answers 
using attributed variables. 

The third interface predicate is: 

3. abstract(+OrigCall, -NewCall, -Constraints) 

which is the most complicated one. It controls what kind of calls of a tabled 
predicate should be stored in the subgoal tables, i.e., it abstracts the call, 
OrigCall, of a tabled predicate Pred to a more general call, NewCall (which 
has a new predicate, TPred), and only stores NewCall in the subgoal tables. 
Basically abstract/3 relaxes the constraints related to OrigCall, and stores the 
constraints that are not passed to NewCall into Constraints. In other words, 
OrigCall is equivalent to the conjunction of NewCall and Constraints. 

Just as XSB performs variant tabling and subsumptive tabling on pure Prolog 
[9], our framework supports two different kinds of basic call abstraction. The 
first one is called variant abstraction, which is the default one and does not 
actually do any useful abstraction. In this case, the arguments of NewCall are 
the same as the arguments of OrigCall, and Constraints is an empty list []. 
So every different call pattern of Pred is stored in the table. The second kind 
of abstraction is called subsumptive abstraction. In this case, whenever a call, 
OrigCall, of predicate Pred is made, abstract/3 looks up the current subgoal 
table of TPred to see if a more general call than OrigCall has been called before 
(using the projection and entailment checking operations from the constraint 
solver). If there is one, then the more general call is returned in NewCall. Otherwise, 
NewCall just takes the arguments of OrigCall, and NewCall is saved into the 
subgoal table. 
As long as the projection and entailment checking operations from the constraint 
solver are correct and complete, these two kinds of call abstraction guarantee the 
correctness and completeness of the user’s programs. However, they are not always 
the best call abstraction, and sometimes the user might want to override the 
system-defined abstract/3 if she knows more about the call patterns of some 
predicates. This is allowed in our framework, but the user must be aware that 
it is the user’s responsibility to keep the correct semantics and the correctness 
of the programs. 

Having the three interface predicates defined, we can transform the user’s 
program so that it can make more use of the table. The transformation and how 
the interface works can be explained by the following example: 

Example 2. Given a tabled constraint logic program P as shown in Fig. 3, which 
contains only one tabled predicate p/n and has two clauses for it, we can transform 
it into the program shown in Fig. 4. Without loss of generality, we assume 
X1, . . . , Xn are (attributed) variables. 

In the new program, we introduce a new tabled predicate ’_$tabled_p’/n 
and rewrite the clause of p/n, so that the call of p/n is abstracted by abstract/3 
first (line 04), and then the abstracted new call (of predicate ’_$tabled_p’/n) 
is made. The constraints abstracted out by abstract/3 are put back into the 
constraint store and solved (by solve/1, line 07) before any answer is returned 
to the original call of p/n. 

The new predicate ’_$tabled_p’/n is defined similarly to the tabled aggregation 
predicate bagPO/3 in XSB. Lines 10 and 11 are two internal predicates to 
get the return skeleton (the substitution factor) of the current call. The predicate 
entail/2 is used as a partial order operator to keep only the most general 
answers in the answer table (some older answers might be reduced by the new 
answer). Also, before a new answer is put into the answer table, the projection 
operation is called (by projection/1, line 25) so that only related constraints 
are stored in the answer table. 

We have to point out that, in some programs, especially those that search for 
the optimal solution of some problem, there is only one (i.e. the best) answer for 
a call, which is obtained by combining the old answer in the table with the 
new answer. In this case, the predicate ’_$tabled_p’/n can be defined similarly 
to bagReduce/4 in XSB, and the interface predicate entail/2 has to be 
substituted by a predicate like reduce/3. 

5 A Real Example 

Based on the above design, we have built a tabled constraint logic programming 
system over the domain of real numbers. The constraint solver is a partially 
ported version of clp(Q,R) written by Christian Holzbaur, which is implemented 
using attributed variables. 

In this section, by giving the example of the shortest distance problem, we 
show how to write a tabled constraint program in this TCLP system, and how 
the user’s program is transformed. 
:- table p/n. 

p(X1, ..., Xn) :- Body1. 
p(X1, ..., Xn) :- Body2. 

Fig. 3. Original program P 
01  :- table '_$tabled_p'/n. 
02 
03  p(X1,...,Xn) :- 
04      abstract(p(X1,...,Xn), 
05               '_$tabled_p'(NewX1,...,NewXn), Constraints), 
06      '_$tabled_p'(NewX1,...,NewXn), 
07      solve(Constraints). 
08 
09  '_$tabled_p'(X1,...,Xn) :- 
10      '_$savecp'(Breg), 
11      breg_retskel(Breg,n,Skel,Cs), 
12      copy_term(p(X1,...,Xn,Skel), p(OldX1,...,OldXn,OldSkel)), 
13      '_$orig_p'(X1,...,Xn), 
14      ( (get_returns(Cs,OldSkel,Leaf), 
15         entail(p(OldX1,...,OldXn), p(X1,...,Xn))) 
16        -> fail 
17      ; (findall(t(Cs,OldX1,...,OldXn,Leaf), 
18                (get_returns(Cs,OldSkel,Leaf), 
19                 entail(p(X1,...,Xn), p(OldX1,...,OldXn))), 
20                List), 
21         member(t(Cs,_,...,_,Leaf),List), 
22         delete_return(Cs,Leaf), 
23         fail 
24        ; 
25         projection([X1,...,Xn]), 
26         true 
27        ) 
28      ). 
29 
30  '_$orig_p'(X1,...,Xn) :- Body1. 
31  '_$orig_p'(X1,...,Xn) :- Body2. 

Fig. 4. New program transformed from the program in Fig. 3 
Problem: Given two nodes, X and Y, in the directed weighted graph of Fig. 5(a) 
(each edge is associated with a weight, the distance between the two nodes of the 
edge), find the shortest distance between X and Y. 

Fig. 5. Shortest distance problem 



This problem can be solved by the TCLP program over the domain of real numbers 
shown in Fig. 5(b) (we omit the facts of edge/3). A call of sd(+X,+Y,-Dist) 
will return a sequence of answers, $D_1, \ldots, D_n$, for Dist, where each $D_k$ 
($1 \le k \le n$) is a constraint of the form Dist >= $N_k$. Each $N_k$ is the currently 
achievable shortest distance from X to Y, so we have $N_1 > N_2 > \ldots > N_n$, and 
finally $N_n$ is the shortest distance from X to Y. 

Since the call pattern of sd/3 is general enough (see the second clause in 
Fig. 5(b), where the third argument D1 is always a free variable), we can simply 
use the variant call abstraction. So the program shown in Fig. 5(b) is transformed 
to the program shown in Fig. 6 (the clause of ’_$tabled_sd’/3 is optimized for 
better performance). 

Some running results of the transformed program are shown in Fig. 7. We 
can see that the shortest distance from a to c is 3.0, and the shortest distance 
from a to b is 2.0, both returned in the second answer. The shortest distance from 
d to a is 2.3, which is returned in the very first answer. 
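The entailment-driven table operations of Sect. 3.2, the subsumptive call abstraction and the answer-table policy of Sect. 4 (Example 2, Fig. 4), and the answer stream of sd/3 in Sect. 5, as one added Python model that is neither the paper's XSB code nor clp(Q,R): constraints are restricted to lower bounds on a single variable, and the edge facts, which Fig. 5(b) omits, are constructed so that the stored answers reproduce the numbers of Fig. 7.

```python
"""Toy one-variable domain (X >= n, or X > n when strict) used to show what the
framework asks of a solver: entailment checking, driving subsumptive call lookup
(the p(X) with {X > 5} / {X > 7} case of Sect. 3.2, abstract/3 of Sect. 4) and
the keep-most-general answer-table policy of Sect. 3.2 / Fig. 4, applied to the
shortest-distance answers of Sect. 5. Added example, not the paper's XSB code or
clp(Q,R); the edge facts below are constructed (Fig. 5 is not reproduced)."""


class LowerBound:
    """Constraint X >= n (or X > n when strict) on a single variable."""

    def __init__(self, n, strict=False):
        self.n, self.strict = float(n), strict

    def entails(self, other):
        """True iff every X satisfying self also satisfies other."""
        if self.n != other.n:
            return self.n > other.n
        return self.strict or not other.strict

    def __repr__(self):
        return f"X {'>' if self.strict else '>='} {self.n}"


class SubgoalTable:
    """Subsumptive call abstraction for one tabled predicate whose calls differ
    only in the constraint on their argument."""

    def __init__(self):
        self.calls = []                  # constraints of the calls stored so far

    def abstract(self, orig):
        """abstract/3: returns (NewCall, Constraints). If a stored call subsumes
        orig (orig entails it), the new call consumes that call's answers and
        orig's own constraint is handed back to be re-solved on every answer;
        otherwise orig itself is stored and nothing is abstracted out (None)."""
        for old in self.calls:
            if orig.entails(old):
                return old, orig
        self.calls.append(orig)
        return orig, None


class AnswerTable:
    """Answer table holding only the most general answers, as in Fig. 4."""

    def __init__(self):
        self.answers = []

    def add(self, new):
        """Returns True if new is stored. A new answer that entails an existing
        one adds nothing and is discarded (this also drops duplicates); otherwise
        every stored answer that entails new is now subsumed and is deleted."""
        if any(new.entails(old) for old in self.answers):
            return False
        self.answers = [old for old in self.answers if not old.entails(new)]
        self.answers.append(new)
        return True


# Constructed edge(From, To, Dist) facts chosen to reproduce the numbers of Fig. 7.
EDGES = [("a", "c", 6.0), ("a", "b", 3.0), ("a", "d", 1.0),
         ("d", "a", 2.3), ("d", "b", 1.0), ("d", "c", 2.0)]


def sd_answers(x, y, edges=EDGES):
    """Feed the lengths of the simple paths from x to y, in a depth-first order
    that tries the direct edge first, through an AnswerTable and return the
    constraints Dist >= N_k that were stored, in order. This reproduces the
    answer stream of sd/3 without modelling the tabled fixpoint itself."""
    table, stored = AnswerTable(), []

    def paths(node, length, seen):
        if node == y:
            yield length
            return
        for frm, to, w in edges:
            if frm == node and to not in seen:
                yield from paths(to, length + w, seen | {to})

    for length in paths(x, 0.0, {x}):
        answer = LowerBound(length)
        if table.add(answer):
            stored.append(answer)
    return stored
```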

:- table '_$tabled_sd'/3. 

sd(X,Y,D) :- 
    abstract(sd(X,Y,D), '_$tabled_sd'(X,Y,D), Constraints), 
    % For variant abstraction, Constraints == [] 
    '_$tabled_sd'(X,Y,D), 
    solve(Constraints). 

'_$tabled_sd'(X,Y,D) :- 
    '_$savecp'(Breg), 
    breg_retskel(Breg,3,Skel,Cs), 
    copy_term(p(X,Y,D,Skel), p(OldX,OldY,OldD,OldSkel)), 
    '_$orig_sd'(X,Y,D), 
    ( (get_returns(Cs,OldSkel,Leaf), OldX == X, OldY == Y) 
      -> ( entail(sd(X,Y,D), sd(X,Y,OldD)) 
           -> delete_return(Cs,Leaf) 
           ;  fail 
         ) 
    ;  projection([D]), 
       true 
    ). 

'_$orig_sd'(X,Y,D) :- 
    edge(X,Y,D0), 
    {D >= D0}. 

'_$orig_sd'(X,Y,D) :- 
    sd(X,Z,D1), 
    edge(Z,Y,D2), 
    {D >= D1+D2}. 

Fig. 6. Transformed version of the program in Fig. 5(b) 

| ?- sd(a,c,Dist). 
Dist >= 6.0000; 
Dist >= 3.0000; 
no 

| ?- sd(a,b,Dist). 
Dist >= 3.0000; 
Dist >= 2.0000; 
no 

| ?- sd(d,a,Dist). 
Dist >= 2.3000; 
no 

Fig. 7. Running results of the shortest distance program 

6 Conclusion and Future Work 

As presented in this paper, we have introduced attributed variables into XSB 
and extended XSB with the basic mechanism to support constraint solving. By 
changing the data structures of the subgoal table and answer table in XSB to support 
attributed variables, constraints can now be copied into and out of tables. 

Based on such fundamental changes to the system, we constructed a general 
framework for building a Tabled Constraint Logic Programming system extending 
the tabling engine of XSB. This framework is domain independent, and it 
provides an interface among the XSB engine, the constraint solver, and the user’s 
programs. The user’s programs are transformed at the source code level using 
the interface predicates, so that the transformed programs can make more use 
of the tables. Experiments have been done on the domain of real numbers (using 
clp(Q,R)), and this framework has been shown to work. 

Future work includes: 

1. Integrate the framework with constraint solvers over other domains; 

2. Explore better ways to represent constraints using attributed variables over 
different domains, so that constraints can be stored more efficiently in tries; 

3. Move some of the program transformation work into the engine level to 
improve the performance; 

4. Apply our system to symbolic bisimulation of infinite-state systems, a formal 
verification problem requiring tabling and constraints. 
Abstract. Many applications in Computer Science require representing 
knowledge and reasoning with non-normal form formulas. However, most 
of the advances in tractable reasoning apply only to CNF formulas. 
In this paper, we extend tractability to several classes of non-normal 
formulas which are of high practical interest. Thus, we first define three 
non-normal Horn-like classes of formulas $F_1 \wedge F_2 \wedge \ldots \wedge F_n$ 
where each $F_i$ is constituted by a disjunction of two optional terms, 
$F_i = NNF^- \vee C^+$: the first one is in Negation Normal Form (NNF) composed 
exclusively of negative literals and the second one is a conjunction of positive 
propositions. These formulas codify the same problems as Horn 
formulas but with significantly, even exponentially, fewer propositional 
symbols. Second, we define sound and refutationally complete inference 
rule sets for each class. Our third contribution consists in the design of 
a sound, complete and strictly linear running time algorithm for each 
class. As a result, the time required by our linear algorithms running 
on the defined non-normal Horn-like formulas can be exponentially less 
than that required by the existing linear Horn-SAT algorithms. 



1 Introduction 

In some practical applications of Computer Science, the well-known normal 
forms CNF and DNF do not provide a natural framework to represent knowledge 
and to reason. In fact, performing inferences efficiently with formulas 
whose forms are not restricted to the classical ones is a matter of major interest 
in many practical applications in very heterogeneous areas such as 
Expert Systems, Deductive Databases, Hardware Design, Automated Software 
Verification, Symbolic Optimisation, Logic Programming, Automated Theorem 
Proving, Petri Nets, Truth Maintenance Systems, etc. 

However, most of the existing efficient proof methods are designed to work 
with CNF formulas. So, it is common practice to translate knowledge representations 
from general forms to CNF. This transformation was originally 
proposed in 1970 by Tseitin, who published the first algorithm; later work 
included the case of first-order logic and covered the cases of modal and 
intuitionistic logics; finally, Hähnle investigated the problem of translating 
arbitrary finitely valued logics to short CNF signed formulas. 

The translation procedure runs in polynomial time if auxiliary propositions are 
allowed in the CNF formula, but it takes exponential time otherwise. Thus, the 
principle of transforming a WFF into a CNF formula and then applying a CNF-based 
inference method has two important drawbacks. First, translation 
procedures take several computational steps and can easily create an exponential 
growth of symbols even before inference procedures are applied. Second, 
there exist some efficient transformation methods based on substitutions of 
sub-formulas by literals which preserve only the satisfiability relation but no other 
relations of practical interest, e.g. the logical equivalence relation. 

In addition, interesting structures such as Horn-like ones that could exist in the 
original formulas can be lost in the transformed formula. 

1.1 Our NNF Tractability Contribution 

In spite of the large number of potential applications, little attention has been devoted to non-clausal reasoning. Thus, we present new results related to this field and more precisely to tractability with formulas in Negation Normal Form (NNF).

In this paper, we identify NNF formulas $F_1 \wedge F_2 \wedge \dots \wedge F_n$ having a Horn-like structure. Each $F_i$ is a disjunction of two optional terms, i.e. $F_i = NNF^- \vee C^+$: the first one is an NNF formula with only negated propositions, noted $NNF^-$, and the second one is a conjunction of non-negated atomic propositions, noted $C^+$.

The three classes of formulas we are proposing vary according to the expressiveness allowed to the $NNF^-$ term: from the simplest one, where $NNF^-$ is a disjunction of negative literals (clause form), noted $D^-$; to the second, where $NNF^-$ is a disjunction of conjunctions of negative literals, i.e. $C_1^- \vee \dots \vee C_n^-$ or $DNF^-$; and the third class, with $NNF^-$ being a conjunction of disjunctions of negative literals, i.e. $D_1^- \wedge \dots \wedge D_n^-$ or $CNF^-$.

The three classes of formulas can arise from an original non-clausal representation of the problem. These formulas are compact representations of Horn formulas, given that they require fewer symbols than Horn formulas to codify identical problems; this reduction can be exponential.

Afterwards, we define sound and refutationally complete inference rule sets for each class of formulas. Finally, we detail algorithms in pseudo-code with suitable data structures to resolve SAT problems expressed in these classes of formulas. These algorithms are formally analysed and shown to be sound, refutationally complete and of strictly linear running time. They are extensions of the pure Horn algorithms such as the ones reviewed in Section 2.

Although one could think that an alternative way to solve Horn problems would be to transform the Horn formulas into our classes of factorised Horn formulas and then to apply the algorithms exposed here, the cost of the transformations should first be analysed, which is beyond the scope of this paper. Thus, we stress the fact that the proposed algorithms are more appropriate for many real problems that require a non-canonical representation.

Conversely, one possibility to solve non-clausal Horn-like problems consists in introducing artificial literals to transform the original problems into pure Horn problems and then applying Horn algorithms. But, as mentioned previously, the logical equivalence property is lost and, also, the cost of the transformation is not guaranteed to be strictly linear.

This paper is structured as follows. In the next section we briefly review the research about tractable reasoning and related issues. In section three we define the φ class of non-normal formulas, which is our first extension of the class of Horn formulas. In sections four and five we deal with the σ and ω classes, which include the φ class as a particular case. For each of the mentioned classes, we specify a sound and complete set of inference rules and a strictly linear algorithm is detailed.

2 Related Work 

Next, we review the main works published concerning tractable reasoning. Thus, we review successively the existing results with CNF and NNF formulas.

2.1 CNF Tractability

The propositional satisfiability (CNF-SAT) problem is fundamental at the core of Computer Science. It was the first NP-complete problem found. Since then, a rather big effort has been made to determine some CNF-SAT islands of tractability with significant repercussions in applications. The most important classes that can be resolved in deterministic polynomial time are: 2-CNF, for which linear algorithms were designed, and Horn-SAT, which also admits linear algorithms. Several variants of the Horn-SAT problem have also been found to be solvable in polynomial time: renamable Horn, extended Horn, CC-balanced, SLUR and q-Horn.

The Horn-SAT problem has been known to be polynomially solvable since the work of Karp. After that, Henschen and Wos showed that if a Horn formula is unsatisfiable, then there exists a refutation proof employing unit propagation only. Jones and Laaser showed that a direct implementation of this principle leads to an algorithm of quadratic complexity. Later, Dowling and Gallier presented two linear algorithms to resolve the Horn-SAT problem: one with a forward chaining strategy and the second one based on backward chaining. It was subsequently proved that the backward algorithm is incomplete and not linear, respectively. Different linear versions were then proposed, all of them based on a forward chaining strategy. A linear and complete algorithm with backward chaining strategy has also been described.

2.2 NNF Tractability 

Several methods have been developed to infer with formulas in NNF. This is the case of Matings, Matrix Connection, Dissolution and TAS. These methods are a step forward in showing that deduction can be performed on formulas in non-clausal form, thus avoiding the transformation to normal forms. However, no studies relative to NNF tractability employing one of these methods have been carried out.

To our knowledge, the first published results concerning non-clausal tractability come from previous work, where a strictly linear forward chaining algorithm to test the satisfiability of a certain subclass of NNF formulas is detailed. Such a class embeds the Horn case as a particular case. A linear backward algorithm was later given for the same NNF subclass of formulas.

New results concerning NNF tractability were reported with a method called Restricted Fact Propagation, which is a quadratic, incomplete non-clausal inference procedure.

More recently, a significant advance in NNF tractability has been accomplished. The author defines a class of formulas by extending the Horn formulas to the field of NNF. Such an extension relies on the concept of polarity. A method to make inferences and potentially to detect refutational formulas is designed. An SLD-resolution variant with the property of being refutationally complete is shown, but its computational complexity is not studied. A method for propositional NNF Horn-like formulas is described and it is stated that the method is sound, incomplete and linear. However, concerning the last issue, no algorithm is specified; indeed, the steps of the method are described as different propagations of some truth values in a sparse tree. Then, although it seems that the number of inferences of the proposed method is linear, the resulting complexity (w.r.t. the number of computer instructions) of a linear number of truth value propagations on the employed sparse trees is not proved.

A preliminary version of the content of our current article has been presented previously.

3 φ-Formulas

The φ-formulas are a direct extension of the Horn formulas in the sense that a Horn clause (disjunction of negative literals and at most one positive literal) is extended to include one conjunction of positive propositions instead of a single positive proposition. The φ-formulas permit us to represent a real problem with many fewer symbols, while keeping the good computational properties of formulas with Horn-like structure.

3.1 Syntax and Semantics 

Firstly, we recall the required definitions of classical logic before introducing the first non-normal class of formulas, denoted φ-formulas.

Definition 1. A literal $L$ is either an atomic proposition $p \in P$, noted $L^+$, or its negation $\neg p$, noted $L^-$.

Definition 2. A classical clause is a finite disjunction of literals: $(L_1 \vee \dots \vee L_k)$. A unit clause $(L)$ includes only one literal. We denote the empty clause by □.

Definition 3. A Horn clause is a classical clause with at most one positive literal. A Horn formula is a conjunction of Horn clauses.

Notation. From now on, $D$ stands for a disjunction of literals $(L_1 \vee \dots \vee L_k)$ and $C$ denotes a conjunction of literals $(L_1 \wedge \dots \wedge L_k)$. $D^+$ and $C^+$ ($D^-$ and $C^-$) include only positive (negative) literals.

Definition 4. A CNF formula is a conjunction of disjunctions of literals $(D_1 \wedge \dots \wedge D_m)$ and a DNF formula is a disjunction of conjunctions of literals $(C_1 \vee \dots \vee C_m)$. Also, $CNF^+$ and $DNF^+$ ($CNF^-$ and $DNF^-$) include only positive (negative) literals.



Definition 5. A clause $C^\phi$ is a disjunction of two optional terms $C^\phi = D^- \vee C^+$: $D^-$ is a negative disjunction and $C^+$ is a positive conjunction. Clauses with only the $D^-$ ($C^+$) term are said to be negative (positive) clauses.

Remark. A clause $C^\phi = D^- \vee C^+$ is a Horn clause if $C^+ = (p)$.

Definition 6. A φ-formula is a finite conjunction of clauses $C^\phi$.

An interpretation $I$ assigns to each formula φ one value in the set {0, 1}.

Definition 7. An interpretation $I$ satisfies:

— A literal $p$ ($\neg p$) iff $I(p) = 1$ ($I(p) = 0$).

— A disjunction $D = L_1 \vee \dots \vee L_k$ iff $I(L_i) = 1$ for at least one $L_i$.

— A conjunction $C = L_1 \wedge \dots \wedge L_k$ iff $I(L_i) = 1$ for every $L_i$.

— A clause $C^\phi = D^- \vee C^+$ iff $I(D^-) = 1$ or $I(C^+) = 1$.

— A φ-formula iff $I$ satisfies all clauses of the formula.

An interpretation $I$ is a model of a φ-formula if it satisfies the formula. We say that φ is satisfiable if it has at least one model; otherwise, it is unsatisfiable.

3.2 Inference Rules 

In this section we introduce the two inference rules required to process φ-formulas, Variable Truth Assignment (VTA) and And Elimination (AE), and we show that both together form a sound and complete logical calculus.

Henceforth, φ and $\phi_\Box$ represent respectively any φ-formula and any φ-formula containing the empty clause □.

Definition 8. Variable Truth Assignment (VTA).

It consists in assigning true to a variable $p$. More specifically, if $(p) \in \phi$ then VTA derives a formula $\phi'$ obtained from φ by removing $(p)$ and the occurrences of $\neg p$.

Definition 9. And Elimination (AE).

Inference rule AE derives from a positive conjunction clause $(p_1 \wedge \dots \wedge p_i \wedge \dots \wedge p_n)$ the unit clauses $(p_1), \dots, (p_i), \dots, (p_n)$.
Definition 10. Clause Proof.

A refutation of a formula φ is a succession of formulas $\langle \phi_1, \phi_2, \dots, \phi_n \rangle$ such that $\phi_1 = \phi$, $\phi_n = \phi_\Box$ and, for each $1 \le i \le n-1$, either $\phi_{i+1} = VTA(\phi_i)$ or $\phi_{i+1} = AE(\phi_i)$.

Example 1. Let $\phi = \{(p_1), (p_3), (\neg p_1 \vee (p_2 \wedge p_4)), (\neg p_2 \vee \neg p_3 \vee (p_1 \wedge p_5)), (\neg p_2 \vee \neg p_5)\} = \{(p_1), (p_3), C_1, C_2, C_3\}$. The inference chain to get a formula with the empty clause is as follows:

$\{(p_1), (p_3), (\neg p_1 \vee (p_2 \wedge p_4)), C_2, C_3\}$

$\vdash_{VTA} \{(p_3), (p_2 \wedge p_4), C_2, C_3\}$

$\vdash_{AE} \{(p_3), (p_2), (p_4), (\neg p_2 \vee \neg p_3 \vee (p_1 \wedge p_5)), C_3\}$

$\vdash_{VTA} \{(p_2), (p_4), (\neg p_2 \vee (p_1 \wedge p_5)), C_3\}$

$\vdash_{VTA} \{(p_4), (p_1 \wedge p_5), (\neg p_5)\}$

$\vdash_{AE} \{(p_4), (p_1), (p_5), (\neg p_5)\}$

$\vdash_{VTA} \{(p_4), (p_1), \Box\} = \phi_\Box$



Theorem 1. Soundness. $\phi \vdash_{VTA+AE} \phi' \Rightarrow \phi \models \phi'$.

The proofs of the soundness of each rule are trivial and the proof of the theorem follows straightforwardly from those proofs.

Theorem 2. Completeness. If φ is unsatisfiable then $\phi \vdash_{VTA+AE} \phi_\Box$.

The proof is by induction on the length of φ, i.e. the number of occurrences of literals in φ. The following theorem extends completeness to atomic clauses.

Theorem 3. Completeness. $\phi \models (L) \Rightarrow \phi \vdash_{VTA+AE} (L)$.

3.3 Algorithm Description 

Initially, if φ has no positive unit clauses then it is satisfiable, because all the clauses have at least one negative literal. So, assume that $(p) \in \phi$. Then φ is satisfiable iff $\phi.\{p \leftarrow 1\}$ is satisfiable. In other words, φ is satisfiable iff the formula $\phi'$ resulting from removing $(p)$ from φ and the occurrences of $\neg p$ is satisfiable. This operation is performed for each positive unit clause in φ. Now, observe that some clauses in the initial formula can become positive because of the removals of negative literals. Also, due to these removals, a pure negative clause can become empty. Thus, at this stage, three situations can arise:

1. An empty clause is produced. The algorithm ends by determining that the original formula is unsatisfiable.

2. No positive clauses have emerged. The algorithm ends by determining that the formula is satisfiable.

3. A positive clause is produced. Then, the algorithm applies the And-Elimination rule and adds new unit clauses to the formula. Thus, a new iteration of the operations described above is carried out with these new unit clauses.
We begin the description of the algorithm with a very simple version in order to help the reader to understand it. Afterwards, we shall advance progressively towards the definitive version, which is more elaborate but guarantees a strictly linear worst-case complexity.

(VTA φ (p)): it applies the VTA rule, returning the formula $\phi'$ resulting from removing from φ the clause $(p)$ and the occurrences of $\neg p$ and, possibly, adding some conjunctions, among which could be the empty clause □.

(AE φ $C^+$): it applies the And-Elimination rule, returning the formula $\phi'$ resulting from removing $C^+$ from φ and adding the unit clauses $(p)$ for each conjunct $p$ in $C^+$.

Notation. We note $\phi^+$ the set of positive clauses in φ, which can be empty.

VTA-AE-Propagation(φ)
    If φ⁺ = {} then return(sat)
    If □ ∈ φ then return(unsat)
    If (p) ∈ φ then return(VTA-AE-Propagation(VTA φ (p)))
    If C⁺ ∈ φ then return(VTA-AE-Propagation(AE φ C⁺))
End

Theorem 4. The previous algorithm returns sat iff the input formula φ is satisfiable.

Theorem 5. The maximal number of recursions is at most in $O(size(\phi))$.

The previous algorithm is correct but not very efficient. Its efficiency is similar to that of the methods proposed in earlier work. Although the number of recursions is bounded by $O(n)$, the complexity of each line is clearly not constant and so the algorithm's complexity, measured in number of computer instructions, is not linear.

One can check that searching for the clauses including some occurrence of $\neg p$ without a suitable data structure has $O(size(\phi))$ computational cost. Hence, the real complexity of the algorithm in number of computer instructions is at least in $O(n^2)$.

To improve this complexity, we shall use the following data structures:
Neg(p): set of pointers to the clauses in φ which include ¬p.
Neg.Counter(C^φ): a counter of the remaining negative literals ¬p ∈ C^φ such that the corresponding propositions p have not been derived yet.

With these data structures, the procedure VTA firstly obtains, by means of Neg(p), the clauses C^φ containing ¬p. Then, instead of physically removing ¬p in each C^φ, the counter Neg.Counter(C^φ) is decremented. Thus, although no information about which negative literals have been removed from C^φ is maintained, the necessary information of how many negative literals are still left in C^φ is furnished by Neg.Counter(C^φ) at each moment of the inference process. If this counter reaches 0, it means that a positive conjunctive clause C⁺, maybe empty, has been deduced from the initial clause C^φ. With the described data structures, the procedure VTA is the following.

VTA (φ (p))
    Remove (p) from φ
    for ∀C^φ ∈ Neg(p) do:
        Decrement Neg.Counter(C^φ)
        if Neg.Counter(C^φ) = 0 then do:
            Add C⁺ to φ
    Return(φ)

Now, remark that the same proposition p can be deduced in more than one conjunction, and then the counter Neg.Counter(C^φ) of a clause with pointer(C^φ) ∈ Neg(p) could be decremented more than once. To disallow these multiple decrements, we use a boolean variable as follows: Val(p) = 1 iff p has already been derived from φ. So, the truth propagation of variable p is allowed only when the flag Val(p) is 0, and once the propagation has been performed the flag is set to 1, disallowing further propagations. Also, a list of the non-negated propositions in C⁺ is required. Thus, the procedure AE becomes:

AE (φ C⁺)
    Remove C⁺ from φ
    ∀p ∈ C⁺ do:
        if Val(p) = 0 then do:
            Add (p) to φ
            Val(p) ← 1
    Return(φ)

Continuing with the improvements of the algorithm, we remark that knowing whether □ ∈ φ has a computational cost in O(|φ|). But this cost can be reduced if, each time a positive conjunction C⁺ is going to be added to φ, it is tested whether C⁺ = □ or not. In the affirmative case, the algorithm stops the process and returns 'unsatisfiable'.

A last point consists in avoiding the search throughout the complete formula for (1) the unit clauses and (2) the positive conjunctions. For this purpose, (1) we store unit clauses in a stack and (2) we call the procedure AE each time a C⁺ conjunction is going to be added to φ.

In order to get a more efficient algorithm we shall apply the VTA and AE inference rules iteratively instead of recursively. Thus, the definitive algorithm is the following:

while Stack ≠ ∅ do:
    p ← pop(Stack)                                {PROCEDURE VTA}
    for ∀C^φ ∈ Neg(p) do:
        Decrement Neg.Counter(C^φ)
        if Neg.Counter(C^φ) = 0 then do:
            if C⁺ = {} return 'Unsatisfiable'
            ∀p ∈ C⁺ do:                            {PROCEDURE AE}
                if Val(p) = 0 then do:
                    push(p, Stack)
                    Val(p) ← 1
return 'Satisfiable'

The initialisation of the data structures is carried out in the following procedure:

Stack ← ∅;
for ∀p ∈ Prop(φ) do: Val(p) ← 0, Neg(p) ← {};
for ∀C^φ ∈ φ do:
    If C^φ = {} then return('unsatisfiable')
    Else C^φ = {¬p_1, ..., ¬p_k, C⁺} do:
        If k ≠ 0 do:
            Neg.Counter(C^φ) ← k
            for 1 ≤ i ≤ k do: Add C^φ to Neg(p_i)
        Else for ∀p ∈ C⁺ do:
            if Val(p) = 0 then do: Val(p) ← 1, push(p, Stack)
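The definitive algorithm and its initialisation, as an added runnable example written for this edition (it is not the paper's own code): the Python function below implements the Stack, Val(p), Neg(p) and Neg.Counter data structures exactly as described, returns the set of derived propositions (the least model) when the formula is satisfiable and None when it is unsatisfiable, and is cross-checked against a truth-table oracle that implements Definition 7. The clause representation, the proposition names and the random cross-check are assumptions of this example, not notation from the paper.

```python
"""Strictly linear satisfiability test for phi-formulas (added example).

A phi-clause  (not p_1 or ... or not p_k) or (q_1 and ... and q_m)  is the
pair (negs, pos) of proposition-name lists.  A unit clause (p) is ([], [p]),
a negative clause has pos == [] and the empty clause is ([], []).
"""
from itertools import product
import random


def phi_sat(formula):
    """Return the set of derived propositions (the least model) or None if unsat.

    Data structures as in the paper: Neg(p) lists the clauses containing not p,
    Neg.Counter counts the negative literals of a clause whose proposition has
    not been derived yet, Val(p) marks propositions already propagated and the
    stack holds derived unit clauses waiting for VTA.
    """
    neg = {}        # Neg(p): indices of the clauses containing not p
    counter = []    # Neg.Counter per clause index
    val = set()     # Val(p) = 1  <=>  p in val
    stack = []

    # Initialisation, O(size(formula)).
    for idx, (negs, pos) in enumerate(formula):
        negs = set(negs)                    # a duplicated literal counts once
        if not negs and not pos:
            return None                     # the empty clause is present
        counter.append(len(negs))
        for p in negs:
            neg.setdefault(p, []).append(idx)
        if not negs:                        # positive clause: AE right away
            for p in pos:
                if p not in val:
                    val.add(p)
                    stack.append(p)

    # Iterative VTA / AE: every proposition is popped at most once.
    while stack:
        p = stack.pop()                     # PROCEDURE VTA
        for idx in neg.get(p, ()):
            counter[idx] -= 1
            if counter[idx] == 0:           # all negative literals of C removed
                pos = formula[idx][1]
                if not pos:
                    return None             # a negative clause became empty
                for q in pos:               # PROCEDURE AE
                    if q not in val:
                        val.add(q)
                        stack.append(q)
    return val


def satisfies(interp, formula):
    """Definition 7: a clause D- or C+ holds iff some negated p is false or
    every positive q is true; an absent term counts as false, so the empty
    clause is never satisfied."""
    return all((bool(negs) and any(not interp[p] for p in negs))
               or (bool(pos) and all(interp[q] for q in pos))
               for negs, pos in formula)


def brute_force_sat(formula):
    """Truth-table oracle used only to validate phi_sat on small inputs."""
    props = sorted({p for negs, pos in formula for p in negs + pos})
    return any(satisfies(dict(zip(props, bits)), formula)
               for bits in product((False, True), repeat=len(props)))


def cross_check(trials=200, seed=7):
    """phi_sat and the oracle agree on `trials` random formulas (constructed)."""
    rng = random.Random(seed)
    props = ['a', 'b', 'c', 'd']
    for _ in range(trials):
        formula = [(rng.sample(props, rng.randint(0, 2)),
                    rng.sample(props, rng.randint(0, 2)))
                   for _ in range(rng.randint(1, 6))]
        if (phi_sat(formula) is not None) != brute_force_sat(formula):
            return False
    return True


# Example 1 of the paper: (p1), (p3), (-p1 v (p2 ^ p4)),
# (-p2 v -p3 v (p1 ^ p5)), (-p2 v -p5); unsatisfiable.
EXAMPLE1 = [([], ['p1']), ([], ['p3']), (['p1'], ['p2', 'p4']),
            (['p2', 'p3'], ['p1', 'p5']), (['p2', 'p5'], [])]

if __name__ == '__main__':
    print(phi_sat(EXAMPLE1))          # None: the empty clause is derived
    print(phi_sat(EXAMPLE1[:4]))      # least model once C3 is dropped
    print(cross_check())
```

Dropping the last clause $C_3$ makes the formula satisfiable and the returned set is its least model, which is the usual way to turn such a forward-chaining decision procedure into a model builder.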



Theorem 6. Correctness. The previous algorithm is correct: it returns unsatisfiable iff φ is unsatisfiable.

Theorem 7. Complexity. The last algorithm is strictly in $O(size(\phi))$.

Proof.

(1) It is trivial to check that the initialisation of the data structures takes at most $O(size(\phi))$.

The following two statements derive straightforwardly from the construction design of the algorithm:

(2) Each VTA procedure is done at most once for each proposition.

(3) Each AE procedure is executed at most once for each positive conjunction.

(4) By (2), the total number of operations in the VTA procedure is

$O\Big(\sum_{p \in \phi} |Neg(p)|\Big) \le O(size(\phi))$,

i.e. the sum of the initial counters $Neg.Counter(C^\phi)$ over the clauses.

(5) By (3), the total number of operations in the AE procedure is limited to

$O\Big(\sum_{C^\phi \in \phi} |C^+|\Big) \le O(size(\phi))$

(6) By (1), (4) and (5), the algorithm is in $O(size(\phi))$.
4 σ-Formulas

The σ-formulas include φ-formulas as a particular case. The σ-formulas require exponentially fewer symbols than φ-formulas to represent the same logical problem.

Definition 11. A clause $C^\sigma$ is a disjunction of two optional terms $C^\sigma = DNF^- \vee C^+ = C_1^- \vee C_2^- \vee \dots \vee C_n^- \vee C^+$. Two particular cases are noted: clauses with only negative (positive) literals are called negative (positive).

Definition 12. A σ-formula is a finite conjunction of clauses $C^\sigma$.

Interpretations, models and other semantic concepts are easily defined from the previous class of φ-formulas and the definition of the σ-language here above.

As before, σ and $\sigma_\Box$ stand respectively for any σ-formula and any σ-formula containing the empty clause □.

Definition 13. Variable Truth Assignment VTA2.

If $(p) \in \sigma$ then VTA2 obtains the formula $\sigma'$ resulting from removing from σ the unit clause $(p)$ and the conjunctions $(\neg p \wedge \neg p_1 \wedge \dots \wedge \neg p_k)$.



Theorem 8. Soundness. VTA2 is sound, namely $\sigma \vdash_{VTA2} \sigma' \Rightarrow \sigma \models \sigma'$.

Theorem 9. Completeness. If σ is unsatisfiable then $\sigma \vdash_{VTA2+AE} \sigma_\Box$.

The proofs of both theorems are immediate from the same proofs for the φ-formulas and the definition above of the σ-formulas language.

Example 2. Let the following unsatisfiable formula: $\sigma = \{(p_1), (p_3), (\neg p_1 \wedge \neg p_2) \vee (\neg p_3 \wedge \neg p_4) \vee (p_5 \wedge p_6), (\neg p_5 \wedge \neg p_6) \vee (p_7 \wedge p_8), (\neg p_7 \wedge \neg p_8)\} = \{(p_1), (p_3), C_1, C_2, C_3\}$.

A proof sequence of the unsatisfiability of σ is:

$\{(p_1), (p_3), (\neg p_1 \wedge \neg p_2) \vee (\neg p_3 \wedge \neg p_4) \vee (p_5 \wedge p_6), C_2, C_3\}$

$\vdash_{VTA2} \{(p_3), (\neg p_3 \wedge \neg p_4) \vee (p_5 \wedge p_6), C_2, C_3\}$

$\vdash_{VTA2} \{(p_5 \wedge p_6), C_2, C_3\}$

$\vdash_{AE} \{(p_5), (p_6), (\neg p_5 \wedge \neg p_6) \vee (p_7 \wedge p_8), C_3\}$

$\vdash_{VTA2} \{(p_6), (p_7 \wedge p_8), (\neg p_7 \wedge \neg p_8)\}$

$\vdash_{AE} \{(p_6), (p_7), (p_8), (\neg p_7 \wedge \neg p_8)\}$

$\vdash_{VTA2} \{(p_6), (p_8), \Box\} = \sigma_\Box$

Algorithm's Principle. The principle of the VTA2-AE-deduction algorithm is similar to that of the first VTA-AE-deduction algorithm, namely the rules VTA2 and AE are applied until one of the two following situations arises: (1) the empty clause is derived (the original formula is unsatisfiable), or (2) no more new clauses are derived (the original formula is satisfiable).
Data Structures. The data structures vary slightly.

(1) Now a flag First(C⁻) is associated with each conjunction C⁻ in the term DNF⁻ = C₁⁻ ∨ C₂⁻ ∨ ... ∨ Cₙ⁻ of a clause C^σ = DNF⁻ ∨ C⁺. This is due to the fact that Neg.Counter(C^σ) now counts the number of negative conjunctions C⁻ in DNF⁻ (and not atomic literals) not falsified by the propositions p already deduced. These conjunctions C⁻ are falsified as soon as one of the propositions in the conjunction is derived.

But notice that further deductions of propositions of the same negative conjunction must not provoke decrements of the counter. Indeed, only one decrement for each conjunction can be enabled. Otherwise, the following error could be committed. Assume that C^σ = DNF⁻ ∨ C⁺ and DNF⁻ = C₁⁻ ∨ C₂⁻ ∨ ... ∨ Cᵢ⁻ ∨ ... ∨ Cₙ⁻. In order to have DNF⁻ falsified, at least one proposition pᵢ in each conjunction Cᵢ⁻ must be deduced. However, notice that n deduced propositions that are not distributed over the n conjunctions do not falsify DNF⁻.

To ensure that the counter is decremented only once per negative conjunction, we require a flag First(C⁻) which indicates whether any proposition whose negation is in C⁻ has already been derived. Thus, the meaning of the aforementioned flag is First(C⁻) = F iff no proposition in C⁻ has been deduced. Once the first proposition is deduced, First(C⁻) is set to T.

(2) Another small modification is related to the Neg(p) data structure. Neg(p) must point to the conjunctions C⁻ = (¬p ∧ ¬p₁ ∧ ... ∧ ¬pₖ) containing ¬p (instead of pointing to the ¬p occurrences themselves). Thus, Neg(p) is a list of couples (C⁻, C^σ) of pointers to each C⁻ containing ¬p and to the clause C^σ containing C⁻.

Algorithm. The algorithm for σ-formulas is supported on the same structure as the algorithm for the φ-formulas. As AE inference works well for both types of formulas, no modification of the AE procedure is required. Thus, only the VTA procedure is modified, as follows:

VTA2 (σ (p))
    Remove (p) from σ
    for ∀(C⁻, C^σ) ∈ Neg(p) do:
        if First(C⁻) = F then do:
            Decrement Neg.Counter(C^σ)
            First(C⁻) ← T
            if Neg.Counter(C^σ) = 0 then do:
                if C⁺ = □ return 'Unsatisfiable'
                Else C⁺ = (p_1 ∧ p_2 ∧ ... ∧ p_n)
                    Begin PROCEDURE AE with C⁺

The algorithm VTA2-AE-Deduction is obtained from VTA-AE-Deduction by replacing in it the VTA procedure by the new VTA2 procedure defined here above.

Theorem 10. Algorithm Correctness. VTA2-AE-Deduction(σ) returns Unsatisfiable iff σ is unsatisfiable.

Theorem 11. Algorithm Complexity. VTA2-AE-Deduction(σ) is strictly in $O(size(\sigma))$.

Proofs of both theorems follow from the corresponding theorems for φ-formulas and the slight differences between σ-formulas and φ-formulas.



5 ω-Formulas

Like σ-formulas, ω-formulas include Horn and φ-formulas as particular cases.

Definition 14. A clause $C^\omega$ is a disjunction of two optional terms $C^\omega = CNF^- \vee C^+$: $CNF^-$ is a conjunctive normal form with only negative literals and $C^+$ is a positive conjunction. An ω-formula is a finite conjunction of clauses of kind $C^\omega$.

Notation. ω-formulas are denoted by ω. Any ω-formula containing the empty clause will be noted $\omega_\Box$.

Definition 15. Variable Truth Assignment VTA3. If $(p) \in \omega$ then VTA3 derives a new formula $\omega'$ resulting from removing from ω the unit clause $(p)$, the conjunctions $(\neg p \wedge D_1^- \wedge \dots \wedge D_k^-)$ and all the occurrences of $\neg p$.

Interpretation, model, other semantic concepts and the clause proof definition are extended from the φ-formulas case without difficulty.

Example 3. Let the unsatisfiable formula $\omega = \{(p_1), (p_2), (((\neg p_1 \vee \neg p_2) \wedge (\neg p_3 \vee \neg p_4)) \vee (p_5 \wedge p_6)), ((\neg p_5 \vee \neg p_6) \vee (p_7 \wedge p_8)), (\neg p_8)\} = \{(p_1), (p_2), C_1, C_2, C_3\}$.

A proof sequence of the unsatisfiability of ω is:

$\{(p_1), (p_2), (((\neg p_1 \vee \neg p_2) \wedge (\neg p_3 \vee \neg p_4)) \vee (p_5 \wedge p_6)), C_2, C_3\}$

$\vdash_{VTA3} \{(p_2), ((\neg p_2 \wedge (\neg p_3 \vee \neg p_4)) \vee (p_5 \wedge p_6)), C_2, C_3\}$

$\vdash_{VTA3} \{(p_5 \wedge p_6), C_2, C_3\}$

$\vdash_{AE} \{(p_5), (p_6), ((\neg p_5 \vee \neg p_6) \vee (p_7 \wedge p_8)), C_3\}$

$\vdash_{VTA3} \{(p_6), (\neg p_6 \vee (p_7 \wedge p_8)), C_3\}$

$\vdash_{VTA3} \{(p_7 \wedge p_8), (\neg p_8)\}$

$\vdash_{AE} \{(p_7), (p_8), (\neg p_8)\}$

$\vdash_{VTA3} \{(p_7), \Box\} = \omega_\Box$

Theorem 12. Soundness. $\omega \vdash_{VTA3} \omega' \Rightarrow \omega \models \omega'$.

Theorem 13. Completeness. Let ω be an unsatisfiable formula; then $\omega \vdash_{VTA3+AE} \omega_\Box$.

The proofs of both theorems are analogous to the same proofs for the φ-formulas.

The principle of the iterative algorithm for ω-formulas is similar to the preceding ones. It applies the inference rules while unit clauses (p) are deduced. This process runs until the empty clause is deduced or no more positive clauses are derived.

The data structures for this new class of formulas require only one modification, which is related to the employed counter. Given that the CNF⁻ term of each clause C^ω is a finite conjunction of disjunctions of negative literals, i.e. CNF⁻ = (D₁⁻ ∧ D₂⁻ ∧ ... ∧ Dₙ⁻), we need one counter Neg.Counter(D⁻) of negative literals for each disjunction D⁻. All the other data structures defined for the φ-formulas are kept for the current algorithm.

In order to design an algorithm to test the satisfiability of ω-formulas we need to modify only the procedure VTA associated with the VTA inference rule. This procedure is very similar to the previous one. Now, instead of having one counter for each clause, we use as many counters as negative disjunctions D⁻ exist in a clause C^ω. If one of these counters reaches 0, it means that the CNF⁻ has been falsified. Thus, the new VTA3 procedure is as follows.

VTA3 (ω (p))
    Remove (p) from ω
    for ∀(D⁻, C^ω) ∈ Neg(p) do:
        Decrement Neg.Counter(D⁻)
        if Neg.Counter(D⁻) = 0 then do:
            if C⁺ ∈ C^ω is C⁺ = □ then return 'Unsatisfiable'
            Else C⁺ = (p_1 ∧ p_2 ∧ ... ∧ p_n)
                Begin PROCEDURE AE with C⁺

The algorithm VTA3-AE-Deduction for the ω-formulas is obtained by replacing the VTA procedure in the algorithm for the φ-formulas with this new VTA3 procedure.
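The VTA2 procedure of Section 4 (one decrement per negative conjunction, guarded by First(C⁻)) and the VTA3 procedure above (one counter per negative disjunction) differ only in when a negative term is falsified. The following solver, an added example written for this edition and not the paper's own code, implements both in one function: a per-group counter plays the role of First(C⁻) for σ-formulas (it starts at 1) and of Neg.Counter(D⁻) for ω-formulas (it starts at |D⁻|), while a per-clause counter records how many groups still have to be falsified before C⁺ is fired. The clause representation, the `kind` parameter and the random cross-check against a truth-table oracle are assumptions of this example; every negative conjunction or disjunction is assumed non-empty.

```python
"""Linear propagation for sigma- and omega-formulas (added example).

A sigma-clause (C1- or ... or Cn-) or C+ has negative conjunctions Ci-;
an omega-clause (D1- and ... and Dn-) or C+ has negative disjunctions Di-.
Both are the pair (groups, pos): `groups` lists, per Ci- or Di-, the
propositions occurring negated in it; `pos` lists the propositions of C+.
A unit clause (p) is ([], [p]); the empty clause is ([], []).
"""
from itertools import product
import random


def horn_like_sat(formula, kind):
    """Return the set of derived propositions (a model) or None if unsatisfiable.

    kind == 'sigma': a conjunction is falsified by its first derived
    proposition, so its counter starts at 1 (the First(C-) flag) and the
    clause counter is the number of conjunctions not yet falsified.
    kind == 'omega': a disjunction is falsified only when all of its
    propositions are derived, so its counter starts at |D-|, and a single
    falsified disjunction falsifies CNF-, so the clause counter starts at 1.
    """
    if kind not in ('sigma', 'omega'):
        raise ValueError('kind must be sigma or omega')
    neg = {}             # Neg(p): (group id, clause index) pairs whose group holds not p
    group_counter = {}   # sigma: First flag as a 1/0 counter; omega: literals left
    clause_counter = []  # groups still to be falsified before C+ is fired
    val, stack = set(), []

    def derive(p):                          # PROCEDURE AE for one proposition
        if p not in val:                    # Val(p) = 0: push once only
            val.add(p)
            stack.append(p)

    for idx, (groups, pos) in enumerate(formula):
        if not groups and not pos:
            return None                     # the empty clause is present
        clause_counter.append(len(groups) if kind == 'sigma' else 1)
        for g, lits in enumerate(groups):
            lits = set(lits)
            group_counter[(g, idx)] = 1 if kind == 'sigma' else len(lits)
            for p in lits:
                neg.setdefault(p, []).append((g, idx))
        if not groups:                      # positive clause: AE at initialisation
            for p in pos:
                derive(p)

    while stack:                            # PROCEDURE VTA2 / VTA3
        p = stack.pop()
        for key in neg.get(p, ()):
            if group_counter[key] == 0:     # already falsified: no second decrement
                continue
            group_counter[key] -= 1
            if group_counter[key] == 0:
                idx = key[1]
                clause_counter[idx] -= 1
                if clause_counter[idx] == 0:   # the negative term is falsified
                    pos = formula[idx][1]
                    if not pos:
                        return None         # C+ is empty: the empty clause is derived
                    for q in pos:
                        derive(q)
    return val


def satisfies(interp, formula, kind):
    """Clause semantics: DNF- is true iff some conjunction has all propositions
    false; CNF- is true iff every disjunction has some proposition false;
    an absent term counts as false."""
    for groups, pos in formula:
        if kind == 'sigma':
            neg_true = any(all(not interp[p] for p in g) for g in groups)
        else:
            neg_true = bool(groups) and all(any(not interp[p] for p in g) for g in groups)
        if not (neg_true or (bool(pos) and all(interp[q] for q in pos))):
            return False
    return True


def brute_force_sat(formula, kind):
    props = sorted({p for groups, pos in formula for g in groups + [pos] for p in g})
    return any(satisfies(dict(zip(props, bits)), formula, kind)
               for bits in product((False, True), repeat=len(props)))


def cross_check(kind, trials=300, seed=1):
    """Solver and oracle agree on `trials` random small formulas (constructed)."""
    rng = random.Random(seed)
    props = ['a', 'b', 'c', 'd']
    for _ in range(trials):
        formula = [([rng.sample(props, rng.randint(1, 2)) for _ in range(rng.randint(0, 2))],
                    rng.sample(props, rng.randint(0, 2)))
                   for _ in range(rng.randint(1, 6))]
        if (horn_like_sat(formula, kind) is not None) != brute_force_sat(formula, kind):
            return False
    return True


# Example 2 (sigma) and Example 3 (omega) of the paper; both are unsatisfiable.
EXAMPLE2 = [([], ['p1']), ([], ['p3']), ([['p1', 'p2'], ['p3', 'p4']], ['p5', 'p6']),
            ([['p5', 'p6']], ['p7', 'p8']), ([['p7', 'p8']], [])]
EXAMPLE3 = [([], ['p1']), ([], ['p2']), ([['p1', 'p2'], ['p3', 'p4']], ['p5', 'p6']),
            ([['p5', 'p6']], ['p7', 'p8']), ([['p8']], [])]
```

With `kind='sigma'`, dropping the last clause of Example 2 leaves a satisfiable formula whose least model is $\{p_1, p_3, p_5, p_6, p_7, p_8\}$; the same holds for Example 3 with `kind='omega'` and $\{p_1, p_2, p_5, p_6, p_7, p_8\}$. A φ-formula is the special case where every clause has at most one group and that group is read with `kind='omega'`.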

Theorem 14. Correctness. The algorithm VTA3-AE-Deduction(ω) returns unsatisfiable iff ω is unsatisfiable.

Theorem 15. Complexity. VTA3-AE-Deduction is strictly in $O(size(\omega))$.

The proofs of both theorems are similar to the previous theorems for the σ-formulas language.

6 Conclusions

On the theoretical side, our contribution described here aims at pushing further the frontiers of non-clausal tractability. Thus, we have firstly defined three classes of formulas in Negation Normal Form having a Horn-like shape. Secondly, we have established a set of inference rules which are sound and refutationally complete for each one of the three classes. In third place, we have designed strictly linear algorithms to solve the satisfiability problem in each class of formulas.

On the practical side, as the formulas keep a Horn-like structure, they are of relevant interest in such applications as, for instance, those based on Rule Based Systems. Indeed, the rules and the questions of many real applications require representing and reasoning with a richer language than the Horn formulas language. In this sense, the proposed formulas absorb the Horn language as a particular case. In addition, the proposed formulas represent logically equivalent pure Horn problems but with exponentially fewer symbols. Hence, as the described algorithms run in linear time on these classes, the gain in time can be of an exponential order with respect to the known linear algorithms running on the Horn formulas.
Abstract. Many key verification problems such as bounded model-checking, circuit verification and logical cryptanalysis are formalized with combined clausal and affine logic (i.e. clauses with xor as the connective) and cannot be efficiently (if at all) solved by using CNF-only provers.

We present a decision procedure to efficiently decide such problems. The Gauss-DPLL procedure is a tight integration in a unifying framework of a Gauss-Elimination procedure (for affine logic) and a Davis-Putnam-Logemann-Loveland procedure (for usual clause logic).

The key idea, which distinguishes our approach from others, is the full interaction between the two parts, which makes it possible to maximize (deterministic) simplification rules by passing around newly created unit or binary clauses in either of these parts. We show the correctness and the termination of Gauss-DPLL under very liberal assumptions.



1 Introduction 



In many application areas such as formal verification, cryptanalysis, planning and AI in general, the traditional formulation of a logical inference problem as a satisfiability problem in clausal normal form (CNF) is becoming unsatisfactory.

“Real world” problems are seldom formulated in CNF and must always be converted to it. The natural formulations of real problems make use of many logical connectives: definitions (e.g. gates in circuit verification), exclusive or (e.g. Feistel operations in logical cryptanalysis), disjunctions (e.g. non-deterministic actions in planning) etc.

When such formulae are transformed into CNF the performance of the system is not very impressive, unless special heuristic information on the problem domain is used (see e.g. the work on planning and on the DIMACS parity bit problems).



Our motivating application was logical cryptanalysis, the encoding of cryptographic problems as SAT problems. Known plaintext attacks on the US Data Encryption Standard can be encoded as a SAT problem with formulae of increasing complexity. The experimental analysis showed that the performance of state-of-the-art CNF solvers such as rel_sat, sato, ntab and satz degraded as soon as formulae containing exclusive-or appeared in the original formulation. Thus, solving real crypto-problems with CNF-provers looks unlikely.

1 F. Massacci acknowledges the support of a STM CNR grant.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 508
(c) Springer-Verlag Berlin Heidelberg 2000

The Taming of the (X)OR 509

A similar situation is found in circuit verification, where the usage of successful BDD-packages has proven to be utterly ineffective when coping with fairly basic circuits such as multipliers. Parity bit problems, based on logically simple formulae, proved to be extremely hard for CNF-based provers.



“The taming of the xor” has therefore become one of the major research efforts 
in the SAT community to tackle real world applications. The first solution is to cast 
the problem into CNF using advanced translations beyond Tseitin's definitional trans- 
lation. Otherwise one can use a dual-phase algorithm that solves the xor-part separately, 
or more complex algorithms using multiple polynomials. Other researchers have focused 
on direct handling of xors as a black box subroutine of classical DPLL algorithms. In 
the BDD community a number of “*DD” decision diagrams (where * may be instantiated 
to almost any alphabetic string) have been proposed to solve this problem. 



Most of these works start from the observation that satisfiability of affine logic - 
sets of xor-clauses, i.e. clauses made up with xor as the connective - can be decided in 
polynomial time. In particular, one can use a Gaussian Elimination procedure (GE 
procedure) to decide a given affine logic problem in quadratic time. 

It seems therefore possible to include GE as a black-box subroutine in a procedure 
for a more general logic, and this is indeed done in the works mentioned above. We 
will not directly do so, because the problems in our application domain (logical 
cryptanalysis) are beyond affine clause logic; after an appropriate transformation we end 
up with two sets of clauses, a set of usual or-clauses, and a set of xor-clauses. Our task is 
to decide the satisfiability of the combined problem, and, if satisfiable, output a model. 

The experimental analysis reported in those works showed that incorporating the GE 
procedure as a black-box subroutine definitely pays off if the affine logic part is 
overwhelming. This is the case for artificial DIMACS problems such as the bit parity 
problem or Pretolani's encoding of Urquhart's formulae. However, they also all agree 
that this is not sufficient when the affine logic part is only a part of the overall 
formula. This is indeed the case for DES encodings where xor clauses are just the hard 
core part (4% of the whole). This is true for many other problems such as model checking. 

So we want to have affine-logic reasoning in our calculus and, at the same time, we 
do not want to abandon the good, old and after all extremely efficient DPLL procedure. 
Our contribution is a revised DPLL where or-clauses and xor-clauses mutually co-exist. 

In order to achieve a homogeneous architecture, we treat xor-clauses by more tradi- 
tionally styled inference rules. In this way, the inferences carried out on either or-clauses 
or xor-clauses can heavily influence each other. This allows for performance optimiza- 
tions by passing around newly created unit or binary clauses in the or-clause logic part 
to the xor-clause logic part (and vice versa). In both parts they can be used to simplify 
the currently derived clauses. By giving preference to simplifications, branching of the 
search space due to the or-logic part is delayed until unavoidable or even prevented. 

Of course, our inference-rule based mechanism specializes to a variant of the GE 
procedure when restricted to affine logic. When applied to a pure inclusive-or clause 
logic problem, the method instantiates to the (propositional version of the) well-known 
Davis-Putnam-Logemann-Loveland (DPLL) procedure. This choice is motivated by the 
nice properties of DPLL: its conceptual simplicity, space efficiency, few inference rules, 
efficient and adaptable implementations (the most efficient systematic propositional 
methods are based on DPLL) and the possibility to immediately extract a model in case 
that no refutation exists. 

The suggested calculus in this paper can also be understood as an attempt to “lift” 
these properties to the case of a combined inclusive/exclusive-or logic. The underlying 
inference rules can roughly be divided in three classes: resolution-type inferences to 
implement GE (however, one parent clause is always deleted), simplification inference 
rules (which do not cause branching) and the cut rule (aka split) to force a case analysis 
A ∨ ¬A to advance the derivation when other rules are no longer applicable. 

This is only part of the story: one major difference between ours and the classical 
DPLL procedure is that we do not insist on explicitly computing a model; instead, we 
allow our procedure to terminate earlier, once a functional description of a model is 
computed. For instance, an equivalence like A ≡ B is not subject to further case anal- 
ysis to actually compute truth assignments for A and B. Instead it serves as a functional 
description of our model. If we really want to have a truth assignment, we can choose a 
random value for, say, B and then the value of A can be easily calculated. 

The rest of this paper is structured as follows: we start with some preliminary defi- 
nitions. Then we introduce the basic ingredients of our calculus (simplification and GE 
inference rules). These are then combined with some more inference rules in a single 
calculus called Gauss-DPLL. Finally, we sketch its correctness. 



2 Preliminaries 

We apply the usual notions of propositional logic. 

An atom is either a propositional variable or the symbol ⊤ (“true”). A literal is 
an atom or a negated atom. For a literal L, its complement L̄ is the atom A if L = ¬A, 
or else L̄ is ¬L. For a literal L we denote by |L| the atom of L, i.e. |A| = A and 
|¬A| = A for any atom A. 

An assignment is a pair A/L, where A is an atom different from ⊤, and L is a literal. 
An or-clause is a possibly empty multiset {L1, ..., Ln} of literals, usually written 
as L1 ∨ ··· ∨ Ln if n > 0, and □ if n = 0. Similarly, a xor-clause is a possibly empty 
multiset {L1, ..., Ln} of literals, usually written as L1 ⊕ ··· ⊕ Ln if n > 0, and □ if n = 0. 
The atoms of a clause C, denoted by |C|, are computed in the obvious way as |C| = 
{|L| : L ∈ C}. A clause refers to an or-clause or a xor-clause. 

Remark 1 (Special Cases). A clause with exactly one literal (i.e. a unit clause) can be 
seen as an or-clause, as a xor-clause or as an assignment where the value ⊤ or ¬⊤ is 
assigned to the atom of the literal according to the sign of the literal in the obvious way. 
A xor-clause with two literals can also be seen as an assignment. For instance ¬A can 
be seen as the assignment A/¬⊤, whereas A ⊕ ¬B can be seen as the assignment B/A 
or the assignment A/B. The calculus below contains rules for such transitions. 

In the sequel we use A, B, ... for atoms, K, L, ... for literals and C, D, ... for clauses. 
The calligraphic letters 𝒜, 𝒞 and 𝒳 are reserved to denote sets of assignments, sets of 
or-clauses, and sets of xor-clauses, respectively. When writing down or-clauses, we use 
the notation L ∨ C to denote {L} ∨ C, and C ∨ D to denote C ∪ D (and similarly for 
xor-clauses by using ⊕). Also, we write “C, 𝒞” instead of “{C} ∪ 𝒞”, where 𝒞 is a 
(x)or-clause set. 

Literal occurrences in xor-clauses can be flagged as selected. Selection is indicated 
by underlining, as in L̲ ⊕ C. The purpose is to state C as a “definition” of L. 

Quite frequently, we need the set of selected atoms of 𝒳, which is sel(𝒳) = {|L| | 
L is selected in C, for some C ∈ 𝒳}. 


Translation to normal form. We have a strict separation in our clause sets: in the one 
part, only “∨” occurs, and in the other part only “⊕” occurs. Treating arbitrary propo- 
sitional formulae is conceivable as well. However, due to the presence of xor-clauses, 
we can transform the initial formula into two separate sets, in a much simpler way than 
with CNF transformations. 

For instance the formula A ∨ B ∨ (C ⊕ D ⊕ E) can be transformed into the two clauses 
A ∨ B ∨ F and ¬F ⊕ C ⊕ D ⊕ E introducing the new symbol F. It is easy to see that this 
is a satisfiability preserving transformation. Even with optimized CNF transformation 
we cannot get away with less than 6 clauses. 

In our target application we have only formulae of the form L ≡ L1 ⊕ ··· ⊕ Ln 
or L ≡ L1 ∨ ··· ∨ Ln. So, a transformation into normal form will be definitely easy. 
Hence we assume as given a clause-normal-form transformation that transforms the 
given formula φ (containing arbitrary connectives) equivalently into a set of or-clauses 
and a set of xor-clauses (read conjunctively). 
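The translation just described, as an added Python example that is not part of the paper: it handles or-clauses containing xor subformulas (each gets a fresh definitional symbol, named F1, F2, ... by this example's convention) and definitions of the two shapes L ≡ L1 ⊕ ··· ⊕ Ln and L ≡ L1 ∨ ··· ∨ Ln. The brute-force check same_models verifies the satisfiability-preserving claim on the constructed input A ∨ B ∨ (C ⊕ D ⊕ E); the (atom, polarity) representation of literals is an assumption of this example.

```python
from itertools import product

# Added example, not the paper's code: translation to normal form (Sect. 2).
# A literal is (atom, positive).  Each conjunct of the input is one of
#   ("or", [item, ...])           or-clause; an item is a literal or ("xor", [literals])
#   ("def", L, "xor", [L1..Ln])   the definition  L ≡ L1 ⊕ ... ⊕ Ln
#   ("def", L, "or",  [L1..Ln])   the definition  L ≡ L1 ∨ ... ∨ Ln
# Fresh atoms F1, F2, ... (a convention of this example) name xor subformulas.


def neg(lit):
    return (lit[0], not lit[1])


def to_normal_form(conjuncts):
    """Return (or_clauses, xor_clauses), both lists of literal lists, read conjunctively."""
    or_clauses, xor_clauses, fresh = [], [], 0
    for c in conjuncts:
        if c[0] == "or":
            clause = []
            for item in c[1]:
                if item[0] == "xor" and isinstance(item[1], list):
                    fresh += 1
                    f = ("F%d" % fresh, True)
                    # F ≡ L1 ⊕ ... ⊕ Ln  is the single xor-clause  ¬F ⊕ L1 ⊕ ... ⊕ Ln
                    xor_clauses.append([neg(f)] + list(item[1]))
                    clause.append(f)
                else:
                    clause.append(item)
            or_clauses.append(clause)
        elif c[0] == "def" and c[2] == "xor":
            xor_clauses.append([neg(c[1])] + list(c[3]))
        elif c[0] == "def" and c[2] == "or":
            # L ≡ L1 ∨ ... ∨ Ln  needs  ¬L ∨ L1 ∨ ... ∨ Ln  and  L ∨ ¬Li  for every i
            or_clauses.append([neg(c[1])] + list(c[3]))
            for li in c[3]:
                or_clauses.append([c[1], neg(li)])
        else:
            raise ValueError("unsupported conjunct %r" % (c,))
    return or_clauses, xor_clauses


def eval_lit(lit, model):
    return model[lit[0]] if lit[1] else not model[lit[0]]


def holds(or_clauses, xor_clauses, model):
    """An or-clause needs one true literal, a xor-clause an odd number of them."""
    return (all(any(eval_lit(l, model) for l in cl) for cl in or_clauses) and
            all(sum(eval_lit(l, model) for l in cl) % 2 == 1 for cl in xor_clauses))


def same_models(original, or_clauses, xor_clauses, atoms, fresh):
    """Brute-force check of satisfiability preservation: for every valuation of the
    original atoms, `original` holds iff some valuation of the fresh atoms satisfies
    all clauses (the fresh atoms are functionally determined, so at most one does)."""
    for values in product((False, True), repeat=len(atoms)):
        model = dict(zip(atoms, values))
        extendable = any(holds(or_clauses, xor_clauses, {**model, **dict(zip(fresh, fv))})
                         for fv in product((False, True), repeat=len(fresh)))
        if original(model) != extendable:
            return False
    return True


def paper_example():
    """Constructed input: the formula A ∨ B ∨ (C ⊕ D ⊕ E) from Sect. 2."""
    return to_normal_form([("or", [("A", True), ("B", True),
                                   ("xor", [("C", True), ("D", True), ("E", True)])])])
```

The or-definition case shows why the paper calls the transformation easy only for its target application: L ≡ L1 ∨ ··· ∨ Ln costs n + 1 or-clauses, whereas L ≡ L1 ⊕ ··· ⊕ Ln is a single xor-clause.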



3 Simplification by Boolean Reduction 

Simplification by boolean reduction means to transform a clause into normal form by 
exploiting trivial boolean reductions. This is achieved by the inference rules R_bool shown 
in Figure 1; they are also used in the preprocessing step of the encoding of DES, and they 
extend the rules known for or-clauses to the xor-case. 

More precisely, reduction of a clause C by the R_bool inference rules means to repeat- 
edly replace C by the result of a single application of an inference rule from R_bool to C, 
resulting finally in a normal form of C. 

Proposition 1. The reduction of a clause C by the R_bool inference rules terminates. 

The proof is straightforward and is omitted (the proof of Lemma 2 below makes the 
ordering explicit that guarantees termination). 

Remark 2 (Transparent Selection). In the reduction process, the inference rules are ap- 
plied to xor-clauses transparently wrt. selected literals according to the following rules: 
(i) selection within C (referring to the actual instance of the meta-variable in the infer- 
ence rules R_bool) is preserved, (ii) selection of L, A, ¬A, B or ¬B carries over to the 
resulting clause, if the respective literal still is present (in complemented form, how- 
ever) in the conclusion. 

The reason to preserve selection is to make in the calculus a re-orientation of a definition 
impossible, where e.g. ¬A is just as good a definition name as A. 


$$
\begin{array}{l|l}
\text{Elimination of logical constants} & \text{Elimination of redundancies}\\ \hline
L \oplus \top \oplus C \Rightarrow \bar{L} \oplus C & L \oplus L \oplus C \Rightarrow C\\
\neg\top \oplus C \Rightarrow C & A \oplus \neg A \oplus C \Rightarrow \top \oplus C\\
 & \neg A \oplus \neg B \oplus C \Rightarrow A \oplus B \oplus C\\
\top \vee C \Rightarrow \top & L \vee L \vee C \Rightarrow L \vee C\\
\neg\top \vee C \Rightarrow C & A \vee \neg A \vee C \Rightarrow \top
\end{array}
$$

Fig. 1. The inference rules R_bool for boolean reduction; in “φ ⇒ ψ” the left hand side φ 
is the premise and the right hand side ψ is the conclusion. The case C = □ is permitted 
in all rules, except for ⊤ ∨ C ⇒ ⊤. 

In general, a normal form derived in the way just described is not unique. Still, all 
normal forms are logically equivalent and this is what we are interested in. Thus we let 
C↓ denote some arbitrary normal form of C. 

For instance, ¬A̲ ⊕ ¬B ⊕ ¬C has three normal forms and (¬A̲ ⊕ ¬B ⊕ ¬C)↓ may be 
A̲ ⊕ B ⊕ ¬C (notice how selection carries over). The single normal form of A̲ ⊕ A ⊕ B is 
B (however, such cyclic definitions are impossible to construct in the calculus). 

4 Simplification by Boolean Assignments 

The device introduced here is comparable to the uniform substitution rule by Tseitin. It 
has already been introduced in earlier work. 

Remark 3 (Assumptions about Sets of Assignments). From now on, when considering a 
set 𝒜 of assignments, we insist that whenever A/L ∈ 𝒜 and A/K ∈ 𝒜 then L = K (func- 
tionality), and whenever A/L ∈ 𝒜 then |L|/K ∉ 𝒜, for every literal K (idempotency). 
Notice that idempotency guarantees in particular A/A ∉ 𝒜 and A/¬A ∉ 𝒜. 

Definition 1 (Simplification by Assignments). The simplification of a clause C by a 
set of assignments 𝒜 = {A1/L1, ..., An/Ln}, denoted by C//𝒜, is obtained by simultane- 
ous substitution of each occurrence of Ai (resp. ¬Ai) in C by Li (resp. L̄i), for 1 ≤ i ≤ n. 

Simplification is applied transparently to selected literals in a “destructive” way: if A 
(or ¬A) is selected in a xor-clause C and a simplification C//{A/L, ...} is performed, 
the literal occurrence L (resp. L̄) in the resulting clause does not get selected. 

Definition 2. An atom A is defined in a set of assignments 𝒜 iff A/L ∈ 𝒜, for some 
literal L. It is undefined iff it is not defined. 

Definition 3 (Extending a Set of Assignments). Let 𝒜 be a set of assignments and 
A/L be an assignment such that both A and |L| are undefined in 𝒜. Then, the extension 
of 𝒜 by A/L, denoted by 𝒜 ∘ (A/L), is the set of assignments {B/(K//{A/L}) | B/K ∈ 𝒜} ∪ {A/L}. 
In this definition the literal K is read as a unit clause. 

If the atom A is undefined in 𝒜, then 𝒜 ∘ A = 𝒜 ∘ (A/⊤), and 𝒜 ∘ ¬A = 𝒜 ∘ (A/¬⊤). 

Lemma 1 (Preservation of Properties). If 𝒜 is functional and idempotent, then, under 
the conditions stated in Definition 3, both 𝒜 ∘ (A/L) and 𝒜 ∘ L are functional and idempotent. 

Proof. (Sketch) Consider the general case 𝒜 ∘ (A/L). Since A is undefined in 𝒜 and 
only the right hand sides are modified by extension, functionality is preserved. 𝒜 ∘ (A/L) 
is idempotent because the right hand sides in 𝒜 are subject to substitution by 
the new assignment A/L and |L| is undefined in 𝒜. This makes non-idempotency 
impossible. 
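Sections 3 and 4 together, as an added Python example that is not the paper's code: one normal form under the rules R_bool of Fig. 1 for or- and xor-clauses, the simplification C//𝒜 of Definition 1, the extension 𝒜 ∘ (A/L) of Definition 3, and the functionality and idempotency check of Remark 3. The representation is this example's assumption: a literal is an (atom, positive) pair, the string "⊤" is the atom ⊤, and selected literals are not tracked. The demo input is constructed.

```python
# Added example, not the paper's code: boolean reduction (Fig. 1), simplification
# by assignments (Def. 1) and extension of assignment sets (Def. 3).
# Atoms are strings, TOP is the atom ⊤, a literal is (atom, positive).
TOP = "⊤"


def xor_normal_form(lits):
    """One normal form of a xor-clause under the rules of Fig. 1.

    L⊕L⊕C ⇒ C:            an atom survives iff it occurs an odd number of times;
    ¬A⊕¬B⊕C ⇒ A⊕B⊕C,     every negation, every occurrence of ⊤ flips a parity bit,
    A⊕¬A⊕C ⇒ ⊤⊕C,         ¬⊤⊕C ⇒ C contributes nothing;
    L⊕⊤⊕C ⇒ ¬L⊕C:         a leftover parity bit becomes the single negation.
    Normal forms are not unique (Sect. 3); this one negates the smallest atom.
    """
    parity, count = 0, {}
    for atom, positive in lits:
        if atom == TOP:
            parity ^= 1 if positive else 0
        else:
            count[atom] = count.get(atom, 0) ^ 1
            parity ^= 0 if positive else 1
    atoms = sorted(a for a, odd in count.items() if odd)
    if not atoms:                       # only constants left: ⊤, or the empty clause □
        return [(TOP, True)] if parity else []
    return [(atoms[0], parity == 0)] + [(a, True) for a in atoms[1:]]


def or_normal_form(lits):
    """Normal form of an or-clause: ⊤∨C ⇒ ⊤, ¬⊤∨C ⇒ C, L∨L∨C ⇒ L∨C, A∨¬A∨C ⇒ ⊤."""
    seen = {}
    for atom, positive in lits:
        if atom == TOP:
            if positive:
                return [(TOP, True)]
            continue
        if seen.get(atom, positive) != positive:
            return [(TOP, True)]
        seen[atom] = positive
    return sorted(seen.items())


def normal_form(kind, lits):
    return xor_normal_form(lits) if kind == "xor" else or_normal_form(lits)


def simplify(lits, assignments):
    """C//A (Def. 1): replace every A_i (resp. ¬A_i) by L_i (resp. the complement of L_i)."""
    out = []
    for atom, positive in lits:
        if atom in assignments:
            target, target_positive = assignments[atom]
            out.append((target, target_positive if positive else not target_positive))
        else:
            out.append((atom, positive))
    return out


def is_functional_and_idempotent(assignments):
    """Remark 3: a dict is functional by construction; idempotency means no
    right-hand-side atom is itself defined (this also rules out A/A and A/¬A)."""
    return all(target not in assignments for target, _ in assignments.values())


def extend(assignments, atom, lit):
    """A∘(A/L) (Def. 3): substitute the new assignment into all old right-hand sides."""
    if atom in assignments or lit[0] in assignments:
        raise ValueError("A and |L| must both be undefined in the assignment set")
    new = {b: simplify([k], {atom: lit})[0] for b, k in assignments.items()}
    new[atom] = lit
    return new


def demo():
    """Constructed input: the assignment set {B/A} extended by A/¬⊤, then used
    to simplify and reduce the xor-clause ¬A ⊕ B ⊕ C."""
    a0 = {"B": ("A", True)}
    a1 = extend(a0, "A", (TOP, False))           # {B/¬⊤, A/¬⊤}
    clause = [("A", False), ("B", True), ("C", True)]
    return a1, normal_form("xor", simplify(clause, a1))
```

With A and B both false, ¬A ⊕ B ⊕ C is true exactly when C is false, so the reduced clause is the unit ¬C; the example shows how simplification by assignments feeds the reduction rules, which is the interplay the calculus of Section 6 relies on.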

5 Gauss Resolution Rules 

The Gauss Elimination (GE) procedure can be represented by two resolution-like rules: 

$$
\text{Gauss}^{-}\quad \frac{L \oplus C \qquad \bar{L} \oplus D}{C \oplus D}
\qquad\qquad
\text{Gauss}^{+}\quad \frac{L \oplus C \qquad L \oplus D}{\top \oplus C \oplus D}
$$

For the Gauss⁻ rule, we say that C ⊕ D is the Gauss-resolvent of L ⊕ C on L into L̄ ⊕ D, 
and similarly for the Gauss⁺ rule. 

As for resolution, these rules are sound, i.e. the conclusion is a consequence of 
the premises. However, in sharp contrast to resolution, in both rules each premise is a 
consequence of the conclusion and the other premise: 

Proposition 2. All of the following hold: 

1. {L ⊕ C, L̄ ⊕ D} ⊨ C ⊕ D and {L ⊕ C, C ⊕ D} ⊨ L̄ ⊕ D 

2. {L ⊕ C, L ⊕ D} ⊨ ⊤ ⊕ C ⊕ D and {L ⊕ C, ⊤ ⊕ C ⊕ D} ⊨ L ⊕ D 

Using Proposition 2 we can delete one of the premises once the Gauss-resolvent has 
been added to the xor-clause set without losing completeness, because it is an equiva- 
lence preserving transformation. The intuition is that the deleted clause can always be 
restored by applying the inference rules. Thus one can avoid the exponential explosion 
of resolution: the number of clauses never grows beyond the initial number of clauses. If 
we apply boolean reduction rules, one can eliminate duplicated literals in a clause, and 
hence the length of each clause never exceeds the number of available atoms. 

These two rules, together with a deletion strategy, describe a Gauss-Elimination 
procedure as known from high school which has a quadratic complexity. Take the given 
xor-clauses 𝒳 = {C1, ..., Cn} as a system of linear equations in a boolean ring ⊕C1 = 
1, ..., ⊕Cn = 1, where each variable is assigned a value 0 or 1, ⊕ is addition modulo 2, 
and ¬A is A ⊕ 1. In this view, the overall strategy to determine whether 𝒳 is satisfiable 
is first to derive (if possible) a triangular form of 𝒳. For this, select a clause with a 
literal, say L, and eliminate with the two rules all occurrences of L and L̄ from the 
remaining clauses. This is possible by design of the inference rules, as the conclusion 
contains neither L nor L̄. If necessary, we apply boolean reduction rules until each clause 
contains at most one occurrence of L or L̄. Next, the clause containing L is put aside and 
the variable elimination process continues in this way until all clauses are processed. 

If the empty clause comes up, the xor-clause set is unsatisfiable. If a triangular 
matrix results, a unique model can be computed by propagating the assignments forced 
by the shorter clauses towards the longer clauses. For a non-triangular form, the system 
is under-determined and more than one model exists. 

Unfortunately, unrestricted application of the Gauss⁻ and Gauss⁺ rules to a set of 
xor-clauses may be a non-terminating process. The system might cycle among a finite 
set of logically equivalent forms without reaching a fix point. 

As an example consider 𝒳 = {A ⊕ C, ¬A ⊕ D}. Resolving A ⊕ C on A into ¬A ⊕ D 
yields 𝒳' = {A ⊕ C, C ⊕ D}. Next, resolving A ⊕ C on C into C ⊕ D results in 𝒳 again 
(after reduction). 

This problem is solved by using the strategy described above to derive a triangular 
form. It would be acceptable if the xor-clause set were fixed, but this is not our case: first, 
new unary or binary xor-clauses may come up as the derivation proceeds, and it can be 
advantageous to delay the decision on the variables to eliminate. Second, the initial xor- 
clause set is under-determined in most cases and the value of many “independent” 
variables is determined only by the constraints expressed by the or-clauses. 
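The GE procedure of this section in the boolean-ring view, as an added Python example that is not the paper's code: a xor-clause is stored as the linear equation "⊕ atoms = rhs", so boolean reduction is built into the representation and one Gauss-resolvent function covers Gauss⁻ and Gauss⁺ alike. triangularize applies the deletion strategy, solve reads a model off the triangular form (free atoms receive a chosen default), and cycles_without_strategy reproduces the non-terminating example above. Inputs are constructed; the pivot choice (smallest atom of the clause taken last) is this example's assumption.

```python
# Added example, not the paper's code: the GE procedure of Sect. 5 over GF(2).
# A xor-clause L1 ⊕ ... ⊕ Ln (which must be true) is the equation "⊕ atoms = rhs":
# ¬A is A ⊕ 1 and ⊤ is 1, so both move to the right-hand side, and duplicate
# atoms cancel, i.e. boolean reduction is built into the representation.
TOP = "⊤"


def equation(lits):
    """[(atom, positive), ...] -> (frozenset of atoms, rhs bit)."""
    atoms, rhs = frozenset(), 1
    for atom, positive in lits:
        if atom == TOP:
            rhs ^= 1 if positive else 0
        else:
            atoms ^= {atom}                     # L ⊕ L ⊕ C ⇒ C
            rhs ^= 0 if positive else 1
    return atoms, rhs


def gauss_resolve(defn, other):
    """Gauss-resolvent of `defn` into `other`, both containing the eliminated atom.
    Adding the equations covers Gauss⁻ and Gauss⁺ at once: the sign of the
    eliminated literal only shows up in the right-hand sides."""
    return defn[0] ^ other[0], defn[1] ^ other[1]


def triangularize(eqs):
    """Deletion strategy of Sect. 5: take a clause, pick a literal in it, resolve the
    clause into every remaining clause that mentions the literal (the premise is
    replaced by the resolvent), put the clause aside, repeat.  Returns the list of
    (pivot atom, equation) in the order they were put aside, or None once the
    empty clause □ (the equation 0 = 1) comes up."""
    pivots, rows = [], list(eqs)
    while rows:
        atoms, rhs = rows.pop()
        if not atoms:
            if rhs:
                return None                     # □: unsatisfiable
            continue                            # 0 = 0 is redundant
        pivot = min(atoms)
        rows = [gauss_resolve((atoms, rhs), r) if pivot in r[0] else r for r in rows]
        pivots.append((pivot, (atoms, rhs)))
    return pivots


def free_atoms(eqs, pivots):
    """Atoms never solved for; the system is under-determined iff this is non-empty."""
    return set().union(*(atoms for atoms, _ in eqs)) - {p for p, _ in pivots}


def solve(eqs, free_value=0):
    """A model from the triangular form, going from the clause put aside last (it
    mentions only free atoms besides its pivot) back to the first one."""
    pivots = triangularize(eqs)
    if pivots is None:
        return None
    model = {}
    for pivot, (atoms, rhs) in reversed(pivots):
        value = rhs
        for a in atoms:
            if a != pivot:
                value ^= model.setdefault(a, free_value)
        model[pivot] = value
    return model


def satisfied(eqs, model):
    return all(sum(model[a] for a in atoms) % 2 == rhs for atoms, rhs in eqs)


def cycles_without_strategy():
    """The non-terminating example of Sect. 5, X = {A ⊕ C, ¬A ⊕ D}: resolving A ⊕ C
    on A into ¬A ⊕ D gives C ⊕ D, and resolving A ⊕ C on C into C ⊕ D gives
    ¬A ⊕ D back.  Returns (C ⊕ D, whether the second step restores ¬A ⊕ D)."""
    a_c = equation([("A", True), ("C", True)])
    na_d = equation([("A", False), ("D", True)])
    c_d = gauss_resolve(a_c, na_d)
    return c_d, gauss_resolve(a_c, c_d) == na_d
```

Each pivot clause is used exactly once and then put aside, so the process is quadratic in the number of clauses and cannot cycle; the cycle only appears when a clause is allowed to act as the definition of different atoms at different times, which is exactly what the Select condition of Section 6 rules out.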

6 Gauss-DPLL 

In this section we introduce the inference rules which are at the basis of a generalization 
of the Davis-Putnam-Logemann-Loveland Procedure, which we call Gauss-DPLL. 

The inference rules, but one, are of the form 

$$
\frac{\mathcal{A}\quad \mathcal{C}\quad \mathcal{X}}{\mathcal{A}'\quad \mathcal{C}'\quad \mathcal{X}'}
$$

where 𝒜 is a set of assignments, 𝒞 is a set of or-clauses, 𝒳 is a set of xor-clauses, 
possibly with some selected literals. The primed versions are the sets derived by the 
rule. 

The intuition is that in 𝒜 we store the definitions A/L which say how to set the value 
of an atom A on the basis of the value of another atom or a logical constant. The sets 𝒞 
and 𝒳 contain the (x)or-clauses that have not been completely processed yet. 

The main idea behind selected literals is that a xor-clause C containing a selected 
literal L can be seen as a definition of the corresponding atom |L| in terms of the value 
of the other literals of C. For the whole system to be consistent, the clause C can only 
be used as the definition of only one atom. Further, the calculus achieves that there is 
only one such definition - be it in just one single xor-clause or as an assignment. 

The twist to implement the GE procedure in this way is that, when no rule is ap- 
plicable, the set 𝒳 and the selected literals in it implicitly describe a triangular form of 
the linear modulo 2 equations in 𝒳. For instance, if 𝒳 = {A̲ ⊕ B, C̲ ⊕ B} this implicitly 
describes a triangular form which is (partly) undetermined: A and C have been “solved” 
as functions of B. In terms of linear equations this is obvious: we have two equations and 
three variables. 

We are now turning to the inference rules of Gauss-DPLL. 

The following inference rules are used to reduce clauses; to avoid trivial loops, the 
applicability condition C ≠ C↓ is assumed: 

$$
\vee\text{-Red}\quad \frac{\mathcal{A}\quad C,\,\mathcal{C}\quad \mathcal{X}}{\mathcal{A}\quad C{\downarrow},\,\mathcal{C}\quad \mathcal{X}}
\qquad\qquad
\oplus\text{-Red}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad C,\,\mathcal{X}}{\mathcal{A}\quad \mathcal{C}\quad C{\downarrow},\,\mathcal{X}}
$$

The following inference rules simplify a clause by the current assignments; the appli- 
cability condition C ≠ C//𝒜 is assumed: 

$$
\vee\text{-Simp}\quad \frac{\mathcal{A}\quad C,\,\mathcal{C}\quad \mathcal{X}}{\mathcal{A}\quad C/\!/\mathcal{A},\,\mathcal{C}\quad \mathcal{X}}
\qquad\qquad
\oplus\text{-Simp}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad C,\,\mathcal{X}}{\mathcal{A}\quad \mathcal{C}\quad C/\!/\mathcal{A},\,\mathcal{X}}
$$

An inference rule for the simplification of 𝒜 wrt. 𝒜 is not necessary, because 𝒜 is 
both functional and idempotent (cf. Remark 3) as being constructed. 

Now we turn to the inference rules to implement the GE procedure as described in 
Section 5. First, we need a rule to select a literal L for elimination. 

$$
\text{Select}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad L \oplus C,\,\mathcal{X}}{\mathcal{A}\quad \mathcal{C}\quad \underline{L} \oplus C,\,\mathcal{X}}
\quad \text{if } \mathrm{sel}(\{L \oplus C\} \cup \mathcal{X}) \cap \mathrm{atoms}(L \oplus C) = \{\}\ \text{and } |L| \neq \top
$$

The intuition behind the applicability condition is that we can use a xor-clause as 
definition of only one literal at a time, i.e. sel(L ⊕ C) ∩ atoms(L ⊕ C) = {}. To guarantee 
that no trivially cyclic definition as in A̲ ⊕ A ⊕ B comes up, the ⊕-Red inference rule 
must be preferred to Select (all the required preferences are stated in Def. 4 below). The 
subcondition sel(𝒳) ∩ atoms(L ⊕ C) = {} states that the new definition must not depend 
on other definitions. If it were absent, a cyclic situation as in {A̲ ⊕ B, A ⊕ ¬B̲} comes 
up easily. 

Then we have the proper Gauss-Resolution rule: 

$$
\text{Gauss}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad \underline{L} \oplus C,\,D,\,\mathcal{X}}{\mathcal{A}\quad \mathcal{C}\quad \underline{L} \oplus C,\,D',\,\mathcal{X}}
\quad \text{if } D' \text{ is the Gauss resolvent of } L \oplus C \text{ on } L \text{ into } D
$$

Intuitively, this rule says that we take L ⊕ C as a definition of L and replace in D the 
literal L (or L̄) by its definition. To guarantee that there is no occurrence of L (or L̄) left 
in D', the ⊕-Red inference rule must be preferred to Gauss. The Gauss rule is applied 
transparently wrt. selected literals, i.e. a possibly selected literal in D remains selected 
in D' (the literal L (or L̄) in D' cannot be selected anyway, cf. invariant (ii) in Lemma 2). 

Example 1. Consider the following derivation where 𝒜 and 𝒞 have been removed for 
readability and numbers are for reference: 

$$
\begin{array}{lll}
(1) & A \oplus B \oplus E,\ A \oplus C,\ B \oplus C & \text{start}\\
(2) & A \oplus B \oplus E,\ \underline{A} \oplus C,\ B \oplus C & \text{by Select}\\
(3) & C \oplus B \oplus E \oplus \top,\ \underline{A} \oplus C,\ B \oplus C & \text{by Gauss}^{+}\text{ of } A \oplus C \text{ on } A \text{ into } A \oplus B \oplus E\\
(4) & \neg C \oplus B \oplus E,\ \underline{A} \oplus C,\ B \oplus C & \text{by } \oplus\text{-Red on } C \oplus B \oplus E \oplus \top\\
(5) & \neg C \oplus B \oplus E,\ \underline{A} \oplus C,\ B \oplus \underline{C} & \text{by Select}\\
(6) & B \oplus B \oplus E,\ \underline{A} \oplus C,\ B \oplus \underline{C} & \text{by Gauss}^{-}\text{ of } B \oplus C \text{ on } C \text{ into } \neg C \oplus B \oplus E\\
(7) & E,\ \underline{A} \oplus C,\ B \oplus \underline{C} & \text{by } \oplus\text{-Red on } B \oplus B \oplus E\\
(8) & E,\ \underline{A} \oplus B \oplus \top,\ B \oplus \underline{C} & \text{by Gauss}^{+}\text{ of } B \oplus C \text{ on } C \text{ into } A \oplus C\\
(9) & E,\ \underline{A} \oplus \neg B,\ B \oplus \underline{C} & \text{by } \oplus\text{-Red on } A \oplus B \oplus \top\\
(10) & \underline{E},\ \underline{A} \oplus \neg B,\ B \oplus \underline{C} & \text{by Select}
\end{array}
$$

Now we can apply neither Gauss nor Select, and indeed we terminated with an unde- 
termined set of equations where A and C are defined in terms of B. 

This example explains well the importance of giving precedence to the ⊕-Red rule 
over the Gauss rule. Consider step (6): without simplifying the two Bs we will not be 
able to eliminate them: Gauss alone will introduce two Cs, or two As etc. 

To see the importance of the applicability condition of Select, let us look at the last 
step. Without it, we could have continued as follows: 

$$
\begin{array}{lll}
(11') & E,\ A \oplus \neg B,\ B \oplus C & \text{by Select}\\
(12) & E,\ A \oplus C,\ B \oplus C & \text{by Gauss}^{-}\\
(13) & E,\ A \oplus B \oplus \top,\ B \oplus C & \text{by Gauss}^{+}\\
(14) & E,\ A \oplus \neg B,\ B \oplus C & \text{by } \oplus\text{-Red}
\end{array}
$$

So we are using A ⊕ C sometimes as a definition of A and sometimes as a definition of 
C. This will clearly lead to a non-terminating sequence. 

The rules presented so far constitute the core of the GE procedure as described in 
Section 5. The next set of inference rules transforms unit (x)or-clauses into assignments, 
with the purpose to trigger new simplification steps. 

$$
\vee\text{-Unit}\quad \frac{\mathcal{A}\quad L,\,\mathcal{C}\quad \mathcal{X}}{\mathcal{A} \circ L\quad \mathcal{C}\quad \mathcal{X}}
\qquad\qquad
\oplus\text{-Unit}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad L,\,\mathcal{X}}{\mathcal{A} \circ L\quad \mathcal{C}\quad \mathcal{X}}
$$

Here, L may or may not be selected. 

Remark 4. Since we give preference to Red and Simp over the Unit rules, the extension 
of 𝒜 to 𝒜 ∘ L is defined, i.e. |L| is undefined in 𝒜. Thus, functionality and idempotency 
are preserved by Lemma 1 and the set of assignments strictly increases. 

Now, the well-known DPLL splitting rule is introduced. The purpose is to advance 
a derivation once no other rule is applicable. 

$$
\text{Split}\quad \frac{\mathcal{A}\quad \mathcal{C}\quad \mathcal{X}}{\mathcal{A} \circ A\quad \mathcal{C}\quad \mathcal{X}\qquad\Big|\qquad \mathcal{A} \circ \neg A\quad \mathcal{C}\quad \mathcal{X}}
\quad \text{if } A \in \mathrm{atoms}(C),\ \text{for some } C \in \mathcal{C}
$$

This is the sole rule with two consequences. Observe that the splitting in the two cases 
A and ¬A is expressed in our notation as two respective assignments A/⊤ and A/¬⊤. 

Remark 5. Once again we have no condition such as “A is undefined in 𝒜” because 
we give preference to Red and Simp over Split, and therefore the same reasoning as in 
Remark 4 applies. 

The applicability condition in Split is not necessary for completeness, but is useful 
for stopping the search without going to compute explicitly any of the models that 
would be possible by assigning all combinations of ⊤ and ¬⊤ to the “independent” 
atoms occurring in definitions represented by 𝒳. However, for the atoms occurring 
in 𝒞, applying Split is mandatory as the last resort to make progress in processing 𝒞. 

Remark 6 (Explicit Models). If we arrive at a stage where no rule is applicable, and 
the empty clause has not been found, we have a functional description of a model. To 
obtain a model as a set of assignments of logical constants to atoms, we can add to 𝒜 an 
arbitrary truth value assignment for each atom that is not selected in a xor-clause in 𝒳. 
The exhaustive application of the Simp, Red and Unit rules leads to the desired result in 
𝒜 then. 
The next rules for equivalences are not necessary for completeness but they allow 
for a substantial speed-up as they correspond to powerful forms of pruning: some hard 
DIMACS problems are solved by using rules of equivalent form alone. 

$$
\begin{array}{ll}
\vee\text{-Eqv-1}\quad \dfrac{\mathcal{A}\quad A \vee B,\ \neg A \vee \neg B,\ \mathcal{C}\quad \mathcal{X}}{\mathcal{A} \circ (A/\neg B)\quad \mathcal{C}\quad \mathcal{X}} & \text{if } B \notin \mathrm{sel}(\mathcal{X}) \\[3ex]
\vee\text{-Eqv-2}\quad \dfrac{\mathcal{A}\quad \neg A \vee B,\ A \vee \neg B,\ \mathcal{C}\quad \mathcal{X}}{\mathcal{A} \circ (A/B)\quad \mathcal{C}\quad \mathcal{X}} & \text{if } B \notin \mathrm{sel}(\mathcal{X}) \\[3ex]
\oplus\text{-Eqv}\quad \dfrac{\mathcal{A}\quad \mathcal{C}\quad A \oplus \bar{L},\ \mathcal{X}}{\mathcal{A} \circ (A/L)\quad \mathcal{C}\quad \mathcal{X}} & \text{if } |L| \notin \mathrm{sel}(\{A \oplus \bar{L}\} \cup \mathcal{X})
\end{array}
$$

Remark 7. Similarly as said above in Remark 5 for the Split rule, we insist to prefer the 
Simp and Red rules over the Eqv rules. Therefore, all stated extensions of 𝒜 in the Eqv 
rules are defined, thus both functionality and idempotency are preserved (cf. Lemma 1), 
and also A is undefined in 𝒜. 

To avoid loops, the turning of (x)or-clauses into assignments by the Eqv rules must 
not contradict the implicit ordering of literals as determined by the selected literals in 
𝒳 (this ordering is made explicit in the proof of Lemma 2). This is what the stated 
applicability conditions are good for. 

The ⊕-Eqv rule is formulated general enough, because any binary xor-clause of the 
form ¬A ⊕ ¬B can be turned into A ⊕ B by boolean reduction. 



7 An Effective Calculus for Proof Search 

Finally, it has to be said how to combine the inference rules of Section 6. 

Definition 4 (Affine Logic Tree (ALT)). We consider (incomplete) binary trees where 
every node N is labelled with a tuple (𝒜, 𝒞, 𝒳). The label of N is denoted by Λ(N). 
Affine logic trees, ALTs, for 𝒞 and 𝒳, where 𝒞 (resp. 𝒳) is an or-clause set (resp. 
xor-clause set), are defined inductively in the following way: 

Initialization Step: the tree 𝒯 consisting of a root node N only and such that Λ(N) = 
({}, 𝒞, 𝒳) is an ALT for 𝒞 and 𝒳. 

Non-branching Extension Step: if N' is a leaf of an ALT 𝒯' for 𝒞 and 𝒳, and one of 
the non-branching inference rules is applicable to Λ(N'), then 𝒯 is an ALT for 𝒞 
and 𝒳, where 𝒯 is obtained from 𝒯' by attaching one new child node N below N', 
and Λ(N) is obtained by a single application of one of the non-branching inference 
rules to Λ(N'). Applicability of these inference rules is given preference as follows: 

- ⊕-Simp and ⊕-Red must be applied before Gauss and Select 

- ⊕-Simp and ⊕-Red must be applied before ⊕-Unit and ⊕-Eqv 

- ∨-Simp and ∨-Red must be applied before ∨-Unit, ∨-Eqv-1 and ∨-Eqv-2. 

Branching Extension Step: if N' is a leaf of an ALT 𝒯' for 𝒞 and 𝒳, and non-branch- 
ing extension steps are not applicable to N', and Split is applicable to Λ(N'), then 
𝒯 is an ALT for 𝒞 and 𝒳, where 𝒯 is obtained from 𝒯' by attaching two new 
child nodes Nl and Nr below N', and Λ(Nl) and Λ(Nr) are obtained by a single 
application of Split to Λ(N'). 

We abbreviate “ALT for 𝒞 and 𝒳” as “ALT” if context allows. 

Definition 5 (Open, Closed, Derivation, Finishedness, Fairness). A branch ℬ in an 
ALT 𝒯 is closed iff for some node N of ℬ it holds □ ∈ 𝒞 ∪ 𝒳, where Λ(N) = (𝒜, 𝒞, 𝒳). 
Otherwise it is open. An ALT 𝒯 is closed iff every branch of 𝒯 is closed, otherwise 
it is open. The branch ℬ is finished iff ℬ is closed or no extension step is applicable 
to the leaf of ℬ. An ALT 𝒯 is finished iff every branch of 𝒯 is finished. The term un- 
finished means “not finished”. A derivation 𝒟 (for given 𝒞 and 𝒳) is a sequence 
𝒯0, 𝒯1, ... of ALTs, such that 𝒯0 is obtained by an initialization step, and for 
i > 0, 𝒯i is obtained by an extension step applied to 𝒯i−1. A derivation 𝒟 is fair iff it 
does not end in an unfinished ALT. 

Remark 8. The ALTs are the objects that are actually computed with. Observe that a 
fair derivation either ends in a closed ALT (which means that the set 𝒞 ∪ 𝒳 is unsatis- 
fiable), or ends in an open ALT with at least one open and finished branch (which, as 
will be shown, represents a functional description of a model for 𝒞 ∪ 𝒳), or does not 
terminate (which will be shown to be impossible in Lemma 2). 

An effective proof procedure can be constructed by the simplest greedy strategy: 
start with an ALT for 𝒞 and 𝒳 by an initialization step, and apply extension steps as 
long as possible. Thereby, one would actually pursue only one branch at a time, not 
further extend closed branches and delete closed branches from memory as soon as 
derived. Under this regime, only polynomial space is consumed. 

We do not specify a sophisticated proof procedure here, in particular since the de- 
sign of an efficient proof procedure that takes advantage of good strategies for the un- 
specified parameters (selection of literals, actual preference of inference rules) depends 
on practical experiments which have not been carried out yet. For instance, it seems 
natural to choose, among the possible selections of literals in xor-clauses, those that 
maximize the future application of the Eqv or Unit rules. Fortunately, the correctness 
proof in the next section guarantees that any setting within the inference rule prefer- 
ences stated in Definition 4 is complete. 
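The greedy strategy of this section with the rule preferences of Definition 4, as an added Python example that is not the authors' implementation: it runs Simp, Red, Unit, Select, Gauss and Split on a set of or-clauses and a set of xor-clauses and returns an open finished branch as a functional description of a model (assignments plus the xor-clauses with their selected atoms), or None for a closed tree; explicit_model then follows Remark 6. The optional Eqv rules are left out. Assumptions of this example: xor-clauses use the GF(2) equation representation of Section 5 extended with a selected atom, so ⊕-Red is implicit; atoms are strings and "⊤" stands for ⊤; Select takes the smallest atom of the first eligible clause; Split tries A/⊤ before A/¬⊤. The inputs in the test are constructed, Example 1's xor-clauses among them.

```python
# Added example, not the paper's implementation: greedy Gauss-DPLL (Sect. 6-7).
# Or-clauses are lists of (atom, positive); a xor-clause is (frozenset of atoms,
# rhs, selected atom or None) meaning "⊕ atoms = rhs", with ¬A and ⊤ folded into
# rhs as in Sect. 5; assignments are a dict atom -> literal (functional, idempotent).
TOP = "⊤"


def as_term(lit):                       # literal = (atom, or None for ⊤) xor a constant
    atom, positive = lit
    if atom == TOP:
        return None, 1 if positive else 0
    return atom, 0 if positive else 1


def extend(assignments, atom, lit):     # A∘(A/L) of Def. 3
    assert atom not in assignments and lit[0] not in assignments
    new = {b: ((lit[0], lit[1] if k[1] else not lit[1]) if k[0] == atom else k)
           for b, k in assignments.items()}
    new[atom] = lit
    return new


def simp_or(clause, assignments):
    """∨-Simp then ∨-Red; None means the clause became ⊤ and is dropped."""
    seen = {}
    for atom, positive in clause:
        if atom in assignments:
            t_atom, t_pos = assignments[atom]
            atom, positive = t_atom, (t_pos if positive else not t_pos)
        if atom == TOP:
            if positive:
                return None
            continue                                  # ¬⊤ ∨ C ⇒ C
        if seen.get(atom, positive) != positive:      # A ∨ ¬A ∨ C ⇒ ⊤
            return None
        seen[atom] = positive                         # L ∨ L ∨ C ⇒ L ∨ C
    return sorted(seen.items())


def simp_xor(eq, assignments):
    """⊕-Simp (⊕-Red is implicit); a substituted selected atom loses its selection."""
    atoms, rhs, sel = eq
    for a in list(atoms):
        if a in assignments:
            t_atom, const = as_term(assignments[a])
            atoms ^= {a}
            if t_atom is not None:
                atoms ^= {t_atom}
            rhs ^= const
            if sel == a:
                sel = None
    return atoms, rhs, sel


def gauss_dpll(assignments, or_clauses, xor_eqs):
    """One open finished branch as (assignments, xor definitions), or None if closed."""
    A, C, X = dict(assignments), list(or_clauses), list(xor_eqs)
    while True:
        C = [nf for nf in (simp_or(cl, A) for cl in C) if nf is not None]   # Simp/Red first
        X = [simp_xor(eq, A) for eq in X]
        if [] in C or any(not atoms and rhs for atoms, rhs, _ in X):
            return None                               # empty (x)or-clause: branch closed
        X = [eq for eq in X if eq[0]]                 # drop 0 = 0
        unit = next((cl for cl in C if len(cl) == 1), None)          # ∨-Unit
        if unit is not None:
            C.remove(unit)
            A = extend(A, unit[0][0], (TOP, unit[0][1]))
            continue
        unit = next((eq for eq in X if len(eq[0]) == 1), None)       # ⊕-Unit
        if unit is not None:
            X.remove(unit)
            A = extend(A, next(iter(unit[0])), (TOP, unit[1] == 1))
            continue
        applied = False                  # Gauss: eliminate each selected atom from the other clauses
        for i, (atoms, rhs, sel) in enumerate(X):
            for j, (atoms2, rhs2, sel2) in enumerate(X):
                if sel is not None and i != j and sel in atoms2:
                    resolvent = atoms ^ atoms2
                    X[j] = (resolvent, rhs ^ rhs2, sel2 if sel2 in resolvent else None)
                    applied = True
        if applied:
            continue
        selected = {eq[2] for eq in X if eq[2] is not None}          # Select
        k = next((k for k, eq in enumerate(X) if eq[2] is None and not (eq[0] & selected)), None)
        if k is not None:
            X[k] = (X[k][0], X[k][1], min(X[k][0]))
            continue
        if not C:
            return A, X                               # functional description of a model
        atom = C[0][0][0]                             # Split, A/⊤ before A/¬⊤
        for value in (True, False):
            result = gauss_dpll(extend(A, atom, (TOP, value)), C, X)
            if result is not None:
                return result
        return None


def explicit_model(assignments, xor_eqs, free_value=False):
    """Remark 6: free atoms get free_value, then definitions and assignments are evaluated."""
    val = {a: free_value for atoms, _, sel in xor_eqs for a in atoms if a != sel}
    for atoms, rhs, sel in xor_eqs:
        val[sel] = bool(rhs) ^ (sum(val[a] for a in atoms if a != sel) % 2 == 1)
    for a, (t_atom, t_pos) in assignments.items():
        base = True if t_atom == TOP else val.setdefault(t_atom, free_value)
        val[a] = base if t_pos else not base
    return val
```

On Example 1's xor-clauses the procedure stops with E/⊤ and the two definitions A = 1 ⊕ C and B = 1 ⊕ C, i.e. an under-determined system with C as the independent atom, without ever splitting; Split is only reached when an or-clause remains, as the applicability condition of Split demands.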

8 Correctness 

The soundness proof - that any closed ALT for C and Vindicates unsatishahility of 
CUV - is done by standard means and is omitted. To show completeness, we first show 
that exhaustive application of the inference rules always terminates: 

Lemma 2 (Termination). Any derivation D for given C and X is finite. 

Proof. It suffices to show that no branch can be endlessly extended. At the heart of this 
proof are well-founded, strict partial orderings on clauses associated to the nodes N 

of the constructed ALTs. As a preliminary step, let be a binary relation over atoms 
associated to node N, which is defined inductively as follows: 

{ {(A, T) I A is an atom}, if N is the root node 

U {(A/L) I (A/L) G 

U {(|V|,|Li|),...,(|V|,|L^|) |V©Li0---©L^GV} , 
where LfN) = (PL, C, V), if N has the immediate ancestor node N'. 
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That is, >N starts in a trivial way, and gets enlarged as new assignments come up or 
selections are done when going down the branches. An important detail is that >N 
monotonically increases in this process. 

The transitive closure of >at is denoted by In order to compare clauses take the 
usual multiset extension of the literal ordering in which L\ is strictly greater than 
Z .2 iff \L \ I >N IT 2 I or else L\ = ^Z .2 (i-C- is greater than A). It is well-known that if 
is a strict, well-founded ordering (on atoms), as will be shown below, so is (on 
clauses). 

We need several invariants to hold for each node N, where X{N) = (JT, C,X): 

(i) If lA"! >N |L|, then (a) lA"! is the left hand side of an assignment in JT, or (b) K or K 
is the selected literal in some xor-clause in X. 

(ii) For each selected atom A G sel(A) there is exactly one xor-clause C G X such that 
A or ^A is a selected literal in C. Furthermore, this literal is the only selected literal 
occurrence in C. 

(iii) If N has an immediate ancestor node N' and sel(A) C sel(A'), where = 

(Ji', C',X'), then either the 0-Simp rule or the 0-Unit rule or the 0-Eqv rule is 
applied to N' to obtain N (but no other rule). That is, if a selection is lost, these are 
the only possible sources. 

(iv) The relation 0 at is a strict partial ordering on atoms. 

(v) If A has an immediate ancestor node A' and Seiect is applied to A', then >ivD >n/. 

The proof of the invariants is omitted here for space reasons; it can be found in the full 
version. They are used now to argue for termination. We feel no need for a completely 
formal presentation of the lexicographic ordering underlying the following argumenta- 
tion. 

Suppose, to the contrary, there is an infinite sequence of branches 2^, . . . such 

that, for j > 0, 'Bj is a branch of some % of the given derivation (written as in Def.H, 
and that an extension step is applied to the leaf of Bj, and Bj^i is a branch result- 
ing from this application. We are now investigating possible sources for this branch 
sequence to be infinite. 

First, from some point in time on, the >A?-relation is the same (referring to the leaves 
of the branches in the considered branch sequence), because only finitely many literals 
are at disposal, and >Nj C >Nj+i by construction of >n, where Nj is the leaf of Bj. 

Consequently, together with invariant (v), the Select rule is applied a last time along 
the considered branch sequence. 

Second, each of V-Unit, 0-Unit, and Split is applied a last time, because each of them 
strictly increases the set of assignment it modifies. This was argued for in Remarks J 
andQ Clearly, this strictness suffices as a proof for the claim. 

Third, each Eqv rule is applied a last time. The arguments are the same is in “sec- 
ond”, by using Remark^ 

Fourth, the rules mentioned at “second” and “third” are the only ones to extend 
assignments. Hence, from some point in time on, the set of assignments is the same in 
each leaf of the considered branch sequence. 

Fifth, from “fourth” and the idempotency of assignments (cf. again Remarks [..] and [..]) it follows immediately that the Simp rules are applied a last time.

Sixth, hence, only the Gauss and Red rules remain as sources for infiniteness of the branch sequence. To show this impossibility, observe that with “first” the ordering $\succ_N$ is the same from some point in time on (invariant (iv) guarantees that $\succ_N$ is indeed a well-founded, strict partial ordering). Further, the ordering is made such that the Gauss and Red rules both work strictly decreasing. More precisely, the Gauss rule refers to the Gauss$^{\neg}$ and Gauss$^{+}$ rules. These are applied with a left premise, in which $L$ is the only selected literal (cf. the applicability condition of Gauss and invariant (ii)) and which is strictly larger than each of the rest literals (by construction of the ordering). Hence, the right premise strictly decreases wrt. $\succ_N$. For the Red rules it is straightforward to check that they work strictly decreasing wrt. $\succ_N$, provided they are applicable. An important detail is to make $\neg A$ bigger than $A$.

Hence, in sum, with Gauss and Red working strictly decreasing wrt. $\succ_N$, which is the same from some point in time on, both of them are applied a last time.

All inference rules are now shown to be applied a last time along the considered branch sequence. Hence it must be finite, and thus the lemma is proven.



Theorem 1 (Completeness). Let $D$ be a fair derivation for a set of or-clauses $C$ and a set of xor-clauses $X$. Then, $D$ is finite, and if the last ALT $\mathcal{T}$ in $D$ is open, then $C \cup X$ is satisfiable.

This is our main result. Observe that in the contrapositive direction it just expresses 
refutation completeness. 

Proof. Finiteness of $D$ is given by Lemma [..]. Therefore suppose that $\mathcal{T}$ is the last ALT in $D$, and that $\mathcal{T}$ is open. We are concentrating on an open and finished branch $\mathcal{B}$ in $\mathcal{T}$, which must exist according to Remark [..]. Let $N$ be the leaf of $\mathcal{B}$, and $L(N) = (\mathcal{A}, C, X)$.

The first observation is that $C = \{\}$ or $C = \{\top\}$ (which is equivalent). The proof is by contradiction: the case that $C$ contains the empty clause is impossible, because then $\mathcal{B}$ would be closed. Also, if $C$ would consist of clauses containing the symbol $\top$ only (with the single exception of the clause $\top$), it would have been simplified to either $C = \{\}$, $C = \{\top\}$ or $C = \{\Box\}$ (contradicting the finishedness of $\mathcal{B}$). Hence $C$ contains at least a clause with a literal different from $\top$. Let $L$ be such a literal. But then Split with $|L|$ would have been applied, contradicting finishedness of $\mathcal{B}$ again. This completes the proof that $C = \{\}$ or $C = \{\top\}$.

Thus, to construct a model, we have to consider $\mathcal{A}$ and $X$ only. We use the strategy indicated in Remark [..]: we give an arbitrary value to the variables that are not selected in $X$, and we show how to extend $\mathcal{A}$ to a model.

Fact: in each clause $C \in X$ there is exactly one occurrence of a selected literal, and all the selected literals are pairwise different (modulo sign). This is due to invariant (ii) in the proof of Lemma [..] and the finishedness of $\mathcal{B}$. For, if in some $C \in X$ no literal would be selected, and Select is not applicable to $C$, then some literal in $C$ is selected in a different clause (modulo sign), and thus Gauss would be applicable, contradicting finishedness.

Now take any literal $L$ occurring in $X$ but such that $|L| \notin sel(N)$. Add it as an assignment $|L|/\top$ (or $|L|/\neg\top$) to $\mathcal{A}$. $\mathcal{A}$ must still be idempotent and functional, because as a consequence of finishedness, $|L|$ must be undefined in $\mathcal{A}$, and so Lemma [..] is applicable. Repeat this, until all non-selected literals receive an explicit (arbitrary) truth value in $\mathcal{A}$.

Finally, only the selected literals in $X$ do not have explicit truth values in $\mathcal{A}$. Since each of them occurs only once in a clause in $X$ (by the above fact), their truth values can be chosen locally to the containing clauses as the appropriate parity for the rest clause, which has been completely specified by the arbitrary assignments. Furthermore, by the fact again, this can be done for every xor-clause in $X$. Hence, for each such selected literal $L$ and its appropriate truth value, add a respective assignment $|L|/\top$ (or $|L|/\neg\top$) to $\mathcal{A}$. This is possible, because, by finishedness again, $L$ must be undefined in $\mathcal{A}$ (by the $\oplus$-Simp rule). Finally, explicit truth assignments for all the literals occurring as right hand sides in $\mathcal{A}$ are added arbitrarily. This procedure results in a functional assignment to either $\top$ or $\neg\top$ for all atoms, which is just a model.
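The model construction of the proof, as an added example that is not code from the paper: the leaf's xor-clauses are given with their selected atoms (the "fact" above is checked first), non-selected atoms get arbitrary values, and each selected atom is then fixed locally by the parity of the rest of its clause. The encoding of literals as signed integers, the parity reading of an xor-clause, and the flattening of the functional assignment $\mathcal{A}$ to a plain partial truth assignment are our assumptions.

```python
# Added example (not the paper's code): the model construction from the
# completeness proof.  Assumed representation: an atom is a positive int,
# a literal is +a (A) or -a (not A); an xor-clause L1 (+) ... (+) Lm is
# satisfied by a model iff an odd number of its literals is true.  The xor
# part X of the leaf is given as a list of (literals, selected_atom) pairs.
from typing import Dict, List, Optional, Tuple

XorClause = Tuple[List[int], int]  # (literals of the clause, its selected atom)


def literal_value(lit: int, model: Dict[int, bool]) -> bool:
    """Truth value of a literal under a model that defines its atom."""
    value = model[abs(lit)]
    return value if lit > 0 else not value


def xor_satisfied(lits: List[int], model: Dict[int, bool]) -> bool:
    """An xor-clause holds iff an odd number of its literals is true."""
    return sum(literal_value(l, model) for l in lits) % 2 == 1


def selection_fact_holds(clauses: List[XorClause]) -> bool:
    """The 'fact' used in the proof: every clause has exactly one selected
    literal, the selected atoms are pairwise different (modulo sign), and a
    selected atom occurs in no other xor-clause."""
    selected = [sel for _, sel in clauses]
    if len(selected) != len(set(selected)):
        return False
    for lits, sel in clauses:
        atoms = [abs(l) for l in lits]
        if atoms.count(sel) != 1:
            return False
        if any(abs(l) in selected and abs(l) != sel for l in lits):
            return False
    return True


def extend_to_model(clauses: List[XorClause],
                    partial: Dict[int, bool]) -> Optional[Dict[int, bool]]:
    """Extend the leaf's assignment (here a plain partial truth assignment,
    assumed to leave every selected atom undefined) to a model of X, following
    the proof: (1) give the non-selected atoms an arbitrary value, (2) fix each
    selected atom locally by the parity of the rest of its clause.
    Returns None if the selection fact is violated."""
    if not selection_fact_holds(clauses):
        return None
    selected = {sel for _, sel in clauses}
    model = dict(partial)
    # (1) arbitrary (here: false) values for the non-selected atoms
    for lits, _ in clauses:
        for lit in lits:
            if abs(lit) not in selected and abs(lit) not in model:
                model[abs(lit)] = False
    # (2) the selected literal of each clause makes the clause's parity odd;
    #     the rest literals are all non-selected, hence already defined
    for lits, sel in clauses:
        rest_parity = sum(literal_value(l, model)
                          for l in lits if abs(l) != sel) % 2
        sel_lit = next(l for l in lits if abs(l) == sel)
        want_literal_true = rest_parity == 0
        model[sel] = want_literal_true if sel_lit > 0 else not want_literal_true
    return model


# Constructed sample: three xor-clauses over atoms 1..6 with selected atoms
# 1, 4, 6, each occurring in exactly one clause (the situation after Gauss).
SAMPLE_X: List[XorClause] = [([1, 2, 3], 1), ([-2, -4], 4), ([3, -5, 6], 6)]


def demo() -> Dict[int, bool]:
    """Build a model of SAMPLE_X from the partial assignment {2: True}."""
    model = extend_to_model(SAMPLE_X, {2: True})
    assert model is not None
    assert all(xor_satisfied(lits, model) for lits, _ in SAMPLE_X)
    return model


if __name__ == "__main__":
    print(demo())
```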



9 Conclusions 



In this paper we have presented a decision procedure called Gauss-DPLL for combined 
clausal and affine logic (i.e. clauses with xor as the connective). 

We have argued that procedures to solve such problems are needed to efficiently decide respective problems, which occur frequently in real-world applications like circuit verification and logical cryptanalysis. Gauss-DPLL is a tight integration in a unifying framework of a Gauss-Elimination procedure (for affine logic) and a Davis-Putnam-Logemann-Loveland procedure (for usual clause logic).

The main ideas, which distinguish our approach from other approaches in the literature, are the following: first, we provide a coherent treatment of both or- and xor-clauses which specializes to optimized decision procedures when the input is restricted to either of them. Second, we allow for a heavy interleaving of the two parts with the purpose to maximize (deterministic) simplification by passing around newly created unit or binary clauses in either of these parts. Last, but not least, we are able to stop the search and output a functional description of the model rather than a completely specified model.

As noted in [..], the explicit handling of equivalences makes it possible to transform exponentially long proofs of hard DIMACS benchmarks by Dubois and Pretolani using classical DPLL into short polynomial proofs. This result is accomplished by Li using rules corresponding to restricted versions of boolean reduction, simplifications and equivalences. The Gauss-DPLL procedure also inherits that speed-up over classical DPLL.

The calculus is not implemented yet, but we plan to do so in the near future. 
Abstract. A new deduction-based procedure is presented for non-Horn, so-called DR-sequents with repetitions of a restricted first-order linear temporal logic with temporal operators “next” and “always”. The main part of the proposed deductive procedure is automatic generation of the inductive hypothesis. The proposed deductive procedure consists of three separate decidable deductive procedures replacing the infinitary omega-type rule for the operator “always”. These three decidable parts cannot be joined. Therefore the proposed deductive procedure (by analogy with $\omega$-completeness) is only $\omega$-decidable. The specific shape of DR-sequents allows us in all the three parts of the proposed deductive procedure to construct: (1) a deduction tree in some linear form, i.e., with one “temporal” branch; (2) length-preserving derivations, i.e., the lengths of generated sequents are the same.



1 Introduction 



Temporal logic has been found valuable for the specification of various computer systems and multi-agent systems (see, e.g., [3]). To use such specifications, however, it is necessary to have techniques for reasoning on temporal logic formulas. Model-checking methods are effective and automatic for temporal formulas that are propositional. For more complex systems, however, it is necessary or convenient to employ a first-order temporal logic (FTL, in short). FTL is a very expressive language (see, e.g., [1]). Unfortunately, FTL is incomplete, in general (see, e.g., [1, 10]). But it becomes complete (see, e.g., [5, 11]) after adding an $\omega$-type rule (which we present in the sequent version):



$$\frac{\Gamma \to \Delta, A;\ \ldots;\ \Gamma \to \Delta, \circ^k A;\ \ldots}{\Gamma \to \Delta, \Box A}\ (\to \Box_\omega)$$

where $\circ^k A$ means “$k$-time next $A$”. So, FTL is $\omega$-complete, in general. In some particular cases, the FTL (and, of course, in the propositional case) is finitary complete and/or decidable (see, e.g., [4]).

The deductive procedure $Sat_\omega$, proposed here, is based on a revised version of saturation-type [6, 7] calculi devoted to consider some complete classes of FTL. The object of consideration of $Sat_\omega$ is the so-called DR-sequents with repetitions, that are a certain skolemized version of M. Fisher’s normal form [2].
The shape of DR-sequents allows us to construct decidable “loop-free” calculi for “induction-free” DR-sequents, i.e., without positive occurrence of $\Box$, and for DR-sequents “with induction”, i.e., containing positive occurrence of $\Box$. The proposed deductive procedure $Sat_\omega$ for DR-sequents consists of three separate decidable parts. The goal of the first part of $Sat_\omega$ is to obtain (from a given DR-sequent $S$) a so-called elementary DR-sequent $S^*$. The problem of generating an elementary DR-sequent is decidable, i.e., after a finite number of steps we get either $Sat_\omega \vdash S^*$ (if the given DR-sequent $S$ is valid) or $Sat_\omega \nvdash S^*$ (if $S$ is invalid). The goal of the second part of $Sat_\omega$ is to construct the so-called similarity substitution $\sigma$ (each component of which is periodic, for example, $x^* \leftarrow f_1(\ldots(f_n(x^*))\ldots)$) and the sequent $S_p$, which is identical to $S^*\sigma$, where $S^*\sigma$ differs from $S^*$ only by the values of the variables, which are determined by the similarity substitution $\sigma$. The problem of generating the similarity substitution $\sigma$ and the sequent $S_p$ such that $S_p = S^*\sigma$ is decidable, i.e., after a finite number of steps we get either $Sat_\omega \vdash S_p$ (if the given DR-sequent $S$ is valid), or $Sat_\omega \nvdash S^*\sigma$ (if $S$ is invalid). With the aid of the obtained similarity substitution $\sigma$ the inductive hypothesis of the shape $S^*\sigma^n$ ($n \in \omega$) is constructed directly. Then the generated inductive hypothesis $S^*\sigma^n$ is verified, i.e., it is checked that $Sat_\omega \vdash S^*\sigma^n$ ($n \in \omega$). This verification is carried out by induction on $n$. The basis case, i.e., that $Sat_\omega \vdash S^*\sigma$, is the same as the second stage of $Sat_\omega$. The step of induction, i.e., that $Sat_\omega \vdash S^*\sigma^n \Rightarrow Sat_\omega \vdash S^*\sigma^{n+1}$, is realized in the third stage of $Sat_\omega$. If all three parts are successful, then $Sat_\omega \vdash S$, i.e., the given DR-sequent $S$ is valid. The second and third parts of $Sat_\omega$ cannot be connected: we cannot deduce the sequent $S^*\sigma^n$. We can only automatically test that from the assumption $S^*\sigma^n$ it is possible (or not) to deduce a sequent $S_p$ such that $S_p = S^*\sigma^{n+1}$. The second and third parts make up the main stage of the proposed deductive procedure $Sat_\omega$. Together they replace the $\omega$-rule $(\to \Box_\omega)$ for DR-sequents. The specific shape of DR-sequents enables us in all three parts of $Sat_\omega$ to construct: (1) a deduction tree in some linear form, i.e., with one “temporal” branch; (2) length-preserving derivations, i.e., the lengths of generated sequents are the same. These properties demonstrate a high degree of mechanization of the proposed deductive procedure. Since all three parts of $Sat_\omega$ are decidable (but not joinable!), by analogy with $\omega$-completeness, we can say that the deductive procedure $Sat_\omega$ is $\omega$-decidable.

In general, we call a deductive procedure for an $\omega$-complete logic $\omega$-decidable, if it consists of $n > 1$ separate, not joinable, decidable deductive procedures. Let $P_\omega$ be an $\omega$-decidable deductive procedure and $D_\omega$ be the objects (sequents or formulas) of consideration of $P_\omega$. Then $D_\omega$ compose an $\omega$-decidable class. Therefore, $\omega$-decidability is a natural extension of the traditional decidability which is applied to a complete logic or a subset of the complete logic.

The paper is organized as follows. Section 2 introduces a loop-free infinitary (i.e., with the $\omega$-rule $(\to \Box_\omega)$) calculus $G^*_{L\omega}$ containing instead of the traditional loop rule $(\Box \to)$ a non-traditional, nonlocal loop-free rule, and an induction-free (i.e., without the $\omega$-rule $(\to \Box_\omega)$) decidable calculus $G^*$. The infinitary calculus $G^*_{L\omega}$ is sound and complete with respect to DR-sequents. In section 3, the three separate decidable parts constituting the proposed deductive procedure $Sat_\omega$ are described and founded. The equivalence between the proposed procedure $Sat_\omega$ and the infinitary calculus $G^*_{L\omega}$ is sketched. In section 4, conclusions, related works and future investigations are described briefly.

2 Infinitary Calculus $G^*_{L\omega}$ and Induction-Free Calculus $G^*$

The proposed deductive procedure $Sat_\omega$ is founded using the loop-free infinitary calculus $G^*_{L\omega}$ containing a non-traditional, non-local loop-free rule instead of the traditional loop rule $(\Box \to)$. Since the objects of consideration of the calculus $G^*_{L\omega}$ are DR-sequents (see below), the calculus $G^*_{L\omega}$ does not contain any logical rules. For simplicity, we consider only one-place predicate and function symbols; also, we assume that all the predicate symbols are flexible (i.e., change their value in time), and all function symbols are rigid (i.e., with time-independent meanings). We consider only skolemized formulas.

In the first-order linear temporal logic we have that $\circ(A \odot B) = \circ A \odot \circ B$ ($\odot \in \{\supset, \wedge, \vee\}$) and $\circ\sigma A = \sigma\circ A$ ($\sigma \in \{\neg, \Box, \forall x, \exists x\}$). Relying on these equivalences we can consider occurrences of the “next” operator $\circ$ only entering the formula $\circ^k E$ (where $E$ is an elementary formula, i.e., the expression of the shape $P(t)$, where $P$ is a predicate symbol, $t$ is a term). For the sake of simplicity, we “eliminate” the “next” operator and the formula $\circ^k E$ is abbreviated as $E^k$ (i.e., as an elementary formula with the index $k$). We also use the notation $A^k$ for an arbitrary formula $A$ in the following meaning.

Definition 1 (Index, Atomic Formula). 1) If $E$ is an elementary formula, $i, k \in \omega$, $k \neq 0$, then $(E^i)^k := E^{i+k}$ ($E^0 := E$); $E^l$ ($l \neq 0$) is called an atomic formula, and $E^l$ becomes elementary if $l = 0$; 2) $(A \odot B)^k := A^k \odot B^k$ if $\odot \in \{\supset, \wedge, \vee\}$; $(\sigma A)^k := \sigma A^k$ if $\sigma \in \{\Box, \forall x, \exists x\}$. For example, the expression $\forall x(P^{i}(x) \supset Q^{j}(f(x)))^{k}$ means the formula $\forall x(P^{i+k}(x) \supset Q^{j+k}(f(x)))$.



Definition 2 (Sequent). A sequent is an expression of the form $\Gamma \to \Delta$, where we assume that $\Gamma, \Delta$ are arbitrary finite multisets (i.e., not sequences or sets) of formulas.



Definition 3 (Kernel Formula). Formulas of the shape $\Box\forall x(Q^{l}(f(x)) \supset E^{k}(x))$ are called the kernel formulas, if $E^{k}(x)$ is an atomic formula without function symbols (called the conclusion of the kernel formula); if $k = 0$, then the kernel formula is called the elementary one; $Q^{l}(f(x))$ is an atomic formula (called the premise formula of the kernel), where $f(x) = f_1(f_2(\ldots(f_n(x))\ldots))$ ($f_i$ ($1 \leq i \leq n$) is a one-place function symbol), called an eigen-term of the kernel premise.



Definition 4 (DR-Sequents, Induction-Free DR-Sequents, Elementary DR-Sequents). A sequent $S$ is a DR-sequent if $S$ has the shape $\Box\Omega \to \Sigma, \Pi^l, \sigma^\Box\Delta$, where $\sigma^\Box \in \{\emptyset, \Box\}$; $\Sigma = \emptyset$ or consists of elementary formulas, $\Pi^l = \emptyset$ or consists of atomic formulas of the form $E^l$ ($l > 0$) ($\Sigma, \Pi^l$ is the parametrical part of a DR-sequent); $\Box\Omega$ consists of kernel formulas; $\Delta = \exists y_1, \ldots, y_m \bigvee_{i=1}^{m} \neg E_i(y_i)$ ($m \leq n$), where $E_i(y_i)$ is an atomic formula. If $\sigma^\Box = \emptyset$, i.e., if $S = \Box\Omega \to \Sigma, \Pi^l, \Delta$, then $S$ is called an induction-free DR-sequent. A DR-sequent is an elementary one if all kernel formulas are elementary ones. We assume that all eigen-terms of kernel premises are different. Besides, a DR-sequent must satisfy the following conditions:

(1) let $E^l$ be a parametrical formula, then $E^l = E_i^l(f_i(x^*))$, where $E_i^k(f_i(x))$ is the premise of a kernel formula and $l < k$ (saturation condition);

(2) for any kernel formula $\Box\forall x(Q^{l}(f(x)) \supset E^{k}(x))$ there must be $k < l$ (kernel index condition);

(3) for each kernel conclusion there exists a kernel premise having the same predicate symbol and vice versa (bounded connectivity condition);

(4) there exist at least two kernel conclusions with the same predicate symbol (kernel conclusion repetitions condition).

From the bounded connectivity condition and the notion of sequent we get the following

Lemma 1. Let $S = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$ be a DR-sequent, then the kernel $\Box\Omega$ can be “ordered” in the following way: $\Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E^{l_1}(x_1)), \Box\forall x_2(E_2^{k_2}(f_2(x_2)) \supset E_1^{l_2}(x_2)), \ldots, \Box\forall x_n(E_n^{k_n}(f_n(x_n)) \supset E_{n-1}^{l_n}(x_n))$, $k_i > l_i$, $1 \leq i \leq n$, and $E = E_n$.



Remark 1. (a) Since we consider DR-sequents with repetitions (see the kernel conclusion repetitions condition), the same DR-sequent might have different ordered kernels. For example, let $\Box\Omega^1 = \Box\forall x_1(E^{k_1}(f(x_1)) \supset E^{j_1}(x_1)), \Box\forall x_2(E^{k_2}(h(x_2)) \supset E^{j_2}(x_2)), \Box\forall x_3(E^{k_3}(g(x_3)) \supset E^{j_3}(x_3))$. The kernel $\Box\Omega^1$ has the shape indicated in Lemma 1, therefore $\Box\Omega^1$ is an ordered kernel. It is easy to present another ordered kernel of the following shape: $\Box\forall x_1(E^{k_1}(f(x_1)) \supset E^{j_1}(x_1)), \Box\forall x_2(E^{k_3}(g(x_2)) \supset E^{j_3}(x_2)), \Box\forall x_3(E^{k_2}(h(x_3)) \supset E^{j_2}(x_3))$. It should be stressed that, if we choose some ordering of the kernel, then this ordering must be fixed forever, i.e., after fixing the ordering we consider the kernel $\Box\Omega$ not as a multiset but as a list.

(b) A Horn-like version (so-called D-sequents) of DR-sequents is of the following shape: $\Sigma, \Pi^l, \Box\Omega \to \sigma^\Box\Delta$, where $\Sigma$ ($\Pi^l$) consists of elementary (atomic, respectively) formulas, $\sigma^\Box \in \{\emptyset, \Box\}$; $\Delta = \exists y_1, \ldots, y_m \bigvee_{i=1}^{m} E_i(y_i)$ ($m \leq n$) ($E_i(y_i)$ is an atomic formula); the kernel $\Box\Omega$ consists of formulas of the shape $\Box\forall x(E^{k}(x) \supset Q^{l}(f(x)))$, where $k < l$. The $\omega$-decidable deductive procedure for Horn-like D-sequents is described and founded in [9].



Definition 5 (Fixed-Ordered DR-Sequents: FODR-Sequents). A DR-sequent with a fixed ordered kernel is a fixed-ordered DR-sequent (in short: FODR-sequent).
Definition 6 (Compatible Kernel and Parametrical Formulas). Let $S = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$ be a FODR-sequent and $\Box\Omega = \Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E(x_1)), \Box\forall x_2(E_2^{k_2}(f_2(x_2)) \supset E_1(x_2)), \ldots, \Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1})), \ldots, \Box\forall x_n(E_n^{k_n}(f_n(x_n)) \supset E_{n-1}(x_n))$ (where $E = E_n$). Let $1 \leq i \leq n - 1$, $E_i(f_i(x^*))$ be any elementary formula from $\Sigma$, then the elementary kernel formula $\Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1}))$ is compatible with $E_i(f_i(x^*))$. The elementary kernel formula $\Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E(x_1))$ is compatible with $E_n(f_n(x_n^*))$ (where $E_n = E$).

Definition 7 (Operation (+)). Let $S = \Box\Omega \to \Sigma, \Pi^l, \sigma^\Box\Delta$ be a FODR-sequent. Let $E_i(f_i(x_i^*))$ (where $1 \leq i \leq n - 1$) be any elementary formula from $\Sigma$ and the elementary kernel formula $\Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1}))$ from the sequent $S$ be compatible with $E_i(f_i(x_i^*))$. Then operation (+) is defined as follows: $(E_i(f_i(x_i^*)))^+ := E_{i+1}^{k_{i+1}-1}(f_{i+1}(x_{i+1}^*))$ (where $x_{i+1}^*$ is a new variable such that $x_{i+1}^* \leftarrow f_i(x_i^*)$). Let $i = n$, then $(E_n(f_n(x_n^*)))^+ := E_1^{k_1-1}(f_1(x_1^*))$, where $x_1^*$ is a new variable such that $x_1^* \leftarrow f_n(x_n^*)$. Let $\Sigma = E_1(t_1), \ldots, E_n(t_n)$, then $(\Sigma)^+ := (E_1(t_1))^+, \ldots, (E_n(t_n))^+$.

Example 1. Let $\Sigma = E(f(x_1^*)), E(h(x_2^*)), E(g(x_3^*))$; $\Box\Omega = \Box\forall x_1(E^{k_1}(f(x_1)) \supset E(x_1)), \Box\forall x_2(E^{k_2}(h(x_2)) \supset E(x_2)), \Box\forall x_3(E^{k_3}(g(x_3)) \supset E(x_3))$. Then $E(f(x_1^*))$ is compatible with the elementary kernel formula $\Box\forall x_2(E^{k_2}(h(x_2)) \supset E(x_2))$; $E(h(x_2^*))$ is compatible with the elementary kernel formula $\Box\forall x_3(E^{k_3}(g(x_3)) \supset E(x_3))$; $E(g(x_3^*))$ is compatible with the elementary kernel formula $\Box\forall x_1(E^{k_1}(f(x_1)) \supset E(x_1))$. Therefore $(\Sigma)^+ := E^{k_2-1}(h(x_{21})), E^{k_3-1}(g(x_{31})), E^{k_1-1}(f(x_{11}))$, where $x_{21} \leftarrow f(x_1^*)$, $x_{31} \leftarrow h(x_2^*)$, $x_{11} \leftarrow g(x_3^*)$.

Derivations in the calculus $G^*_{L\omega}$ are constructed in the bottom-up manner in the form of an infinite tree. The values of variables in the separation rule (ISIF) (see below) will be indicated alongside with the premise of the rule in the form of substitutions $x^* \leftarrow t$, where $x^*$ is a new variable, $t$ is a corresponding term. According to that, the axiom of the calculus will be enriched by the corresponding substitution. The shape of FODR-sequents allows us to specify, in a simple way, the axiomatic substitution using the matching methodology, which is more efficient than the universal unification methodology. To specify the axiomatic substitution, let us introduce the following definitions.

Definition 8 (Solution of the Substitution). Let $\sigma := \{x_n \leftarrow f_n(x_{n-1});\ x_{n-1} \leftarrow f_{n-1}(x_{n-2});\ \ldots;\ x_1 \leftarrow f_1(x_0)\}$. Then the substitution $\sigma^* := \{x_n \leftarrow f_n(f_{n-1}(\ldots(f_1(x_0))\ldots))\}$ is called the solution of the substitution $\sigma$.

Definition 9 (Superterm of a Term). Let $p = f_1(\ldots(f_i(\ldots(f_n(x))\ldots))\ldots)$ (where $x$ is a constant or a variable) and $q = f_1(\ldots(f_i(y))\ldots)$ ($y$ is a variable) ($1 \leq i \leq n$) (in a separate case, $n = 0$), then the term $p$ is called a superterm of the term $q$ (in symbols $p \sqsupseteq q$).
Definition 10 (Matching Terms). Let $p, q$ be terms, $\sigma$ be a substitution. We say that the term $p$ matches the term $q$ if $p\sigma \sqsupseteq q$.



Definition 11 (Calculi $G^*_{L\omega}$, $G^*$). The calculus $G^*_{L\omega}$ is defined by the following postulates.

The axiom $(\exists)$: $\Box\Omega \to \Sigma, E_i(f(x^*)), \exists y_1, \ldots, y_m \bigvee_{j=1}^{m} \neg E_j(f_j(y_j))$ ($m \leq n$, $m \neq 0$, $1 \leq i \leq n$), where $f(x^*)\sigma^* \sqsupseteq f_j(y_j)$; $\sigma^*$ is the solution of $\sigma_1$, where $\sigma_1$ starts from the substitution $x^* \leftarrow t$ and $\sigma_1 \subseteq \sigma$, $\sigma$ being the list of substitutions obtained during the generation of the axiom $(\exists)$.

The rules consist of the $\omega$-type rule $(\to \Box_\omega)$ (as given in the Introduction) and the following (loop-free) integrated separation induction-free rule:

$$\frac{\ \cdots\ }{\Box\Omega, \Box\Omega^1 \to \cdots}\ (ISIF),\qquad k > 0,$$

where $\Sigma = \emptyset$ or consists of elementary formulas; $(\Sigma)^+$ means the same as in Definition 7; $\Pi^l = \emptyset$ or consists of atomic formulas of the shape $E^l$ ($l > 0$); $\Box\Omega = \emptyset$ or consists of elementary kernel formulas; $\Box\Omega^1 = \emptyset$ or consists of non-elementary kernel formulas; $B = \exists y_1, \ldots, y_m \bigvee_{i=1}^{m} \neg E_i(y_i)$ ($m \leq n$), $E_i(y_i)$ is an atomic formula.

The calculus $G^*$ is obtained from $G^*_{L\omega}$ by dropping the $\omega$-type rule $(\to \Box_\omega)$.



Analogously as in [5], using [8], we get the following 



Theorem 1. The calculus $G^*_{L\omega}$ is sound and complete for FODR-sequents.



Lemma 2. The calculus $G^*$ is decidable.

Proof. Follows from the decidability of the axiom $(\exists)$ and the shape of the rule (ISIF).

Remark 2. The saturation and bounded connectivity conditions are non-essential for the construction of the proposed deductive procedure $Sat_\omega$. The restrictions that only one-place predicate and function symbols are considered and that a conclusion of the kernel formula does not contain function symbols are also non-essential. All these restrictions allow us only to simplify the components of $Sat_\omega$. But the kernel index condition is essential for correctness of the rule (ISIF). Indeed, let $S = \Box\forall x(P^1(f(x)) \supset P(x)), \Box\forall y(P(g(y)) \supset P^1(y)) \to P(c), \exists y \neg P^1(f(g(y)))$. For the sequent $S$ the kernel index condition is destroyed. It is easy to verify that $G^* \vdash S$, but $G \nvdash S$ (where $G$ is obtained from $G^*$ replacing the rule (ISIF) by the traditional loop-rules $(\Box \to)$, $(\forall \to)$).
3 Description of the Deductive Procedure $Sat_\omega$

Let us define the generalized integrated separation rule (GIS) which is the main tool of the proposed deductive procedure $Sat_\omega$ and which is applied to any non-induction-free FODR-sequent.

Definition 12 (Generalized Integrated Separation Rule (GIS), Successful Application of (GIS)). Let $S = \Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, \Box\Delta$ be a FODR-sequent. Let $(\Sigma)^+$ mean the same as in Definition 7, then the generalized integrated separation rule (GIS) is as follows:

$$\frac{\Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, B \qquad \Box\Omega, \Box\Omega^1 \to (\Sigma)^+, \Pi, \Box B}{\Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, \Box B}\ (GIS)$$

If the left premise of (GIS), i.e., the sequent $S_1 = \Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, B$, is such that $G^* \vdash S_1$, we say that the bottom-up application of (GIS) is successful.

To define the first deductive procedure of $Sat_\omega$, let us define the kernel conclusion complexity of a FODR-sequent $S$, $\pi(S)$, which serves as a halting test for the first deductive procedure of $Sat_\omega$.

Definition 13 (Kernel Conclusion Complexity of a FODR-Sequent $S$: $\pi(S)$, Elementary FODR-Sequent). Let $S = \Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, \sigma^\Box B$ be a FODR-sequent, where $\Box\Omega$ ($\Box\Omega^1$) consists of elementary (non-elementary, respectively) kernel formulas. Let $E_1^{k_1}, \ldots, E_n^{k_n}$ be the list of all kernel conclusions, then the kernel conclusion complexity of the FODR-sequent $S$ (denoted as $\pi(S)$) is defined as $\max(k_1, \ldots, k_n)$. If $\pi(S) = 0$, then the FODR-sequent $S$ is an elementary one.

Now, let us define the first deductive procedure of $Sat_\omega$, named the preliminary $k$-th resolvent (denoted by $PRe^k(S)$). The aim of $PRe^k(S)$ is to generate (from a given FODR-sequent $S$) the elementary FODR-sequent $S^*$.

Definition 14 (Preliminary $k$-th Resolvent: $PRe^k(S)$). Let $S$ be a FODR-sequent, then the preliminary $k$-th resolvent of the FODR-sequent $S$ (in symbols: $PRe^k(S)$) is defined in the following way: $PRe^0(S) = S$. Let $PRe^k(S) = S_k = \Box\Omega, \Box\Omega^1 \to \Sigma, \Pi^l, \sigma^\Box B$. Then $PRe^{k+1}(S)$ is defined in the following way:

1. Let us bottom-up apply the rule (GIS) to $S_k$ and let $S_{k1}, S_{k2}$ be the left and right premise of the application of (GIS).

2. If $G^* \nvdash S_{k1}$, then $PRe^{k+1}(S) = \bot$ (false) and the calculation of $PRe^{k+1}(S)$ is stopped.

3. Let $G^* \vdash S_{k1}$ (i.e., the bottom-up application of (GIS) is successful), then $PRe^{k+1}(S) = S_{k2}$.

4. If $PRe^{k+1}(S) = S_{k2}$ and $k + 1 = \pi(S)$, then the calculation of $PRe^{k+1}(S)$ is finished.



Using the decidability of the calculus G* we get the following 
Lemma 3. For a given FODR-sequent $S$ the problem of generating the elementary sequent $S^*$ is decidable.

Example 2. Let $S = \Box\Omega^1 \to E^{l_1}(f(x_1^*)), E^{l_2}(h(x_2^*)), E^{l_3}(g(x_3^*)), E^{l_4}(g(x_1^*)), \Box\Delta$, where $\Box\Omega^1$ is the same as in Remark 1(a), i.e., $\Box\Omega^1 = \Box\forall x_1(E^{k_1}(f(x_1)) \supset E^{j_1}(x_1)), \Box\forall x_2(E^{k_2}(h(x_2)) \supset E^{j_2}(x_2)), \Box\forall x_3(E^{k_3}(g(x_3)) \supset E^{j_3}(x_3))$, and $\Delta = \exists y(\neg E(y) \vee \neg E^{l}(y) \vee \neg E^{l'}(y))$. Let us construct the elementary FODR-sequent $S^*$ using the procedure $PRe^k(S)$. Since $S_{11} = \Box\Omega^1 \to E^{l_1}(f(x_1^*)), E^{l_2}(h(x_2^*)), E^{l_3}(g(x_3^*)), \Delta$ is the axiom $(\exists)$, $G^* \vdash S_{11}$. Therefore, by definition, $PRe^1(S) = S^* = \Box\Omega \to E^{l_1'}(f(x_1^*)), E^{l_2'}(h(x_2^*)), E^{l_3'}(g(x_3^*)), \Box\Delta$, which is the elementary FODR-sequent, where $\Box\Omega = \Box\forall x_1(E^{2}(f(x_1)) \supset E(x_1)), \Box\forall x_2(E^{3}(h(x_2)) \supset E(x_2)), \Box\forall x_3(E^{4}(g(x_3)) \supset E(x_3))$.

Now we are going to define the basis part of $Sat_\omega$, the saturated $k$-th resolvent (in symbols: $SRe^k(S^*)$). The aim of $SRe^k(S^*)$ is to generate (from the elementary FODR-sequent $S^*$ obtained by means of $PRe^k(S)$) the similarity substitution $\sigma$ and an elementary FODR-sequent $S_p$ such that $S_p = S^*\sigma$, i.e., $S_p$ coincides with $S^*\sigma$, where $S^*\sigma$ differs from $S^*$ only by the values of the variables which are determined by the “similarity” substitution $\sigma$. To define $SRe^k(S^*)$, let us define the halting test for $SRe^k(S^*)$, namely, the similarity index.

Definition 15 (Similarity Index). Let $S = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$ be an elementary FODR-sequent and $p_1, \ldots, p_n$ be the indices of the kernel premise formulas of $S$. Then $p(S) = \sum_{i=1}^{n} p_i$ is the similarity index of $S$. For example, let $S^*$ be the elementary FODR-sequent obtained in Example 2, then $p(S^*) = 2 + 3 + 4 = 9$.

Definition 16 (Saturated $k$-th Resolvent: $SRe^k(S^*)$). Let $S^*$ be an elementary FODR-sequent. Then the definition of $SRe^k(S^*)$ is obtained from the definition of $PRe^k(S^*)$ by replacing $PRe^k(S^*)$ by $SRe^k(S^*)$ and replacing point (4) by a new point (4): If $SRe^{k+1}(S^*) = S_{k2}$ and $k + 1 = p(S^*)$, then the calculation of $SRe^{k+1}(S^*)$ is completed.

The notation $SRe^k(S) \neq \bot$ ($k \in \omega$) means that all the possible bottom-up applications of (GIS) in constructing $SRe^k(S)$ are successful.
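How the parametrical part of an elementary FODR-sequent evolves under the bottom-up (GIS) applications of $SRe^k$, and why the similarity index of Definition 15 is the right halting test, as an added example that is not code from the paper. It implements the descendant computation of Definition 7 (operation (+), with the index decrement of atomic formulas) and the solution of the accumulated substitution (Definition 8) on the kernel of Example 2, assuming an encoding of our own: a kernel position plus index stands for $E^{l}(f_i(\ldots))$, terms are nested tuples, and all kernel conclusions are the same predicate $E$. After $p(S) = 9$ steps the parametrical part has the shape of the original again, and each variable's solved term is the periodic component of the similarity substitution of Lemma 8.

```python
# Added example (not from the paper): the parametrical part of an elementary
# FODR-sequent under bottom-up (GIS) applications, i.e. the computation of
# SRe^k(S), and the similarity index as its halting test.
# Assumed encoding (ours, not the paper's notation):
#   kernel  : list of (f_i, k_i), i = 1..n, for the fixed ordered kernel
#             []Ax_i (E^{k_i}(f_i(x_i)) -> E(x_i))   (all conclusions are E)
#   formula : PFormula(pos, idx, arg) stands for E^{idx}(f_pos(arg))
#   term    : ('x', j) is the variable x_j; (f, t) is the application f(t)
from dataclasses import dataclass
from typing import Dict, List, Tuple

Term = tuple


@dataclass(frozen=True)
class PFormula:
    pos: int    # i: the formula carries the eigen-term f_i of kernel formula i
    idx: int    # l: temporal index of E^l
    arg: Term   # argument of f_i, so the atom is E^l(f_i(arg))


def similarity_index(kernel: List[Tuple[str, int]]) -> int:
    """p(S): the sum of the kernel premise indices (Definition 15)."""
    return sum(k for _, k in kernel)


def gis_step(kernel, formulas, subst, counter):
    """Descendants of the parametrical part under one (GIS) application.
    E^l with l > 0 becomes E^{l-1} (Lemma 6); an elementary E(f_i(x*)) becomes
    E^{k_{i+1}-1}(f_{i+1}(x*_{i+1})) with the new variable x*_{i+1} <- f_i(x*)
    (operation (+), Definition 7; i = n wraps around to 1).  Substitutions are
    recorded in `subst`; `counter` numbers the fresh variables."""
    n = len(kernel)
    out = []
    for pf in formulas:
        if pf.idx > 0:
            out.append(PFormula(pf.pos, pf.idx - 1, pf.arg))
            continue
        f_i, _ = kernel[pf.pos - 1]
        nxt = pf.pos % n + 1
        _, k_next = kernel[nxt - 1]
        counter[0] += 1
        new_var = ('x', counter[0])
        subst[new_var] = (f_i, pf.arg)       # x*_{i+1} <- f_i(x*_i)
        out.append(PFormula(nxt, k_next - 1, new_var))
    return out


def shape(formulas):
    """The parametrical part 'up to variable names': sorted (pos, idx) pairs."""
    return sorted((pf.pos, pf.idx) for pf in formulas)


def solve(term: Term, subst: Dict[Term, Term]) -> Term:
    """Solution of the substitution (Definition 8): expand bound variables."""
    if term[0] == 'x':
        return solve(subst[term], subst) if term in subst else term
    f, arg = term
    return (f, solve(arg, subst))


def saturate(kernel, formulas, steps):
    """Apply (GIS) `steps` times (the parametrical part of SRe^steps(S)) and
    return it together with each final argument solved in the original
    variables.  Initial arguments are assumed to be variables."""
    subst: Dict[Term, Term] = {}
    counter = [max(pf.arg[1] for pf in formulas)]
    current = formulas
    for _ in range(steps):
        current = gis_step(kernel, current, subst, counter)
    solved = {pf: solve(pf.arg, subst) for pf in current}
    return current, solved


# Constructed sample: the elementary sequent of Example 2 / Definition 15,
# kernel []Ax1(E^2(f(x1)) -> E(x1)), []Ax2(E^3(h(x2)) -> E(x2)),
# []Ax3(E^4(g(x3)) -> E(x3)), parametrical part E(f(x1*)), E(h(x2*)), E(g(x3*)).
KERNEL = [('f', 2), ('h', 3), ('g', 4)]
SIGMA = [PFormula(1, 0, ('x', 1)), PFormula(2, 0, ('x', 2)),
         PFormula(3, 0, ('x', 3))]


def similar_after_p() -> Dict[int, Term]:
    """Run SRe^p for p = p(S) and return, per kernel position, the solved
    argument term: the periodic component of the similarity substitution."""
    final, solved = saturate(KERNEL, SIGMA, similarity_index(KERNEL))
    assert shape(final) == shape(SIGMA)      # S_p has the shape of S (Lemma 8)
    return {pf.pos: solved[pf] for pf in final}


if __name__ == "__main__":
    print(similar_after_p())
```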

Lemma 4 (Composition of $SRe^k(S)$). Let $SRe^n(S) = S_n$, $SRe^m(S_n) = S^*$ and $SRe^n(S) \neq \bot$, $SRe^m(S_n) \neq \bot$ ($n, m \in \omega$), then $SRe^l(S) = S^*$, where $l = n + m$.

Proof. By induction on $l$.

Lemma 5 (Decomposition of $SRe^k(S)$). Let $SRe^{n+m}(S) = S^*$ and $SRe^{n+m}(S) \neq \bot$, then for each $n$ and $m$ there exists a sequent $S_n$ such that $SRe^n(S) = S_n$ and $SRe^m(S_n) = S^*$.

Proof. By induction on $n + m$.
Lemma 6 (“Length-Preserving” of $SRe^k(S)$). Let $S$ be an elementary FODR-sequent, i.e., $S = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$, and $SRe^k(S) = S^*$, then $S^* = \Box\Omega \to \Sigma_1, \Pi_1^l, \Box\Delta$, where $|\Sigma, \Pi^l| = |\Sigma_1, \Pi_1^l|$, i.e., the lengths of the parametrical parts of $S$ and $S^*$ are the same.

Proof. By induction on $k$. If $k = 0$, then $S = S^*$. Let $k \geq 1$ and let us consider the construction of $SRe^1(S) = S_1$. Let $\Box\Omega = \Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E(x_1)), \ldots, \Box\forall x_i(E_i^{k_i}(f_i(x_i)) \supset E_{i-1}(x_i)), \Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1})), \ldots, \Box\forall x_n(E_n^{k_n}(f_n(x_n)) \supset E_{n-1}(x_n))$, where $E_n = E$. Let us consider an atomic formula $E^l$ from the parametrical part of $S$. Assume $E^l \in \Pi^l$ (where $l > 0$), then by definition of (GIS) we have that the descendant of the atomic formula $E^l$ in $S_1$ is of the shape $E^{l-1}$. Let $E^l = E_i(f_i(x_i^*)) \in \Sigma$ (where $1 \leq i \leq n$), then, by definition of the operation (+), see Definition 7, the descendant of the elementary formula $E_i(f_i(x_i^*))$ in $S_1$ is of the shape $E_{i+1}^{k_{i+1}-1}(f_{i+1}(x_{i+1}^*))$ (where $x_{i+1}^* \leftarrow f_i(x_i^*)$); if $i = n$, then $E_{i+1}^{k_{i+1}-1}(f_{i+1}(x_{i+1}^*)) = E_1^{k_1-1}(f_1(x_1^*))$. Therefore $S_1 = \Box\Omega \to \Sigma_{11}, \Pi_{11}^l, \Box\Delta$, where $|\Sigma_{11}, \Pi_{11}^l| = |\Sigma, \Pi^l|$ (*). If $k = 1$, then $S^* = S_1$. Let $k > 1$, then, relying on Lemma 5, we get $SRe^{k-1}(S_1) = S^*$. Using the induction hypothesis we have that $S^* = \Box\Omega \to \Sigma_1, \Pi_1^l, \Box\Delta$ and $|\Sigma_1, \Pi_1^l| = |\Sigma_{11}, \Pi_{11}^l|$ (**). Using Lemma 4 and (*), (**) we get $SRe^k(S) = S^* = \Box\Omega \to \Sigma_1, \Pi_1^l, \Box\Delta$ and $|\Sigma_1, \Pi_1^l| = |\Sigma, \Pi^l|$.

Lemma 7 (Accessibility of a Kernel Premise). Let $S = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$ be an elementary FODR-sequent, where $\Box\Omega$ is a fixed ordered kernel of the shape $\Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E(x_1)), \ldots, \Box\forall x_i(E_i^{k_i}(f_i(x_i)) \supset E_{i-1}(x_i)), \Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1})), \ldots, \Box\forall x_n(E_n^{k_n}(f_n(x_n)) \supset E_{n-1}(x_n))$, where $E = E_n$. Let $E_i^l(f_i(x_i^*))$ ($1 \leq i \leq n$) be any member of the parametrical part $\Sigma, \Pi^l$, i.e., $\Gamma = E_i^l(f_i(x_i^*)), \Gamma_1$, where $\Gamma = \Sigma, \Pi^l$; let $SRe^k(S) \neq \bot$ ($k \in \omega$). Then $SRe^q(S) = \Box\Omega \to E_{i+m}^{k_{i+m}-1}(f_{i+m}(x_{i+m}^*)), \Gamma_1^*, \Box\Delta$, where $1 \leq m \leq n - i$ if $i < n$; if $i = n$, then $m = 0$ and $E_{i+m}^{k_{i+m}-1}(f_{i+m}(x_{i+m}^*)) = E_1^{k_1-1}(f_1(x_1^*))$; moreover, $q = l + k_{i+1} + \ldots + k_{i+m-1} + 1$ if $m > 1$, and $q = l + 1$ if $m \leq 1$; besides, $x_{i+m}^* \leftarrow g_i(x_i^*)$, where $g_i(x_i^*) = g_{i1}(\ldots(g_{im}(x_i^*))\ldots)$, $g_{ir} = f_{jr}$ ($1 \leq r \leq m$) and $f_{jr} \in f_j$ ($1 \leq j \leq n$).

Proof. By induction on $m$. Let $m = 0$, i.e., $i = n$. Since $SRe^k(S) \neq \bot$ ($k \in \omega$), applying (GIS) $q = (l + 1)$-times we get $SRe^q(S) = \Box\Omega \to E_1^{k_1-1}(f_1(x_1^*)), \Gamma_1^*, \Box\Delta$, where $x_1^* \leftarrow f_n(x_n^*)$. Let $m = 1$. Since $SRe^k(S) \neq \bot$ ($k \in \omega$), applying (GIS) $(l + 1)$-times we get $SRe^{l+1}(S) = S_1 = \Box\Omega \to E_{i+1}^{k_{i+1}-1}(f_{i+1}(x_{i+1}^*)), \Gamma_{11}, \Box\Delta$ (where $x_{i+1}^* \leftarrow f_i(x_i^*)$) (*). Let $m > 1$. Since $SRe^k(S) \neq \bot$ ($k \in \omega$), we have that $SRe^k(S_1) \neq \bot$ ($k \in \omega$). Applying the induction assumption to the sequent $S_1$, we get $SRe^p(S_1) = \Box\Omega \to E_{i+m}^{k_{i+m}-1}(f_{i+m}(x_{i+m}^*)), \Gamma_1^*, \Box\Delta$, where $p = k_{i+1} - 1 + \ldots + k_{i+m-1} + 1$ and $x_{i+m}^* \leftarrow h_i(x_{i+1}^*)$ (**) ($h_i(x_{i+1}^*) = h_{i1}(\ldots(h_{im}(x_{i+1}^*))\ldots)$, $h_{ir} = f_{jr}$, $f_{jr} \in f_j$, $1 \leq j \leq n$). Applying Lemma 4 to (*), (**) we get $SRe^q(S) = \Box\Omega \to E_{i+m}^{k_{i+m}-1}(f_{i+m}(x_{i+m}^*)), \Gamma_1^*, \Box\Delta$, $q = l + 1 + p = l + k_{i+1} + \ldots + k_{i+m-1} + 1$, $x_{i+m}^* \leftarrow h_i(f_i(x_i^*))$, and $h_i(f_i(x_i^*)) = g_i(x_i^*) = g_{i1}(\ldots(g_{im}(x_i^*))\ldots)$, $g_{ir} = f_{jr}$, $1 \leq r \leq m$.
Lemma 8 (Generating a $\sigma$-Similar Sequent). Let $S^*$ be an elementary FODR-sequent, $SRe^k(S^*) \neq \bot$ ($k \in \omega$), $p = p(S^*)$ be the similarity index of $S^*$, then $SRe^p(S^*) = S_p$ such that $S^*\sigma = S_p$, where $\sigma$ is called the similarity substitution and the sequent $S_p$ is called $\sigma$-similar to $S^*$.

Proof. Let $S^* = \Box\Omega \to \Sigma, \Pi^l, \Box\Delta$ be an elementary FODR-sequent, where $\Box\Omega = \Box\forall x_1(E_1^{k_1}(f_1(x_1)) \supset E(x_1)), \ldots, \Box\forall x_i(E_i^{k_i}(f_i(x_i)) \supset E_{i-1}(x_i)), \Box\forall x_{i+1}(E_{i+1}^{k_{i+1}}(f_{i+1}(x_{i+1})) \supset E_i(x_{i+1})), \ldots, \Box\forall x_n(E_n^{k_n}(f_n(x_n)) \supset E_{n-1}(x_n))$, and $E_n = E$. Let $1 \leq i \leq n - 1$ and $E_i^l(f_i(x_i^*))$ be any member of the parametrical part $\Sigma, \Pi^l$, i.e., $\Gamma = E_i^l(f_i(x_i^*)), \Gamma_1$, where $\Gamma = \Sigma, \Pi^l$. Let us take $i + m = n$ and apply Lemma 7 to the sequent $S^*$: we get $SRe^q(S^*) = S_q = \Box\Omega \to E_n^{k_n-1}(f_n(x_n^*)), \Gamma_{1q}, \Box\Delta$ (where $q = l + k_{i+1} + \ldots + k_{n-1} + 1$ and $x_n^* \leftarrow g_i(x_i^*)$) (*). Since $SRe^k(S^*) \neq \bot$ ($k \in \omega$), we can successfully continue the calculation of $SRe^k(S^*)$. Applying (GIS) $k_n$-times from the sequent $S_q$, we get $SRe^{q_1}(S_q) = S_{q_1} = \Box\Omega \to E_1^{k_1-1}(f_1(x_1^*)), \Gamma_{1q_1}, \Box\Delta$ (where $q_1 = k_n$, $x_1^* \leftarrow f_n(x_n^*) = x_1^* \leftarrow f_n(g_i(x_i^*))$) (**). Let us take $1 + m = i$ and apply Lemma 7 to the sequent $S_{q_1}$: we get $SRe^{q_2}(S_{q_1}) = S_{q_2} = \Box\Omega \to E_i^{k_i-1}(f_i(x_{ip}^*)), \Gamma_{1q_2}, \Box\Delta$ (where $q_2 = k_1 - 1 + k_2 + \ldots + k_{i-1} + 1$ and $x_{ip}^* \leftarrow h_i(x_1^*) = x_{ip}^* \leftarrow h_i(f_n(g_i(x_i^*)))$) (***). Applying Lemma 4 to (*), (**), (***), we get $SRe^{q_3}(S^*) = S_{q_3} = \Box\Omega \to E_i^{k_i-1}(f_i(x_{ip}^*)), \Gamma_{1q_3}, \Box\Delta$, where $q_3 = q + q_1 + q_2 = l + k_{i+1} + \ldots + k_{n-1} + 1 + k_n + k_1 - 1 + k_2 + \ldots + k_{i-1} + 1 = l + k_1 + \ldots + k_{i-1} + k_{i+1} + \ldots + k_n + 1$ (+). Applying (GIS) $(k_i - l - 1)$-times beginning with the sequent $S_{q_3}$ we get $SRe^{q_4}(S_{q_3}) = \Box\Omega \to E_i^l(f_i(x_{ip}^*)), \Gamma_1^*, \Box\Delta$ (where $q_4 = k_i - l - 1$) (++). Applying Lemma 4 to (+), (++) we get $SRe^p(S^*) = \Box\Omega \to E_i^l(f_i(x_{ip}^*)), \Gamma_1^*, \Box\Delta$, where $p = k_1 + \ldots + k_n = p(S^*)$ (i.e., the similarity index of the sequent $S^*$) and $x_{ip}^* \leftarrow h_i(f_n(g_i(x_i^*)))$ $\theta$. The substitution $\theta$ expresses the relation between the variable $x_i^* \in S^*$ and the variable $x_{ip}^* \in S_p$, and this relation is got from the substitutions obtained during the calculation of $SRe^p(S^*)$ by eliminating intermediate variables between $x_i^*$ and $x_{ip}^*$. Adding the equality $x_{ip}^* = x_i^*$ to $\theta$, we get the substitution $x_i^* \leftarrow h_i(f_n(g_i(x_i^*)))$.

Now, let us consider the transformation of the parametrical formula of the shape $E_n^l(f_n(x_n^*))$ (i.e., the case where $i = n$). Since $SRe^k(S^*) \neq \bot$ ($k \in \omega$), we can successfully apply (GIS) $(l + 1)$-times and get $SRe^{l+1}(S^*) = S_1 = \Box\Omega \to E_1^{k_1-1}(f_1(x_1^*)), \Gamma_{11}, \Box\Delta$ (where $x_1^* \leftarrow f_n(x_n^*)$) (*). Let us now take $i = 1$, $i + m = n$ and apply Lemma 7 to the sequent $S_1$: $SRe^q(S_1) = S_2 = \Box\Omega \to E_n^{k_n-1}(f_n(x_{n1}^*)), \Gamma_{12}, \Box\Delta$ (where $q = k_1 - 1 + k_2 + \ldots + k_{n-1} + 1 = k_1 + \ldots + k_{n-1}$; $x_{n1}^* \leftarrow h_n(x_1^*) = x_{n1}^* \leftarrow h_n(f_n(x_n^*))$) (**). Applying (GIS) $(k_n - l - 1)$-times from the sequent $S_2$, we get $SRe^{q_3}(S_2) = S_3 = \Box\Omega \to E_n^l(f_n(x_{n1}^*)), \Gamma_{12}, \Box\Delta$
(where qi = — 1 — ^) (* * *). Applying Lemma 4 to (*), (**), (* * *) we 

get SReP{S*) = aG if(j(/„(x* 1)), A*, aA, where p = l + l + q + qi = 

I + 1 + ki + ■ ■ ■ + kn-i + kn — I — I = ki + \- kn= p{S*) (i.e., the similarity 

index of the sequent S*) and x*p ^ (z„ {fn{Xn)) 00- Adding the equality 
Xnp = Xn to 00 , we get the substitution x* ^ (z(/„(x*)). 

Therefore, we get that each parametrical member $E^{k_i}(f_i(x^*_i))$ ($1 \le i \le n$) after $p = p(S^*)$ steps is transformed into the atomic formula $E^{k_i}(f_i(x^*_{ip}))$, where $x^*_{ip} \leftarrow g_i(x^*_i)$ (+*). The substitution (+*) expresses the relation between the variables $x^*_i \in S^*$ and $x^*_{ip} \in S_p$, and this relation is obtained from the substitutions generated during the calculation of $SRe^p(S^*)$ by eliminating the intermediate variables between $x^*_i$ and $x^*_{ip}$. Adding the equality $x^*_{ip} = x^*_i$ to (+*), we get the substitution $x^*_i \leftarrow g_i(x^*_i)$. Therefore, $S^*\sigma = SRe^p(S^*) = S_p$, where $\sigma := \{x^*_1 \leftarrow g_1(x^*_1); \ldots; x^*_n \leftarrow g_n(x^*_n)\}$. Hence, after $p = p(S^*)$ steps, we get the sequent $S_p$ such that $S^*\sigma = S_p$. The Lemma is proved.

The proof of Lemma 8 presents an implicit way of constructing the similarity substitution $\sigma$. Now we present the explicit way of constructing the similarity substitution $\sigma$.

Algorithm (SS) (algorithm for constructing the similarity substitution).

Let $S^* = \square\Omega \to E_1(x^*_1), \ldots, E_r(x^*_r), \square\Delta$ be an elementary FODR-sequent, let $p(S^*) = n$, and let $SRe^n(S^*) = S_n = \square\Omega \to E_1(x_{n,1}), \ldots, E_r(x_{n,r}), \square\Delta$. Let $\sigma_1$ be the sequence of substitutions obtained during the construction of $SRe^n(S^*) = S_n$, i.e., $\sigma_1 = x_{11} \leftarrow t_{11}(x^*_1), \ldots, x_{r1} \leftarrow t_{r1}(x^*_r), \ldots, x_{1,r-1} \leftarrow t_{1,r-1}(x_{1,r-2}), \ldots, x_{r,r-1} \leftarrow t_{r,r-1}(x_{r,r-2}), x_{1,r} \leftarrow t_{1,r}(x_{1,r-1}), \ldots, x_{r,r} \leftarrow t_{r,r}(x_{r,r-1})$. Let us subsequently eliminate from $\sigma_1$ the intermediate variables $x_{i1}, \ldots, x_{i,r-1}$ ($1 \le i \le r$), i.e., replace these variables by the corresponding values. Continue these transformations until the sequence $\sigma_n$ that contains $r$ substitutions of the shape $x_{ni} \leftarrow t_{ni}(\ldots(t_{1i}(x^*_i))\ldots)$ ($1 \le i \le r$) is obtained. Add the equalities of the shape $x_{ni} = x^*_i$ ($1 \le i \le r$) to $\sigma_n$. Then the desired similarity substitution $\sigma$ has the shape $\sigma := \{x^*_1 \leftarrow t_{n1}(\ldots(t_{11}(x^*_1))\ldots); \ldots; x^*_r \leftarrow t_{nr}(\ldots(t_{1r}(x^*_r))\ldots)\}$.

Lemma 9 (Correctness of the Algorithm (SS)). Let $S^*$ be an elementary FODR-sequent, and $SRe^p(S^*) = S_p$, where $p = p(S^*)$; then, using the algorithm (SS), we can construct a substitution $\sigma$ such that $S^*\sigma = S_p$.

Proof. Using Lemma 8 and decidability of $G^*$.

Lemma 10 (Decidability of $S_\sigma$). The problem of generating a $\sigma$-similar sequent $S_\sigma$ is decidable.

Proof. Using Lemma 8 and Algorithm (SS).

Now we present examples showing how simply the sequent $S_p$ ($\sigma$-similar to the given elementary FODR-sequent $S^*$) and the similarity substitution $\sigma$ are generated.

Example 3. (a) Let $S^*$ be the same elementary FODR-sequent as in Example 2, i.e., $S^* = \square\Omega \to E^2(f(x^*_1)), E^3(h(x^*_2)), E^4(g(x^*_3)), \square\Delta$, where $\square\Omega = \square\forall x_1(E^2(f(x_1)) \supset E(x_1)), \square\forall x_2(E^3(h(x_2)) \supset E(x_2)), \square\forall x_3(E^4(g(x_3)) \supset E(x_3))$; 
A = 3y{^E{y) V ~^E^{y) V ^U^(y)). The similarity index p{S*) = 2-|-3-|-4 = 9 
and the construction of $SRe^k(S^*)$ stops when $k = 9$. It is easy to verify that all the applications of (GIS) are successful; therefore we indicate only the temporal branch of applications of (GIS) and the substitutions generated by means of operation (+) (see Definition 7):

3^13 ^ 5(a;32) 

3^23 ^ f (xi 2 ) 

Sg= OG ^ E'^{f{xi3)),E‘^{h{x23)),E^{g{x33)),aA] X33^h{x22) 
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on E{g{x 32 )) , E{f{xi2)) , E{h{x22)) ,oA] 
an E'^{g{x32)), E'^{f{xi2)), E'^{h{x22)),OA-, Xi2 ^ g{x3i) 
an E'^{g{x32)),E{g{x3i)),E'^{h{x22)),oA-, X22 ^ f{xii) 

an E^{g{x32)), E^{g{x3i)), E{f{xii)),aA-, X32 ^ h{x2i) 
an E{h{x2i)),E'^{g{x3i)),E^{f{xii)),aA; xn ^ g{x*3) 
an E'^{h{x2i)),E^{g{x3i)),E{g{x*3)),aA-, X31 ^ h^x^) 
an E'^{h{x2i)),E{h{x*2)),E'^{g{x*3)),aA-, X21 ^ f(x*) 
an ^ E(f(x*,)),E^(h(x*2)),E^(g(x*3)),aA 

S*= an ^ E^(f(xi)),E^(h(x*2)),E^(g(xl)),aA 

Let us construct now the similarity substitution $\sigma$. First, we construct a substitution of the shape $\{x_{13} \leftarrow \tau_1(x^*_1); x_{23} \leftarrow \tau_2(x^*_2); x_{33} \leftarrow \tau_3(x^*_3)\}$, where $\tau_i$ ($1 \le i \le 3$) is a sequence of the function symbols $f, h, g$, i.e., expressing the relations between the variables from $S_9$ and those from $S^*$. Let $\sigma_1$ be the sequence of substitutions obtained during the construction of $SRe^9(S^*)$, i.e., $\sigma_1 = x_{21} \leftarrow f(x^*_1); x_{31} \leftarrow h(x^*_2); x_{11} \leftarrow g(x^*_3); x_{32} \leftarrow h(x_{21}); x_{22} \leftarrow f(x_{11}); x_{12} \leftarrow g(x_{31}); x_{13} \leftarrow g(x_{32}); x_{23} \leftarrow f(x_{12}); x_{33} \leftarrow h(x_{22})$. Let us eliminate the intermediate variables $x_{i2}$ ($1 \le i \le 3$), replacing the variables $x_{i2}$ by the corresponding values of these variables. So instead of the sequence $\sigma_1$ we get $\sigma_2 = x_{13} \leftarrow g(h(x_{21})); x_{23} \leftarrow f(g(x_{31})); x_{33} \leftarrow h(f(x_{11}))$. In the same manner, let us eliminate the variables $x_{i1}$ ($1 \le i \le 3$). So instead of $\sigma_2$, we get $\sigma_3 = x_{13} \leftarrow g(h(f(x^*_1))); x_{23} \leftarrow f(g(h(x^*_2))); x_{33} \leftarrow h(f(g(x^*_3)))$. Now, by adding $x^*_i = x_{i3}$ ($1 \le i \le 3$) to $\sigma_3$, we get the desired similarity substitution $\sigma := \{x^*_1 \leftarrow g(h(f(x^*_1))); x^*_2 \leftarrow f(g(h(x^*_2))); x^*_3 \leftarrow h(f(g(x^*_3)))\}$.

(b) Let $S'^* = \square\Omega' \to E^2(f(x^*_1)), E^3(h(x^*_3)), E^4(g(x^*_2)), \square\Delta$, where $\Delta$ is the same as in part (a) and $\square\Omega' = \square\forall x_1(E^2(f(x_1)) \supset E(x_1)), \square\forall x_2(E^4(g(x_2)) \supset E(x_2)), \square\forall x_3(E^3(h(x_3)) \supset E(x_3))$. It is easy to see that the sequent $S'^*$ is equivalent to the sequent $S^*$ from part (a) of the example. The similarity index $p(S'^*) = 2 + 3 + 4 = 9$ and the construction of $SRe^k(S'^*)$ stops when $k = 9$. As in part (a), all the applications of (GIS) are successful; therefore we indicate only the temporal branch of applications of (GIS) and the substitutions generated by means of operation (+) (see Definition 7):

a;i 3 ^ h{x 32 ) 

X23 ^ f(xi2) 

Sg = an ^ E^{f{xi3)),E‘^{h{x33)),E^{g{x23)),OA] X 33 ^g\x 22 ) 

an E{h{x32)), E{g{x22)), E{f{xi2)),aA-, 

an E^{h{x32)),E^{g{x22)),E^{f{xi2)),aA; X12 ^ h{x3i) 



( 9 ) 

(8) 

( 7 ) 

(6) 

( 5 ) 

( 4 ) 

( 3 ) 

(2) 

( 1 ) 



( 9 ) 

(8) 

( 7 ) 
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□ 17 - 


E‘^{h{x 32 )),E‘^{g{x 22 )),E{h{x 3 i)),DA] X32 


^ g(.x2i) 


□ 17 - 


E{g{x2i)),E^{g{x22)),E^{h{x3i)),aA-, X22 • 


^ f{xil) 


□ 17 - 


E^{g{x2i)), E{f{xii)), E‘^{h{x3i)),aA; X31 


^ g(.x*2) 


□ 17 - 


E‘^{g{x2i)), E^{f{xii)), E{g{x2)),aA; xn <- 


- Kxl) 


□ 17 - 


E'^{g{x2i)),E{h{x*3)),E'^{g{x*2)),aA-, X21 ^ 


m) 


□ 17 - 


-^E{f{x\)),E\h{x*3)),E\g{x*2)),aA 




S( = an- 


^E\f{x\)),E\h{x*3)),E\g{x*2)),aA 





(6) 

( 5 ) 

( 4 ) 

( 3 ) 

(2) 

( 1 ) 



Analogously as in part (a) of this example, we find the similarity substitution of the following shape: $\sigma^* := \{x^*_1 \leftarrow h(g(f(x^*_1))); x^*_2 \leftarrow f(h(g(x^*_2))); x^*_3 \leftarrow g(f(h(x^*_3)))\}$. Therefore, in spite of the fact that the FODR-sequent $S'^*$ is equivalent to the FODR-sequent $S^*$ from part (a) of this example, we get different similarity substitutions, i.e., $\sigma \neq \sigma^*$.



Therefore, using the elementary sequent $S^*$ and the similarity substitution $\sigma$ (generated by means of the calculation of $SRe^p(S^*)$ and Algorithm (SS)), we can construct the sequent $S_p$ such that $S_p = S^*\sigma$. Let us construct the substitution $\sigma^n$ in the following way. Let $\sigma = \{x^*_1 \leftarrow \gamma_1(x^*_1), \ldots, x^*_m \leftarrow \gamma_m(x^*_m)\}$; then $\sigma^n = \{x^*_1 \leftarrow \gamma^n_1(x^*_1), \ldots, x^*_m \leftarrow \gamma^n_m(x^*_m)\}$, where $\gamma^0_i(x^*_i) = x^*_i$ and $\gamma^n_i(x^*_i) = \gamma_i(\gamma^{n-1}_i(x^*_i))$. Therefore $\sigma^0 = \emptyset$ and $\sigma^1 = \sigma$. For example, if $\sigma = x^* \leftarrow f(g(x^*))$, then $\sigma^2 = x^* \leftarrow f(g(f(g(x^*))))$.

We want to use the calculation of elementary $k$-th resolvents to deduce (from the sequent $S^*\sigma^n$) the sequent $S_p$ such that $S_p = S^*\sigma^{n+1}$ (for each $n \in \omega$). The foundation of this possibility is carried out by induction on $n$. The basis case (i.e., when $n = 0$) is carried out by calculating $SRe^p(S^*)$ and by Algorithm (SS). To found the induction step, let us introduce the notion of a hypothetical $k$-th resolvent of the elementary FODR-sequent $S^*$: $HRe^k(S^*)$. The deductive procedure $HRe^k(S^*)$ is the third part of $Sat_\omega$. The aim of $HRe^k(S^*)$ is as follows: assuming that we can generate an elementary FODR-sequent $S^*\sigma^n$, to verify the possibility of deducing the elementary FODR-sequent $S_p$ such that $S_p = S^*\sigma^{n+1}$. The halting test of $HRe^k(S^*)$ is the same as for $SRe^k(S^*)$, namely, the similarity index of the elementary FODR-sequent $S^*$.



Definition 17 (Hypothetical $k$-th Resolvent: $HRe^k(S)$). Let $S$ be an elementary FODR-sequent, $\sigma$ the similarity substitution, and $m$ an arbitrary natural number; then $HRe^0(S) = S\sigma^m$. Let $HRe^k(S) = S_k$; then $HRe^{k+1}(S)$ is defined in the following way. 1. Let us bottom-up apply (GLS) to $S_k$, and let $S_{k1}$, $S_{k2}$ be the left and right premise of the application of (GLS). 2. If $G^* \nvdash S_{k1}$, then $HRe^{k+1}(S) = \bot$ (false) and the calculation of $HRe^{k+1}(S)$ is stopped. 3. Let $G^* \vdash S_{k1}$; then $HRe^{k+1}(S) = S_{k2}$. 4. If $HRe^{k+1}(S) = S_{k2}$ and $k + 1 = p(S)$, then the calculation of $HRe^{k+1}(S)$ is finished.



Just like in Lemma 10 we get the following

Lemma 11 (Decidability of $HRe^k(S)$). Let $HRe^0(S) = S\sigma^m$; then the problem of generating the sequent $S_p$ such that $S_p = S\sigma^{m+1}$ is decidable.

Now we can define the proposed deductive procedure $Sat_\omega$.

Definition 18 (Deductive Procedure $Sat_\omega$, FODR-Sequent Derivable by Means of $Sat_\omega$). The deductive procedure $Sat_\omega$ consists of three decidable procedures: (1) $PRe^k(S)$ (where $S$ is a given FODR-sequent); (2) $SRe^k(S^*)$ (where $S^*$ is an elementary FODR-sequent obtained by means of $PRe^k(S)$); (3) $HRe^k(S^*)$. A FODR-sequent $S$ is derivable using $Sat_\omega$ (in symbols: $Sat_\omega \vdash S$) if three conditions are satisfied: (1) $PRe^n(S) = S^*$ (where $n = \pi(S)$, $\pi(S)$ is the kernel conclusion complexity of $S$); (2) $SRe^p(S^*) = S_p = S^*\sigma$ ($p = p(S^*)$, $p(S^*)$ is the similarity index of $S^*$; $\sigma$ is the similarity substitution); (3) $HRe^0(S^*) = S^*\sigma^m$ and $HRe^p(S^*) = S_p = S^*\sigma^{m+1}$ ($m$ is an arbitrary natural number); otherwise, $Sat_\omega \nvdash S$.

Example 4. Let $S$ be the FODR-sequent from Example 2. In Example 2, the sequent $S$ was reduced by means of $PRe(S)$ to the elementary FODR-sequent $S^*$. In Example 3(a), the similarity substitution $\sigma$ was constructed and the sequent $S_9$ generated such that $S_9 = S^*\sigma$. Now, using $HRe^k(S^*)$, let us verify the possibility to generate (from $S^*\sigma^m$) a sequent $S_p$ such that $S_p = S^*\sigma^{m+1}$. So, assume that $HRe^0(S^*) = S^*\sigma^k$. Analogously as in Example 3(a), we get that $HRe^9(S^*) = S_9 = S^*\sigma^{k+1}$. Therefore $Sat_\omega \vdash S^*\sigma^k$ ($k \in \omega$) and hence $Sat_\omega \vdash S$. In the same way we get $Sat_\omega \vdash S'^*(\sigma^*)^k$ ($k \in \omega$), where $S'^*$ and $\sigma^*$ are the same as in Example 3(b).

Remark 3. The procedures $SRe^k(S)$ and $HRe^k(S)$ of $Sat_\omega$ cannot be joined: we cannot deduce the sequent $S\sigma^n$. We can only test that from the assumption $S\sigma^n$ it is possible (or not) to generate the sequent $S_p$ such that $S_p = S\sigma^{n+1}$.

Lemma 12. Let $S$ be a FODR-sequent and $Sat_\omega \vdash S = \square\Omega \to \Sigma, \Pi^k, \square\Delta$; then $G^*_{L\omega} \vdash S$.

Proof. From $Sat_\omega \vdash S$ it follows that all the possible bottom-up applications of (GIS) in all the three parts of $Sat_\omega$ are successful. From this fact (and using admissibility of the rule (GIS) in $G^*_{L\omega}$), by induction on $n$ we can prove that $G^* \vdash S_n = \square\Omega \to \Sigma, \Pi^k, \Delta^n$ ($n \in \omega$). Applying $(\to \square_\omega)$ to $S_n$, we get $G^*_{L\omega} \vdash S$.

Lemma 13. Let $S$ be a FODR-sequent and $G^*_{L\omega} \vdash S$; then $Sat_\omega \vdash S$.

Proof. From $G^*_{L\omega} \vdash S$ we can prove that all the possible bottom-up applications of (GIS) in all the three parts of $Sat_\omega$ are successful. Using this fact we can get $Sat_\omega \vdash S$.

From Lemmas 12 and 13 we get the following

Theorem 2. Let $S$ be a FODR-sequent; then $G^*_{L\omega} \vdash S \iff Sat_\omega \vdash S$.

Having in mind the definition of $\omega$-decidability (see the end of the Introduction), using Remark 3, Theorem 2 and Lemmas 3, 10, 11, we get the following

Theorem 3. The deductive procedure $Sat_\omega$ is $\omega$-decidable and FODR-sequents compose an $\omega$-decidable class.
4 Conclusions, Related Works, and Future Investigations

We have presented the new effective deduction-based $\omega$-decidable procedure $Sat_\omega$ for the DR-sequents of a restricted first-order linear temporal logic with the temporal operators $\bigcirc$ ("next") and $\square$ ("always"). The DR-sequents allow us to express a variety of safety properties of programs. The objects of consideration of $Sat_\omega$ are non-Horn DR-sequents. The calculus $Sat_\omega$ consists of three decidable parts (that replace the infinitary rule $(\to \square_\omega)$) possessing a high degree of mechanization.

There are a few interesting results (see, e.g., [4]) referring to traditional decidability of fragments of FTL. As far as we know, the proposed deductive procedure $Sat_\omega$ and the deductive procedure described in [9] are the first results on $\omega$-decidability of a restricted FTL.

DR-sequents are a certain skolemized version of M. Fisher's normal form [2]. Based on the seminal paper [2], an interesting project, "Mechanizing First-Order Temporal Logic", is being realized at the Manchester Metropolitan University (Department of Computing and Mathematics).

In future investigations we are going to extend the proposed $\omega$-decidable procedure to more general sequents than DR-sequents, including also other temporal operators and other temporal models, e.g., past/branching time cases.
Abstract. In this paper, a logical representation of object code programs is presented. The coding is particularly well-suited for mechanization, and it enjoys interesting properties with respect to some relevant approaches to program synthesis, program derivation and formal verification. The paper describes both the representation with its properties, and a tool which permits translating object programs for the MC68000 microprocessor into the formalism of the Isabelle logical framework.



1 Introduction 

In a verification system it is very important to be able to mechanically repre- 
sent programs in the formal language used to reason on them. In fact, if the 
representation of code is left to the human verifier, there is no guarantee that 
the represented program and the original code describe the same computational 
process. In this paper, object code programs are considered because they consti- 
tute an important area in the application of formal methods as remarked, e.g., 
in 

A logical representation of an object code program should meet three condi- 
tions with respect to the formal verification task: 

— it must be faithful, that is, it has to admit a standard interpretation which 
maps to the same computational process as the original code; 

— it must be meaningful, that is, it has to allow the full exploitation of the 
power of the formal system used to reason about programs; 

— it must be intelligible, so that the relation between the original code and its 
representation is as plain as possible. 

The first point reduces to saying that the represented code is equivalent to the original program; to meet this goal, one usually requires that the representation be as close as possible to the original program under the standard interpretation. Hence, one uses the third point, intelligibility, in addition to the formal semantics of the logical system, to fulfill the requirement for a faithful representation. In this case, simplicity of representation is not a fault; on the contrary, it is a benefit, because it greatly enhances confidence in the formal proofs.
The second requirement, significance, is as important as the others: a poor representation of object code does not permit using the formal system to its full power, with the result that a correctness proof is harder to obtain, and it becomes longer and trickier than necessary.

The proposed representation is very simple, and very close to the description 
of the MC68000 assembly language one can find in the data book of the micropro- 
cessor, thus clearly meeting the requirements of intelligibility and faithfulness. 
Moreover, the proposed representation admits a standard schema for correctness 
proofs, which inductively unfolds the possible computations of the program; this 
fact shows that the representation is meaningful. Furthermore, the proposed rep- 
resentation assumes a distinguished relevance when coupled with a constructive 
formal system. 

In this respect, it is worth noticing that most correctness proofs have been developed using higher-order classical logic, e.g., 

or using first-order classical theories extended by computational logics, see, e.g., 

However, as one can easily check by looking at the previously mentioned proofs, most formal verification tasks are developed according to constructive guidelines: as a matter of fact, most correctness proofs do not focus on showing that a program cannot produce anything but the intended behavior; on the contrary, they prove that a program computes a specification.

The idea is to assign a meaning to specifications as requests for computations. 
Nevertheless, this view is reductive: the meaning of a specification may also be 
prescriptive, that is, the specification acts like a constraint the program is not 
allowed to violate. These different meanings of specifications are referred to with 
the words liveness for the computational reading, and safety for the constraint- 
oriented view, as customary in the field. 

In a constructive approach, the computational reading of a formula is defined 
by induction on the structure of the formula: 






— every atomic formula represents a request for an elementary computation; 

— the formula $A \wedge B$ represents a request for a computation which satisfies both $A$ and $B$; thus, it represents a request for both the computations represented by $A$ and $B$; 

— the formula $A \vee B$ represents a request for a computation which decides between $A$ and $B$, that is, a computation for $A \vee B$ is either a computation for $A$ or a computation for $B$; 

— the formula $A \to B$ represents a request for a computation which translates any computation for $A$ into a computation for $B$; 

— the formula $\forall x.\, A(x)$ represents a request for a computation of $A(t)$ with an arbitrary input $t$; 

— the formula $\exists x.\, A(x)$ represents a request for a computation of an output $t$ which satisfies the computation requirement represented by $A(t)$. 

A definition of the negation case depends on the particular constructive logic: in the intuitionistic case, a specification of the form $\neg A$ requires that the constraint $A$ is not satisfied by the program; in other words, negation is the way to specify safety properties.¹

The computational reading of formulas can be developed only in a construc- 
tive framework, because it relies on the ability to formally derive witnesses 
for disjunctive and existential specifications. For a detailed formal treatment 
of the computational readings for formulas and proofs the reader is referred 
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In a very natural way, liveness properties are modeled as theorems of a con- 
structive logical system, since their proofs require the unfolding of the compu- 
tations performed by the examined program. On the contrary, safety properties 
are best modeled in a classical environment, and their proof often requires the 
use of the tertium non datur principle. 

Therefore, the ultimate purpose of this paper is to describe a logical rep- 
resentation for object code programs which is compatible with a constructive 
approach to formal verification, while remaining efficient in a classical approach. 

The requirement of efficiency justifies an analysis of compression techniques, 
which, discarding information which may appear as non relevant to the de- 
velopment of a correctness proof, make the representation more compact, more 
understandable, and thus, more manageable by a semiautomatic theorem prover. 



2 Translating Object Code into Logic 

The notion of object code is slightly ambiguous; in fact, it may be interpreted in four different ways: 

1. The object code of a program is the content of the computer memory when the operating system passes control to it; 

2. The object code of a program is the content of an executable file; 

3. The object code of a program is the output of a compiler, in other words, the content of an object (.o) file; 

4. The object code is the symbolic representation of the output of a compiler, i.e., it is an assembly program. 

All these possibilities are right, to some extent, and all of them are supported by the translation tool, OCT (Object Code Translator). 

The OCT tool is divided into two parts, the preprocessor and the translation procedure: the former transforms an executable file or an object file into an assembly program; the latter takes an assembly program as input and produces a logical theory suitable for reasoning with Isabelle. 

The preprocessor reconstructs an assembly program where every address is resolved, that is, the assembly code is allocated in memory from a given address. 

¹ More precisely, one may express a safety property $A$ by means of its double negation. To maintain compatibility with the classical interpretation of logical symbols, it is necessary to work in Kuroda logic, that is, IL (intuitionistic first-order logic) plus the Kuroda axiom, $(\forall x.\, \neg\neg A(x)) \to \neg\neg \forall x.\, A(x)$.
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Thus, the output of the preprocessor is equivalent to the symbolic (assembly) 
representation of the content of the memory when the program will be executed. 

The translation procedure takes as input an assembly source code where no 
macros are present and where every address is resolved, and it translates this 
code into a logical representation. 

The target assembly language is the one of the MC68000 microprocessor; the 
main reason behind the choice of this particular architecture is that several case 
studies for formal verification problems have been developed starting from the 
MC68000 microprocessor; in particular, the translation tool benefits from the 
good work in where many functions from the standard libc library have 

been proven correct, providing a consistent set of test cases. 

The translation algorithm operates on the language of first-order intuitionistic logic plus the theory of modular arithmetic, where the types byte, word and longword are integers modulo $2^{8}$, integers modulo $2^{16}$ and integers modulo $2^{32}$, respectively. Modular arithmetic is available in the Isabelle framework, and there are reasoners which can efficiently deal with it, see 

The output of the translation procedure is an Isabelle theory containing 
a series of axioms, one per instruction, encoding the program. This theory file 
inherits the necessary type declarations as well as the constants representing 
registers and memory from the theory of the microprocessor. 

The theory of the microprocessor has three roles: 



— it provides the minimal set of instruments to reason about object code pro- 
grams; 

— it declares the types which are needed to represent the code; 

— it declares the constants which constitute the world the microprocessor op- 
erates on. 



The set of instruments is given by the logical system, the theory of identity, 
the set of provers, such as the Simplifier which allows equational reason- 
ing, the Computer Arithmetic Toolkit to deal with modular arithmetic, 

and the Classical Reasoner to cope with purely logical problems. 

The types byte, word and longword are specializations of modular numbers. In practice, both signed and unsigned numbers are used. Their coding is declared in the modular arithmetic package. Hence, the microprocessor theory declares three versions of every type; for instance, it defines pure bytes, denoted by the type byte, which is the set of integer numbers quotiented by the relation $(\bmod\ 2^{8})$; signed bytes, denoted by sbyte and representing the range of numbers from $-128$ to $127$; and unsigned bytes, denoted by ubyte and representing the range of numbers from $0$ to $255$.

The type time, following the fact that the microprocessor clock is discrete, 
is equivalent to Int, that is, time is modeled by integer numbers. 

In the microprocessor theory, the constants for memory and registers are declared.² Specifically, the MC68000 microprocessor provides sixteen 32-bit user registers, eight of them (the d registers) being data registers, the others (denoted by a) being address registers. The program counter register is indicated with pc. Since registers change their values over time, they have been modeled as functions from time to values: 

² The details of the MC68000 architecture can be found in 



d_i : time → slongword,  0 ≤ i ≤ 7
a_i : time → slongword,  0 ≤ i ≤ 7
pc  : time → ulongword

A particular case is the status register, which is modeled by a set of functions, one for each flag in the register: 

Zflag : time → bool   (* zero *)
Nflag : time → bool   (* negative *)
Cflag : time → bool   (* carry *)
Vflag : time → bool   (* overflow *)
Xflag : time → bool   (* extension *)

The memory is represented as a function from addresses and times to values: 

memory : ulongword × time → byte

The general format of the logical representation of an instruction $I$ is 

$$\forall t : \mathit{time}.\ \mathit{pc}(t) = A \to B \wedge C$$

where $A$ is the absolute address of the instruction $I$, $B$ specifies the value of the program counter at time $t + 1$, and $C$ specifies the value of every register, flag and memory cell at time $t + 1$, depending on the instruction operands, the status of memory at time $t$, and the values of registers and flags at time $t$. 

The format of the $B$ part can be either 

$$\mathit{pc}(t + 1) = H(\mathit{pc}(t))$$

or 

$$(f(t) \to \mathit{pc}(t + 1) = H_1(\mathit{pc}(t))) \wedge (\neg f(t) \to \mathit{pc}(t + 1) = H_2(\mathit{pc}(t)))$$

where H , Hi and H 2 are arithmetical expressions depending on the current value 
of the program counter and calculating the address of the next instruction to 
execute; f{t) is a formula, depending on the time t, and usually, it is a literal 
representing a flag, but, in general it may be a conjunction of (negations of) flag 
predicates. 

For example, the instruction 

64: MOVE #1,d0

which puts the value 1 into the d0 register,³ is translated into 

$$\begin{array}{l}
\forall t.\ \mathit{pc}(t) = 64 \to \mathit{pc}(t + 1) = \mathit{pc}(t) + 2 \\
\quad \wedge\ d_0(t + 1) = 1 \\
\quad \wedge\ d_1(t + 1) = d_1(t) \wedge \ldots \wedge d_7(t + 1) = d_7(t) \\
\quad \wedge\ a_0(t + 1) = a_0(t) \wedge \ldots \wedge a_7(t + 1) = a_7(t) \\
\quad \wedge\ \neg\mathit{Vflag}(t + 1) \wedge \neg\mathit{Cflag}(t + 1) \wedge \neg\mathit{Zflag}(t + 1) \\
\quad \wedge\ \neg\mathit{Nflag}(t + 1) \wedge \neg\mathit{Xflag}(t + 1) \\
\quad \wedge\ \forall a.\ \mathit{memory}(a, t + 1) = \mathit{memory}(a, t).
\end{array}$$

Also, the instruction 

72: BEQ 8

which represents a conditional branch 8 positions forward if the zero flag is set, is translated into 

$$\begin{array}{l}
\forall t.\ \mathit{pc}(t) = 72 \to (\mathit{Zflag}(t) \to \mathit{pc}(t + 1) = \mathit{pc}(t) + 8) \\
\quad \wedge\ (\neg\mathit{Zflag}(t) \to \mathit{pc}(t + 1) = \mathit{pc}(t) + 2) \\
\quad \wedge\ d_0(t + 1) = d_0(t) \wedge \ldots \wedge d_7(t + 1) = d_7(t) \\
\quad \wedge\ a_0(t + 1) = a_0(t) \wedge \ldots \wedge a_7(t + 1) = a_7(t) \\
\quad \wedge\ (\mathit{Vflag}(t + 1) \leftrightarrow \mathit{Vflag}(t)) \\
\quad \wedge\ (\mathit{Zflag}(t + 1) \leftrightarrow \mathit{Zflag}(t)) \\
\quad \wedge\ (\mathit{Nflag}(t + 1) \leftrightarrow \mathit{Nflag}(t)) \\
\quad \wedge\ (\mathit{Cflag}(t + 1) \leftrightarrow \mathit{Cflag}(t)) \\
\quad \wedge\ (\mathit{Xflag}(t + 1) \leftrightarrow \mathit{Xflag}(t)) \\
\quad \wedge\ \forall a.\ \mathit{memory}(a, t + 1) = \mathit{memory}(a, t).
\end{array}$$
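The two translations above follow one mechanical pattern: an unconditional or two-case B part for the program counter, then a C part that states the written locations and a frame conjunct for every other register, flag and memory cell. The following Python is an added example, not code from the paper or from its OCT tool: it generates axioms of exactly that shape for the two instructions shown, executes the instruction directly, and evaluates the generated axiom on the resulting (t, t+1) pair, which is the check a verifier would want before trusting a translator. The ASCII spelling of the connectives (`->`, `&`, `~`, `<->`, `forall`), the restriction to `MOVE #imm,dN` and `BEQ disp`, and the instruction size of 2 bytes are assumptions of this example; the flag effects are those of the page's two worked translations.

```python
"""Added example (not code from the paper or its OCT tool): a miniature
object-code-to-logic translator for two MC68000 instructions, in the axiom
format described above, plus a one-step interpreter and a small evaluator
used to confirm that each generated axiom holds on a directly executed
(t, t+1) state pair. Assumptions not taken from the page: the ASCII spelling
of the connectives ('->', '&', '~', '<->', 'forall'), support for only
MOVE #imm,dN and BEQ disp, and the instruction size of 2 bytes; the flag
effects are exactly those shown in the page's two worked examples."""
import re

DATA_REGS = [f"d{i}" for i in range(8)]
ADDR_REGS = [f"a{i}" for i in range(8)]
FLAGS = ["V", "C", "Z", "N", "X"]   # overflow, carry, zero, negative, extension


def parse(line):
    """Parse a resolved-address line such as '64: MOVE #1,d0' (constructed syntax)."""
    m = re.match(r"\s*(\d+)\s*:\s*(\w+)\s*(.*?)\s*$", line)
    if not m:
        raise ValueError(f"cannot parse {line!r}")
    ops = [op.strip() for op in m.group(3).split(",") if op.strip()]
    return int(m.group(1)), m.group(2).upper(), ops


def frame_conjuncts(written_regs, flag_conjuncts):
    """The C part: every register, flag and memory cell not written keeps its value."""
    parts = [f"{r}(t+1) = {r}(t)" for r in DATA_REGS + ADDR_REGS if r not in written_regs]
    parts += [flag_conjuncts.get(f, f"({f}flag(t+1) <-> {f}flag(t))") for f in FLAGS]
    parts.append("forall a. memory(a, t+1) = memory(a, t)")
    return parts


def translate(line):
    """Return the axiom 'forall t. pc(t) = A -> B & C' for one instruction."""
    addr, mnemonic, ops = parse(line)
    if mnemonic == "MOVE" and ops[0].startswith("#") and ops[1] in DATA_REGS:
        # MOVE #imm,dN: B is unconditional; dN is written and all five flags are cleared
        b_part = "pc(t+1) = pc(t) + 2"
        c_parts = [f"{ops[1]}(t+1) = {int(ops[0][1:])}"]
        c_parts += frame_conjuncts({ops[1]}, {f: f"~{f}flag(t+1)" for f in FLAGS})
    elif mnemonic == "BEQ":
        # BEQ disp: two-case B part on the zero flag; registers, flags and memory unchanged
        b_part = (f"(Zflag(t) -> pc(t+1) = pc(t) + {int(ops[0])})"
                  f" & (~Zflag(t) -> pc(t+1) = pc(t) + 2)")
        c_parts = frame_conjuncts(set(), {})
    else:
        raise NotImplementedError(f"no translation for {mnemonic}")
    return f"forall t. pc(t) = {addr} -> {b_part} & " + " & ".join(c_parts)


def initial_state(pc):
    """A constructed machine state: all registers 0, all flags false, memory empty."""
    state = {r: 0 for r in DATA_REGS + ADDR_REGS}
    state.update({f: False for f in FLAGS})
    state.update(pc=pc, mem={})
    return state


def step(state, line):
    """Direct execution of one instruction: the reference the axiom is checked against."""
    addr, mnemonic, ops = parse(line)
    if state["pc"] != addr:
        raise ValueError("the axiom's antecedent pc(t) = A is false in this state")
    new = dict(state)
    if mnemonic == "MOVE":
        new["pc"], new[ops[1]] = state["pc"] + 2, int(ops[0][1:])
        new.update({f: False for f in FLAGS})
    elif mnemonic == "BEQ":
        new["pc"] = state["pc"] + (int(ops[0]) if state["Z"] else 2)
    else:
        raise NotImplementedError(mnemonic)
    return new


def conjunct_holds(c, old, new):
    """Evaluate one conjunct emitted by translate() on states old = t and new = t+1."""
    if m := re.fullmatch(r"\((~?)(\w)flag\(t\) -> pc\(t\+1\) = pc\(t\) \+ (\d+)\)", c):
        cond = old[m.group(2)] != bool(m.group(1))     # flag literal, negated if '~'
        return (not cond) or new["pc"] == old["pc"] + int(m.group(3))
    if m := re.fullmatch(r"pc\(t\+1\) = pc\(t\) \+ (\d+)", c):
        return new["pc"] == old["pc"] + int(m.group(1))
    if m := re.fullmatch(r"([ad]\d)\(t\+1\) = ([ad]\d)\(t\)", c):
        return new[m.group(1)] == old[m.group(2)]
    if m := re.fullmatch(r"([ad]\d)\(t\+1\) = (\d+)", c):
        return new[m.group(1)] == int(m.group(2))
    if m := re.fullmatch(r"~(\w)flag\(t\+1\)", c):
        return not new[m.group(1)]
    if m := re.fullmatch(r"\((\w)flag\(t\+1\) <-> (\w)flag\(t\)\)", c):
        return new[m.group(1)] == old[m.group(2)]
    if c == "forall a. memory(a, t+1) = memory(a, t)":
        return new["mem"] == old["mem"]
    raise ValueError(f"unknown conjunct {c!r}")


def holds(axiom, old, new):
    """Truth of the axiom on the pair (old, new); vacuously true when pc(t) != A."""
    head, body = axiom.split(" -> ", 1)
    if old["pc"] != int(head.rsplit("= ", 1)[1]):
        return True
    return all(conjunct_holds(c, old, new) for c in body.split(" & "))


def check(line, state):
    """Translate, execute directly, and confirm the axiom describes the same step."""
    return holds(translate(line), state, step(state, line))
```

`check("72: BEQ 8", state)` exercises both branches of the two-case B part depending on the zero flag in `state`, and `holds` returns `True` vacuously when the program counter is not at the instruction's address, exactly as the implication in the axiom does. The evaluator deliberately understands only the conjunct shapes the translator emits, so an unexpected conjunct raises rather than being silently accepted.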

Some remarks on the proposed representation are needed: 

— The simplicity of the representation makes evident its correctness, since it is 
very adherent to the description found in the data book. 

— The preprocessor takes care of eliminating the dependency on the system 
architecture. Then the translation procedure transforms a symbolic equiva- 
lent of the memory image of the program into a logical representation which 
is faithful. Thus, the result is really equivalent to what will be executed. 

— The theory of the microprocessor and the output of the translation procedure 
are Harrop theories. 

An important point, anticipated in the introduction, is that the representation naturally imposes a structure on correctness proofs. In fact, in order to prove that the program $P$ has the property $\varphi$, a proof of $\varphi$ which unfolds the possible computations of $P$ is required. The general format of that proof is 

$$\frac{\Gamma, R}{\varphi}$$

where $R$ is the representation of $P$ and $\Gamma$ is a set of assumptions specifying, at least, the initial state before the execution of $P$. 

³ The set of instructions of the MC68000 microprocessor is documented in 

The proof of $\varphi$ from $\Gamma, R$ has a canonical form, since every step in the computation of $P$ can be simulated by a proper application of inference rules; for example, if $\mathit{pc}(t_0) = n$ and $n$ is a location belonging to the program $P$, then the execution of the instruction of $P$ at address $n$ is simulated by the following proof schema 

$$\frac{\mathit{pc}(t_0) = n \qquad \dfrac{\forall t.\ \mathit{pc}(t) = n \to B(t) \wedge C(t)}{\mathit{pc}(t_0) = n \to B(t_0) \wedge C(t_0)}}{B(t_0) \wedge C(t_0)}$$

where $B(t_0)$ gives the possible values of the program counter at time $t_0 + 1$, and $C(t_0)$ computes the values of registers, flags and memory at time $t_0 + 1$.

As soon as no loops are involved, a combination of instances of the preceding 
proof schema and applications of the substitution rule really unfolds any possible 
computation of the program. 

When a loop is present in the program, necessarily there is a branching instruction which assigns a value $n$ to the program counter such that the instruction located at $n$ has already been executed. In this case, when composing instances of the preceding proof schema, a schema of the form 

$$\frac{\Gamma, R, \mathit{pc}(t) = n}{\mathit{pc}(t + k) = n}$$

always appears, which naturally suggests the use of an induction principle. In the case of structured (non-interleaving) cycles, a convenient choice is the bounded chain principle⁴ 

$$\frac{\exists x.\ x < b \wedge P(x) \qquad \begin{array}{c}[p < b],\ [P(p)] \\ \vdots \\ B \vee (\exists y.\ p < y < b \wedge P(y))\end{array}}{B}$$

which is applied instantiating $P(x)$ to $\mathit{pc}(x) = n$, and $B$ to $\exists t.\ \mathit{pc}(t) = m$, where $m$ is the location reached when the loop finishes its execution. The bound $b$ has to be guessed, and corresponds to an upper bound for the computational complexity of the loop.

It is possible to mechanically generate the proof schema which inductively 
unfolds every possible computation of a program; however, the details of this 
construction, whose pieces have been sketched above, and the proof of its adher- 
ence to the microprocessor’s semantics are too complex to be presented here. 

Essential to remark is the fact that a correctness proof schema can be gen- 
erated for a program either in a constructive logical system, or in a classical 
environment. So, in both cases the representation is really meaningful, provid- 
ing a strong guideline in the development of correctness proofs. 

^ This induction schema formalizes a specialization of the descending chain principle 

The importance of being a Harrop theory cannot be appreciated without 
introducing some details on constructive systems. A formal system is said to be 
uniformly constructive when 

— if π is a proof of A ∨ B, then either there is a proof π' of A, or there is a 
proof π' of B, and π' is an instance of a combination of subproofs of π; 

— if π is a proof of ∃x.A(x), then there is a proof π' of A(t), and π' is an 
instance of a combination of subproofs of π. 

When a proof π' is required to be an instance of a combination of subproofs of 
another proof π, it amounts to demanding that the conclusion D of π' is implicitly 
proven by π, or, in other words, that D is in the truth content of π. Actually, 
one can prove that the truth content of a proof can be algorithmically generated, 
see [ref] for details. 

A well-known fact is that, when a set of Harrop axioms is added to a uni- 
formly constructive formal system, the result is another uniformly constructive 
system, see, e.g., [ref]; so the discussed representation preserves the 
applicability of the instruments that make use of the truth content of a correct- 
ness proof to analyze the corresponding program. 

The importance of constructive systems in formal verification appears also 
from the fact that, in a uniformly constructive system, one can assign a compu- 
tational meaning to specifications, as briefly illustrated in the introduction. An 
important consequence of this fact is related to the possibility to extract 
information from correctness proofs by generating the associated truth content, 
and to ensure that the extracted information is enough to symbolically compute 
the program on an input. 

Henceforth, the proposed representation takes a deeper meaning in a con- 
structive framework, where it admits a computational reading which formally 
proves that the representation is faithful. 



3 Compressing the Representation 

The representation of object code as described in the previous section is satis- 
factory for the purposes illustrated in the introduction, but it suffers from being 
quite redundant. 

In fact, most of the information contained in the formula which encodes 
an instruction proves to be useless in practice. For example, considering the 
fragment 

    40: MOVE #7, d0 
    42: ADD #1, d0 
    44: MOVE d0, (a1) 

when a correctness proof is developed, in most cases, the fragment encoding in 
a logical form can be reduced to 

    ∀t. pc(t) = 40 → pc(t + 3) = 46 ∧ d0(t + 3) = 8 ∧ memory(a1(t), t + 3) = 8 

In this section some techniques are presented which can be used to mechan- 
ically compress the logical representation. 

The enveloping technique is based on the fact that compilers produce object 
code with a peculiar structure; in particular, a procedure is compiled in a way 
which can be represented as 

    C 
    E 

the C part is the code which implements the procedure, while the E part, the 
envelope, takes care of retrieving the parameters and returning the result. 

For example, the following function in the C language: 

    int f(int x) 
    { 
        return (x + 1); 
    } 

is compiled by the gcc compiler into the following object code 

     0:  LINK a6, #0        (envelope) 
     2:  MOVE 0(a7), d0     (envelope: parameter retrieval) 
     5:  ADD #1, d0         (body) 
     7:  MOVE d0, -8(a7)    (envelope: result return) 
    10:  UNLK a6            (envelope) 
    12:  RTS                (envelope) 

the parts which constitute the body of the function and its envelope are marked. 

The envelope compression technique takes apart the representation for the 
envelope, proves that it correctly passes through parameters, and proves that it 
correctly returns the result; these proofs are routine and they can be efficiently 
mechanized. In such a way, the human verifier has only to prove that the body 
of the procedure is correct. 

The drawback of the enveloping compression technique is that it requires 
that the object code is organized according to the envelope pattern, which is not 
always the case for human-produced or highly optimized code. 

Very important to remark is the fact that this compression technique does 
not discard information, thus, when applicable, it is safe. 

The analysis of the flow of control of a program is probably the most im- 
portant technique for compressing the logical representation. It is based on the 
grouping of sequential blocks of instructions. 

The algorithm which performs this kind of compression is complex because of 
the amount of details, but its main structure can be described as a transformation 
on graphs: given an assembly program P, a graph is constructed whose nodes are 
the instructions of P and whose directed edges are drawn from an instruction 
I to any instruction J which may be executed just after I. The compression 
of sequential blocks can be formulated as a transformation on this graph which 
collapses two nodes A and B if there is an edge from A to B, and no edges of 
the form A to C, or C to B, for any node C. 

For example, the fragment of code at the beginning of this section, after the 
compression, is represented by the formula 

    ∀t. pc(t) = 40 → pc(t + 3) = pc(t) + 6 ∧ 
        d0(t + 3) = 8 ∧ 
        d1(t + 3) = d1(t) ∧ ... ∧ d7(t + 3) = d7(t) ∧ 
        a0(t + 3) = a0(t) ∧ ... ∧ a7(t + 3) = a7(t) ∧ 
        ¬Vflag(t + 3) ∧ ¬Zflag(t + 3) ∧ 
        ¬Nflag(t + 3) ∧ ¬Cflag(t + 3) ∧ ¬Xflag(t + 3) ∧ 
        memory(a1(t), t + 3) = 8 ∧ 
        ∀x. x ≠ a1(t) → memory(x, t + 3) = memory(x, t). 

An important point about the compression of sequential code is the fact that 
the compressed representation is again a Harrop theory, thus preserving uniform 
constructivity and, more generally, the benefits of the chosen representation. 

Moreover, the algorithm which generates the compressed representation can 
be easily employed to compute a proof schema for the program, starting from 
the general correctness proof schema and reducing it to use just the compressed 
representation. 

However, although the compression of sequential code does not reduce the 
amount of information about what the original program computes, it destroys 
the information on the order in which sequential computations are performed. 
Occasionally this matters, especially when dealing with safety properties. Nev- 
ertheless, if φ is a formula which does not contain explicit references to values of 
time not appearing in the compressed representation, and, moreover, if φ does 
not contain existentially quantified subformulas over time variables, then the 
following theorem holds in CL (classical first-order logic): 

Theorem 1. Let R be the theory which contains the representation of a program 
P, let Rc be the theory containing the representation of P where sequential blocks 
are compressed, and let φ be a formula as above; then, if CL, R, Γ ⊢ φ, then 
CL, Rc, Γ ⊢ φ. 

This theorem constitutes a preservation result for a large subclass of liveness 
specifications, remarking the importance of the compression algorithm. The 
proof of the theorem is laborious, so it is omitted for the sake of brevity; it is 
based on the subformula property of the normalization theorem for CL. 

The previous theorem can be strengthened when working in a constructive 
system which contains the intuitionistic logic plus the Kuroda principle: in that 
case, in fact, the formula φ is required not to contain explicit references to values 
of time not appearing in the compressed representation, and φ is required not 
to contain an occurrence of an existentially quantified subformula ∃t. A(t) over 
a time variable t, unless the witness A(t) appearing in the truth content of 
IL, R, Γ ⊢ φ meets the conditions on φ, too.^ In practice, most of the times, it 
is evident from the program that a witness A(t) exists and that t is in the time 
domain of the compressed representation. 

The analysis of the flow of control of a program naturally gives rise to 
another compression technique: the idea is to maintain in the representation just 
what is or was or will be changed inside the program. In practice, the equalities 
stating that a register (memory cell, flag) retains the same value, since it is neither 
read nor written by the program, are deleted from the representation. 

The algorithm which performs the compression of equalities is a variant of 
the algorithm which compresses sequential blocks. In fact, it is modeled by a 
transformation on a labelled version of the graph of a program as previously 
defined. Let G be the graph associated to the program P; every node N is labelled 
with the set C_N of registers, flags and memory cells that are changed by the 
execution of the instruction the node represents; moreover, every node N of G 
is labelled with the set R_N of registers, flags and memory cells which are read 
by the instruction in N, that is, the registers, flags and cells which are on the 
right-hand side of equalities whose left-hand side is in C_N. The transformation 
that performs the compression operates as follows: let N and M be two nodes 
connected by an arc from N to M; the labels of N are updated as 

    C'_N = C_N ∪ R_M    and    R'_N = R_N ∪ (R_M \ C_N). 

The least fixed point of this transformation produces a graph G* such that, for 
every node N in G*, the label C_N contains exactly the left-hand sides of the 
equalities which must be retained in the compressed representation of the 
instruction associated with N. 

Furthermore, the two compression techniques derived from the analysis of 
the flow of control may be combined in a single compression algorithm. In the 
example from the beginning of this section, the combined algorithm produces 

    ∀t. pc(t) = 40 → pc(t + 3) = 46 ∧ d0(t + 3) = 8 ∧ memory(a1(t), t + 3) = 8 

for the whole sequential block. 
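The three transformations described above, the collapse of sequential blocks, the read/write label fixpoint of the compression of equalities, and their combination, worked out as an added Python example; this is not the paper's implementation (the authors give none). The instruction set is a constructed toy: each instruction lists by hand its successor addresses and the objects (registers, flags, memory cells) it reads and writes, so no MC68000 decoder is needed. The names Instr, sequential_blocks, retained_objects and compress are the example's own; a successor outside the fragment (address 46 below) is assumed to read nothing. The loop program is constructed to show that a branch target with two in-edges stays a block head, as the text says it must.

```python
# Added example (not the paper's own implementation): the two flow-of-control
# compressions of Section 3, the collapse of sequential blocks and the read/write
# label fixpoint of the compression of equalities, on a constructed toy instruction
# set. Each instruction lists its successors and the objects (registers, flags,
# memory cells) it reads and writes by hand; no MC68000 decoder is assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Instr:
    addr: int
    text: str
    succs: tuple        # addresses of the instructions that may execute just after
    reads: frozenset    # objects on the right-hand side of its equalities (R_N)
    writes: frozenset   # objects changed by executing it (the initial C_N)


def predecessors(graph):
    """Reverse the successor relation: address -> set of addresses leading to it."""
    preds = {a: set() for a in graph}
    for ins in graph.values():
        for s in ins.succs:
            preds.setdefault(s, set()).add(ins.addr)
    return preds


def sequential_blocks(graph):
    """Collapse A and B when A -> B is an edge, A has no other out-edge and B no
    other in-edge. Returns the blocks as address lists in execution order."""
    preds = predecessors(graph)

    def mergeable(a, b):
        return b in graph and graph[a].succs == (b,) and preds[b] == {a}

    # a block head is a node that cannot be merged into any of its predecessors
    heads = [a for a in sorted(graph) if not any(mergeable(p, a) for p in preds[a])]
    blocks, seen = [], set()
    for h in heads:
        block, cur = [h], h
        seen.add(h)
        while graph[cur].succs and mergeable(cur, graph[cur].succs[0]) \
                and graph[cur].succs[0] not in seen:
            cur = graph[cur].succs[0]
            block.append(cur)
            seen.add(cur)
        blocks.append(block)
    # nodes on a closed single-in/single-out cycle have no head: keep them single
    blocks += [[a] for a in sorted(graph) if a not in seen]
    return blocks


def retained_objects(graph):
    """Least fixed point of C'_N = C_N ∪ R_M and R'_N = R_N ∪ (R_M \\ C_N) over
    every edge N -> M. C_N is the set of objects whose equalities node N keeps."""
    C = {a: set(ins.writes) for a, ins in graph.items()}
    R = {a: set(ins.reads) for a, ins in graph.items()}
    changed = True
    while changed:
        changed = False
        for n, ins in graph.items():
            for m in ins.succs:
                if m not in graph:          # successor outside the fragment: no reads (assumption)
                    continue
                new_c, new_r = C[n] | R[m], R[n] | (R[m] - C[n])
                if new_c != C[n] or new_r != R[n]:
                    C[n], R[n], changed = new_c, new_r, True
    return {a: frozenset(s) for a, s in C.items()}


def compress(prog):
    """Both compressions combined: (sequential blocks, retained objects per address)."""
    graph = {ins.addr: ins for ins in prog}
    return sequential_blocks(graph), retained_objects(graph)


FLAGS = frozenset({"N", "Z", "V", "C", "X"})

# The fragment from the beginning of Section 3; its successor 46 is outside it.
STRAIGHT = [
    Instr(40, "MOVE #7,d0", (42,), frozenset({"pc"}), frozenset({"pc", "d0"})),
    Instr(42, "ADD #1,d0", (44,), frozenset({"pc", "d0"}), frozenset({"pc", "d0"}) | FLAGS),
    Instr(44, "MOVE d0,(a1)", (46,), frozenset({"pc", "d0", "a1"}),
          frozenset({"pc", "mem[a1]"}) | FLAGS),
]

# A constructed counting loop: the branch target 102 has two in-edges.
LOOP = [
    Instr(100, "MOVE #3,d1", (102,), frozenset({"pc"}), frozenset({"pc", "d1"})),
    Instr(102, "SUB #1,d1", (104,), frozenset({"pc", "d1"}), frozenset({"pc", "d1", "Z"})),
    Instr(104, "BNE 102", (102, 106), frozenset({"pc", "Z"}), frozenset({"pc"})),
    Instr(106, "RTS", (), frozenset({"pc"}), frozenset({"pc"})),
]

if __name__ == "__main__":
    for prog in (STRAIGHT, LOOP):
        blocks, kept = compress(prog)
        print("blocks:", blocks)
        for ins in prog:
            print(f"  {ins.addr}: {ins.text:14s} keeps {sorted(kept[ins.addr])}")
```

On the straight-line fragment the whole fragment becomes one block and the MOVE at 40 must retain a1, because the store at 44 reads it; on the loop the branch at 104 retains d1, because the instruction it jumps back to reads it. The toy keeps the flags written by ADD in C_N because nothing in the fragment says they are dead, whereas the page's final formula drops them; which flags survive depends on what the code after the fragment reads, which this example does not model.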

As before, the result of the compression of equalities, as well as the result of 
the combined algorithm, is a Harrop theory, thus preserving the significance of the 
representation. Moreover, as before, a correctness proof schema for the program 
can be generated by the compression algorithm. 

On the other hand, the compression of equalities discards more information 
than the compression of sequential blocks, and, as a result, the previous preserva- 
tion theorem does not hold anymore. Still, there is a characterization of formulas 
whose provability is preserved under the compression of equalities. However, the 
combined compression algorithm is usually preferred, hence a preservation result 
for the single compression technique is not shown, in favor of a characterization 
of the formulas preserved by the combined transformation. 

^ Being constructive, the system guarantees the appearance of such a witness in the 
truth content of the proof, see [ref]. 

Let φ be a formula such that: 

1. it does not contain explicit references to values of time not appearing in the 
compressed representation; 

2. it does not contain occurrences of timed registers, timed flags and timed 
memory locations not appearing in the compressed representation; 

3. it does not contain existentially quantified subformulas over a time variable; 

then, the following preservation theorem holds 

Theorem 2. Let R be the theory which contains the representation of a program 
P, let Rc be the theory containing the representation of P compressed according 
to the combined algorithm, and let φ be a formula as above; then, if CL, R, Γ ⊢ φ, 
then CL, Rc, Γ ⊢ φ. 

The proof follows the same pattern as the previous preservation result, thus, it 
heavily uses the subformula property and the normalization theorem for CL. 
As in the previous case, the conditions on φ can be relaxed in Kuroda logic, 
allowing existentially quantified subformulas on time, whose witnesses are in the 
time domain of the compressed representation. 

It is evident that the class of formulas whose provability is preserved by the 
combined algorithm is a proper subclass of those preserved by the compres- 
sion of sequential blocks. In this respect, the combined algorithm is stronger, as 
remarked before. 

On the other hand, it should be clear that the class of formulas preserved 
by the combined algorithm is natural, since the requirements it has to satisfy 
is, intuitively, that the formulas do not contain references to objects (registers, 
flags, memory cells and times) which have been discarded in the compression 
process. 

An apparently interesting variation on the previous combined algorithm is 
given by considering a specification S of the form ∃t. pc(t) = x ∧ A, which con- 
stitutes a usual pattern for liveness properties, and compressing the code with 
respect to S, that is, keeping in the representation only the objects (registers, 
flags and memory cells) which are referred to in S. 

The algorithm which computes a compressed representation for a program 
P according to this requirement is a variant of the algorithm which performs 
the compression of equalities: being G the labelled graph for the program P 
constructed as above, being S the specification, which, by assumption, has the 
form ∃t. pc(t) = x ∧ A, and calling N the node corresponding to the instruction 
at the address x, a new labelled graph G' is constructed, where G' is equal to 
G except for the node N, where the label C_N is substituted with the set of all 
registers, flags and memory cells occurring in S. The result of the compression 
algorithm is the result of running the combined compression procedure on G'. 

It is evident that the result is a representation which is the minimal one 
computing just the values mentioned in the specification. But the resulting rep- 
resentation may be (and it is often the case) too poor to allow to prove the 
specification itself. 
In fact, no natural preservation result is known at the moment, and 
there is the strong belief that no reasonable preservation theorem can be proven. 
In fact, characterizing the class of formulas whose provability is preserved by this 
kind of compression procedure appears to be hopeless. However, it is possible to 
describe some restricted classes of formulas which enjoy the mentioned preser- 
vation property, but none of them is significantly large, or representative of a 
wide class of specifications. 

However, although in general the previous claim holds, in a constructive 
setting some preliminary results give some hope. Precisely, a compression algorithm 
which operates as above, but takes additional information on unsuccessful proof 
attempts into account, is currently being studied. This approach uses information 
extraction algorithms on a partial proof, the failed attempt, to analyze the 
lack of information which prevented the completion of the correctness proof. 
The lacking information, which is part of the full representation of the program, 
is added to the set of objects the compression algorithm has to retain, and 
the partial correctness proof is redone, up to the point where it failed; since 
new information is available, new inference steps can be performed, and more 
chances for a success are gained. Unfortunately, no definitive result on what is 
preserved by this approach is currently available. 

4 Conclusions 

In this paper a simple way to represent object code programs has been intro- 
duced, and it has been made clear that it is suitable for mechanization. Moreover, 
the chosen representation can be compressed with various techniques, without 
affecting the provability of wide classes of specifications. 

The novelty of the contribution lies in three points: 

1. A general proof schema for correctness proofs can be generated along with 
the representation. It corresponds to a proof by induction on the paths of 
computation of the represented program. 

2. The provability in both classical and Kuroda logic of a wide class of specifi- 
cations is not affected by two important compressions of the representation 
of a program. 

3. In a proper constructive framework, the addition of the theory of the micro- 
processor and the theory containing the program representation generates 
an enlarged logical system which is still constructive. Moreover, in a con- 
structive system the preservation results on the compression algorithms can 
be slightly extended. 

About the last point, it is worth remarking that, although constructive sys- 
tems are not usually employed in formal verification, most correctness proofs 
have a constructive flavor, because this is what a human reader asks for to 
be convinced by the proof itself. More important, proving techniques based on 
constructive methods allow deeper kinds of analysis of the resulting correctness 
proofs, as discussed in [ref]. Thus the presented work is also a first effort to 
introduce these novel techniques to the formal verification community. 



Abstract. Boolean circuits offer a natural, structured, and compact 
representation of Boolean functions for many application domains. In this 
paper a tableau method for solving satisfiability problems for Boolean cir- 
cuits is devised. The method employs a direct cut rule combined with de- 
terministic deduction rules. Simplification rules for circuits and a search 
heuristic attempting to minimize the search space are developed. Ex- 
periments in symbolic model checking domain indicate that the method 
is competitive against state-of-the-art satisfiability checking techniques 
and a promising basis for further work. 



1 Introduction 

Propositional satisfiability checkers have been applied successfully to many in- 
teresting domains such as planning and model checking of finite state sys- 
tems. The success has built on recent significant advances in the perfor- 
mance of SAT checkers based both on stochastic local search algorithms and on 
complete systematic search. 

In this paper we are interested in developing SAT checking methodology 
especially for symbolic model checking purposes. Most work on symbolic model 
checking has been based on binary decision diagrams (BDDs). However, 
BDD-based methods suffer from the fact that a BDD representation of a Boolean 
expression can require exponential space. Recent research has shown that this 
problem can be overcome by using state-of-the-art SAT checking methods which 
work in polynomial space in the size of the input. 

Most successful satisfiability checkers assume that the input formulae are in 
conjunctive normal form (CNF). This sometimes makes efficient modeling of an 
application challenging because natural non-clausal formalizations can lead to 
significant blow-up when the formulae are transformed to CNF. An example of 
the CNF transformation problem is a formula of the form 

    (P1 ∧ Q1) ∨ ··· ∨ (Pn ∧ Qn) 

whose equivalent CNF is of exponential size. If it is enough to preserve satisfia- 
bility, the size of the CNF can be decreased to linear by introducing a new atom 
for each conjunction and transforming the formula to 

    (R1 ∨ ··· ∨ Rn) ∧ (R1 ↔ (P1 ∧ Q1)) ∧ ··· ∧ (Rn ↔ (Pn ∧ Qn)) 

whose CNF is 

    (R1 ∨ ··· ∨ Rn) ∧ ··· ∧ (Rn ∨ ¬Pn ∨ ¬Qn) ∧ (¬Rn ∨ Pn) ∧ (¬Rn ∨ Qn). 

Notice, however, that now the number of atomic formulae has increased by n 
and the search space (and running time) of typical SAT checkers could increase 
exponentially. 
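The two translations compared above, worked out as an added Python example that is not part of the paper: the distributed CNF with 2^n clauses, the satisfiability-preserving translation with the fresh atoms R1, ..., Rn, and a brute-force check that the two stay equisatisfiable under the same unit constraints. The atom names P, Q and R are the paper's; the string encoding of literals and the function names are constructed for this example.

```python
# Added example, not from the paper: the CNF blow-up of (P1 ∧ Q1) ∨ ... ∨ (Pn ∧ Qn)
# versus the linear, satisfiability-preserving translation with a fresh atom Ri
# for each conjunction. Literals are strings, negation is a leading "-"; the atom
# names P/Q/R are the paper's, the encoding is constructed for this example.
from itertools import product


def direct_cnf(n):
    """Equivalent CNF obtained by distributing ∨ over ∧: one clause for every
    way of picking Pi or Qi from each conjunct, so 2^n clauses of n literals."""
    return [[f"{side}{i}" for i, side in zip(range(1, n + 1), pick)]
            for pick in product("PQ", repeat=n)]


def linear_cnf(n):
    """Equisatisfiable CNF of 3n + 1 clauses: (R1 ∨ ... ∨ Rn) plus, for each i,
    the three clauses of Ri <-> (Pi ∧ Qi)."""
    clauses = [[f"R{i}" for i in range(1, n + 1)]]
    for i in range(1, n + 1):
        clauses.append([f"R{i}", f"-P{i}", f"-Q{i}"])   # (Pi ∧ Qi) -> Ri
        clauses.append([f"-R{i}", f"P{i}"])              # Ri -> Pi
        clauses.append([f"-R{i}", f"Q{i}"])              # Ri -> Qi
    return clauses


def atoms(cnf):
    return sorted({lit.lstrip("-") for clause in cnf for lit in clause})


def satisfiable(cnf):
    """Brute force over all assignments; fine for the small instances used here."""
    names = atoms(cnf)
    for bits in product((False, True), repeat=len(names)):
        val = dict(zip(names, bits))
        # a literal holds when its atom's value differs from "is negated"
        if all(any(val[l.lstrip("-")] != l.startswith("-") for l in clause)
               for clause in cnf):
            return True
    return False


def sizes(n):
    """((clauses, atoms) of the direct CNF, (clauses, atoms) of the linear CNF)."""
    d, l = direct_cnf(n), linear_cnf(n)
    return (len(d), len(atoms(d))), (len(l), len(atoms(l)))
```

For n = 4 the direct CNF has 16 clauses over 8 atoms and the linear one 13 clauses over 12 atoms; forcing every Pi false makes both unsatisfiable, which is the equisatisfiability the text relies on, while the n extra atoms are exactly what enlarges the search space of a CNF-based checker.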

In this paper we study an alternative approach to solving propositional sat- 
isfiability problems which is not based on representing the input in CNF but as 
a Boolean circuit. This allows a compact and natural representation in many do- 
mains. Using Boolean circuits as the input format makes it possible to simplify 
the representation by sharing common subexpressions and by preserving natural 
structures and concepts of the domain. 

Our idea is to combine advantages of a compact representation based on 
Boolean circuits and polynomial space requirements of CNF-based search pro- 
cedures and devise a satisfiability checking algorithm for Boolean circuits, i.e., a 
procedure for finding truth assignments for a circuit given some constraints on 
its output values or for determining that none such exists. 

There is a lot of previous research on theorem proving and satisfiability check- 
ing methods working with arbitrary (non-clausal) formulae. The work is mainly 
based on tableaux and sequent calculi; see e.g. [ref] for a technique to make this 
approach more amenable to real applications using simplification methods. A 
commercial SAT-checking system, Prover, is also working with non-CNF in- 
put. Also SAT checking systems basically working with CNF input have been 
extended to handle more general formulae. This has been done both for complete 
SAT checkers, e.g. in [ref], as well as for local search methods. 

In this paper we develop a tableau method that works directly with Boolean 
circuits. Instead of standard (cut free) tableau techniques we employ a direct cut 
rule combined with deterministic (non-branching) deduction rules. The aim is to 
achieve high performance and to avoid some computational problems in cut free 
tableaux. In order to make the method more efficient we devise simplification 
rules and a search heuristic which attempts to minimize the search space of the 
algorithm. The heuristic is inspired by the search technique used in a system 
for computing stable models. Experimental results indicate that the cut- 
based tableau method combined with suitable deduction and simplification rules 
and the search space minimizing heuristic has promising performance, e.g., in 
symbolic model checking applications. 

The rest of the paper is structured as follows. We start by introducing 
Boolean circuits. Then we develop a tableau method for circuits. In Section 3 
we identify transformation rules for simplifying circuits and then we describe an 
experimental implementation of the tableau method. The section after that provides 
a simple translation of circuits to CNF used in the experiments presented in the 
following section where our tableau method is compared to state-of-the-art 
satisfiability checkers using symbolic model checking benchmarks. 



Towards an Efficient Tableau Method 



2 Boolean Circuits 

A Boolean circuit C is an acyclic directed graph where the nodes are called the 
gates of C. The gates with no outgoing edges are the output gates and the gates 
with no incoming edges and no Boolean function are the input gates of C. Each 
non-input gate is associated with a Boolean function and “calculates” its value 
from the values of its children. In this paper we represent Boolean circuits as 
Boolean equation systems. Such systems offer a convenient way of writing down 
circuits and of describing transformations on them. For more on Boolean circuits, 
see e.g. [ref]. 

Given a finite set V of Boolean variables, a Boolean equation system (a system 
for short) S over V is a set of equations of the form v = f(v1, ..., vk), where 
v, v1, ..., vk ∈ V and f is an arbitrary Boolean function. Boolean circuits can be 
seen as Boolean equation systems of a certain form where each variable has at 
most one equation and the equations are not recursive. More precisely this can 
be characterized as follows. Given a Boolean equation system S over V such that 
for each variable v ∈ V there is at most one equation in S, we define the directed 
graph G(S) = (V, E), where E = {(v', v) | v = f(..., v', ...) ∈ S} ⊆ V × V. The 
graph G(S) describes the variable dependencies in S and if G(S) is acyclic, then 
G(S) can be seen as a Boolean circuit. See Fig. 1 for an example. The variables 
of S correspond to the gates of the circuit and the variables for which there is 
no equation are the input gates of the circuit. A variable defined by an equation 
of form v = T (v = ⊥) in turn corresponds to a constant gate “true” (“false”). 




Fig. 1. A system over {v1, ..., v6} and the corresponding Boolean circuit. 



A truth valuation for S is a function τ : V → {true, false}. Valuation τ is 
consistent if τ(v) = f(τ(v1), ..., τ(vk)) holds for each equation v = f(v1, ..., vk) 
in S. A system S is satisfiable if there exists a consistent valuation for it. The 
question of whether a system is satisfiable is obviously an NP-complete prob- 
lem under the plausible assumption that each Boolean function appearing in 
the system can be computed in deterministic polynomial time. However, note 
that each Boolean equation system describing a Boolean circuit has exactly 2ⁿ 
consistent truth assignments, where n is the number of input gates in the cir- 
cuit (the system only describes the structure of the circuit). Therefore, in case 
of Boolean circuits, we are interested in the constrained satisfaction problem: 
given that variables in c⁺ ⊆ V must be true and those in c⁻ ⊆ V false (the con- 
straints), is there a consistent valuation that respects these constraints? Again, 
this is obviously an NP-complete problem. 

In the rest of the paper we consider the class of Boolean circuits where the 
following Boolean functions are allowed in the gates (equations). 

— T (a constant function) is always true. The constant ⊥ is always false. 

— equiv(v1, ..., vn) = true iff all vi, 1 ≤ i ≤ n, are true or all vi, 1 ≤ i ≤ n, are 
false. 

— or(v1, ..., vn) = true iff at least one vi, 1 ≤ i ≤ n, is true. 

— and(v1, ..., vn) = true iff all vi, 1 ≤ i ≤ n, are true. 

— even(v1, ..., vn) = true iff an even number of the vi, 1 ≤ i ≤ n, are true. 

— odd(v1, ..., vn) = true iff an odd number of the vi, 1 ≤ i ≤ n, are true. 

— not(v) = true iff v is not true. 



3 A Tableau Method 

In this section we develop a tableau method for solving satisfiability problems for 
constrained Boolean circuits. A straightforward approach would be to interpret 
each equation v = f(v1, ..., vk) as an equivalence v ↔ f(v1, ..., vk). We could 
thus use a traditional tableau method by setting (i) for each equation v = 
f(v1, ..., vk) in S an entry T(v ↔ f(v1, ..., vk)) and (ii) for each constraint 
v ∈ c⁺ (v ∈ c⁻) an entry Tv (Fv) in the tableau root and then applying the 
standard tableau rules. 

However, standard (cut free) tableau methods suffer from some computa- 
tional problems. In order to overcome these we use a tableau system that has 
an explicit cut rule while all the rest of the rules are deterministic. The basic rules 
are shown in Fig. 2. Note that the versions of rules obtained by commutativity 
of the operations are not shown, e.g., the following is a rule: 

    v = odd(v1, ..., vk), Tv1, ..., Tvj-1, Tvk, Fvj, ..., Fvk-1, j is even ⟹ Fv 

Given a system S, the root of the tableau consists of the equations in S and the 
constraints. The rules appearing in Fig. 2 are then applied as in the standard 
tableau method. A branch in the tableau is contradictory if it contains both Fv 
and Tv entries for a variable v ∈ V. A branch is complete if it contains an Fv 
or Tv entry for each v ∈ V and no application of rules in Fig. 2(b)-(f) leads to 
contradiction. 

Theorem 1. The above tableau system is sound and complete in the sense that 
a complete branch gives a satisfying truth assignment for S while the absence of 
a complete branch indicates that the system is unsatisfiable. 
Fig. 2. Basic rules. Each rule is written premises ⟹ conclusion; a premise of the 
form v = f(...) is an equation of S. 

(a) The explicit cut rule: 
    v ∈ V ⟹ Tv | Fv 

(b) Constant rules: 
    v = T ⟹ Tv 
    v = ⊥ ⟹ Fv 

(c) Negation rules: 
    v = not(v1), Fv1 ⟹ Tv 
    v = not(v1), Tv1 ⟹ Fv 

(d) “Up” rules for or and and: 
    v = or(v1, ..., vk), Fv1, ..., Fvk ⟹ Fv 
    v = and(v1, ..., vk), Tv1, ..., Tvk ⟹ Tv 
    v = or(v1, ..., vk), Tvi, i ∈ {1, ..., k} ⟹ Tv 
    v = and(v1, ..., vk), Fvi, i ∈ {1, ..., k} ⟹ Fv 

(e) “Up” rules for equiv: 
    v = equiv(v1, ..., vk), Tv1, ..., Tvk ⟹ Tv 
    v = equiv(v1, ..., vk), Fv1, ..., Fvk ⟹ Tv 
    v = equiv(v1, ..., vk), Tvi, Fvj, i, j ∈ {1, ..., k} ⟹ Fv 

(f) “Up” rules for even and odd: 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk, j is even ⟹ Tv 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk, j is odd ⟹ Fv 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk, j is odd ⟹ Tv 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk, j is even ⟹ Fv 



Notice that for Boolean circuits it would be sufficient to apply the cut rule to 
the input gates only: other gates are functionally fully dependent on input (and 
constant) gates. Therefore the values of all gates can be evaluated by using the 
rules in Fig. 2(b)-(f) once the values of input gates are assigned. 

The size of a tableau depends essentially on the branching of the tableau, i.e., 
on the number of times that the cut rule in Fig. 2(a) is applied. In order to avoid 
the use of the cut rule we devise a set of additional rules which complement the 
basic rules. These rules, given in Fig. 3, can be used in the tableau construction 
without affecting its soundness or completeness. In the following, the rules in 
Fig. 2(b)-(f) and Fig. 3 are called the deterministic deduction rules. 
Fig. 3. Additional deduction rules (premises ⟹ conclusion). 

(a) “Down” rules for not: 
    v = not(v1), Tv ⟹ Fv1 
    v = not(v1), Fv ⟹ Tv1 

(b) “Down” rules for or, and and equiv: 
    v = or(v1, ..., vk), Fv ⟹ Fv1, ..., Fvk 
    v = and(v1, ..., vk), Tv ⟹ Tv1, ..., Tvk 
    v = equiv(v1, ..., vk), Tvi, i ∈ {1, ..., k}, Tv ⟹ Tv1, ..., Tvk 
    v = equiv(v1, ..., vk), Fvi, i ∈ {1, ..., k}, Tv ⟹ Fv1, ..., Fvk 

(c) “Last undetermined child” rules for or, and and equiv: 
    v = or(v1, ..., vk), Fv1, ..., Fvk-1, Tv ⟹ Tvk 
    v = and(v1, ..., vk), Tv1, ..., Tvk-1, Fv ⟹ Fvk 
    v = equiv(v1, ..., vk), Tv1, ..., Tvk-1, Tv ⟹ Tvk 
    v = equiv(v1, ..., vk), Tv1, ..., Tvk-1, Fv ⟹ Fvk 
    v = equiv(v1, ..., vk), Fv1, ..., Fvk-1, Tv ⟹ Fvk 
    v = equiv(v1, ..., vk), Fv1, ..., Fvk-1, Fv ⟹ Tvk 

(d) “Last undetermined child” rules for even and odd: 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is even, Tv ⟹ Fvk 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is even, Fv ⟹ Tvk 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is odd, Tv ⟹ Tvk 
    v = even(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is odd, Fv ⟹ Fvk 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is odd, Tv ⟹ Fvk 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is odd, Fv ⟹ Tvk 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is even, Tv ⟹ Tvk 
    v = odd(v1, ..., vk), Tv1, ..., Tvj, Fvj+1, ..., Fvk-1, j is even, Fv ⟹ Fvk 
Example 1. Consider the circuit in Fig. 1 and the constrained satisfaction prob- 
lem where variable v1 must be true. Below is a tableau solving this problem 

    1. v1 = and(v2, v3) 
    2. v2 = not(v4) 
    3. v3 = or(v4, v5, v6) 
    4. v6 = ⊥ 
    5. Tv1 
    6. Fv6 (4) 

    left branch:              right branch: 
    7. Tv4 (cut)              8. Fv4 (cut) 
    9. Fv2 (2,7)              11. Tv2 (2,8) 
    10. Fv1 (1,9)             12. Tv3 (1,5,11) 
    × (5,10)                  13. Tv5 (3,6,8) 

where expressions 1-4 represent the circuit and expression 5 the constraint. For 
each other expression we give in parentheses the expressions from which it is 
derived using the tableau rules. Notice that the left hand branch (1-7,9,10) is 
contradictory and does not provide a solution but the right hand branch (1- 
6,8,11-13) is complete and yields a satisfying truth assignment where τ(v1) = 
τ(v2) = τ(v3) = τ(v5) = true and τ(v4) = τ(v6) = false. 



The use of the cut rule can be further limited by employing stronger determin-
istic deduction rules. There is an interesting trade-off between the computational
complexity involved in implementing a deduction rule and its ability to derive
further truth values. We consider as an interesting compromise a deduction rule
that we call one-step lookahead.

One-Step Lookahead: Consider a branch B and an expression Tv (Fv). If a
complementary pair of variables Tw, Fw can be derived using the determin-
istic deduction rules from B ∪ {Tv} (from B ∪ {Fv}), deduce Fv (Tv).

For instance, in the example above one-step lookahead could be applied to the
branch containing expressions 1-6 and for Tv4. Now Tv1, Fv1 can be derived
and, hence, Fv4 can be deduced. After that the branch can be completed us-
ing the deterministic deduction rules and a solution is found without any cuts
(branching). The one-step lookahead rule is similar to the failed literal rule
in Davis-Putnam procedures for CNF satisfiability checking and the lookahead
rule in the Smodels system for computing stable models. Notice that examining
whether the lookahead rule is applicable for a given expression Tv (Fv) can be
done in linear time in the size of the branch (given appropriate implementation
techniques). Hence, determining the applicability of the rule is more expensive
than for the other deterministic deduction rules. However, the lookahead rule
is quite powerful in decreasing the number of cut rule applications needed to
determine the existence of a solution. Experimental results indicate that often
the additional overhead is worth the effort.
4 Satisfiability Preserving Simplifications

In order to simplify the structure of a circuit, some efficiently implementable,
simple satisfiability preserving simplifications can be applied to a circuit. Actu-
ally, some of these simplifications require that the value of a gate is assigned and
should thus be applied to a constrained circuit (where Tv and Fv provide the
information).

1. Common subexpressions can be shared, i.e., if a system has two similar equa-
tions, v = f(v1, ..., vk) and v' = f(v1, ..., vk), then v' = f(v1, ..., vk) can
be removed from the system and all the occurrences of v' are substituted
with v.

2. If a gate has a child whose value is determined, the connection to the child can
be removed by the rewriting rules shown in Fig. 4(b)-(c). Figure 4 also shows
some other simplification rewriting rules. One simplification that deserves
special attention is the "input gate under true equivalence" simplification in
Fig. 4(d). It can detect that an input gate is functionally fully dependent on
other gates and removes it.

3. A cone of influence reduction can be performed: if a variable is not con-
strained and no other equation refers to it (i.e. it is an output gate in the
circuit), it can be removed, that is, gates that cannot influence constrained
gates can be removed.



5 An Experimental Implementation

We have made an experimental implementation called BCSat of the tableau
method described in Sec. 3 for Boolean circuits. In the following we briefly discuss
the implementation.

After parsing in the circuit, some simple preprocessing steps are applied to it.
First, we set the constraints in the tableau root. We then apply the deterministic
deduction rules, one-step lookahead and the satisfiability preserving simplifica-
tions of Sec. 4 until nothing new can be deduced. Naturally, if any step here leads
to a contradiction, the circuit is unsatisfiable and the procedure is stopped.

After this the tableau is built one branch at a time using a chronological
backtracking procedure. At each search level, we first apply the deterministic
rules and the one-step lookahead rule as long as they produce new information.
We then choose the next undetermined cut variable for which the cut rule is
applied, after which the search branches to the next level. The cut variable is
selected by using the following heuristic. For each undetermined variable v the
following question is considered: if v is set to false (true), how many values of
other undetermined variables can be deduced by using the deterministic rules?
Call these numbers the deduction counts of v for false and for true, respectively.
A variable for which the smaller of its two deduction counts is largest is then
selected as the cut variable. The reasoning behind this choice of cut variable is
that choosing a maximum of the minimum minimizes the sum of the remaining
search space (the number of still possible variable assignments) left
Fig. 4. Satisfiability preserving simplification rewriting rules for constrained cir-
cuits (an equation of form v = v' means that occurrences of v are substituted
with v'). Each rule is written as "before  =>  after".

(a) Simplification rules for 0-ary and 1-ary gates
    v = or()     =>  v = ⊥          v = and(v')    =>  v = v'
    v = and()    =>  v = ⊤          v = or(v')     =>  v = v'
    v = equiv()  =>  v = ⊤          v = equiv(v')  =>  v = ⊤
    v = even()   =>  v = ⊤          v = even(v')   =>  v = not(v')
    v = odd()    =>  v = ⊥          v = odd(v')    =>  v = v'

(b) "Determined child" simplification rules for or, and, even and odd
    v = or(v1, ..., vi-1, vi, vi+1, ..., vk), Fvi    =>  v = or(v1, ..., vi-1, vi+1, ..., vk), Fvi
    v = or(v1, ..., vi-1, vi, vi+1, ..., vk), Tvi    =>  v = ⊤, Tvi
    v = and(v1, ..., vi-1, vi, vi+1, ..., vk), Tvi   =>  v = and(v1, ..., vi-1, vi+1, ..., vk), Tvi
    v = and(v1, ..., vi-1, vi, vi+1, ..., vk), Fvi   =>  v = ⊥, Fvi
    v = even(v1, ..., vi-1, vi, vi+1, ..., vk), Fvi  =>  v = even(v1, ..., vi-1, vi+1, ..., vk), Fvi
    v = even(v1, ..., vi-1, vi, vi+1, ..., vk), Tvi  =>  v = odd(v1, ..., vi-1, vi+1, ..., vk), Tvi
    v = odd(v1, ..., vi-1, vi, vi+1, ..., vk), Fvi   =>  v = odd(v1, ..., vi-1, vi+1, ..., vk), Fvi
    v = odd(v1, ..., vi-1, vi, vi+1, ..., vk), Tvi   =>  v = even(v1, ..., vi-1, vi+1, ..., vk), Tvi

(c) A "determined child" simplification rule for equiv
    v = equiv(v1, ..., vi-1, vi, vi+1, ..., vk), Tvi  =>  v = and(v1, ..., vi-1, vi+1, ..., vk), Tvi

(d) "Input gate under true equivalence" simplification
    v = equiv(v1, v2, ..., vn), Tv, v1 is an input gate, v2 is an input or a constant gate
      =>  v = equiv(v2, ..., vn), Tv, v1 = v2

(e) Double negation and "v/~v" simplifications
    v = not(v'), v' = not(v'')                      =>  v = v'', v' = not(v'')
    v = and(..., v', ..., v1, ...), v1 = not(v')    =>  v = ⊥, v1 = not(v')
    v = or(..., v', ..., v1, ...), v1 = not(v')     =>  v = ⊤, v1 = not(v')
in both search branches: if the number of undetermined variables is N, then after
the cut and the deterministic rules the search space left is the sum, over the two
branches, of 2 raised to the power (N minus one minus the deduction count of
that branch). This is minimized by our heuristic and we have thus chosen a
balancing heuristic rather than a greedy one. As a small improvement we do not
count determined not-gates in either deduction count, since not is a fully
deterministic operation w.r.t. its only argument. Our experiments so far indicate
that counting all the variables when computing the deduction counts leads to
smaller tableaux than when considering only the undetermined input variables.

The lookahead and the computation of the deduction counts are implemented
simply by first assigning an undetermined variable v to false and then applying
the deterministic rules. The number is then stored and the effects of the assignment
and application of deterministic rules are undone. The same procedure is re-
peated for true. If it is found out that assigning a variable to false (true) leads to
a contradiction but assignment to true (false) does not, the variable is assigned
to true (false), and the deterministic rules are applied. If both assignments lead
to contradiction, backtracking to the previous search level occurs. This kind of
lookahead and its use was inspired by the one used in the Smodels system.
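As an added example (not the authors' BCSat code), the following Python puts the deterministic deduction rules of Figs. 2-3, the one-step lookahead rule and the max-of-min cut heuristic of this section together into a small backtracking solver. It assumes a dict-based circuit representation and counts every newly determined variable (including not-gates) in the two deduction counts; because the Fig. 3 "down" rules are included, Example 1 is decided without a cut, so a second, constructed circuit is included on which the lookahead rule deduces a value the deterministic rules alone cannot.

```python
"""Added example (not the BCSat code): deduction rules, one-step lookahead and cut heuristic."""

class Contradiction(Exception):
    pass   # a complementary pair Tw, Fw was derived on the current branch

def gate_value(kind, vals):
    """Truth value of a gate of type `kind` from fully determined children."""
    if kind in ("even", "odd"):
        return sum(vals) % 2 == (kind == "odd")
    return {"not": lambda: not vals[0], "and": lambda: all(vals),
            "or": lambda: any(vals), "equiv": lambda: len(set(vals)) <= 1}[kind]()

def assign(t, v, val):
    """Add Tv (val=True) or Fv to branch `t`; returns True if the entry is new."""
    if t.get(v, val) != val:
        raise Contradiction(v)
    new = v not in t
    t[v] = val
    return new

def propagate(circuit, t):
    """Apply the deterministic deduction rules to branch `t` (dict v -> bool, in place)
    until stable.  `circuit`: gate -> (kind, children); kinds "T"/"F" are constants."""
    changed = True
    while changed:
        changed = False
        for v, (kind, kids) in circuit.items():
            if kind in ("T", "F"):
                changed |= assign(t, v, kind == "T")
                continue
            known = [t[c] for c in kids if c in t]
            unknown = [c for c in kids if c not in t]
            # "up" rules: all children known, or one child already decides v
            if not unknown:
                changed |= assign(t, v, gate_value(kind, known))
            elif ((kind == "or" and True in known) or (kind == "and" and False in known)
                  or (kind == "equiv" and len(set(known)) > 1)):
                changed |= assign(t, v, kind == "or")
            if v not in t or not unknown:
                continue
            # "down" rules (Fig. 3(b)): the gate value forces every open child
            if ((kind, t[v]) in (("and", True), ("or", False))
                    or (kind == "equiv" and t[v] and known)):
                for c in unknown:
                    changed |= assign(t, c, known[0] if kind == "equiv" else t[v])
            # "last undetermined child" rules (Fig. 3(c)-(d)), generalised to all gates
            elif len(unknown) == 1:
                ok = [b for b in (False, True)
                      if gate_value(kind, [t.get(c, b) for c in kids]) == t[v]]
                if len(ok) == 1:
                    changed |= assign(t, unknown[0], ok[0])
    return t

def probe(circuit, t, v, val):
    """Other variables determined after adding v=val to a copy of t; None on contradiction."""
    try:
        return len(propagate(circuit, {**t, v: val})) - len(t) - 1
    except Contradiction:
        return None

def lookahead(circuit, t):
    """One-step lookahead: if t + Tv (t + Fv) yields a complementary pair, deduce Fv (Tv);
    repeat until stable.  Returns {v: (n_false, n_true)} for the still open variables."""
    while True:
        counts = {}
        names = set(circuit) | {c for _, kids in circuit.values() for c in kids}
        for v in sorted(names - set(t)):
            n_false, n_true = probe(circuit, t, v, False), probe(circuit, t, v, True)
            if n_false is None and n_true is None:
                raise Contradiction(v)
            if n_false is None or n_true is None:
                assign(t, v, n_false is None)   # keep the value that did not fail
                propagate(circuit, t)
                break                           # branch changed: rescan
            counts[v] = (n_false, n_true)
        else:
            return counts

def choose_cut(counts):
    """Sec. 5 heuristic: the variable whose min(n_false, n_true) is largest."""
    return max(counts, key=lambda v: min(counts[v]))

def solve(circuit, constraints):
    """Chronological backtracking over cut variables; a satisfying assignment or None."""
    try:
        t = propagate(circuit, dict(constraints))
        counts = lookahead(circuit, t)
    except Contradiction:
        return None
    if not counts:                              # every variable is determined
        return t
    v = choose_cut(counts)
    return solve(circuit, {**t, v: True}) or solve(circuit, {**t, v: False})

# Example 1 of the paper: v6 is the constant gate ⊥, v4 and v5 are input gates.
EXAMPLE_1 = {"v1": ("and", ["v2", "v3"]), "v2": ("not", ["v4"]),
             "v3": ("or", ["v4", "v5", "v6"]), "v6": ("F", [])}
# Constructed circuit (not from the paper): after Tg1 the deterministic rules are
# stuck, but lookahead sees that Fx closes the branch and deduces Tx.
LOOKAHEAD_CASE = {"g1": ("or", ["g2", "g3"]), "g2": ("and", ["x", "y"]),
                  "g3": ("and", ["x", "z"])}
```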

6 Translating Circuits into CNF

In order to compare our tool to some satisfiability checkers requiring the input
to be in CNF, we now present a very simple translation from Boolean circuits
to CNF. We do not treat here equiv-, even- or odd-gates with more than 2
inputs (this would require more than a linear number of clauses or additional
variables). Furthermore, the experimental cases we consider do not have such
gates. The CNF translation is the conjunction of clauses obtained from the gates
by the translation rules in Table 1. Input gates (variables with no definitions) are



Table 1. Boolean circuit to CNF translation rules.

  Gate                      CNF clause(s)
  v = ⊤                     v
  v = ⊥                     ¬v
  v = not(v1)               (v ∨ v1) ∧ (¬v ∨ ¬v1)
  v = or(v1, ..., vn)       (v ∨ ¬v1) ∧ ... ∧ (v ∨ ¬vn) ∧ (¬v ∨ v1 ∨ ... ∨ vn)
  v = and(v1, ..., vn)      (¬v ∨ v1) ∧ ... ∧ (¬v ∨ vn) ∧ (v ∨ ¬v1 ∨ ... ∨ ¬vn)
  v = even(v1, v2) and      (v ∨ v1 ∨ v2) ∧ (v ∨ ¬v1 ∨ ¬v2) ∧
  v = equiv(v1, v2)         (¬v ∨ v1 ∨ ¬v2) ∧ (¬v ∨ ¬v1 ∨ v2)
  v = odd(v1, v2)           (v ∨ v1 ∨ ¬v2) ∧ (v ∨ ¬v1 ∨ v2) ∧
                            (¬v ∨ v1 ∨ v2) ∧ (¬v ∨ ¬v1 ∨ ¬v2)

translated into (v ∨ ¬v). The constraints in the constrained satisfaction problem
are simply translated into corresponding unit clauses (like the constant gates).
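An added example (not the authors' tool) of the Table 1 translation in Python, emitting clauses in the DIMACS convention used by the CNF solvers of the next section; the dict-based gate representation, the variable numbering and the `satisfied` model check are assumptions of this example, and the more-than-2-input case is rejected exactly as the text above excludes it.

```python
"""Added example (not the authors' tool): Boolean circuit to CNF, as in Table 1."""

def circuit_to_cnf(circuit, constraints):
    """`circuit` maps a gate name to (kind, children); kinds "T"/"F" are constant
    gates and input gates have no entry.  `constraints` maps gates to required
    truth values.  Returns (name -> DIMACS number, list of clauses); a clause is a
    list of non-zero ints where -n denotes the negation of variable n."""
    names = sorted(set(circuit) | {c for _, k in circuit.values() for c in k})
    num = {n: i + 1 for i, n in enumerate(names)}
    clauses = []
    for v, (kind, kids) in circuit.items():
        x, ys = num[v], [num[c] for c in kids]
        if kind == "T":
            clauses.append([x])
        elif kind == "F":
            clauses.append([-x])
        elif kind == "not":
            clauses += [[x, ys[0]], [-x, -ys[0]]]
        elif kind == "or":      # every child implies v; v implies some child
            clauses += [[x, -y] for y in ys] + [[-x] + ys]
        elif kind == "and":     # v implies every child; all children imply v
            clauses += [[-x, y] for y in ys] + [[x] + [-y for y in ys]]
        elif kind in ("even", "equiv", "odd"):
            if len(ys) != 2:    # as in Sec. 6, only the 2-input case is covered
                raise ValueError(f"{kind} gate with {len(ys)} inputs")
            a, b = ys
            if kind == "odd":   # v <-> (a xor b)
                clauses += [[x, a, -b], [x, -a, b], [-x, a, b], [-x, -a, -b]]
            else:               # v <-> (a == b)
                clauses += [[x, a, b], [x, -a, -b], [-x, a, -b], [-x, -a, b]]
        else:
            raise ValueError(kind)
    for n in names:             # input gates: the tautology (v or not v)
        if n not in circuit:
            clauses.append([num[n], -num[n]])
    for v, val in constraints.items():   # constraints become unit clauses
        clauses.append([num[v] if val else -num[v]])
    return num, clauses

def to_dimacs(num, clauses):
    """Render the clause list in the DIMACS CNF file format."""
    header = f"p cnf {len(num)} {len(clauses)}"
    return "\n".join([header] + [" ".join(map(str, c)) + " 0" for c in clauses])

def satisfied(clauses, true_vars):
    """Check a model (set of DIMACS numbers assigned true) against the clauses."""
    return all(any((lit > 0) == (abs(lit) in true_vars) for lit in c) for c in clauses)

# Example 1 of the paper with its constraint Tv1 (v6 is the constant gate ⊥).
EXAMPLE_1 = {"v1": ("and", ["v2", "v3"]), "v2": ("not", ["v4"]),
             "v3": ("or", ["v4", "v5", "v6"]), "v6": ("F", [])}
NUM, CLAUSES = circuit_to_cnf(EXAMPLE_1, {"v1": True})
```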
7 Some Experiments

We use the bounded model checking examples of Biere et al. For each problem
instance we use two different input sources. The first one is the DIMACS CNF output
produced directly by the bounded model checker tool BMC. We will call this
format BMC-CNF. We were also able to reconstruct Boolean circuits from the
Prover output format files produced by BMC. These circuits were used as such
or translated into CNF as described in Sec. 6.

We used the following solvers: BCSat described in this paper, CGrasp,
Satz and Sato. BCSat and CGrasp both work on Boolean circuit in-
put formats (we made a straightforward translation from our format to that of
CGrasp). These tools were thus run only on the Boolean circuit input. Since
Satz and Sato expect DIMACS CNF as input format, we ran these tools on
both BMC-CNF and CNF translated from circuits. All solvers were used "as
is"; no engineering work was put into trying to find suitable parameter settings.
Unfortunately, we did not have access to the Prover tool.

The tests were run on 450 MHz Pentium machines running the Linux op-
erating system. The times shown are the user times measured with the time
command. The times include neither the generation of input files with
the BMC tool nor translations between formats.

As the first test case we used the barrel shifter, with results shown in Table 2.
The parameter |r| in the first column indicates the number of registers in the
shifter and also the number of time steps in BMC. The next two columns show
the times of the CNF solvers Sato and Satz when run on BMC-CNF. The next four
columns show the solver times when run on unsimplified Boolean circuit input
(translated into CNF in the case of Sato and Satz). The last column shows the
running time of the BCSat tool when allowed to make the simplifications described
in Sec. 4. The striking difference in performance is due to the "input gate
under true equivalence" simplification in Fig. 4(d): BCSat finds out during the
simplification that the circuit is not satisfiable and thus does not perform any
actual search. This observation also explains the good results reported for the
Prover tool: Prover simplifies the equivalences, too.



Table 2. Barrel shifter (|r| = number of registers). Times in seconds; ">1h" means
no answer within one hour, "-" means not run.

        BMC-CNF           Circuit, no red.                    BCSat
  |r|   Sato    Satz      BCSat   CGrasp   Sato    Satz       red.
   4       0       0          0        0      5       0          0
   5      13     465        302      135    >1h      44          0
   6      73     >1h        >1h      >1h      -     224          0
   7     280       -          -        -      -    1369          0
   8     613       -          -        -      -     >1h          0
   9     >1h       -          -        -      -       -          0
  10       -       -          -        -      -       -          0
Table 3 shows our next example in which a counter-example of length k has
to be found in a buggy design of a mutual exclusion algorithm under fairness.
Unlike in the other examples, the instances here are satisfiable. Again, the solvers
are run on BMC-CNF, circuit input and then on simplified circuit input (the
simplification times for solvers other than BCSat are not included in their running
times).



Table 3. Counterexample for liveness in a buggy DME with 2 cells.

        BMC-CNF          Circuit, no red.                  Circuit, red.
   k    Sato    Satz     BCSat  CGrasp   Sato    Satz      BCSat  CGrasp   Sato    Satz
  10       0       1       104      17      1       1          4       4      0       0
  11       1       3         3      28      3     >1h          3       6      0     >1h
  12       0       6         4      61      5       4          3       9      0     >1h
  13     >1h     >1h         5     126    136       3          4      11      0       -
  14       2     >1h         6     152      6       3          6      23      0       -
  15     249       -       223     150    152       4          6      21      0       -
  16     >1h       -         8     129    >1h       5         13      36      7       -
  17     >1h       -         8     178    >1h       5          8      94      1       -
  18       -       -        13     201      -       6         10      57      3       -
  19       -       -        10    1255      -       7         19      99      4       -
  20       -       -        14     445      -       8        514     110     23       -
  21       -       -        16     369      -       8         13     161      1       -
  22       -       -        22    1253      -      10         17     190    >1h       -
  23       -       -        24     412      -      11         15     210   3185       -
  24       -       -        26     891      -      11         19     349     23       -
  25       -       -        27     867      -      11         20     666      2       -
  26       -       -        30    2573      -      14         26     666     11       -
  27       -       -        28     892      -      16         30    3091    >1h       -
  28       -       -        38    1356      -      24         34    2941    >1h       -
  29       -       -        34     937      -      35         34    2815      -       -
  30       -       -        47     >1h      -      46         38    3159      -       -



Our two last examples concern the same mutual exclusion algorithm, this
time a correct one (thus there are no counter-examples and the instances are
unsatisfiable). Table 4 shows results in the case of two users, parameterized
w.r.t. the number of time steps. This means that we parameterize over the cir-
cuit depth since the greater the number of time steps, the greater the circuit
depth. On the other hand, Table 5 depicts results when the number of time
steps is kept at 10 but the number of users is parameterized. This corresponds
to parameterization over circuit width. When comparing these two parameteri-
zation dimensions, we notice that the circuit depth seems to be a more crucial
dimension for solver efficiency.

Admittedly, in order to draw any firm conclusions on the behavior of different 
solvers, more experiments should be conducted, especially on other types of 
Boolean circuits. However, we make some preliminary observations: (i) BCSat 
and Satz seem to work quite similarly: this is probably because they both use 
Table 4. Liveness in DME with 2 cells, parameterized w.r.t. the number of time
steps.

        BMC-CNF          Circuit, no red.                  Circuit, red.
   k    Sato    Satz     BCSat  CGrasp   Sato    Satz      BCSat  CGrasp   Sato    Satz
  10    1322       1         2      43    178       1          1      18      1       0
  11     >1h       1         3     159    >1h       1          3      17    >1h       0
  12     >1h       2         3     113    >1h       2          4      48     12       1
  13       -       5         5     193      -       3          5      68      7       1
  14       -      15         6     280      -       4          6      72     27       3
  15       -      52         9     380      -       8          8      95      6       3
  16       -     >1h        23    1859      -      10         12     105    159       7
  17       -     >1h        37     641      -      25         14     188     23      10
  18       -       -        47     858      -      34         17     245    166      21
  19       -       -        55    1010      -      78        343     428    >1h      37
  20       -       -       117    2010      -      32        524     400    >1h      67
  21       -       -       341    3457      -     211       1054     633      -     326
  22       -       -      3461    1682      -     >1h        >1h    2496      -     >1h
  23       -       -       >1h    3591      -     >1h        >1h    1274      -     >1h
  24       -       -       >1h    3495      -       -          -    2254      -       -
  25       -       -         -    2621      -       -          -     >1h      -       -
  26       -       -         -     >1h      -       -          -    1962      -       -
  27       -       -         -     >1h      -       -          -     >1h      -       -
  28       -       -         -       -      -       -          -    2939      -       -
  29       -       -         -       -      -       -          -     >1h      -       -
  30       -       -         -       -      -       -          -     >1h      -       -



Table 5. Liveness in DME with 10 time steps, parameterized w.r.t. the number
of cells.

         BMC-CNF          Circuit, no red.                  Circuit, red.
  cells  Sato    Satz     BCSat  CGrasp   Sato    Satz      BCSat  CGrasp   Sato    Satz
   2     1322       1         2      43    178       1          1      18      1       0
   3      >1h       4         4      82    >1h       2          4      36      1       1
   4      >1h      18         7     340    >1h       4          8      59    124       1
   5        -      73        13     364      -       5         14     125    >1h       1
   6        -     >1h        20     691      -       7         20     129     25       2
   7        -     >1h        28    1058      -      13         34      88    >1h       6
   8        -       -        35    1891      -      10         39     204    >1h       3
   9        -       -        47    1678      -      16         50     166      -       4
  10        -       -        67    2053      -      20         63     178      -       5
  11        -       -        81    2567      -      22         83     381      -       5
  12        -       -        93     >1h      -      31         98     416      -       7
  13        -       -       101     >1h      -      26        107     781      -       7
  14        -       -       119       -      -      46        126     872      -      19
  15        -       -       139       -      -      43        165     817      -       9
  16        -       -       160       -      -      44        183     926      -      15
  17        -       -       192       -      -      56        218    1059      -      12
  18        -       -       232       -      -      94        239    1035      -      13
  19        -       -       242       -      -      85        260     584      -      42
  20        -       -       275       -      -     112        295    1653      -      19




Tommi A. Junttila and Ilkka Niemelä

lookahead and their heuristics are somewhat similar. (ii) All solvers seem to be
a bit input syntax sensitive: there are cases when simplifications help but also
counter-cases.

Finally, note that since our Boolean circuits were reconstructed from the
output generated for the Prover tool, the circuits are probably not equal to
those that would be generated should the BMC tool support the Boolean circuit
formalism directly. However, we assume that the circuits we have are quite close
to those.

8 Conclusions 

We have developed a tableau method for solving Boolean circuit satisfiability 
problems. The method works directly on Boolean circuits and does not require 
any clausal form translation of the circuit. Our method differs from standard 
tableau techniques. It uses an explicit cut rule together with deterministic (non- 
branching) deduction rules. In addition to typical deduction rules propagating 
truth values, our method employs a one-step lookahead rule which is compu- 
tationally more expensive than standard propagation rules but which enables 
stronger propagation and reduces the need to use the cut rule. Furthermore, 
we identify simplification rules which preserve satisfiability but reduce the size 
and the form of a circuit. We have developed a prototype implementation of the
method which applies the simplification rules and builds a tableau one branch
at a time using backtracking search and a search heuristic based on the looka-
head rule. We have tested the method on symbolic model checking benchmarks
against state-of-the-art satisfiability checkers. The experiments indicate that the
tableau method provides a promising basis for solving Boolean satisfiability prob-
lems. Interesting topics of further research include the development of refined
search heuristics that take the circuit structure better into account, intelligent
backtracking methods and simplification techniques.
Abstract. We use Kleene algebra with tests to verify a wide assort-
ment of common compiler optimizations, including dead code elimina- 
tion, common subexpression elimination, copy propagation, loop hoist- 
ing, induction variable elimination, instruction scheduling, algebraic sim- 
plification, loop unrolling, elimination of redundant instructions, array 
bounds check elimination, and introduction of sentinels. In each of these 
cases, we give a formal equational proof of the correctness of the opti- 
mizing transformation. 



1 Introduction 

Kleene algebra (KA) is the algebra of regular expressions. It was first introduced
by Kleene in 1956 and further developed in the 1971 monograph of Conway.
It has reappeared in many contexts in mathematics and computer science.

Kleene algebra with tests (KAT) is an extension of KA that combines programs
and assertions in a simple, purely equational system. It has been shown that KAT
strictly subsumes propositional Hoare logic, is of no greater complexity, and is
deductively complete over relational models (Hoare logic is not). Moreover, KAT
requires nothing beyond the constructs of classical equational logic, in contrast
to Hoare logic, which requires a specialized syntax involving partial correctness
assertions.

KAT has been applied successfully in various low-level verification tasks in-
volving communication protocols, basic safety analysis, source-to-source program
transformation, and concurrency control. A useful feature of KAT in this regard
is its ability to accommodate certain basic equational assumptions regarding the
interaction of atomic instructions. This feature makes KAT ideal for reasoning
about the correctness of low-level code transformations.

In this paper we show how KAT can be used to verify a variety of common
compiler optimizations: dead code elimination, common subexpression elimina-
tion, copy propagation, loop hoisting, induction variable elimination, instruction
scheduling, algebraic simplification, loop unrolling, elimination of redundant in-
structions, array bounds check elimination, and introduction of sentinels. In each
of these cases, we give a formal, machine-verifiable equational proof of the cor-
rectness of the optimizing transformation.

The verification of compiler optimizations is more than just a theoretical
exercise. We were led to these investigations by recent work in typed assembly
language (TAL), proof-carrying code (PCC) and efficient code certi-
fication (ECC). These are systems that provide a means for an untrusted
compiler to convince a trusted verifier that the object code it produces meets
certain safety requirements.

PCC is the most powerful of these systems. It is quite flexible in the security
policies it can express, but a significant problem is the size of certificates.
ECC addresses this issue by taking advantage of compiler conventions, giving 
a significant reduction in certificate size. In ECC, the production and verifica- 
tion of certificates is very efficient and invisible to both the code producer and 
consumer. However, these savings come only at a cost of reduced expressiveness 
and compiler dependence. In particular, whereas TAL and PCC deal well with 
optimizing transformations, ECC, being more dependent on the form of the ob- 
ject code produced by the compiler, is less robust with respect to code motion. 
To verify optimized code, ECC would require the certificate to include a concise 
description of the sequence of optimizing transformations that were performed, 
along with a machine-verifiable justification of these transformations. Such an 
extension might be based on the system KAT as described here. 

In the last section, we discuss an interesting paradox that arises in connection 
with dead variables, those whose current value will never be used. This paradox 
is the source of a potentially dangerous pitfall in informal reasoning. A formal 
treatment in KAT helps to illuminate this pitfall. 

2 Kleene Algebra and Kleene Algebra with Tests 

In this section we briefly review the definitions of Kleene algebra and Kleene
algebra with tests.

2.1 Kleene Algebra (KA) 

The following axiomatization is the standard one. A Kleene algebra $(K, +, \cdot, {}^*, 0, 1)$ is
an idempotent semiring under $+, \cdot, 0, 1$ satisfying

$$1 + pp^* = p^* \qquad (1)$$

$$1 + p^*p = p^* \qquad (2)$$

$$(3)$$

$$q + rp \le r \implies qp^* \le r, \qquad (4)$$

where $\le$ refers to the natural partial order on $K$.
These axioms say essentially that ${}^*$ behaves like the reflexive transitive clo-
sure operator of relational algebra or the Kleene asterate operator of formal
languages. The operation $+$ gives the supremum with respect to $\le$. All the op-
erators are monotone with respect to $\le$.

Besides basic properties of ${}^*$ such as $1 \le a^*$, $a \le a^*$, $a^*a^* = a^*$, and
$a^{**} = a^*$, we will find the following two identities particularly useful:

$$p(qp)^* = (pq)^*p \qquad (5)$$

$$(p+q)^* = p^*(qp^*)^* = (p^*q)^*p^*. \qquad (6)$$



These identities are called the sliding rule and the denesting rule, respectively. 
In addition, the following result will prove useful: 

Lemma 1. In any Kleene algebra, $xy = xyx \implies xy^* = x(yx)^*$.

Proof. We show independently that

$$xy \le xyx \implies xy^* \le x(yx)^* \qquad (7)$$

$$xyx \le xy \implies x(yx)^* \le xy^*. \qquad (8)$$

To show (7), by (4) it is enough to show $xy \le xyx \implies x + x(yx)^*y \le x(yx)^*$.
Reasoning under the assumption $xy \le xyx$, we have

$$\begin{aligned}
x + x(yx)^*y &= x + (xy)^*xy && \text{by the sliding rule (5)} \\
&\le x + (xy)^*xyx && \text{by the assumption } xy \le xyx \\
&= (1 + (xy)^*xy)x && \text{distributivity} \\
&= (xy)^*x && \text{by (2)} \\
&= x(yx)^* && \text{by the sliding rule (5).}
\end{aligned}$$

For (8), reasoning under the assumption $xyx \le xy$, we have by distributivity
that $x + xyxy^* \le x + xyy^* = x(1 + yy^*) = xy^*$, thus by (1) and (3), $(xy)^*x \le xy^*$.
The right-hand side of (8) then follows from the sliding rule (5).



2.2 Kleene Algebra with Tests (KAT) 

A Kleene algebra with tests is a Kleene algebra with an embedded Boolean
subalgebra. Formally, it is a two-sorted structure $(K, B, +, \cdot, {}^*, \bar{\ }, 0, 1)$ such
that

— $(K, +, \cdot, {}^*, 0, 1)$ is a Kleene algebra;

— $(B, +, \cdot, \bar{\ }, 0, 1)$ is a Boolean algebra; and

— $B \subseteq K$.

The Boolean complementation operator $\bar{\ }$ is defined only on $B$.

The elements of $B$ are called tests. We will denote arbitrary elements of $K$
by the letters $p, q, r, s, t, u, v, \ldots$ and tests by $a, b, c, d, \ldots$.

When applied to arbitrary elements of $K$, the operators $+, \cdot, 0, 1$ refer to non-
deterministic choice, composition, fail and skip, respectively. Applied to tests,
they take on the additional meaning of Boolean disjunction, conjunction, falsity
and truth, respectively. These two usages do not conflict; for example, sequen-
tially testing $b$ and $c$ is the same as testing their conjunction $bc$, and their
coexistence permits considerable economy of expression.

For applications in program verification, the standard interpretation would 
be a KA of binary relations on a set and the Boolean algebra of subsets of 
the identity relation. One can also consider trace models in which the Kleene 
elements are sets of traces (sequences of states) and the boolean elements are 
sets of states (traces of length 0) . 

The encoding of the while program constructs is as in Propositional Dynamic
Logic:

$$p\,;\,q \;\stackrel{\text{def}}{=}\; pq$$

$$\mathbf{if}\ b\ \mathbf{then}\ p\ \mathbf{else}\ q \;\stackrel{\text{def}}{=}\; bp + \bar{b}q$$

$$\mathbf{while}\ b\ \mathbf{do}\ p \;\stackrel{\text{def}}{=}\; (bp)^*\bar{b}.$$

The following result, also observed previously, follows directly from Lemma 1.
Intuitively, if the execution of the program $q$ does not affect the value of the test
$b$, then neither does $q^*$.

Lemma 2. In any KAT, if $bq = qb$, then $bq^* = (bq)^*b = q^*b = b(qb)^*$.

Proof. If $bq = qb$, then by Boolean algebra $bq = bbq = bqb$, thus $bq^* = b(qb)^*$ by
Lemma 1. The other equations follow from the sliding rule (5) and symmetry.

2.3 KAT and Hoare Logic 

Hoare logic is a system for deriving partial correctness properties of compound 
programs compositionally from properties of their constituent parts. Tradition- 
ally, these properties are expressed by partial correctness assertions (PCAs) of 
the form {b}p{c}, where b and c are assertions in the underlying assertion lan- 
guage and p is a program. Intuitively, the PCA {b}p{c} says that if the property 
b holds at the start of execution of p, and if p halts, then c must be true in the 
halting state. 

As mentioned in the introduction, KAT subsumes Hoare logic. The PCA
$\{b\}p\{c\}$ is expressed $bp\bar{c} = 0$, or equivalently, $bp = bpc$. Intuitively, $bp\bar{c} = 0$ says
that there is no halting computation of $p$ satisfying precondition $b$ and postcon-
dition $\bar{c}$, and $bp = bpc$ says that testing $c$ after executing $p$ with precondition $b$
is always redundant.

In traditional Hoare logic, atomic programs are assignments $x := e$ and the
only atomic assumption is the assignment rule $\{P[x/e]\}\ x := e\ \{P\}$. Hoare logic
operates by deriving PCAs involving compound programs inductively, using the
assignment rule as an axiom. The operation of KAT is analogous, except that the
assumptions and conclusions are equations between programs, and the form of
the assumptions can be more general. Theorems of KAT are universally quantified
Horn formulas of the form $(\bigwedge_i p_i = q_i) \implies p = q$. In our applications below, the



Dexter Kozen and Maria-Cristina Patron



$p_i = q_i$ are typically premises that involve atomic instructions and tests that
are immediately self-evident, and the conclusion $p = q$ is the equivalence of the
unoptimized and optimized code fragments.

In our optimization examples, there are certain kinds of premises that occur 
frequently. For example, we often need to know that two atomic instructions 
that do not affect each other can occur in either order. This would be expressed 
in KAT by a commutativity condition of the form pq = qp. We would take 
this assertion as a premise on the left-hand side of the Horn formula above. 
Another common example is the fact that after loading a register with a value, 
that register contains that value. This is expressed by an equation of the form 
p = pa, where p is the load instruction and a is the assertion that the register 
contains the value. This assertion allows us to introduce new assertions into an 
annotated program and delete them when they are no longer needed. As a final 
example, the fact that if a register already contains a value, then there is no 
need to load it again would be encoded as an equation of the form ap = a. This 
premise allows us to delete redundant instructions. 

We use such atomic premises extensively in the derivations of Section 3.
In all cases the truth of the premise is directly evident. Moreover, it has been
observed that in the decision procedure for KAT, premises of the form $p = 0$ can
be eliminated without loss of efficiency.

3 Verifying Optimizations in KAT 

In this section we consider several examples of common compiler optimizations 
and show how they can be encoded and verified in KAT. In each case, we give the 
program fragments before and after the optimizations, their translations into the 
language of KAT, and an equational proof that the two fragments are equivalent. 

3.1 Dead Code Elimination 

Dead code elimination is a code transformation that removes unreachable instructions. Let us start with a very simple example. Consider the program p ; if a then q. This is expressed in KAT as $p(aq + \bar a)$. The $\bar a$ in this expression represents the implicit else clause. Suppose we know that the test $a$ is always false after the execution of $p$. This would imply that the test of the if statement is false in the program above, so $q$ would never be executed. We could remove it to obtain the optimized fragment p.

The assumption that the test $a$ is always false after the execution of $p$ is expressed in KAT by the identity $p = p\bar a$, or equivalently $pa = 0$. Intuitively, immediately after the execution of $p$, we must always be in a state in which $\bar a$ holds. In this case, executing the guard $\bar a$ after $p$ is always redundant; equivalently, executing the guard $a$ after $p$ aborts the computation.

Reasoning in KAT under the assumption $p = p\bar a$, we have

$$p(aq + \bar a) = p\bar a(aq + \bar a) = p\bar a a q + p\bar a\bar a = p0q + p\bar a = 0 + p\bar a = p\bar a = p.$$
Thus the KAT expressions representing the two program fragments are equal.

For the case of a while loop, consider the fragment p ; while a do q, which is encoded in KAT as the expression $p(aq)^*\bar a$. Again, suppose that the test $a$ is always false after the execution of $p$; that is, $p\bar a = p$. This means that the while loop will never be executed, and we should again be able to obtain the optimized fragment p.

As above, reasoning in KAT under the assumption $p = p\bar a$, we have

$$p(aq)^*\bar a = p\bar a(aq)^*\bar a = p\bar a(1 + aq(aq)^*)\bar a = p\bar a\bar a + p\bar a a q(aq)^*\bar a = p\bar a + p0q(aq)^*\bar a = p\bar a + 0 = p\bar a = p.$$

Both of these cases give examples of how assumptions about atomic programs and tests (here $p = p\bar a$) are used to derive the equivalence of the unoptimized and optimized programs. We have essentially given purely equational proofs of the universal Horn formulas $p = p\bar a \to p(aq + \bar a) = p$ and $p = p\bar a \to p(aq)^*\bar a = p$.



3.2 Common Subexpression Elimination

Common subexpression elimination is a code transformation that avoids redundant evaluation of the same expression by using the result of the first computation. For example, consider the program fragment i := expr ; j := expr, where expr is an expression not containing i. We wish to show that this can be replaced by i := expr ; j := i.

Consider the following programs and tests:

$p \stackrel{\mathrm{def}}{=}$ i := expr
$q \stackrel{\mathrm{def}}{=}$ j := expr
$r \stackrel{\mathrm{def}}{=}$ j := i
$w \stackrel{\mathrm{def}}{=}$ make j undefined
$a \stackrel{\mathrm{def}}{=}$ i = expr
$b \stackrel{\mathrm{def}}{=}$ i = j

We wish to prove that $pq = pr$. We can postulate the following premises:

$1p = 1pa$: atomic PCA {expr = expr} i := expr {i = expr}
$aq = aqb$: atomic PCA {i = expr} j := expr {i = j}
$br = b$: there is no need to assign j := i if i = j already
$r = wr$: j is dead immediately before the assignment j := i
$qw = w$: an assignment to a dead variable is redundant.

The first two of these are both instances of the Hoare assignment rule. Under these premises, we can reason equationally as follows:

$$pq = 1pq = 1paq = 1paqb = 1paqbr = 1paqr = 1pqr = pqr = pqwr = pwr = pr.$$
3.3 Copy Propagation

Copy propagation is a code transformation that eliminates an assignment of the form j := i and replaces all further references to j by references to i. For example, consider the program fragment

    i := expr ; j := expr ; k := 4 * j + 2

where i and j do not occur in expr. By common subexpression elimination (Section 3.2), the second assignment can be replaced by j := i.

First we argue that we can replace the last assignment by k := 4 * i + 2. Letting $p$, $q$, $r$, and $s$ denote the assignments i := expr, j := i, k := 4 * j + 2, and k := 4 * i + 2 respectively, we wish to show that $pqr = pqs$. It suffices to show that $qr = qs$. Consider the program and tests

$a \stackrel{\mathrm{def}}{=}$ 4 * j + 2 = 4 * i + 2
$b \stackrel{\mathrm{def}}{=}$ k = 4 * i + 2
$w \stackrel{\mathrm{def}}{=}$ make k undefined.

As above, we postulate the following premises:

$1q = 1qa$: atomic PCA {4 * i + 2 = 4 * i + 2} j := i {4 * j + 2 = 4 * i + 2}
$ar = arb$: atomic PCA {4 * j + 2 = 4 * i + 2} k := 4 * j + 2 {k = 4 * i + 2}
$bs = b$: there is no need to assign k := 4 * i + 2 if k = 4 * i + 2 already
$s = ws$: k is dead immediately before the assignment k := 4 * i + 2
$rw = w$: an assignment to a dead variable is redundant.

The first two of these are instances of the Hoare assignment rule. Using these assumptions, we can reason as follows:

$$qr = 1qr = 1qar = 1qarb = 1qarbs = 1qars = 1qrs = qrs = qrws = qws = qs.$$

Moreover, if we know that j is a dead variable, we can optimize further by removing the assignment to j, obtaining the optimized code $ps$. Letting $v \stackrel{\mathrm{def}}{=}$ "make j undefined", we wish to show that $pqsv = psv$. We have $sv = vs$, since j does not occur in $s$, and $qv = v$, since if j is dead, the assignment is redundant. This allows us to conclude $pqsv = pqvs = pvs = psv$.

3.4 Loop Hoisting

Loop hoisting is a transformation that involves moving code out of loops. It can take one of two forms: in the first form, an expression whose value does not depend on the number of times through the loop need not be evaluated inside the loop, but can be evaluated once before the first execution of the body of the loop. In the second, an expression whose value is not used anywhere inside the loop need not be evaluated inside the loop, but can be evaluated once after the loop.

As an example of the first type of transformation, consider the following program fragment:

    sum := 1 ;                      p
    while 1 < i < n do {
        sum := sum + i * expr ;     q
        i := i + 1 ;                s
    }

where expr is an expression not containing i or sum. Let k be a new variable. This fragment is equivalent to the fragment

    sum := 1 ;                      p
    k := expr ;                     u
    while 1 < i < n do {
        sum := sum + i * k ;        r
        i := i + 1 ;                s
    }

Formally, "k is a new variable" is captured by saying that k does not appear in any expression in the first fragment and that k can be made undefined immediately after the execution of the fragment.

Define the program and tests

$a \stackrel{\mathrm{def}}{=}$ 1 < i < n
$b \stackrel{\mathrm{def}}{=}$ k = expr
$w \stackrel{\mathrm{def}}{=}$ make k undefined.

We would like to show $p(aqs)^*\bar a w = pu(ars)^*\bar a w$. Postulating the assumptions

$u = ub$: k = expr after k := expr, since k does not occur in expr
$b = bu$: if k = expr already, no need to assign k := expr
$bq = qb$: since sum does not occur in expr
$bs = sb$: since i does not occur in expr
$br = rb$: since sum does not occur in expr,

using the Lemma and copy propagation (Section 3.3) we can argue as follows:

$$pu(ars)^* = pub(ars)^* = pub(abrs)^* = pub(aburs)^* = pub(abqs)^* = pub(aqs)^* = pu(aqs)^*.$$

Now since $w$ commutes with $a$, $\bar a$, $q$, and $s$, we have by the Lemma that $w(aqs)^* = (aqs)^*w$. Also, $uw = w$ since there is no need to assign to a dead variable. Thus

$$pu(aqs)^*\bar a w = puw(aqs)^*\bar a = pw(aqs)^*\bar a = p(aqs)^*\bar a w.$$

In conclusion, $pu(ars)^*\bar a w = p(aqs)^*\bar a w$, which is what we had to prove.

As an example of the second type of transformation, consider the following program in which the computation $p$ inside the loop and the test $a$ do not use i:

    while a do {
        i := r ;            u
        p ;                 p
        r := r + 1 ;        q
    }
    i := r ;                u

Since i is assigned a different expression each time the loop is executed, the previous example does not apply. Nevertheless, since i is not used in the rest of the loop, we still obtain the optimized code:

    while a do {
        p ;                 p
        r := r + 1 ;        q
    }
    i := r ;                u

We would like to prove $(aupq)^*\bar a u = (apq)^*\bar a u$. Defining the atomic program $w \stackrel{\mathrm{def}}{=}$ "make i undefined", we have the following postulates:

$u = wu$: i is dead just before the assignment i := r
$wpq = pqw$: $p$ and $q$ do not refer to i
$wa = aw$: $a$ does not refer to i
$w\bar a = \bar a w$: $\bar a$ does not refer to i
$uw = w$: an assignment to a dead variable is redundant.

Reasoning under these assumptions using the sliding rule and the Lemma,

$$(aupq)^*\bar a u = (awupq)^*\bar a wu = (waupq)^*w\bar a u = w(aupqw)^*\bar a u = w(auwpq)^*\bar a u = w(awpq)^*\bar a u = (apq)^*w\bar a u = (apq)^*\bar a wu = (apq)^*\bar a u.$$



3.5 Induction Variable Elimination

This is a loop optimization that replaces multiplicative operations inside the loop with less expensive additive ones. This type of optimization might arise in matrix algorithms. For example, consider the program

    i := init ;                     u
    j := i * expr1 ;                q
    while a do {
        i := i + expr1 ;            p
        j := i * expr2 ;            q
    }

where i and j do not occur in expr1 and expr2. Note that whenever i is increased by expr1, j is increased by expr1 * expr2. The optimized code is

    i := init ;                     u
    j := i * expr2 ;                q
    while a do {
        i := i + expr1 ;            p
        j := j + expr1 * expr2 ;    r
    }

Using the transformation of Section 3.4, we can further optimize to obtain

    i := init ;
    j := i * expr2 ;
    m := expr1 ;
    n := expr1 * expr2 ;
    while a do {
        i := i + m ;
        j := j + n ;
    }

To establish the equivalence of the first two programs, we need to prove

$$uq(apq)^*\bar a = uq(apr)^*\bar a.$$

It suffices to prove $q(apq)^* = q(apr)^*$. Consider the tests

$b \stackrel{\mathrm{def}}{=}$ j = i * expr2
$b' \stackrel{\mathrm{def}}{=}$ j + expr1 * expr2 = (i + expr1) * expr2
$c \stackrel{\mathrm{def}}{=}$ j + expr1 * expr2 = i * expr2.

We have the assumptions $q = qb$; $b = bq$; $b = b'$ from basic number-theoretic reasoning; $cr = crb$, an instance of the Hoare assignment rule; and $bp = bpc$, which follows from $b = b'$ and the instance $\{b'\}\,p\,\{c\}$ of the Hoare assignment rule. In addition, we have $cq = cr$, which is an instance of the property that if two expressions have the same value, then the assignment of either expression to the variable j has the same effect. This would hold even if j occurred in both expressions. Here, j does not occur in the expression i * expr2, and using $w \stackrel{\mathrm{def}}{=}$ "make j undefined" along with the premises $wq = q$ and $rw = w$, $cq = cr$ can be proved by

$$cr = crb = crbq = crbwq = crwq = cwq = cq.$$

The property $cq = cr$ holds even in the more general case in which j can occur in both expressions. We do not know how to prove this in Hoare logic or Kleene algebra from more primitive assumptions without introducing new symbols into the underlying programming or assertion language. However, we are content to take $cq = cr$ as a primitive assumption.

We have $bpq = bpcq = bpcqb = bpcrb = bpcr = bpr$. Since $bpq = bpqb$, it follows that $bapq = bapqb$ and $bapr = baprb$. Using the sliding rule and the Lemma we then have

$$q(apq)^* = qb(apqb)^* = q(bapq)^*b = q(bapr)^*b = qb(aprb)^* = q(apr)^*.$$

3.6 Instruction Scheduling

Unrelated instructions can be reordered so as to maximize the throughput of a processor pipeline. For example, p ; q and q ; p are equivalent if there is no dependency between the instructions $p$ and $q$. The nondependency assumption is expressed in KAT by the equation $pq = qp$. These assumptions can be used to reorder instructions arbitrarily as long as no dependencies are violated.

3.7 Algebraic Simplification

This transformation eliminates statements corresponding to trivial algebraic identities, which occasionally arise due to constant propagation and other previous transformations. For example, any assignment of the form i := i + 0 or i := i * 1 can be eliminated. This is simply an application of an assumption of the form $ap = a$ and the Kleene algebra axiom $1q = q$.

3.8 Loop Unrolling

Sometimes it is possible to reduce the number of tests and jumps executed in a loop by unrolling the loop. We can unroll the loop while a do p once to obtain while a do {p ; if a then p}. We have to prove $(ap)^*\bar a = (ap(ap + \bar a))^*\bar a$. The following lemma of pure KAT captures the essence of this transformation.

Lemma 3. In any Kleene algebra, $u^* = (1 + u)(uu)^*$.

Proof. For the direction $\ge$, by monotonicity, distributivity, idempotence, denesting, and the basic properties of $^*$, we have

$$(1 + u)(uu)^* = (uu)^* + u(uu)^* \le u^*(uu^*)^* = (u + u)^* = u^*.$$

For the direction $\le$, by the induction axiom for $^*$ it is enough to prove $1 + u(1 + u)(uu)^* \le (1 + u)(uu)^*$. By the unfolding law $x^* = 1 + xx^*$ and distributivity, we have

$$1 + u(1 + u)(uu)^* = u(uu)^* + 1 + uu(uu)^* = u(uu)^* + (uu)^* = (1 + u)(uu)^*.$$

We can now prove the equivalence of the two programs using sliding, denesting, the basic axioms, and Lemma 3:

$$\begin{aligned}
(ap(ap + \bar a))^*\bar a &= (apap + ap\bar a)^*\bar a = ((ap\bar a)^*apap)^*(ap\bar a)^*\bar a \\
&= ((1 + (ap\bar a)^*ap\bar a)apap)^*(ap\bar a)^*\bar a = (apap + (ap\bar a)^*ap\bar a\,apap)^*(ap\bar a)^*\bar a \\
&= (apap)^*(ap\bar a)^*\bar a = (apap)^*(1 + ap\bar a(ap\bar a)^*)\bar a \\
&= (apap)^*(1 + ap\bar a + ap\bar a\,ap\bar a(ap\bar a)^*)\bar a = (apap)^*(1 + ap\bar a)\bar a \\
&= (apap)^*\bar a + ap(apap)^*\bar a = (1 + ap)(apap)^*\bar a = (ap)^*\bar a.
\end{aligned}$$
3.9 Redundant Loads and Stores

In the instruction sequence load r, i ; store r, i, the store instruction is redundant, since the first ensures that the value of i is the same as the contents of register r. We obtain the optimized code load r, i. Letting $p \stackrel{\mathrm{def}}{=}$ load r, i, $q \stackrel{\mathrm{def}}{=}$ store r, i, and $a \stackrel{\mathrm{def}}{=}$ r = i, we can postulate $p = pa$, since after loading i into register r, the test r = i is redundant; and $aq = a$, since storing r in i is redundant if the value is already there. Under these assumptions, we have $pq = paq = pa = p$.



3.10 Array Bounds Check Elimination

Consider the following program to initialize the elements of an array:

    i := 0 ; while i < x.length do { x[i] := e(i) ; i := i + 1 }

A compiler has to check that array accesses fall within bounds:

        i := 0                                  u
    α:  test i ≥ x.length
        jtrue β
        compute e(i)                            p
        if i in bounds then x[i] := e(i)        q
                       else error               s
        i := i + 1                              v
        goto α
    β:  ...

The bounds check inside the loop is redundant. The optimized code is

        i := 0                                  u
    α:  test i ≥ x.length
        jtrue β
        compute e(i)                            p
        x[i] := e(i)                            q
        i := i + 1                              v
        goto α
    β:  ...

Consider also the tests

$a \stackrel{\mathrm{def}}{=}$ 0 ≤ i
$b \stackrel{\mathrm{def}}{=}$ i < x.length
$c \stackrel{\mathrm{def}}{=} ab \stackrel{\mathrm{def}}{=}$ i is in bounds.

We have to prove $u(bp(cq + \bar c s)v)^*\bar b = u(bpqv)^*\bar b$. We see that if $a$ is true at the beginning of the loop, it remains true after one iteration; that is, $a(bp(cq + \bar c s)v) = a(bp(cq + \bar c s)v)a$. Reasoning under the assumptions $u = ua$, $ab = c$, $pc = cp$, and $a(bpqv) = (bpqv)a$ and using dead code elimination (Section 3.1) and the Lemma, we have

$$\begin{aligned}
u(bp(cq + \bar c s)v)^*\bar b &= ua(bp(cq + \bar c s)v)^*\bar b = ua(abp(cq + \bar c s)v)^*\bar b \\
&= ua(cp(cq + \bar c s)v)^*\bar b = ua(pc(cq + \bar c s)v)^*\bar b = ua(pcqv)^*\bar b \\
&= ua(abpqv)^*\bar b = ua(bpqv)^*\bar b = u(bpqv)^*\bar b.
\end{aligned}$$

Note that KAT does not contain explicit machinery for number-theoretic reasoning; that is a separate issue. However, as shown in this example, it does reduce the correctness of the optimizing code transformation to a set of basic number-theoretic assumptions on atomic programs and tests that justify the transformation.



3.11 Introduction of Sentinels

Our last example is also related to arrays. Suppose we want to check if a certain element, say T, is among the elements of a nonempty array x of length n. This can be done by:

    i := 0 ;                                    p
    while i < n and x[i] ≠ T do {
        i := i + 1 ;                            q
    }
    if i < n then found = true ;                t
             else found = false ;               s

In order to eliminate one of the tests of the while loop, we introduce a sentinel: we extend the array x by a new element initialized with T. The optimized program is

    x[n] := T ;                                 u
    i := 0 ;                                    p
    while x[i] ≠ T do {
        i := i + 1 ;                            q
    }
    if i < n then found = true ;                t
             else found = false ;               s

To prove that the two programs are equivalent, consider the tests

$a \stackrel{\mathrm{def}}{=}$ i < n
$b \stackrel{\mathrm{def}}{=}$ x[i] ≠ T
$c \stackrel{\mathrm{def}}{=}$ x[n] = T
$d \stackrel{\mathrm{def}}{=}$ i ≤ n.

Since x[n] will not be used further in the program, we can also use $w \stackrel{\mathrm{def}}{=}$ "make x[n] undefined". We want to prove

$$p(abq)^*\overline{ab}(at + \bar a s)w = up(bq)^*\bar b(at + \bar a s)w. \qquad (9)$$

Since $uw = w$ and $u$ commutes with the programs $p$, $q$, $s$, $t$ and the tests $a$ and $ab$, we can introduce $u$ on the left-hand side of (9) and move it to the front of the expression using the Lemma. It therefore suffices to prove

$$up(abq)^*\overline{ab}(at + \bar a s)w = up(bq)^*\bar b(at + \bar a s)w.$$

Since $u = uc$, $cp = pc$, and $p = pd$, we have $up = upcd$, thus it suffices to prove

$$cd(abq)^*\overline{ab} = cd(bq)^*\bar b. \qquad (10)$$

Now note that $cdb \le a$, or in other words $cdb = cdba$, $cq = qc$, and $aq = aqd$. Then

$$cdbq = cdbaq = cdbaqd = ccdbaqd = cdbaqcd = cdbqcd.$$

Using the Lemma variously with $x = cd$ and $y = abq$ and with $x = cd$ and $y = bq$, sliding and the properties $cd\bar a \le \bar b$ and $cdba = cdb$, we have

$$\begin{aligned}
cd(abq)^*\overline{ab} &= cd(abqcd)^*\overline{ab} = (cdabq)^*cd(\bar a + \bar b) = (cdabq)^*(cd\bar a + cd\bar b) \\
&= (cdabq)^*cd\bar b = (cdbq)^*cd\bar b = cd(bqcd)^*\bar b = cd(bq)^*\bar b.
\end{aligned}$$

This proves (10), and hence (9).

4 The Dead Variable Paradox

We conclude with some remarks about an interesting paradox concerning dead variables (variables whose values will never be used). This paradox is the source of a potentially dangerous pitfall that can arise when reasoning informally about the liveness of variables. A formal treatment in KAT helps to illuminate this issue. The reader will have noticed that we have made extensive use of the construct

$w \stackrel{\mathrm{def}}{=}$ make i undefined,

along with the atomic assertions $pw = w$ and $wp = p$, where $p$ is an assignment to i of an expression not containing i, and may have wondered why we did not use the test

$d \stackrel{\mathrm{def}}{=}$ i is a dead variable

and the assertions $pd = d$ and $dp = p$ instead. For example, if $p \stackrel{\mathrm{def}}{=}$ i := 1 and $q \stackrel{\mathrm{def}}{=}$ j := 2, we could postulate the atomic premises

$p = dp$: i is dead immediately before the assignment $p$
$qd = dq$: the assignment $q$ does not affect i
$pd = d$: an assignment to a dead variable is redundant,

then eliminate the first assignment to i in the program i := 1 ; j := 2 ; i := 1 by arguing $pqp = pqdp = pdqp = dqp = qdp = qp$.

The problem is that the proposition "i is a dead variable" is not a property of the local state of the computation. It does not commute with other tests involving i, which it must do in order to be a Boolean element of a Kleene algebra with tests, and its use as a test in the context of KAT can lead to paradoxical results.

To illustrate, consider the following calculation. Defining $a \stackrel{\mathrm{def}}{=}$ i = 1, we have $p = pa$, since i = 1 immediately after the assignment, and $ap = a$, since the assignment is redundant if i = 1 already. We also have $ad = da$ by commutativity. But then $pp = padp = pdap = da$, which is clearly an erroneous conclusion.

Our solution to this paradox is to use $w$ instead of $d$. The program $w$ can be regarded as an assignment of an undefined value to i. As such, it is a transformation of the local state, much like an ordinary assignment. Since $w$ is a program and not a test, it is not required by the axioms of KAT to commute with tests.
Abstract. Semantic resolution refinements are a very efficient way to restrict the resolution rule. Their principle is to avoid resolution between clauses that are true in a certain interpretation. In this way, the number of deduced clauses can be decreased drastically, and deduction can be restricted to clauses that are interesting from a semantic point of view. In this article, we present a semantic refinement of a resolution decision procedure for formulas of the guarded fragment (without equality). This fragment of first-order logic was introduced in order to explain the nice properties (in particular decidability) of propositional modal logics. In fact, many modal logics can be translated into the guarded fragment. Guarded clauses are a generalization of guarded formulas in clausal form and are decidable by resolution. The method presented in this article uses a model building procedure for guarded clauses which contain a positive maximal literal. A set of such clauses can be derived from the guarded clause set under consideration.



1 Introduction 

Semantic resolution refinements are very efficient refinements of the resolution rule as far as the number of deducible clauses is concerned. Their principle is to use semantic information about the predicate symbols present in order to filter resolution inferences. In general, an interpretation $I$ is given, and resolution between two clauses that are both true in $I$ is then avoided. This idea is due to Slagle. Examples of theorem provers using semantic approaches are SATCHMO and SCOTT. Another method using semantic reasoning, and a framework for semantic resolution methods, have also been presented in the literature.

Since the number of clauses that can be deduced by resolution from a given clause set may decrease drastically if semantic restrictions are applied to the resolution rule, such restrictions should make it possible to find proofs that are easier for a human user to understand. Additionally, the deduced clauses are more relevant from a semantic point of view.

If the interpretation $I$ that is used for the restriction is a model for a subset of the clause set $S$ under consideration, $I$ can be seen as a model hypothesis for $S$. If a clause from $S$ is false in $I$, further resolution steps are performed in order to deduce clauses that allow $I$ to be adapted. This is the approach we adopted in this article to get a semantic refinement of a resolution decision procedure for guarded formulas. In order to obtain a model for a subset of $S$, we must of course have a model building procedure at our disposal. Therefore, we will define a model building procedure for a certain class of guarded formulas.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 583ff., 2000.

The guarded fragment of first-order logic was introduced in order to explain the nice properties of modal logics, as for example decidability. In fact, many modal logics can be translated into the guarded fragment. Formulas of this fragment are called guarded, and it has been shown that every formula of the guarded fragment admits a finite model.

Transformation of guarded formulas into clausal form has inspired the class of guarded clauses, whose definition imposes very strong syntactic restrictions on variable occurrences: every non-ground functional term that occurs in a guarded clause $C$ must contain all the variables that occur in $C$. Additionally, a guarded clause must contain a guard literal, which is a negative literal in which all the variables of the clause occur as arguments, and that does not contain any non-ground functional term. Sets of guarded clauses are decidable by saturation under ordered resolution, which has been shown using both a non-liftable and a liftable ordering.

The model building method we define in this article allows us to transform a given satisfiable set $S$ of guarded clauses (without equality) in which every clause contains a positive greatest literal into a set $S'$ of so-called primitive guarded Horn clauses such that the $\subseteq$-least Herbrand model $\mathcal{M}_{S'}$ of $S'$ is a model of $S$. Since it is possible to evaluate guarded clauses in $\mathcal{M}_{S'}$, we consider $S'$ as the representation of an (infinite) model of $S$.

This article is structured as follows: first, we review some notions in order to settle our notation. In Section 3, we review the resolution decision procedure for guarded clauses. In Section 4, we present the model building procedure, and in Section 5 we show how to integrate it into the decision procedure for guarded formulas. We discuss a generalization of our method in Section 6, and conclude in Section 7.

2 Preliminaries 

We assume the reader to be familiar with the standard logic notions as term, 
formula, clause, Herbrand interpretation, etc. 

Throughout this article, if not stated otherwise, we will mean finite set of 
clauses if we write set of clauses. Furthermore, we will always assume that for 
two different clauses, there is no variable that occurs in both of them. 

We consider clauses over a signature $(\mathcal{C}, \mathcal{F}, \mathcal{P}, \mathcal{V})$ where $\mathcal{C}$ is a finite set of constant symbols, $\mathcal{F}$ is a finite set of function symbols, $\mathcal{P}$ is a finite set of predicate symbols, and $\mathcal{V}$ is a countably infinite set of variables.

We denote by $=$ syntactic equality, i.e. $=$ is always interpreted as equality w.r.t. the empty equational theory. Syntactic equality will be introduced by a transformation step of our method, and we assume that $=$ does not occur in a clause set for which we want to build a model.

For a literal $L$, we denote by $args(L)$ the $n$-tuple of arguments of $L$, and by $L^c$ the complement of $L$ (so if $L = A$ for an atom $A$, then $L^c = \neg A$, and vice versa). For a set of literals $S$, we denote by $S^c$ the set $\{L^c \mid L \in S\}$.

A literal $L$ is flat iff all of its arguments are variables or constant symbols. A set of literals is flat iff all of its literals are flat. For a set of literals $S$, $S^+$ ($S^-$) is the set of all positive (negative) literals in $S$. A clause is a set of literals interpreted as a disjunction. A clause $C$ for which $C = C^+$ ($C = C^-$) is called positive (negative). A clause $C$ is Horn if $|C^+| \le 1$.

Substitutions are defined as usual. For a substitution $\sigma$, we denote by $dom(\sigma)$ (resp. $codom(\sigma)$) the domain (resp. co-domain) of $\sigma$. A substitution with the domain $\{x_1, \ldots, x_n\}$ that maps each $x_i$ to a $t_i$ is denoted by $\{x_i \mapsto t_i \mid 1 \le i \le n\}$. For a set of variables $V$, we denote by $\sigma|_V$ the restriction of $\sigma$ to variables in $V$, i.e. the substitution $\{x \mapsto t \in \sigma \mid x \in V\}$. For a substitution $\sigma = \{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$, we denote by $eq(\sigma)$ the set of equations $\{x_1 = t_1, \ldots, x_n = t_n\}$.

Let $S$ be a set of clauses over the signature $(\mathcal{C}, \mathcal{F}, \mathcal{P})$. Then, the Herbrand base of $S$, denoted by $HB_S$, is the set of all ground atoms over $(\mathcal{C}, \mathcal{F}, \mathcal{P})$. A Herbrand interpretation $I$ for a clause set $S$ is identified with a subset of $HB_S$. Then, $I \models A$ iff $A \in I$, and $I \models \neg A$ iff $A \notin I$ for every atom $A$ over $(\mathcal{C}, \mathcal{F}, \mathcal{P})$.

The depth of a term is defined as follows: if $t$ is a constant or a variable, then $depth(t) = 0$. Else, $t$ is a functional term $f(t_1, \ldots, t_n)$, and $depth(t) = 1 + \max(depth(t_1), \ldots, depth(t_n))$. The depth of an atom is the maximal depth of its arguments, and the depth of a literal is the depth of its atom.

Let $\prec$ be an ordering on ground literals. Then, $\prec$ is extended to non-ground literals by $L_1 \prec L_2$ iff $L_1\sigma \prec L_2\sigma$ for all ground substitutions $\sigma$. A literal $L$ is maximal in a clause $C$ iff there is no $L' \in C$ with $L \prec L'$. $L$ is the greatest literal of $C$ iff $L' \prec L$ for all $L' \in C \setminus \{L\}$.

2.1 Rules 

A rule has the form $r = L_1, \ldots, L_n \to H_1, \ldots, H_m$, where the $L_i$ are (possibly negative) literals, and the $H_i$ are positive literals. We call the set $\{L_1, \ldots, L_n\}$ the body of $r$ and denote it by $body(r)$. The set $\{H_1, \ldots, H_m\}$ is called the head of $r$ and denoted by $head(r)$. As usual, the head is interpreted as a disjunction, whereas the body is interpreted as a conjunction. If the head of a rule contains only one literal, we will identify it with this literal.

A Herbrand interpretation $I$ is called a model of a set of rules $\mathcal{R}$ iff for all $r \in \mathcal{R}$ and for all ground substitutions $\sigma$, $I \models body(r\sigma)$ implies $I \models head(r\sigma)$. A model $I$ of $\mathcal{R}$ is called well-supported if there is a literal ordering $<$ such that for every ground atom $A \in I$, there is a ground substitution $\sigma$ and a rule $A_1, \ldots, A_l, \neg B_1, \ldots, \neg B_m \to C_1, \ldots, C_n \in \mathcal{R}$ such that $A = C_k\sigma$ for some $k$ with $1 \le k \le n$, $I \models \{A_1, \ldots, A_l, \neg B_1, \ldots, \neg B_m, \neg C_1, \ldots, \neg C_n\}\sigma \setminus \{\neg A\}$, and $A_i\sigma < A$ for $1 \le i \le l$. If we want to make the ordering $<$ explicit, we say that $I$ is a $<$-well-supported model.

For a clause $C = \{\neg A_1, \ldots, \neg A_l, B_1, \ldots, B_m, C_1, \ldots, C_n\}$ and a literal ordering $<$ such that $C_i$ is $<$-maximal in $C$ for $1 \le i \le n$ and $B_i$ is not $<$-maximal in $C$ for $1 \le i \le m$, we denote by $r_C$ the rule $A_1, \ldots, A_l, \neg B_1, \ldots, \neg B_m \to C_1, \ldots, C_n$. For a set of clauses $S$, we denote by $\mathcal{R}_S$ the set of rules $\{r_C \mid C \in S\}$. Clearly, a well-supported model of $\mathcal{R}_S$ is a model of $S$. We will often write clauses in rule form since this allows us to make maximal literals explicit.

2.2 Covering Literals 

A literal $L$ is covering if every functional subterm of $L$ contains all the variables in $var(L)$.

Example 1. $P(x, f(x,y), a)$, $Q(f(x,y), h(x,x,y))$ and $Q(f(a,b), a)$ are covering literals, whereas $Q(f(x,y), h(x,y,z))$ and $R(x, f(a,b))$ are not covering.

For two unifiable covering literals, there exists an mgu that has a special form as stated by the following lemma:

Lemma 1. Let $L_1$ and $L_2$ be two non-ground, variable disjoint, unifiable covering literals with $depth(L_1) \le depth(L_2)$. Then there exists an mgu $\sigma$ such that $var(L_1) \subseteq dom(\sigma)$ and for all $x \mapsto t \in \sigma$,

— if $x \in var(L_1)$, then $var(t) \subseteq var(L_2)$, and

— if $x \in var(L_2)$, then $t$ is ground or $t \in var(L_2)$.

We denote an mgu of two literals $L_1$ and $L_2$ as in Lemma 1 by $mgu(L_1, L_2)$.

Corollary 1. Let $L_1$ and $L_2$ be two unifiable covering literals of the same depth, and $\sigma = mgu(L_1, L_2)$. Then, $codom(\sigma)$ does not contain any functional term.

2.3 Guarded Clauses 

We adopt the following definition of guarded clauses:

Definition 1. A clause $C$ is called guarded if all its literals are of depth less than or equal to 1, and if it satisfies the following additional conditions:

1. every functional term in $C$ contains all the variables of $C$, and

2. if $C$ is non-ground then it contains a negative literal (the guard) which has the form $\neg P(t_1, \ldots, t_n)$ such that for $1 \le i \le n$, $t_i$ is a variable or a constant, and all variables of $C$ occur among the $t_i$.

Note that this definition implies that all the literals of a guarded clause are covering. As has been shown, every formula of the guarded fragment can be transformed into a set of guarded clauses.

Example 2. The following two clauses are guarded: $\{\neg P(x,y), P(x, f(x,y))\}$ and $\{\neg Q(a,x,y), \neg P(f(x,y), h(x,x,y)), Q(a,b,a), \neg P(x,x)\}$.

The clauses $\{P(x, f(x,y)), \neg Q(x, h(x,y,x), y)\}$, $\{\neg P(x,y), Q(x,y,h(x,y,z))\}$ and $\{\neg P(x,y), Q(x, f(a,b), y)\}$ are not guarded.

We call the rule $r$ a guarded rule iff $C = body(r)^c \cup head(r)$ is a guarded clause.

Definition 2. A Horn clause is a primitive guarded Horn clause if it is ground and positive, or it is a guarded clause of the form $\{\neg P(x_1, \ldots, x_n), Q(t_1, \ldots, t_m)\}$ where the $x_i$ are variables, $x_i \ne x_j$ if $i \ne j$ and $1 \le i, j \le n$, and for the positive literal it holds that $depth(Q(t_1, \ldots, t_m)) > 0$.

Primitive guarded Horn clauses (PGHC) have been introduced in order to represent Herbrand interpretations. The interpretation represented by a set of primitive guarded Horn clauses is its $\subseteq$-least Herbrand model.



3 Deciding Sets of Guarded Clauses 

It has been shown that sets of guarded clauses with equality can be decided using the superposition calculus with an appropriate choice of a reduction ordering $\succ$ and a selection function $\Sigma$: the ordering $\succ$ has to be an admissible literal ordering in which the term ordering is a lexicographic path ordering based on a precedence $\succ$ for which $P \succ c \succ f$ for all $P \in \mathcal{P}$, $c \in \mathcal{C}$, and $f \in \mathcal{F}$. The selection function $\Sigma$ is such that (i) if a clause is non-ground and contains no functional term, then one of its guards is selected, and (ii) if a clause is ground or contains a functional term, then no literal is selected.

Since we do not deal with equality in this work, we only need the resolution and factoring rules. A literal is called eligible in a clause $C$ if either it is selected in $C$ by $\Sigma$, or it is $\succ$-maximal in $C$ and no other literal in $C$ is selected.

— Resolution: from $\{A_1\} \cup R_1$ and $\{\neg A_2\} \cup R_2$, derive $R_1\sigma \cup R_2\sigma$ if $A_1$ and $\neg A_2$ are eligible in their respective clauses and unifiable with mgu $\sigma$.

— Factoring: from $\{A_1, A_2\} \cup R$, derive $\{A_1\theta\} \cup R\theta$ if $A_1$ is eligible and unifiable with $A_2$ with mgu $\theta$.

Using these two rules, only finitely many new clauses can be deduced from a given set of guarded clauses. Since the calculus is refutationally complete, it is a decision procedure for sets of guarded clauses.

4 The Model Building Procedure 

In this section we describe the method used to build a model for a set of guarded clauses in which every clause contains a positive, non-flat $\prec$-greatest literal (this implies that no literal is selected). For such a set $S$, our method finds a set $S'$ of primitive guarded Horn clauses such that the $\subseteq$-least Herbrand model of $S'$ is a model for $S$.

In this section, we will use the rule form $\mathcal{R}_S$ of the set $S$ under consideration. Since the head of a rule $r \in \mathcal{R}_S$ contains exactly one literal, we will refer to this literal as the head of the rule.

For a set $\mathcal{R}$ of guarded rules in which the head is the $\prec$-greatest literal, we denote by $\mathcal{M}_{\mathcal{R}}$ its unique well-supported model. Ground atoms can be evaluated in $\mathcal{M}_{\mathcal{R}}$: a ground atom $A$ is true in $\mathcal{M}_{\mathcal{R}}$ iff there is a rule $r \in \mathcal{R}$ such that $A$ is unifiable with $\mathrm{head}(r)$ by mgu $\sigma$, and all $L \in \mathrm{body}(r)\sigma$ are true in $\mathcal{M}_{\mathcal{R}}$. Since all $L \in \mathrm{body}(r)\sigma$ are ground and $\prec$-smaller than $A$, this yields an effective (recursive) evaluation procedure.
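The evaluation procedure just described, as an added example that is not part of the paper: the rule set is the rule form of clauses (1) to (7) of Example 4 below (encoded by this editor), the term representation and all function names are this editor's, and the literal ordering used to check that every body instance is smaller than the head is a simplification of the paper's lexicographic path ordering (term depth first, then predicate precedence $T \prec S \prec P \prec Q$; the position of $R$ is an assumption). Negative body literals are evaluated by recursion on smaller atoms, which is exactly why the procedure terminates.

```python
# Added example: evaluation of ground atoms in the well-supported model M_R
# of a set of guarded rules. Not code from the paper.
#
# Encoding (this editor's): a term or atom is a tuple (symbol, arg1, ..., argk);
# constants are plain strings; variables are strings starting with '?'.
# A rule is (body, head) where body is a list of (positive: bool, atom).
from typing import Dict, List, Tuple

Atom = tuple
Literal = Tuple[bool, Atom]
Rule = Tuple[List[Literal], Atom]


def is_var(t) -> bool:
    return isinstance(t, str) and t.startswith("?")


def depth(t) -> int:
    """Depth of a term or atom: 0 for constants and variables, 1 + max over args."""
    if isinstance(t, str):
        return 0
    return 1 + max((depth(a) for a in t[1:]), default=0)


def match(pattern, ground, subst: Dict[str, object]) -> bool:
    """One-sided unification: extend subst so that pattern.subst == ground.
    Matching suffices because the atom being evaluated is ground."""
    if is_var(pattern):
        if pattern in subst:
            return subst[pattern] == ground
        subst[pattern] = ground
        return True
    if isinstance(pattern, str):
        return pattern == ground
    if isinstance(ground, str) or len(pattern) != len(ground) or pattern[0] != ground[0]:
        return False
    return all(match(p, g, subst) for p, g in zip(pattern[1:], ground[1:]))


def substitute(t, subst: Dict[str, object]):
    """Apply subst; bodies of guarded rules are ground once the head is matched."""
    if is_var(t):
        return subst[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(substitute(a, subst) for a in t[1:])


class WellSupportedModel:
    def __init__(self, rules: List[Rule], precedence: List[str]):
        self.rules = rules
        self.prec = {p: i for i, p in enumerate(precedence)}  # later symbol = greater
        self.memo: Dict[Atom, bool] = {}

    def smaller(self, a: Atom, b: Atom) -> bool:
        """Simplified literal ordering (assumption): depth, then predicate precedence."""
        return (depth(a), self.prec[a[0]]) < (depth(b), self.prec[b[0]])

    def holds(self, atom: Atom) -> bool:
        """A is true in M_R iff some rule head matches A and the instantiated body
        is true. Body atoms are strictly smaller than A, so the recursion ends."""
        if atom in self.memo:
            return self.memo[atom]
        result = False
        for body, head in self.rules:
            subst: Dict[str, object] = {}
            if not match(head, atom, subst):
                continue
            satisfied = True
            for positive, lit in body:
                inst = substitute(lit, subst)
                if not self.smaller(inst, atom):
                    raise ValueError(f"body literal {inst} is not smaller than head {atom}")
                if self.holds(inst) != positive:
                    satisfied = False
                    break
            if satisfied:
                result = True
                break
        self.memo[atom] = result
        return result


def fg(x, y):
    """The term pair (f(x,y), g(x,y)) that appears in every non-flat head of Example 4."""
    return (("f", x, y), ("g", x, y))


X, Y = "?x", "?y"
# Rule form of clauses (1)-(7) of Example 4, encoded by this editor.
EXAMPLE_4_RULES: List[Rule] = [
    ([], ("P", "a", "b")),                                                  # P(a,b)
    ([], ("T", "a", "b")),                                                  # T(a,b)
    ([(True, ("P", X, Y)), (False, ("S",) + fg(X, Y))], ("P",) + fg(X, Y)), # P(x,y), not S(f,g) -> P(f,g)
    ([(True, ("S", X, Y))], ("P",) + fg(X, Y)),                             # S(x,y) -> P(f,g)
    ([(True, ("Q", X, Y))], ("R",) + fg(X, Y)),                             # Q(x,y) -> R(f,g)
    ([(True, ("R", X, Y))], ("T",) + fg(X, Y)),                             # R(x,y) -> T(f,g)
    ([(True, ("T", X, Y))], ("Q",) + fg(X, Y)),                             # T(x,y) -> Q(f,g)
]
PRECEDENCE = ["T", "S", "P", "Q", "R"]  # T < S < P < Q as in Example 4; R's place is assumed
MODEL = WellSupportedModel(EXAMPLE_4_RULES, PRECEDENCE)


def evaluate(atom: Atom) -> bool:
    return MODEL.holds(atom)


def clause8_violated(x, y) -> bool:
    """Clause (8) = {not P(x,y), not Q(x,y)} is false at (x,y) iff both atoms hold in M_R."""
    return MODEL.holds(("P", x, y)) and MODEL.holds(("Q", x, y))


if __name__ == "__main__":
    fab, gab = fg("a", "b")
    print(evaluate(("P", fab, gab)), evaluate(("Q", fab, gab)), clause8_violated(fab, gab))
```

Running it confirms the observation made in Example 4: both $P(f(a,b), g(a,b))$ and $Q(f(a,b), g(a,b))$ are true in $\mathcal{M}_{\mathcal{R}}$, so clause (8) is false in the model, while $S(f(a,b), g(a,b))$ is false because no rule has an $S$-head.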

4.1 Flattening of Positive Body Literals 

In order to flatten positive body literals, we use a transformation based on saturation under resolution. To do this, we define the following deduction rule:

Definition 3. Let $\mathcal{R}$ be a set of guarded rules in which the head is non-flat and the $\prec$-greatest literal. Then, $\mathrm{RES}_{\mathcal{R}}$ is the inference rule defined as follows: let $r_1 = R_1 \cup \{L_1\} \to M$ and $r_2 = R_2 \to L_2$ be two guarded rules in which the head is non-flat and the greatest literal, and

— $\sigma = \mathrm{mgu}(L_1, L_2)$,

— $\mathrm{depth}(L_1) = 1$,

— all positive literals in $R_2$ are flat.

Then, two cases are distinguished:

1. if $R_1\sigma \cup R_2\sigma$ is not ground,

$$\frac{R_1 \cup \{L_1\} \to M \qquad R_2 \to L_2}{R_1\sigma \cup R_2\sigma \to M\sigma}$$

2. if $R_1\sigma \cup R_2\sigma$ is ground and true in $\mathcal{M}_{\mathcal{R}}$,

$$\frac{R_1 \cup \{L_1\} \to M \qquad R_2 \to L_2}{\to M\sigma}$$

Lemma 2. Let $\mathcal{R}$ be a set of guarded rules in which the head is non-flat and the $\prec$-greatest literal, and $\mathcal{R}'$ be the saturation of $\mathcal{R}$ under $\mathrm{RES}_{\mathcal{R}}$. Let

$$\mathcal{R}'' = \{\, r \in \mathcal{R}' \mid \mathrm{body}(r) \text{ does not contain any non-flat positive literal} \,\}.$$

Then, $\mathcal{R}'$ is a set of guarded rules in which the head is the $\prec$-greatest literal, and $\mathcal{M}_{\mathcal{R}} = \mathcal{M}_{\mathcal{R}''}$. Furthermore, if the rules in $\mathcal{R}$ do not contain any non-flat negative body literal, neither do the clauses in $\mathcal{R}''$.

Proof. Let $r_1, r_2 \in \mathcal{R}$ and $\sigma$ be as in Definition 3. If the rule deduced by $\mathrm{RES}_{\mathcal{R}}$ is ground, then clearly the head is non-flat and the greatest literal, so let us assume that the deduced rule is not ground. Since $\mathrm{depth}(L_1) = \mathrm{depth}(L_2) = 1$, $\mathrm{codom}(\sigma)$ does not contain any functional term (Corollary 1). Therefore, the deduced rule is a guarded rule. Clearly, $M\sigma$ is the $\prec$-greatest literal in $r_1\sigma$, so for $L \in (R_1 \cup \{\neg L_1\})\sigma$, we have that $L \prec M\sigma$. For $L \in R_2\sigma$, we have that $L \prec L_2\sigma = L_1\sigma \prec M\sigma$. So, $M\sigma$ is the $\prec$-greatest literal in the deduced rule $d$.

Now we show that $\mathcal{M}_{\mathcal{R}} = \mathcal{M}_{\mathcal{R}'}$. Let $\theta$ be a ground substitution such that $\mathcal{M}_{\mathcal{R}} \models \mathrm{body}(d\theta) = (R_1\sigma \cup R_2\sigma)\theta$. Then, $\mathcal{M}_{\mathcal{R}} \models L_2\sigma\theta$, and $\mathcal{M}_{\mathcal{R}} \models (R_1 \cup \{L_1\})\sigma\theta$. So $\mathcal{M}_{\mathcal{R}} \models M\sigma\theta = \mathrm{head}(d\theta)$. Therefore, adding $d$ to $\mathcal{R}$ does not modify the well-supported model $\mathcal{M}_{\mathcal{R}}$.

Finally we show that for every ground atom $A$, $\mathcal{M}_{\mathcal{R}'} \models A$ iff $\mathcal{M}_{\mathcal{R}''} \models A$, by induction, using the induction hypothesis that for all literals $L \prec A$, $\mathcal{M}_{\mathcal{R}'} \models L$ iff $\mathcal{M}_{\mathcal{R}''} \models L$.

Let $A \in \mathcal{M}_{\mathcal{R}'}$. Then, there is a ground substitution $\sigma$ and a rule $r \in \mathcal{R}'$ such that $A = \mathrm{head}(r\sigma)$, $L \prec A$ for $L \in \mathrm{body}(r\sigma)$, and $\mathcal{M}_{\mathcal{R}'} \models \mathrm{body}(r\sigma)$ (note that $\mathrm{body}(r\sigma)$ may be the empty conjunction).

Let $\{B_1, \dots, B_l\}$ be exactly those positive literals in $\mathrm{body}(r)$ that have depth 1 (this set may be empty). From the induction hypothesis, it follows that $\mathcal{M}_{\mathcal{R}''} \models \{B_1\sigma, \dots, B_l\sigma\}$. So for $1 \le i \le l$, there is $r_i \in \mathcal{R}''$ such that $B_i\sigma = \mathrm{head}(r_i\theta_i)$ and $\mathcal{M}_{\mathcal{R}''} \models \mathrm{body}(r_i\theta_i)$ for some ground substitution $\theta_i$.

Since $\mathcal{R}'' \subseteq \mathcal{R}'$, we have that $r_i \in \mathcal{R}'$. Since $\mathcal{R}'$ is saturated under $\mathrm{RES}_{\mathcal{R}}$, it must contain the rule $d$ obtained by consecutively resolving $r$ on $B_i$ with $r_i$ using mgu $\sigma_i$ for $1 \le i \le l$. Since $\mathrm{body}(r_i)$ does not contain any non-flat positive literal and the co-domain of $\sigma_i$ does not contain any functional term for $1 \le i \le l$, $\mathrm{body}(d)$ cannot contain any non-flat positive literal. Therefore, $d \in \mathcal{R}''$. If $d$ is ground, then $d = {} \to A$, so $A \in \mathcal{M}_{\mathcal{R}''}$. Otherwise, let $\tau$ be such that $\mathrm{head}(d\tau) = \mathrm{head}(r\sigma)$. Then, $\mathcal{M}_{\mathcal{R}''} \models \mathrm{body}(d\tau)$. Since $d$ is true in $\mathcal{M}_{\mathcal{R}''}$, it must be that $\mathcal{M}_{\mathcal{R}''} \models \mathrm{head}(d\tau) = A$.

Now assume that $A \in \mathcal{M}_{\mathcal{R}''} \setminus \mathcal{M}_{\mathcal{R}'}$. Then, there is a ground substitution $\sigma$ and a rule $r \in \mathcal{R}''$ such that $A = \mathrm{head}(r\sigma)$, $L \prec A$ for $L \in \mathrm{body}(r\sigma)$, and $\mathcal{M}_{\mathcal{R}''} \models \mathrm{body}(r\sigma)$. If $\mathrm{body}(r\sigma) = \emptyset$, then ${} \to A \in \mathcal{R}''$, which implies that ${} \to A \in \mathcal{R}'$, contradicting $A \notin \mathcal{M}_{\mathcal{R}'}$. Otherwise, since $\mathcal{R}'' \subseteq \mathcal{R}'$, there must be an $L \in \mathrm{body}(r\sigma)$ such that $\mathcal{M}_{\mathcal{R}'} \not\models L$. But this contradicts the induction hypothesis.

Since the co-domains of all the unifiers that occur during the saturation process do not contain any functional term, all the negative body literals in the resulting set are flat whenever those of $\mathcal{R}$ are.

□

We will denote by $\mathrm{flatten\_positive\_body\_literals}(\mathcal{R})$ the set $\mathcal{R}''$, where $\mathcal{R}$ and $\mathcal{R}''$ are as in the above lemma.

4.2 Flattening of Negative Body Literals 

The idea for flattening negative body literals is the following: a ground instance $\neg A\theta$ of a literal $\neg A$ is true in the well-supported model $\mathcal{M}$ of a rule set $\mathcal{R}$ iff for all $r \in \mathcal{R}$, either $A\theta$ cannot be unified with $\mathrm{head}(r)$, or there is a literal $L$ in $\mathrm{body}(r)$ such that $L^{\neg}\sigma$ is true in $\mathcal{M}$, where $\sigma = \mathrm{mgu}(A, \mathrm{head}(r))$ and $L^{\neg}$ denotes the complement of $L$. In order to express that $A$ cannot be unified with the head of a rule $r$, we have to introduce literals built with the syntactic equality predicate $=$. The algorithm implementing this technique is shown in Figure 1.
Lemma 3. Let $\mathcal{R}$ be a set of guarded rules not containing $=$, in which the head is non-flat and the $\prec$-greatest literal and such that all positive literals in the rule bodies are flat, and let $r$ be a guarded rule with non-flat $\prec$-greatest head and in which all equational literals are flat. Then, for every ground substitution $\theta$,

$$\mathcal{M}_{\mathcal{R}} \models \mathrm{body}(r\theta) \quad\text{iff}\quad \mathcal{M}_{\mathcal{R}} \models \mathrm{body}(r'\theta) \text{ for some } r' \in \mathrm{flatten\_negative\_body\_literals}(r, \mathcal{R}),$$

and for all $r' \in \mathrm{flatten\_negative\_body\_literals}(r, \mathcal{R})$, $r'$ is a guarded rule, all negative literals in $\mathrm{body}(r')$ are flat, and $\mathrm{head}(r')$ is non-flat and the $\prec$-greatest literal in $r'$.

Proof. Let $\neg A_j$ be a non-ground, negative literal of depth 1 that is contained in the body of the rule $r$ (if no such $A_j$ exists, the claim is trivial), and let $\theta$ be a ground substitution such that $\mathcal{M}_{\mathcal{R}} \models \neg A_j\theta$. Let $\{r_1, \dots, r_n\} = \{\, r \in \mathcal{R} \mid \mathrm{head}(r) \text{ is unifiable with } A_j \,\}$, and $\sigma_i = \mathrm{mgu}(\mathrm{head}(r_i), A_j)$ for $1 \le i \le n$. Let $\Phi_j$ be defined as in Figure 1.

Then, $\mathcal{M}_{\mathcal{R}} \models \neg A_j\theta$
iff for $1 \le i \le n$, either $\mathrm{head}(r_i)$ is not unifiable with $A_j\theta$, or $\mathcal{M}_{\mathcal{R}} \not\models \mathrm{body}(r_i\sigma_i\theta)$;
iff for every $i$ with $1 \le i \le n$, either some $x\theta = t\theta \in \mathrm{eq}(\sigma_i|_{\mathrm{var}(A_j)})\theta$ is false, or all $L \in \mathrm{eq}(\sigma_i|_{\mathrm{var}(A_j)})\theta$ are true and $\mathcal{M}_{\mathcal{R}} \models K^{\neg}\theta$ for some $K \in \mathrm{body}(r_i\sigma_i)$;
iff there is a conjunction $D \in \Phi_j$ such that $\mathcal{M}_{\mathcal{R}} \models D\theta$.
Now, the claim follows from the fact that in the set of rules generated by the procedure $\mathrm{flatten\_negative\_body\_literals}$, there is a rule $r'$ in which $\neg A_j$ has been replaced by $D$.

For the $\sigma_i$ in the for-loop, $\mathrm{codom}(\sigma_i)$ does not contain any functional term for $1 \le i \le n$ according to Corollary 1. Therefore, $\mathrm{body}(r_i\sigma_i)^{\neg} \cup \mathrm{eq}(\sigma_i|_{\mathrm{var}(A_j)})$ contains only flat literals for $1 \le j \le m$, and so all negative literals in the resulting rules are flat. Since the $\sigma_i$ are mgus as in Lemma 1, we have that for every $L \in \mathrm{body}(r_i\sigma_i) \cup \mathrm{eq}(\sigma_i|_{\mathrm{var}(A_j)})$, $\mathrm{var}(L) \subseteq \mathrm{var}(A_j)$. Since variables that occur in $A_j$, but not in $A_j\sigma_i$, are instantiated according to $\sigma_i$ (if possible) in the second for-loop, the resulting rules are guarded rules. Finally, since the literals in $D_i$ are either flat equational literals or body literals of a rule whose head is equal to $A_j\sigma_i$, the head is the $\prec$-maximal literal in every resulting rule. □

We give an example to show how the transformation works:

Example 3. Let

$$\mathcal{R} = \{\, R(x) \to R(f(x,a));\ \ Q(x,y), T(x) \to R(f(x,y)) \,\}, \quad\text{and}\quad r = P(x,y), \neg R(f(x,y)) \to S(f(x,y)).$$

Then, $\mathrm{flatten\_negative\_body\_literals}(r, \mathcal{R})$ consists of the four rules

$$\begin{aligned}
& P(x,a), \neg Q(x,a), \neg R(x) \to S(f(x,a)) \\
& P(x,y), \neg Q(x,y), \neg\, y = a \to S(f(x,y)) \\
& P(x,a), \neg T(x), \neg R(x) \to S(f(x,a)) \\
& P(x,y), \neg T(x), \neg\, y = a \to S(f(x,y))
\end{aligned}$$

(The first rule of $\mathcal{R}$ unifies with $R(f(x,y))$ only if $y = a$, which either becomes the instantiation $y \leftarrow a$ together with the negated body $\neg R(x)$, or the disequation $\neg\, y = a$; the second rule unifies without instantiation and contributes the negated body literals $\neg Q(x,y)$ and $\neg T(x)$.)
procedure flatten_negative_body_literals(r, R)
begin
  let {¬A_1, ..., ¬A_m} = {L ∈ body(r) | L is non-flat and negative}
  for j = 1 to m do
    let {r_1, ..., r_n} = {r' ∈ R | head(r') is unifiable with A_j}
    for 1 ≤ i ≤ n, let σ_i = mgu(head(r_i), A_j) and E_i = eq(σ_i|var(A_j))
      and S_i = { {L^¬} ∪ E_i | L ∈ body(r_i σ_i) } ∪ { {L^¬} | L ∈ E_i }
    Φ_j = { K_1 ∪ ... ∪ K_n | K_i ∈ S_i for 1 ≤ i ≤ n }
  end for
  R' = { (body(r) \ {¬A_1, ..., ¬A_m}) ∪ D_1 ∪ ... ∪ D_m → head(r) | D_j ∈ Φ_j for 1 ≤ j ≤ m }
  for all r ∈ R' do
    while there is x = t ∈ body(r) where x is a variable do
      r = (body(r) \ {x = t} → head(r)){x ← t}
    end while
    if there is a = b ∈ body(r) where a and b are different constant symbols then
      delete r from R'
    end if
    delete all a = a ∈ body(r) where a is a constant
  end for all
  result = R'
end procedure

Fig. 1. The flatten_negative_body_literals procedure



Lemma 4. Let $\mathcal{R}$ be a set of guarded rules not containing $=$, in which the head is non-flat and the $\prec$-greatest literal, and in which all positive body literals are flat. Let

$$\mathcal{R}' = \bigcup_{r \in \mathcal{R}} \mathrm{flatten\_negative\_body\_literals}(r, \mathcal{R}).$$

Then, all negative literals in the bodies of the rules in $\mathcal{R}'$ are flat, and $\mathcal{M}_{\mathcal{R}} = \mathcal{M}_{\mathcal{R}'}$.

Proof. By Lemma 3 all the negative body literals of the rules in $\mathcal{R}'$ are flat. Now we show that for every ground atom $A$, $A \in \mathcal{M}_{\mathcal{R}}$ iff $A \in \mathcal{M}_{\mathcal{R}'}$, by induction, using the induction hypothesis that for all $B \prec A$, $B \in \mathcal{M}_{\mathcal{R}}$ iff $B \in \mathcal{M}_{\mathcal{R}'}$.

$\mathcal{M}_{\mathcal{R}} \subseteq \mathcal{M}_{\mathcal{R}'}$: Let $A \in \mathcal{M}_{\mathcal{R}}$. Then, there is a rule $r \in \mathcal{R}$ such that for some ground substitution $\sigma$, $A = \mathrm{head}(r)\sigma$, $B \prec A$ for all $B \in \mathrm{body}(r)\sigma$, and $\mathcal{M}_{\mathcal{R}} \models \mathrm{body}(r)\sigma$. There is an $r' \in \mathrm{flatten\_negative\_body\_literals}(r, \mathcal{R})$ such that $\mathcal{M}_{\mathcal{R}} \models \mathrm{body}(r')\sigma$ (Lemma 3). Since for all $B \in \mathrm{body}(r')\sigma$ it holds that $B \prec \mathrm{head}(r')\sigma = \mathrm{head}(r)\sigma = A$, it follows from the induction hypothesis that $\mathcal{M}_{\mathcal{R}'} \models \mathrm{body}(r')\sigma$. But then $A \in \mathcal{M}_{\mathcal{R}'}$.

$\mathcal{M}_{\mathcal{R}'} \subseteq \mathcal{M}_{\mathcal{R}}$: by reversing the above. □



4.3 Transformation into Primitive Guarded Horn Clauses 

Now, we will show that it is possible to compute for a given set $\mathcal{R}$ of guarded rules with non-flat $\prec$-greatest heads a set $S$ of primitive guarded Horn clauses such that the well-supported model of $\mathcal{R}$ coincides with the $\subseteq$-least Herbrand model of $S$ on the predicate symbols that occur in $\mathcal{R}$. For the sake of simplicity, we will identify a PGHC with its rule form, and call a rule which corresponds to a PGHC primitive.

As a first step, we flatten all body literals using the procedures of Sections 4.1 and 4.2. Now, the idea of this transformation is to take the body of a rule $r$ which is not primitive, and to define a fresh predicate symbol $Q$ by $\mathrm{body}(r) \to Q(x_1, \dots, x_n)$ where $\{x_1, \dots, x_n\} = \mathrm{var}(r)$. Then, we unfold the new rule on all positive literals, and finally, we flatten the negative literals in the resulting rules.

If the rules we obtain in this way are not primitive, we apply the same operation to those rules. Since the number of predicate symbols that may occur in the rule bodies is finite and the rule bodies are flat, there is only a finite number of different rule bodies, so we have to introduce only a finite number of new predicate symbols. As a last step, the rule bodies are replaced by the corresponding flat literal.

The procedure used to unfold flat rules on their positive literals is shown in Figure 2. If we unfold a rule that contains an equality literal, the variables of this equality literal might be instantiated. In order to deal with non-flat equational literals, we use the simplification rules shown in Figure 3.

Lemma 5. Let $r$ be a flat guarded rule, and let $\mathcal{R}$ be a set of guarded rules in which all body literals are flat and the head is non-flat and the $\prec$-greatest literal. Then, every rule $r' \in \mathrm{unfold\_and\_simplify}(r, \mathcal{R})$ is a guarded rule, and all $L \in \mathrm{body}(r')$ which are positive or built with $=$ are flat.

Proof. Since sets of guarded rules are closed under resolution, the resulting clauses are guarded rules. Since body literals in $\mathcal{R}$ are flat and are never instantiated with non-ground functional terms by a resolution step, positive literals in the bodies of the resulting rules are flat.

Now we show that non-flat equational literals can always be flattened using the rules in Figure 3. Let $L = \neg\, x = t$ be a literal in a flat guarded rule $r$. Then, either $t$ is a variable in $\mathrm{var}(r)$ or a constant. Suppose that $t$ is a constant. If $r$ is resolved using mgu $\sigma$ and $x\sigma$ is a variable, $L\sigma$ is flat. Otherwise, $L\sigma$ can be reduced to true or false. Now suppose that $t$ is a variable. If neither $x\sigma$ nor $t\sigma$ is a variable, we can reduce $L\sigma$ to true, false or a disjunction of flat equational literals. If both are variables or constants, $L\sigma$ is flat. If one of them is a variable and the other one a functional term, $L\sigma$ can be reduced to true, since a non-ground functional term in a guarded rule contains all the variables of the rule, and there are no ground functional terms in non-ground rules. □

Finally, the procedure that implements the transformation into PGHC is shown in Figure 4.

Theorem 1. The procedure $\mathrm{transform\_to\_PGHC}$ terminates for every set $\mathcal{R}$ of guarded rules with non-flat $\prec$-greatest heads, and furnishes a set $\mathcal{R}'$ of primitive guarded Horn clauses such that $\mathcal{M}_{\mathcal{R}} = \mathcal{M}_{\mathcal{R}'} \cap HB_{\mathcal{R}}$, where $HB_{\mathcal{R}}$ is the Herbrand base over the symbols of $\mathcal{R}$.

Proof. Termination is guaranteed by the fact that the number of different flat rule bodies is finite, since the set $\mathcal{P}$ of predicate symbols is finite (new predicate symbols are introduced into rule bodies only after the while loop).



An Application of Model Building 593



procedure unfold_and_simplify(r, R)
begin
  R' = ∅; let {A_1, ..., A_n} = body(r)^+
  for all (r_1, ..., r_n) ∈ R^n s.th. θ = mgu((A_1, ..., A_n), (head(r_1), ..., head(r_n))) exists do
    r' = body(r_1 θ) ∪ ... ∪ body(r_n θ) ∪ body(rθ)^- → head(rθ)
    if r' is ground and M_R ⊨ body(r') then R' = R' ∪ {→ head(r')} end if
    if body(r') contains no contradiction and is not ground then R' = R' ∪ {r'} end if
  end for all
  apply the simplification rules in Figure 3 exhaustively to the rules in R'
  result = R'
end procedure

Fig. 2. The unfold_and_simplify procedure



$$\begin{aligned}
r \cup \{\neg\, t = t\} \to H \;&\Rightarrow\; \text{(the body is false: the rule is deleted)} \\
r \cup \{\neg\, f(t_1, \dots, t_n) = g(s_1, \dots, s_m)\} \to H \;&\Rightarrow\; r \to H \qquad (f \neq g;\ \text{the literal is true}) \\
r \cup \{\neg\, x = f(t_1, \dots, t_n)\} \to H \;&\Rightarrow\; r \to H \qquad (\text{the literal is true, see the proof of Lemma 5}) \\
r \cup \{\neg\, f(t_1, \dots, t_n) = f(s_1, \dots, s_n)\} \to H \;&\Rightarrow\; r \cup \{\neg\, t_1 = s_1\} \to H,\ \ \dots,\ \ r \cup \{\neg\, t_n = s_n\} \to H
\end{aligned}$$

(The right-hand sides of the first three rules were lost in extraction and are restated here in words from the proof of Lemma 5.)

Fig. 3. Rules for the simplification of equational literals



As a first step, we flatten all positive body literals as described in Section 4.1. Then, we flatten the negative body literals, using the procedure $\mathrm{flatten\_negative\_body\_literals}$. Since this procedure may re-introduce non-flat positive body literals, we possibly have to flatten positive body literals again. Since flattening of positive body literals cannot introduce non-flat negative literals, $\mathcal{R}'$ contains only clauses with flat bodies.

If a new predicate symbol $Q$ is introduced by a rule $r = F \to Q(x_1, \dots, x_n)$, then $F$ is true in the well-supported model of $\mathcal{R} \cup \{r\}$ iff $Q(x_1, \dots, x_n)$ is true in it. Therefore, $F$ can be replaced by $Q(x_1, \dots, x_n)$. Clearly, the unfolding in $\mathrm{unfold\_and\_simplify}$ does not modify the well-supported model, and neither does $\mathrm{flatten\_negative\_body\_literals}$, as stated by Lemma 4. Therefore $\mathcal{M}_{\mathcal{R}} = \mathcal{M}_{\mathcal{R}'} \cap HB_{\mathcal{R}}$. □



4.4 Evaluation of Guarded Clauses

A given guarded clause can be evaluated in a model built by our method in the following way: Let $S$ be a set of primitive guarded Horn clauses generated by our method from a given set of guarded clauses containing a positive greatest literal. Then, $S$ is also a set of guarded clauses.
procedure transform_to_PGHC(R)
begin
  R_1 = flatten_positive_body_literals(R)
  R_2 = ∪_{r ∈ R_1} flatten_negative_body_literals(r, R_1)
  R' = flatten_positive_body_literals(R_2)
  A = R'; R'' = ∅; Repl = ∅
  while A ≠ ∅ do
    choose r ∈ A; A = A \ {r}; R'' = R'' ∪ {r}
    if r is not primitive and no r' ∈ Repl exists such that body(r) = body(r') then
      let Q be a fresh predicate symbol with P ≺ Q for all P ∈ 𝒫
      let {x_1, ..., x_n} = var(body(r))
      let r' = body(r) → Q(x_1, ..., x_n)
      Repl = Repl ∪ {r'}
      U = unfold_and_simplify(r', R')
      A = A ∪ ∪_{r ∈ U} flatten_negative_body_literals(r, R')
    end if
  end while
  for all r ∈ R'' that are not primitive do
    let r' ∈ Repl be such that body(r) = body(r')
    body(r) = {head(r')}
  end for all
  result = R''
end procedure

Fig. 4. The procedure transform_to_PGHC



Let $C$ be the guarded clause we want to evaluate, and let $\{x_1, \dots, x_n\} = \mathrm{var}(C)$. Let $Q$ be a fresh predicate symbol such that $P \prec Q$ for all $P \in \mathcal{P}$, and let $f$ be a fresh $n$-ary function symbol. Let $C' = C \cup \{Q(f(x_1, \dots, x_n))\}$. Then, $Q(f(x_1, \dots, x_n))$ is the $\prec$-greatest literal in $C'$. Now, we only have to transform $S \cup \{C'\}$ into a set $S'$ of PGHC, and then to test whether $S' \cup \{\neg Q(x)\}$ is satisfiable. Clearly, this is the case iff $C$ is true in $\mathcal{M}_S$.

5 Integration of the Model Building Procedure into the Decision Procedure

We integrate the model building procedure into the decision procedure for guarded clauses in the following way (let $<$ be a total literal ordering):
while the empty clause is not found and $S$ is not saturated,

— let $S' = \{\, C \in S \mid \text{all } \prec\text{-maximal literals in } C \text{ are positive} \,\}$

— for all $C \in S'$, delete all $\prec$-maximal literals in $C$ except the $<$-maximal one

— build a model $\mathcal{M}$ for $S'$

— deduce (one or more) new clauses from $S$ using factoring and resolution as defined in Section 3, with the semantic restriction w.r.t. $\mathcal{M}$ (i.e. at least one of the parent clauses must be false in $\mathcal{M}$), and add them to $S$.

So, after each iteration of the while-loop, $\mathcal{M}$ is possibly modified, taking into account the new clauses. Since only finitely many new clauses can be deduced, the model can be modified only finitely many times before a definite model $\mathcal{M}$ is found. Refutational completeness is guaranteed by the fact that semantic resolution is complete, in particular with respect to $\mathcal{M}$. We need the ordering $<$ to ensure that always the same maximal literal is chosen from a clause containing more than one maximal literal. Note that we can only find a model for the initial set if the clauses in $S'$ always contain a $\prec$-greatest literal (i.e. not more than one maximal literal).

We give a simple example to show how our method works.

Example 4. Consider the satisfiable set of clauses $S$ =

$$\begin{aligned}
&(1)\ \{P(a,b)\}, \quad (2)\ \{T(a,b)\}, \quad (3)\ \{\neg S(x,y),\ P(f(x,y), g(x,y))\}, \\
&(4)\ \{\neg P(x,y),\ P(f(x,y), g(x,y)),\ S(f(x,y), g(x,y))\}, \\
&(5)\ \{\neg Q(x,y),\ R(f(x,y), g(x,y))\}, \quad (6)\ \{\neg R(x,y),\ T(f(x,y), g(x,y))\}, \\
&(7)\ \{\neg T(x,y),\ Q(f(x,y), g(x,y))\}, \quad (8)\ \{\neg P(x,y),\ \neg Q(x,y)\}
\end{aligned}$$

From this set of clauses, the Bliksem theorem prover [ref], which uses special techniques to deal with guarded clauses, deduces about 15 new clauses (depending on the ordering used). In the best case, our method can do with 3 new clauses: we assume that $T \prec S \prec P \prec Q$. Then, the subset of clauses without a maximal negative literal contains the clauses (1) to (7), whose rule form is $\mathcal{R}$ =

$$\begin{aligned}
& P(a,b); \quad T(a,b); \quad P(x,y), \neg S(f(x,y), g(x,y)) \to P(f(x,y), g(x,y)); \\
& S(x,y) \to P(f(x,y), g(x,y)); \quad Q(x,y) \to R(f(x,y), g(x,y)); \\
& R(x,y) \to T(f(x,y), g(x,y)); \quad T(x,y) \to Q(f(x,y), g(x,y))
\end{aligned}$$

Transformation to Horn clauses results in replacing the third rule by $P(x,y) \to P(f(x,y), g(x,y))$, since the literal $\neg S(f(x,y), g(x,y))$ is true in $\mathcal{M}_{\mathcal{R}}$ (no rule has an $S$-head). The clause (8) is false in $\mathcal{M}_{\mathcal{R}}$, since for example the atom $P(f(a,b), g(a,b))$ as well as the atom $Q(f(a,b), g(a,b))$ is true in $\mathcal{M}_{\mathcal{R}}$. So we can deduce the following clauses:

$$\begin{aligned}
&(9)\ \{\neg T(x,y),\ \neg P(f(x,y), g(x,y))\} \quad \text{from (7), (8)} \\
&(10)\ \{\neg S(x,y),\ \neg T(x,y)\} \quad \text{from (3), (9)} \\
&(11)\ \{\neg P(x,y),\ \neg T(x,y),\ S(f(x,y), g(x,y))\} \quad \text{from (4), (9)}
\end{aligned}$$

Now, a model for the clauses (1) to (7) and (11) is built, so that we get the set of rules (after deletion of rules whose bodies are true) $\mathcal{R}'$ =

$$\begin{aligned}
& P(a,b); \quad T(a,b); \quad \to N_3(a,b); \quad S(x,y) \to P(f(x,y), g(x,y)); \\
& Q(x,y) \to R(f(x,y), g(x,y)); \quad R(x,y) \to T(f(x,y), g(x,y)); \\
& T(x,y) \to Q(f(x,y), g(x,y)); \quad N_1(x,y) \to P(f(x,y), g(x,y)); \\
& N_2(x,y) \to N_1(f(x,y), g(x,y)); \quad N_3(x,y) \to N_2(f(x,y), g(x,y)); \\
& N_1(x,y), R(x,y) \to N_3(f(x,y), g(x,y))
\end{aligned}$$

Now, all clauses are true in $\mathcal{M}_{\mathcal{R}'}$, so no further inferences are possible.
6 Generalization to Loosely Guarded Clauses

Our model building method can be generalized to so-called loosely guarded clauses, which are a generalization of guarded clauses. In order to define them, the second condition of Definition 1 has to be replaced by

2. if $C$ is non-ground then it contains a set of negative literals $\neg A_1, \dots, \neg A_n$ (the loose guard) which do not contain functional terms and such that every pair of variables from $\mathrm{var}(C)$ occurs together in one of the $\neg A_i$.

The main difference is that the decision procedure for loosely guarded formulas uses a certain kind of hyperresolution for the literals of the loose guard (see [ref]). Concerning our model building method, the only difference is that in the $\mathrm{unfold\_and\_simplify}$ procedure, instead of resolving on all positive body literals, only certain body literals are resolved upon (due to space limitations, we will not go into detail). The other procedures can be applied as they are.

7 Conclusion and Future Work

We have presented a method for the semantic refinement of a resolution decision procedure for guarded formulas. This refinement is based on an automated model building procedure for sets of guarded clauses in which every clause contains a positive greatest literal.

In general, model building is a more complex task than deciding satisfiability. Therefore, our method does not necessarily have an efficiency advantage. But in any case semantic restrictions might help to find proofs that are easier to understand for human users, since human reasoning usually uses semantic considerations. Already the smaller number of deduced clauses should be helpful for this purpose, but also the fact that the new clauses are deduced under semantic guidelines, so they are more "meaningful".

In the case where a given set $S$ of guarded clauses is satisfiable, our method can sometimes build a model for $S$. This is the case if every clause in $S$, and every clause that can be deduced from $S$ by resolution, contains not more than one positive maximal literal. In [ref], it has been shown that for any set $S$ of guarded clauses (without equality), a set $S'$ of guarded clauses can be found in which every clause has a positive greatest literal and such that $\mathcal{M}_{S'}$ is a model for $S$. Therefore, by applying the transformation method in [ref] first and then the model building method presented in this article, a model can be built for any guarded clause set (without equality).

Models built by our method are expressed by primitive guarded Horn clauses, which is a relatively simple mechanism that is likely to be understandable for humans. Furthermore, primitive guarded Horn clauses might be useful to find finite models for guarded formulas, since the represented Herbrand model can easily be enumerated. In order to find a finite model, we first try to find for each enumerated ground atom $A$ a smaller ground atom $A'$ such that we can put $A = A'$ without losing satisfiability. Only if such an atom does not exist is $A$ used to generate greater ground atoms. This algorithm gives good results in practice, but its termination is an open problem. However, if the initial guarded formula is a translation of a modal formula, a Kripke model for the modal formula can be obtained from a finite model of the guarded formula (every element of the domain of the finite model corresponds to a world).

The decision procedure for guarded clauses in [ref] can treat clauses containing equality. Therefore, our method could possibly be extended to such clauses. Another possible extension is the treatment of guarded clauses as defined in [ref], where equality literals are not permitted, but literals may contain functional ground terms and have a depth greater than 1. This might be possible using decomposition techniques as in [ref].

An implementation of the presented method will be ready soon.
Abstract. We apply techniques from logic programming and constraint databases to verify real time systems. We introduce timed logic processes (TLPs) as a fragment of constraint query languages over reals. We establish a formal connection between TLPs and timed automata, and between the procedure of the UPPAAL model checker for restricted temporal-logic properties of timed automata and the top-down query evaluation of TLPs (with tabling in the XSB style). This connection yields an alternative implementation of the UPPAAL procedure. Furthermore, we can extend that procedure in order to accommodate more expressive properties.



1 Introduction 



Some software and hardware components meet the tasks for which they have been designed only if they relate properly to the passage of time. Behaviors of such computing systems operating in real time are difficult to predict by "inspection". Therefore real-time systems have become a prime target of formal specification and verification methods [ref]. In this paper, we start investigating how techniques from logic programming and constraint databases can be used to explain and to enhance these methods.

We single out a fragment of constraint query languages over reals that allows us to model real-time systems operating over dense time. We call the programs expressed in this fragment timed logic processes (abbreviated TLPs). We establish a formal connection of TLPs with timed automata, a standard model for timed systems [ref]. We use this connection to design a model checking procedure for the temporal logic $\mathcal{L}_s$ ("logic of safety and bounded liveness") as the top-down query evaluation of TLPs; this gives a direct account of the procedure used in the UPPAAL model checker [ref]. More precisely, we reduce the model checking problem for $\mathcal{L}_s$ properties of timed automata to the membership problem for the model-theoretic semantics of a TLP obtained by a product construction. The local model checking procedure of UPPAAL [ref] (originally defined via tree rewriting) is a special case of OLDT resolution over arithmetic constraints. We have implemented a prototype model checker for timed systems based on OLDT resolution with constraints using the CLP(R) system of SICStus 3.7, and we have applied it to several standard benchmark examples, and have obtained reasonable timings for these examples.

The logic $\mathcal{L}_s$ contains only a restricted version of disjunction which, in our setup, corresponds to queries without conjunction. Since our evaluation procedure applies to general queries, we readily obtain a model checking procedure for the extension of $\mathcal{L}_s$ where disjunction is not restricted (i.e., where the temporal-logic formulas can be formed using disjunction in the usual way).

The forward analysis of timed systems, as implemented in UPPAAL, is generally non-terminating. It can be turned into a terminating procedure by introducing the splitting operation on constraints of [ref]. As an alternative, we propose a new operation called trim. In contrast with splitting, trimming is defined on the logical semantics of constraints and yields a (finite) transition system that is bisimilar to the one for the timed automaton. Trimming can be combined directly with our procedure based on OLDT resolution with constraints, which turns it into a terminating procedure.

Unbounded liveness properties are not expressible in $\mathcal{L}_s$ (and cannot be handled by UPPAAL). Model checking for such properties amounts to computing the greatest model of a TLP in our setup. In order to obtain a local model checker for unbounded liveness properties, we introduce a new method that we call greatest model resolution. As a consequence, we can now verify receptiveness properties of timed logic processes.

2 Timed Logic Processes

We identify a fragment of constraint query languages over reals (in the sense of [ref]) that allows us to model real-time systems. Furthermore, as we will see below, it allows us to express the product constructions that come up in the course of model checking for formulas in the temporal logic $\mathcal{L}_s$ [ref]. We call the programs expressed in this fragment timed logic processes (abbreviated TLPs). A TLP is a set of clauses of one of the following four forms:

$$\begin{aligned}
(1)\quad & p(x) \leftarrow \varphi(x, x'),\ p'(x') \\
(2)\quad & p(x) \leftarrow p_1(x),\ p_2(x) \\
(3)\quad & p(x) \leftarrow \gamma \\
(4)\quad & \mathit{init} \leftarrow p(x),\ x = 0
\end{aligned}$$

where the constraints $\varphi$ are of one of the two forms (here $n$ is the length of the tuple $x = (x_1, \dots, x_n)$ of variables)

$$\begin{aligned}
(1.1)\quad & \gamma_1(x) \wedge \bigwedge_{i=1}^{n} x'_i = x_i + z \wedge z \ge 0 \wedge \gamma_2(x') \qquad \text{("time transitions")} \\
(1.2)\quad & \gamma_1(x) \wedge \bigwedge_{i \in S} x'_i = 0 \wedge \bigwedge_{i \notin S} x'_i = x_i \wedge \gamma_2(x') \qquad \text{("edge transitions")}
\end{aligned}$$

where $S \subseteq \{1, \dots, n\}$ and the syntax of the constraints $\gamma$ is defined by

$$\gamma ::= \mathit{true} \mid x_i \ge c \mid x_i \le c \mid x_i > c \mid x_i < c \mid \gamma \wedge \gamma$$

where $c \in \mathbb{N}$, the set of non-negative integers. We call these constraints the guards of the clauses. The variable $z$ in (1.1) is called the increment variable.

A first motivation for TLPs is that this model subsumes the timed automata model; i.e., we can translate timed automata to timed logic processes. These translations use only clauses of the form (1) with constraints $\varphi$ of the form (1.1) (for time transitions) or (1.2) (for edge transitions) and clauses of the form (4) (for expressing the initial position). Clauses of the form (2) are used for expressing alternation (compare [ref]) in product constructions used in model checking. Clauses of the form (3) are used to rewrite an agent to a nil agent (in this respect there is a strong similarity with process algebras; thus $p(x) \leftarrow \gamma$ states that the agent $p$ can rewrite to the nil agent if the values of the variables $x$ satisfy the formula $\gamma$). These clauses can also be used to express assertions about processes (e.g., by rewriting an agent to the nil agent if the values of the variables $x$ violate a safety property). We will see later that clauses of the form (3) can also be used for expressing $\mathcal{L}_s$ properties. Thus the TLP framework not only allows modeling a system, but also allows writing assertions about the behaviors of the system.

3 Translation of Timed Automata into TLPs 

We next translate a timed automaton $U$ into a TLP $\mathcal{P}$. Let 

$U = (AP, X_n, L, E, P, \ell^0, inv)$ 

be a timed automaton. Here $AP$ is a set of atomic propositions, $X_n$ is a set of 
$n$ clocks (whose values are referred to by the variables $x_1, \ldots, x_n$), $L$ is a set of 
locations, $E$ is a set of edges, $P$ is a labeling function that labels each location 
with a set of atomic propositions, $\ell^0 \in L$ is the initial location and $inv$ is a 
function that assigns to each location an invariant constraint (see the literature on 
timed automata for more details). 

For each location $\ell \in L$ we introduce an $n$-ary predicate $\ell(x)$. For each 
location $\ell \in L$, the TLP $\mathcal{P}$ contains a clause of the form (1) with a constraint $\varphi$ 
of the form (1.1) where $\gamma_1(x)$ and $\gamma_2(x')$ are both the invariant $inv(\ell)$ of the 
location $\ell$. That is, $\gamma_2(x')$ is obtained from $\gamma_1(x)$ by renaming all variables 
$x_1, \ldots, x_n$ of the tuple $x$ to their primed versions $x'_1, \ldots, x'_n$ in the tuple $x'$. 

For each edge $(\ell, \theta, Reset, \ell') \in E$ leading from the location $\ell$ to the 
location $\ell'$, where $\theta$ is the guard of the edge and $Reset$ is the set of clocks reset 
on that edge, the TLP $\mathcal{P}$ contains a clause of the form (1) with a constraint $\varphi$ 
of the form (1.2) with head predicate $\ell$ and body predicate $\ell'$, where 
$\gamma_1 = \theta \wedge inv_\ell(x)$, $\gamma_2 = inv_{\ell'}$ and $S = Reset$ (here $inv_\ell$ and $inv_{\ell'}$ are respectively 
the invariants of the locations $\ell$ and $\ell'$). We also add a clause $init \leftarrow \ell^0(x) \wedge x = 0$. 
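The translation above, as an added example that is not part of the paper: a small Python routine that builds the (1.1) delay clauses, the (1.2) edge clauses and the init clause from an automaton description. The automaton, the name `d` for the increment variable of a delay clause and the textual rendering of clauses are all choices made here, not taken from the paper.

```python
"""Translation of a timed automaton into a TLP (Section 3).

Added example, not the paper's own code.  One (1.1) delay clause per location
(increment variable d), one (1.2) edge clause per edge, and the init clause.
The automaton built in example_automaton() is constructed here and is not the
one in the paper's figures."""
from __future__ import annotations
from dataclasses import dataclass

# An atomic constraint x_i ~ c is the tuple (clock, op, c), e.g. ("x", "<=", 5).

@dataclass(frozen=True)
class Edge:
    src: str
    guard: tuple        # conjunction of atomic constraints (theta)
    reset: frozenset    # clocks reset on the edge (Reset)
    dst: str

@dataclass
class TimedAutomaton:
    clocks: tuple       # x_1 ... x_n
    locations: tuple
    edges: tuple
    init: str           # l^0
    inv: dict           # location -> invariant constraints
    labels: dict        # location -> set of atomic propositions (P)

@dataclass(frozen=True)
class Clause:
    """head(x) <- body(x') /\\ constraint; kind is "1.1", "1.2" or "init"."""
    kind: str
    head: str
    body: str
    constraint: tuple

def atom(a, primed=False):
    clock, op, c = a
    suffix = "'" if primed else ""
    return f"{clock}{suffix} {op} {c}"

def translate(ta: TimedAutomaton) -> list:
    clauses = []
    for loc in ta.locations:
        inv = ta.inv.get(loc, ())
        # (1.1): gamma_1(x) and gamma_2(x') are both inv(loc); clocks advance by d >= 0
        cons = [atom(a) for a in inv] + [atom(a, True) for a in inv]
        cons += [f"{x}' = {x} + d" for x in ta.clocks] + ["d >= 0"]
        clauses.append(Clause("1.1", loc, loc, tuple(cons)))
    for e in ta.edges:
        # (1.2): gamma_1 = guard /\ inv(src), gamma_2 = inv(dst) on x', S = reset
        cons = [atom(a) for a in e.guard] + [atom(a) for a in ta.inv.get(e.src, ())]
        cons += [atom(a, True) for a in ta.inv.get(e.dst, ())]
        cons += [f"{x}' = 0" if x in e.reset else f"{x}' = {x}" for x in ta.clocks]
        clauses.append(Clause("1.2", e.src, e.dst, tuple(cons)))
    # init <- l^0(x) /\ x = 0
    clauses.append(Clause("init", "init", ta.init, tuple(f"{x} = 0" for x in ta.clocks)))
    return clauses

def to_text(c: Clause, clocks) -> str:
    xs = ",".join(clocks)
    xps = ",".join(x + "'" for x in clocks)
    head = "init" if c.kind == "init" else f"{c.head}({xs})"
    body = f"{c.body}({xs if c.kind == 'init' else xps})"
    return head + " <- " + " /\\ ".join((body,) + c.constraint) + "."

def example_automaton() -> TimedAutomaton:
    """A constructed two-location, two-clock automaton (not the paper's Figure 2)."""
    return TimedAutomaton(
        clocks=("x", "y"),
        locations=("l0", "l1"),
        edges=(Edge("l0", (("x", ">=", 2),), frozenset({"x"}), "l1"),
               Edge("l1", (("y", ">", 3),), frozenset({"y"}), "l0")),
        init="l0",
        inv={"l0": (("x", "<=", 5),)},
        labels={"l1": {"at_1"}},
    )

if __name__ == "__main__":
    ta = example_automaton()
    for c in translate(ta):
        print(to_text(c, ta.clocks))
```

Running the block prints the five clauses of the constructed automaton; the edge clause for `l0 -> l1` reads `l0(x,y) <- l1(x',y') /\ x >= 2 /\ x <= 5 /\ x' = 0 /\ y' = y.`, showing the guard, the source invariant, the reset and the untouched clock in one constraint.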

The semantics of a timed automaton is defined in terms of traces that are 
sequences of positions starting with the position $(\ell^0, 0, \ldots, 0)$, i.e., in the initial 
location with all $n$ clocks set to 0. The semantics of a TLP is defined by its ground 
derivations that start with the ground atom $\ell^0(0, \ldots, 0)$. Identifying positions 
and ground atoms, we obtain the following statement. 

Theorem 1 (Adequacy of Translation). The timed automaton $U$ and the 
TLP $\mathcal{P}$ obtained by the translation outlined above have the same semantics. 

In our definition, the semantics of a timed automaton also contains convergent 
traces. Unbounded liveness properties, however, refer only to divergent traces. 



4 Logic of Safety and Bounded Liveness ($\mathcal{L}_s$) 

The syntax of formulas in the logic $\mathcal{L}_s$ (Logic of Safety and Bounded Liveness) 
is given as follows: 

$\Phi ::= \theta \mid q \mid q \vee \Phi \mid \theta \vee \Phi \mid \Phi_1 \wedge \Phi_2 \mid \Box\Phi \mid \forall\Phi \mid x.\Phi \mid Z$ 

where $\theta$ is an atomic constraint of the form $x_i \sim c$ with $\sim \in \{=, <, >, \geq, \leq\}$, $c$ 
is a non-negative integer, $q$ is an atomic proposition and $Z \in Id$ is an identifier 
(identifiers are called variables in the mu-calculus). The meaning of the identifiers 
$Z$ is specified by a unique declaration $\mathcal{D}(Z): Z = \Phi$ for each identifier, assigning 
a formula of $\mathcal{L}_s$ to that identifier $Z$. 

The satisfaction relation $\models$ for $\mathcal{L}_s$ is the largest relation satisfying a number 
of conditions that are formulated in terms of timed automata in the original definition 
of the logic, and that we here formulate for a TLP $\mathcal{P}$ and an atom $p(v)$ standing for one of its 
'states'. 

— $\mathcal{P}, p(v) \models \theta$ implies $v \models \theta$. 

— $\mathcal{P}, p(v) \models q$ implies $q \in P(p)$ (where $P$ is a function that assigns to each predicate 
in $\mathcal{P}$ a set of atomic propositions). 

— $\mathcal{P}, p(v) \models q \vee \Phi$ implies $\mathcal{P}, p(v) \models q$ or $\mathcal{P}, p(v) \models \Phi$. 

— $\mathcal{P}, p(v) \models \theta \vee \Phi$ implies $\mathcal{P}, p(v) \models \theta$ or $\mathcal{P}, p(v) \models \Phi$. 

— $\mathcal{P}, p(v) \models \Phi_1 \wedge \Phi_2$ implies $\mathcal{P}, p(v) \models \Phi_1$ and $\mathcal{P}, p(v) \models \Phi_2$. 

— $\mathcal{P}, p(v) \models \Box\Phi$ implies $\mathcal{P}, p'(v') \models \Phi$ for all ground resolvents $p'(v')$ of $p(v)$ through 
clauses of the form (1.2). 

— $\mathcal{P}, p(v) \models \forall\Phi$ implies $\mathcal{P}, p'(v') \models \Phi$ for all ground resolvents $p'(v')$ of $p(v)$ through 
clauses of the form (1.1). 

— $\mathcal{P}, p(v) \models x.\Phi$ implies $\mathcal{P}, p(v)[0/x] \models \Phi$ (where the ground atom $p(v)[0/x]$ is 
obtained from $p(v)$ by resetting the 'place' in $v$ corresponding to the variable $x$ to 
zero). 

— $\mathcal{P}, p(v) \models Z$ implies $\mathcal{P}, p(v) \models \mathcal{D}(Z)$. 

— $\mathcal{P}, p_1(v_1) \wedge \ldots \wedge p_m(v_m) \models \Phi$ implies $\mathcal{P}, p_1(v_1) \models \Phi, \ldots, \mathcal{P}, p_m(v_m) \models \Phi$. 

We call a variable that does not occur on the right hand side of any declaration 
in an $\mathcal{L}_s$ formula the root variable of that formula. An $\mathcal{L}_s$ formula is a set 
of declarations having a root variable. Note that we take the greatest fixpoint of 
the set of declarations (viewed as a set of equations). For a TLP $\mathcal{P}$ and an $\mathcal{L}_s$ 
formula $\Phi$, we say that $\mathcal{P} \models \Phi$ iff $\mathcal{P}, init \models \Phi$. 

An example of a bounded liveness specification in $\mathcal{L}_s$ is as follows: let $C$ be an 
atomic constraint. Then the formula $A = \Box(z.Z)$ where $Z = C \vee (z < t \wedge \forall Z \wedge \Box Z)$ 
asserts that $C$ should be satisfied within $t$ time units of resolving through a clause 
of the form (1.2) (for timed automata, this amounts to the statement that $C$ 
should be satisfied within $t$ time units of taking an edge transition). We call the 
variables $x$ bound by the construct $x.\Phi$ (such as $z$ above) the real variables. 

In order to specify properties about TLPs, it is useful to consider the dual of 
the logic $\mathcal{L}_s$. So before introducing the model checking method, we first introduce 
the syntax of $\overline{\mathcal{L}_s}$, which expresses the duals of $\mathcal{L}_s$ formulas. The syntax of $\overline{\mathcal{L}_s}$ is 
given as follows: 

$\Phi ::= \theta \mid q \mid q \wedge \Phi \mid \theta \wedge \Phi \mid \Phi_1 \vee \Phi_2 \mid \Diamond\Phi \mid \exists\Phi \mid x.\Phi \mid Z$ 

where $\theta$ is an atomic constraint and $q$ is an atomic proposition. An $\overline{\mathcal{L}_s}$ formula is 
a set of declarations with a root variable. Note that we take the least fixpoint of 
the set of declarations (viewed as a set of equations). For every formula $\Phi$ of $\mathcal{L}_s$, 
we can define a formula $\bar\Phi$ of $\overline{\mathcal{L}_s}$ such that for a TLP $\mathcal{P}$, $\mathcal{P} \models \Phi$ iff $\mathcal{P} \not\models \bar\Phi$. We 
do not provide the semantics of $\overline{\mathcal{L}_s}$ formulas, which is easily understood from 
that of $\mathcal{L}_s$ formulas (it is the dual of the semantics of $\mathcal{L}_s$ formulas). 



5 Product Program 

Given a TLP $\mathcal{P}$ and an $\overline{\mathcal{L}_s}$ formula $\Phi$, we construct the product TLP $\mathcal{P}^\Phi$, in 
which the arity of each predicate is $n$ (assuming that the arity of each predicate 
in $\mathcal{P}$ is $k$ and the corresponding $\overline{\mathcal{L}_s}$ formula $\Phi$ has $n - k$ real variables), such that 
$\mathcal{P} \models \Phi$ iff the predicate $(init, Z)$ (see below) is in the least model of $\mathcal{P}^\Phi$. Here 
$Z$ is the root variable of $\Phi$. The construction is as follows. For the root variable 
$Z$ we create the (0-ary) predicate $(init, Z)$. For each predicate $(p, X)$ created, 
expand it (i.e., create the rule(s) defining that predicate) using the following rules 
if the predicate is not already expanded (depending on the declaration $X = \Psi$ 
defining $X$ in $\Phi$): 

- $X = q$: $(p, X)(x) \leftarrow true$ if $q \in P(p)$ (where $P$ is a function assigning to 
each predicate symbol a set of atomic propositions). 

- $X = \theta$: $(p, X)(x) \leftarrow \theta$. 

- $X = q \wedge X'$: $(p, X)(x) \leftarrow (p, X')(x)$ if $q \in P(p)$. 

- $X = \theta \wedge X'$: $(p, X)(x) \leftarrow (p, X')(x) \wedge \theta$. 

- $X = X_1 \vee X_2$: $(p, X)(x) \leftarrow (p, X_1)(x)$ and $(p, X)(x) \leftarrow (p, X_2)(x)$. 

- $X = \Diamond X'$: for each clause $C$ in $\mathcal{P}$ of the form (1.2) such that the predicate 
$p$ stands in the head of the clause, create a clause of the form $(p, X)(x) \leftarrow 
(p', X')(x') \wedge \varphi \wedge \varphi'$, where $p'$ is the body predicate of $C$, $\varphi$ is the constraint in the body of the clause $C$ 
and $\varphi' = \bigwedge_{i=k+1}^{n} x'_i = x_i$. 

- $X = \exists X'$: for each clause $C$ of the form (1.1) such that the predicate $p$ stands 
in its head, create a clause of the form $(p, X)(x) \leftarrow (p', X')(x') \wedge \varphi \wedge \varphi'$, 
where $\varphi$ is the constraint in $C$ and $\varphi'$ is given by $\bigwedge_{i=k+1}^{n} x'_i = x_i + z$ (with $z$ the increment variable of $C$). 

- $X = x_i.X'$: $(p, X)(x) \leftarrow (p, X')(x') \wedge x'_i = 0 \wedge \bigwedge_{j \neq i} x'_j = x_j$. 

Theorem 2. Given a TLP $\mathcal{P}$ and an $\mathcal{L}_s$ formula $\Phi$, $\mathcal{P} \models \Phi$ if and only if the 
atom $(init, Z)$ is not in the least model of $\mathcal{P}^{\bar\Phi}$ (as created above), where $\bar\Phi$ is the 
dual of the $\mathcal{L}_s$ formula $\Phi$ and $Z$ is the root variable of $\bar\Phi$ (i.e., $Z$ is the root 
variable of $\Phi$). 
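The product construction above, as an added example that is not the paper's code: a worklist implementation of the expansion rules that creates each predicate $(p, X)$ at most once. The TLP, the labeling, the formula and the naming `p_X` for $(p, X)$ are constructed for the example; the clause linking the 0-ary root $(init, Z)$ to the initial location is an assumption of this example, since the paper does not spell it out.

```python
"""Product program P^Phi of Section 5 (added example, not the paper's code).

A TLP is a list of (kind, head, body, constraint) tuples with kind "1.1"
(delay, increment variable d) or "1.2" (edge), as in Section 3.  A dual
formula is a dict of declarations X -> (op, ...) with op one of q, theta,
q_and, theta_and, or, diamond, exists, reset.  The predicate (p, X) is named
p_X and takes the system clocks followed by the formula clocks.
Assumption (not spelled out in the paper): the 0-ary root (init, Z) is linked
to the initial location by init_Z <- l0_Z(x) /\\ x = 0."""
from collections import deque

def product(tlp, labels, sys_clocks, fml_clocks, decls, root, init_loc):
    xs = list(sys_clocks) + list(fml_clocks)
    args = ",".join(xs)
    pargs = ",".join(x + "'" for x in xs)
    keep = [f"{x}' = {x}" for x in fml_clocks]        # phi' for X = <>X'
    tick = [f"{x}' = {x} + d" for x in fml_clocks]    # phi' for X = exists X'
    out = [f"init_{root} <- {init_loc}_{root}({args}) /\\ "
           + " /\\ ".join(f"{x} = 0" for x in xs) + "."]
    seen, todo = {(init_loc, root)}, deque([(init_loc, root)])

    def emit(p, X, body, *cons):
        out.append(f"{p}_{X}({args}) <- " + " /\\ ".join((body,) + cons) + ".")

    def visit(p, X):
        if (p, X) not in seen:      # expand each (p, X) at most once
            seen.add((p, X))
            todo.append((p, X))

    while todo:
        p, X = todo.popleft()
        op, *a = decls[X]
        if op == "q":                                  # X = q
            if a[0] in labels.get(p, ()):
                emit(p, X, "true")
        elif op == "theta":                            # X = theta
            emit(p, X, a[0])
        elif op == "q_and":                            # X = q /\ X'
            if a[0] in labels.get(p, ()):
                emit(p, X, f"{p}_{a[1]}({args})")
                visit(p, a[1])
        elif op == "theta_and":                        # X = theta /\ X'
            emit(p, X, f"{p}_{a[1]}({args})", a[0])
            visit(p, a[1])
        elif op == "or":                               # X = X1 \/ X2
            for Y in a:
                emit(p, X, f"{p}_{Y}({args})")
                visit(p, Y)
        elif op in ("diamond", "exists"):              # X = <>X'  or  X = exists X'
            kind, extra = ("1.2", keep) if op == "diamond" else ("1.1", tick)
            for k, head, body, cons in tlp:
                if k == kind and head == p:
                    emit(p, X, f"{body}_{a[0]}({pargs})", *cons, *extra)
                    visit(body, a[0])
        elif op == "reset":                            # X = x_i.X'
            xi, Y = a
            emit(p, X, f"{p}_{Y}({pargs})", f"{xi}' = 0",
                 *[f"{x}' = {x}" for x in xs if x != xi])
            visit(p, Y)
        else:
            raise ValueError(f"unknown declaration {decls[X]}")
    return out

# Constructed TLP: locations l0 (invariant x <= 5) and l1, one edge l0 -> l1
# guarded by x >= 2 that resets x; l1 carries the proposition at_1.
TLP = [
    ("1.1", "l0", "l0", ("x <= 5", "x' <= 5", "x' = x + d", "d >= 0")),
    ("1.2", "l0", "l1", ("x >= 2", "x <= 5", "x' = 0")),
    ("1.1", "l1", "l1", ("x' = x + d", "d >= 0")),
]
LABELS = {"l1": {"at_1"}}
# Constructed dual formula: some edge is taken, clock z is started, and while
# z <= 3 (letting time pass) we are in l1 with x > 4.
DECLS = {
    "A":  ("diamond", "B"),
    "B":  ("reset", "z", "Y"),
    "Y":  ("or", "Y1", "Y2"),
    "Y1": ("theta_and", "z <= 3", "Y3"),
    "Y3": ("q_and", "at_1", "Y4"),
    "Y4": ("theta", "x > 4"),
    "Y2": ("exists", "Y"),
}

def example():
    return product(TLP, LABELS, ["x"], ["z"], DECLS, "A", "l0")

if __name__ == "__main__":
    print("\n".join(example()))
```

The output consists of nine clauses; note that no `l0_Y...` predicate is created, because the only way into the `Y` declarations is the edge clause whose body predicate is `l1`, which is exactly the on-demand expansion the construction prescribes.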



Implementation. To prove $\mathcal{P} \models \Phi$, we try to prove $\mathcal{P} \not\models \bar\Phi$ where $\bar\Phi$ is the 
$\overline{\mathcal{L}_s}$ formula corresponding to $\Phi$ (i.e., the dual of $\Phi$). This is proved by proving 
that $(init, Z)$ is not in the least model of $\mathcal{P}^{\bar\Phi}$ (where $Z$ is the root variable of 
$\bar\Phi$). We can either compute the least model of $\mathcal{P}^{\bar\Phi}$ using the least fixpoint of 
the immediate consequence operator (see the logic programming literature for a definition of the 
immediate consequence operator), resulting in a global model checker, or we 
can extend XSB-style tabling with constraints to prove that 
$(init, Z)$ does not succeed in the tabled resolution using the non-ground transition 
system. To be precise, our method extends OLDT resolution with constraints. 
Extending standard results from logic programming 
we get that the state $(init, Z)$ succeeds iff it succeeds in the derivation tree obtained 
by using tabled resolution. Note that the tabling strategy produces a local model 
checker for $\mathcal{L}_s$ ($\overline{\mathcal{L}_s}$). To guarantee termination of the model checking procedure, 
we can use the trim operation on constraints, described below, along with the 
tabling strategy mentioned above. 



Providing a Counter Example. To provide a counter example, we follow the following 
method. With each non-ground goal we keep the following information: 
the constraints encountered so far (including the mgus, i.e., most general unifiers, 
which are also regarded as constraints), a list of the numbers of the clauses encountered 
so far (we assume that the clauses are numbered) and a list of the increment 
variables encountered so far (assuming that they are suitably renamed). Thus a 
non-ground goal takes the form of a five-tuple $(G, \varphi_1, \varphi_2, L_1, L_2)$ where $G$ is 
a conjunction of predicates, $\varphi_1$ is the constraint store, $\varphi_2$ is the conjunction 
of all the constraints of all the clauses (and the mgus) encountered thus far, $L_1$ 
is the list of the numbers of the clauses encountered so far and $L_2$ is the list of the 
increment variables of the clauses encountered so far. Now the "earliest" (with 
respect to time) ground counter example (i.e., a ground derivation acting as a 
witness to the success) can be provided in the following way. First project $\varphi_2$ on 
the set of variables in the list $L_2$. Let the constraint obtained be $\varphi$. Now minimize 
the total elapsed time, i.e., the sum of the increment variables $z_i$ in $L_2$, with respect to $\varphi$. The solutions for the $z_i$ obtained in this way can 
be used in providing a ground counter example. The counter example can now 
be generated from the sequence of clauses and the values of the corresponding 
increment variables. 



6 The Trim Operation on Constraints 

We first start with the observation that the model checking procedure described above 
is possibly non-terminating. A counter example is provided by the translation 
to TLP of the timed automaton in Figure 2. 
Our aim is to define an equivalence relation $\approx_M$ on the set of non-ground 
states of $\mathcal{P}$ (i.e., states of the form $(p(x), \varphi)$ where $p$ is a predicate symbol and $\varphi$ 
is the constraint store whose free variables are $x$) such that the following 
conditions hold: 

— The quotient (in the standard sense) of the non-ground transition system of $\mathcal{P}$ 
induced by $\approx_M$, denoted by $\mathcal{P}/\approx_M$, has a finite index, i.e., a finite number of 
"states" or equivalence classes (see the literature on constraint query languages for a definition of the non-ground transition 
system induced by a constraint query language program). 

— The transition system induced by $\mathcal{P}/\approx_M$ (in the standard sense) bisimulates 
the non-ground transition system induced by $\mathcal{P}$. 

The suffix $M$ denotes the maximal constant occurring in the guards of the TLP 
$\mathcal{P}$ (this suffix is kept since the equivalence relation involves $M$). 

Let $\mathcal{P}$ be a TLP with $M$ as the maximal constant occurring in the guards of 
the clauses. Let $s$ be any non-ground state. Let $sol(s)$ denote the set of ground 
instances of $s$. Now we define an equivalence relation $\approx_M$ on the set of non-ground 
states of $\mathcal{P}$ as follows: $\approx_M$ is the smallest equivalence relation satisfying 
the following: 

— $(p(x), \varphi) \approx_M (p(x), \varphi')$ if for all $p(v) \in sol((p(x), \varphi))$ there exists $p(w) \in 
sol((p(x), \varphi'))$ such that for all $i \in \{1, \ldots, n\}$ either $v_i = w_i$ or ($v_i > M$ and $w_i > M$), 
and vice versa. 

From now on, we view the non-ground transition system induced by $\mathcal{P}$ as a 
labeled transition system in which the clauses act as labels. 

Proposition 1. The non-ground transition system of $\mathcal{P}$ and the quotient of the 
non-ground transition system of $\mathcal{P}$ induced by $\approx_M$ are bisimilar. 

Now we show how to decide whether two non-ground states are equivalent 
using the trim operation described below. 

Below, by a reachable non-ground state $(p(x), \varphi)$ we mean that there is a 
non-ground derivation from $init$ to $(p(x), \varphi)$ using the clauses in $\mathcal{P}$. Given a 
"reachable" non-ground state $(p(x), \varphi)$, we convert it to a state $(p(x), \varphi')$ such 
that $(p(x), \varphi) = (p(x), \varphi')$, where $\varphi'$ is in a normalized form in which we allow only 
constraints of the form $x_i \sim c$ or $x_i - x_j \mathrel{relop} a$, where $\sim \in \{\geq, >, \leq, <\}$, $relop \in 
\{\geq, >\}$, $c$ is a natural number and $a$ is an integer (note that it can easily be 
shown that for reachable non-ground states the constraint store can be converted 
into normalized form; it can also be shown that there exists an algorithm for 
doing this). In what follows we deal with constraints in normalized form. 

Definition 1 (Trim). We define an operator $trim$ which, given a satisfiable 
constraint $\varphi$, produces a constraint $\varphi' = trim(\varphi)$ by the method given below. The 
constraint $trim(\varphi)$ is obtained from the normalized form of $\varphi$ by the following 
operations: 

— Remove all constraints of the form $x_j - x_i \geq a$ or $x_j - x_i > a$, for each pair of 
variables $x_i, x_j$, $i \neq j$, such that $\varphi \wedge x_i > M$ is satisfiable, $\exists_{-x_j}(\varphi)$ is equivalent 
to $\exists_{-x_j}(\varphi \wedge x_i > M)$ and $\varphi \wedge x_j > M$ is not equivalent to $\varphi$, where $a$ is an integer 
and the existential quantifier $\exists_{-x_j}$ ranges over all variables but $x_j$. 

— Remove all constraints of the form $x_i \leq c$ or $x_i < c$ where $c$ is an integer and 
$c > M$. 

— For each $i$ such that $\varphi \wedge x_i > M$ is equivalent to $\varphi$, replace all the constraints 
of the form $x_i - x_j \sim a$ or $x_i \sim c$ by the constraint $x_i > M$, where $a$ and $c$ are 
integers, $c > M$ and $\sim \in \{\geq, >\}$. 



Lemma 1. For reachable non-ground states $(p(x), \varphi)$ and $(p(x), \varphi')$, $(p(x), \varphi) 
\approx_M (p(x), \varphi')$ iff $(p(x), trim(\varphi)) = (p(x), trim(\varphi'))$. 

In the above, we identify two non-ground states iff they have the same ground 
instances. At a high level, the trim operation can be viewed as an accurate widening 
operation, i.e., it does not lose precision with respect to model checking for 
the properties that we are concerned with here. The removal and replacement 
of constraints in the definition of trim can be seen as constraint widening operations. 
The basic intuition is as follows: once the value of a real variable goes 
above the maximal constant, it does not matter what the value is. Hence, if a 
constraint has a solution in which the value of a variable is above the maximal 
constant, then the constraint can be widened to incorporate all "similar tuples". 
Logically, the relation $\approx_M$ can be viewed as a symbolic bisimulation. Thus, the 
relation $\approx_M$ provides a logical characterization of the trim operation on constraints. 
Note that the definition of trim itself provides an algorithm for 
trimming. 

Lemma 2. The equivalence relation $\approx_M$ produces a finite number of reachable 
equivalence classes (i.e., equivalence classes containing reachable non-ground 
states). 

Proposition 2. Given two reachable non-ground states $(p(x), \varphi)$ and $(p(x), \varphi')$, 
where both $\varphi$ and $\varphi'$ are in normalized form, it is effectively decidable whether 
$(p(x), \varphi) \approx_M (p(x), \varphi')$. 

The trim operation described above can be combined with the tabling strategy 
described above to provide a termination guarantee for the model checking 
procedure. If $(p'(x), \varphi')$ is the resolvent of $(p(x), \varphi)$ through a clause $C$, then we 
add the goal $(p'(x), trim(\varphi'))$ as the table entry. The details are described in 
the full version of the paper. By Lemma 2, termination of the algorithm 
is guaranteed. From the proof of Lemma 2 it can be seen that 
the model checking procedure described above requires polynomial space in the 
worst case. 
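The effect of widening on termination, as an added example that is not the paper's code: constraint stores are kept as difference bound matrices (DBMs, non-strict bounds only, a simplification made here), and the standard maximal-constant extrapolation on DBMs plays the role of the trim operation. It is not the paper's trim procedure itself, but it captures the same intuition that values above the maximal constant $M$ need not be distinguished. The loop explored below is constructed for the example: time passes, then an edge guarded by $x = 1$ resets only $x$, so the difference $y - x$ grows by one per iteration and the untrimmed search never sees the same store twice.

```python
"""Added example (not the paper's code).  Constraint stores over clocks are
difference bound matrices (DBMs, non-strict bounds only); the standard
maximal-constant extrapolation plays the role of trim: bounds above M are
dropped and bounds below -M are flattened to -M.  Iterating a loop in which
y - x grows without bound shows why the tabled search needs it: without
widening every iteration yields a new store, with widening the stores repeat."""
INF = float("inf")

def canonical(m):
    """Floyd-Warshall closure, so that equal zones have equal matrices."""
    n = len(m)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if m[i][k] + m[k][j] < m[i][j]:
                    m[i][j] = m[i][k] + m[k][j]
    return m

def zone_zero(n):
    """n-1 clocks all equal to 0; index 0 is the reference clock x_0 = 0."""
    return [[0] * n for _ in range(n)]

def is_empty(m):
    return any(m[i][i] < 0 for i in range(len(m)))

def delay(m):
    """Resolution through a (1.1) clause: drop the upper bounds x_i <= c."""
    m = [row[:] for row in m]
    for i in range(1, len(m)):
        m[i][0] = INF
    return canonical(m)

def constrain(m, i, j, c):
    """Conjoin x_i - x_j <= c (j = 0 gives x_i <= c, i = 0 gives -x_j <= c)."""
    m = [row[:] for row in m]
    m[i][j] = min(m[i][j], c)
    return canonical(m)

def reset(m, i):
    """Set clock x_i to 0, as an edge with x_i in Reset does."""
    m = [row[:] for row in m]
    for j in range(len(m)):
        m[i][j], m[j][i] = m[0][j], m[j][0]
    return canonical(m)

def extrapolate(m, bound):
    """Maximal-constant widening: bounds above `bound` become unbounded and
    bounds below -`bound` are flattened, leaving finitely many matrices."""
    m = [row[:] for row in m]
    for row in m:
        for j, v in enumerate(row):
            if v > bound:
                row[j] = INF
            elif v < -bound:
                row[j] = -bound
    return canonical(m)

def freeze(m):
    return tuple(tuple(row) for row in m)

def explore(step, start, trim_bound=None, limit=50):
    """Iterate `step` from `start` and return the distinct stores met, stopping
    at a repeated store, an empty store, or after `limit` stores."""
    seen, z = [], start
    while len(seen) < limit and not is_empty(z):
        key = freeze(z)
        if key in seen:
            break
        seen.append(key)
        z = step(z)
        if trim_bound is not None:
            z = extrapolate(z, trim_bound)
    return seen

def loop_step(z):
    """Delay, then take an edge guarded by x == 1 that resets x only
    (x is clock 1, y is clock 2), so y - x grows by one per iteration."""
    z = delay(z)
    z = constrain(constrain(z, 1, 0, 1), 0, 1, -1)   # x <= 1 and -x <= -1
    return reset(z, 1)

if __name__ == "__main__":
    print(len(explore(loop_step, zone_zero(3), None, 12)), "stores without trim (cut off at 12)")
    print(len(explore(loop_step, zone_zero(3), 1)), "stores with trim, M = 1")
```

With the maximal constant $M = 1$ the third store already reads $x = 0,\ y \geq 1$ and the fourth is identical to it, so a table keyed on trimmed stores closes after three entries; without widening the cut-off alone stops the run.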

We have implemented a prototype local model checker based on the method 
given above. Though the implementation is still very much sub-optimal (no 
fine tuning has been done), the performance of the model checker seems to be 
encouraging. We used our model checker to verify the safety property of several 
well-known benchmark examples taken from the literature. The experimental results 
are summarized in the table in Figure 1. All the results were obtained on a PC (200 
MHz Pentium Pro). All the timings denote the total time needed. 

606 Supratik Mukhopadhyay and Andreas Podelski 

Example                               time (seconds) 
Example in Figure 2                    1.5 
Fischer's Protocol (Two Processes)     4.2 
Rail-road Crossing                     1.8 
Audio Protocol                         7.2 

Fig. 1. Experimental Results 



7 Full Disjunction 

Note that the logic $\mathcal{L}_s$ described above allows only restricted disjunction. 
In this section we show that in our framework we can allow for full 
disjunction. Note that it is stated in the original work on $\mathcal{L}_s$ that their model checking 
technique based on the rewrite tree cannot be extended to a logic with general 
disjunction. We call the extension of the logic $\mathcal{L}_s$ with full disjunction $X\mathcal{L}_s$. 
Dually, we call the extension of the logic $\overline{\mathcal{L}_s}$ with full conjunction $\overline{X\mathcal{L}_s}$ (i.e., 
the dual of $X\mathcal{L}_s$). The satisfaction relation for $X\mathcal{L}_s$ is the satisfaction relation 
for $\mathcal{L}_s$ augmented with the clause: 

— $\mathcal{P}, p(v) \models \Phi_1 \vee \Phi_2$ implies $\mathcal{P}, p(v) \models \Phi_1$ or $\mathcal{P}, p(v) \models \Phi_2$. 

For an $X\mathcal{L}_s$ formula $\Phi$ we can obtain an $\overline{X\mathcal{L}_s}$ formula $\bar\Phi$ in the same way as 
above ($\overline{X\mathcal{L}_s}$ is the corresponding extension of $\overline{\mathcal{L}_s}$). Given a TLP $\mathcal{P}$ and an $\overline{X\mathcal{L}_s}$ 
formula $\Phi$, we can construct a product program $\mathcal{P}^\Phi$ using an extension of the 
product construction given above by the following "alternating" clause. 

- $X = X_1 \wedge X_2$: $(p, X)(x) \leftarrow (p, X_1)(x) \wedge (p, X_2)(x)$. 

Theorem 3. Given a TLP $\mathcal{P}$ and an $X\mathcal{L}_s$ formula $\Phi$, $\mathcal{P} \models \Phi$ if and only if 
$(init, Z)$ is not in the least model of $\mathcal{P}^{\bar\Phi}$, where $\bar\Phi$ is the $\overline{X\mathcal{L}_s}$ formula corresponding 
to $\Phi$ and $Z$ is the root variable of $\bar\Phi$. 

Note that we do not have to change the implementation for this extension: 
we can reuse the implementation described above. 

Note that the rewrite tree based model checking procedure implemented 
in the model checker UPPAAL can be viewed as a special case 
of our derivation tree using tabled resolution with constraints as described above. 
The use of tabled resolution with constraints allows us to increase the expressiveness 
of the underlying logic (the logic of the rewrite tree approach allows only restricted disjunction). Also note 
that the rewrite tree based model checking procedure may not terminate (consider the 
timed automaton given in Figure 2 and the formula $X = x_2 < 2 \wedge \Box X \wedge \forall X$, 
where $x_2$ refers to the clock $x_2$ of the timed automaton; this asserts that 
the value of the clock $x_2$ will always be less than 2). In contrast, our model checking 
procedure combined with the trim operation is guaranteed to terminate. Like 
the rewrite tree based model checking procedure, our model checking procedure is also 
local (only the reachable portion of the state space is explored and the state 
space is explored in a demand-driven fashion). 
8 Unbounded Liveness Properties 

We now look at unbounded liveness properties. An unbounded liveness property 
is a declaration of the form $X = q \vee \forall\Box X$ (this is actually the dual of the property 
$X = q \wedge \exists\Diamond X$, where we take the least fixpoint of the declaration), where $q$ is an 
atomic proposition and we take the greatest fixpoint of the declaration (viewed as 
an equation). This asserts that for all (infinite) ground derivations (starting from 
$init$) using resolutions through clauses of the form (1.1) immediately followed 
by a resolution through a clause of the form (1.2), there exists a ground atom in 
the derivation that satisfies $q$ (for timed automata this is the same as the assertion that for all 
(infinite) traces starting from the initial position using time transitions followed 
by edge transitions, i.e., first taking a time transition and then following it up 
with an edge transition and so on, there exists a position that satisfies $q$). Note 
that this is the negation of the specification that there exists an (infinite) ground 
derivation (starting from $init$) using resolutions through clauses of the form (1.1) 
immediately followed by a resolution through a clause of the form (1.2), such 
that every ground atom in the derivation satisfies the atomic proposition $q$. 

Given an unbounded liveness specification $\Psi$ and a TLP $\mathcal{P}$, let $\Phi$ be the negation of $\Psi$, 
so that $\mathcal{P} \models \Psi$ iff $\mathcal{P} \not\models \Phi$. We construct a TLP $\mathcal{P}^\Phi$ such that $\mathcal{P} \models \Psi$ iff 
the atom $(init, X)$ is not in the greatest model of $\mathcal{P}^\Phi$, where $X$ is the root variable 
of $\Phi$. The construction of the product program is the same as that shown in the case of 
$\mathcal{L}_s$. 

Theorem 4. Given a TLP $\mathcal{P}$ and an unbounded liveness specification $\Psi$, we 
have $\mathcal{P} \models \Psi$ if and only if the atom $(init, X)$ is not in the greatest model of $\mathcal{P}^\Phi$, 
where $\bar\Phi = \Psi$ and $X$ is the root variable of $\Phi$. 



9 Implementation 

Since model checking $\mathcal{P}$ for an (unbounded) liveness property $\Psi$ reduces to checking 
whether $(init, X)$ is contained in the greatest model of $\mathcal{P}^\Phi$ (as constructed 
above), it can be done by computing the greatest fixpoint of the immediate consequence 
operator for $\mathcal{P}^\Phi$. This results in a global model checker. Alternately, 
since the clauses in $\mathcal{P}^\Phi$ have at most one predicate in the body (from the construction 
of the program), we introduce a new greatest model resolution with 
tabling to prove that $(init, X)$ is in the greatest model of $\mathcal{P}^\Phi$. To the best of the 
knowledge of the authors, this is the first time any kind of tabling (without negation) 
is used for the greatest model of a constraint query language program. (Note that the tabling 
used here is different from that used in Section 5 as well as from the tabling schemes cited there.) The 
greatest model resolution algorithm with tabling is given in Figure 3. In Figure 
3, by $(pred(x), \varphi) \xrightarrow{C} (pred'(x), \varphi')$ we mean that $(pred'(x), \varphi')$ is the resolvent 
of $(pred(x), \varphi)$ and the clause $C$, where $pred$ denotes a predicate symbol. In 
step 4(b)i of the algorithm we check whether there exists a goal $(pred'(x), \varphi'')$ 
in the table such that $\varphi''$ entails the constraint store $\varphi'$ of the newly generated 
goal $(pred'(x), \varphi')$. In this case, we do not need to register the solutions into the 
table. We terminate at the first instance of a success leaf or the first instance 
when a newly generated goal contains a goal already in the table (whichever occurs 
earlier). Note that in the above implementation, the use of negation along with 
tabled resolution for the least model would have resulted in splitting of constraints, 
which is prohibitively expensive in practice. 




Fig. 2. An example timed automaton 



Theorem 5 (Soundness). If the procedure in Figure 3 terminates, then $(init, X)$ 
is contained in the greatest model of $\mathcal{P}^\Phi$ if and only if it returns 'yes'. 

Note that the procedure in Figure 3 may not terminate. To ensure the termination 
of the model checking procedure, as in the previous section, we can combine 
the trim operation described above with the procedure. The combined 
algorithm requires polynomial space in the worst case. The details are straightforward; 
we refer the reader to the full paper. Using our method, we 
have been able to verify the unbounded liveness property $X = at\_2 \vee \forall\Box X$ for 
the example timed automaton shown in Figure 2 (the TLP corresponding to that 
timed automaton), where the atomic proposition $at\_2$ is satisfied only by the 
location 2. 

The local model checking algorithm given in Section 5 and the model checking 
algorithm for unbounded liveness properties given above can be combined 
effectively to model check receptiveness properties. A receptiveness property 
is a formula consisting of two declarations $\Phi_1$ and $\Phi_2$, where $\Phi_1$ is a declaration of the form 
$X = X_1 \vee \exists\Diamond X \vee \exists X$ and $\Phi_2$ is a declaration of the form $X_1 = q \wedge \exists\Diamond X_1$, where 
we take the least fixpoint for the first declaration and the greatest fixpoint for 
the second declaration. This asserts that there exists a reachable ground atom 
$p$ such that there exists an infinite derivation (using resolutions through clauses 
of the form (1.1) immediately followed by a resolution through a clause of the 
form (1.2)) starting from $p$ in which every ground atom satisfies $q$ (for timed automata, 
this amounts to the specification that there exists a reachable position 
$p$ such that there exists an (infinite) trace starting from $p$ using time transitions 
followed by edge transitions, i.e., first taking a time transition and then 
following it up by an edge transition and so on, such that every position in that 
trace satisfies $q$). Using the combination mentioned above, we have been able to 
falsify the receptiveness property for the example in Figure 2 with $q = \neg at\_2$. 
The model checker UPPAAL does not seem to be able to verify receptiveness 
properties. We leave the details of model checking for receptiveness 
properties to the full paper. 

(Note that our definition of receptiveness is different from that in the literature.) 

Procedure Greatest Model Resolution 

Input: the program $\mathcal{P}^\Phi$ and the atom (0-ary predicate) $(init, X)$ 

Output: a yes/no answer whether the atom is in the greatest model of $\mathcal{P}^\Phi$ 

Data Structures: 
Stack Table 
Boolean Flag = false 

begin 

Push $(init, X)$ on Table. 
repeat 

1. Let $(pred(x), \varphi)$ be the non-ground goal at the top of the stack Table. 
If $(pred(x), \varphi)$ fails (i.e., there does not exist a clause through which it resolves), 
pop it from Table and go to the end of the repeat-until loop to check 
if Table is empty. (end If) 

2. If $(pred(x), \varphi)$ succeeds through a clause, make Flag true. (end If) 

3. If Flag is true return yes. 

4. else 

(a) $Succ := \{(pred'(x), \varphi') \mid (pred(x), \varphi) \xrightarrow{C} (pred'(x), \varphi')\}$ where $C$ is a 
clause in $\mathcal{P}^\Phi$. 

(b) for each element $(pred'(x), \varphi')$ in Succ do 

i. If there exists $(pred'(x), \varphi'')$ in Table such that $\varphi'' \models \varphi'$, make Flag 
true. 

ii. else push $(pred'(x), \varphi')$ on Table. (end If) 

(c) end for (end If) 

5. If Flag is true return yes. (end If) 

until Table is empty (end of repeat until) 
return no. 

end 

Fig. 3. Greatest Model Resolution (GMR) Procedure 
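The greatest model resolution procedure of Figure 3, as an added example that is not the paper's code. The product program is supplied as a resolvent function, and the example instance is a one-clock system whose non-ground stores are intervals, so that entailment is interval inclusion; the three interval programs are constructed here. Two choices of this example are worth stating: goals whose whole subtree has failed are remembered so they are not expanded again (bookkeeping Figure 3 leaves implicit), and the cycle test asks whether the new goal's store entails a tabled store (the new goal is an instance of a goal already on the table), which is the direction that certifies an infinite ground derivation; Figure 3 prints the entailment the other way round.

```python
"""Added example (not the paper's code): the greatest model resolution (GMR)
procedure of Fig. 3 on non-ground goals (pred, store), instantiated for one
clock whose constraint store is an interval (lo, hi), hi possibly infinite;
entailment of stores is interval inclusion.  The cycle test uses
"new store entails tabled store" (new goal is an instance of a tabled goal)."""
INF = float("inf")
SUCCESS = "success"          # returned by resolve() when a unit clause applies

def entails(store, other):
    """store |= other: every solution of `store` is a solution of `other`."""
    (lo, hi), (lo2, hi2) = store, other
    return lo2 <= lo and hi <= hi2

def gmr(init_goal, resolve):
    """True iff init_goal is in the greatest model: some derivation ends in a
    success leaf or loops into a goal already on the table."""
    table = [init_goal]            # the stack of goals on the current derivation
    pending = {init_goal: None}    # goal -> iterator over its unexplored resolvents
    failed = set()                 # goals whose whole subtree failed (our addition)
    while table:
        goal = table[-1]
        if pending[goal] is None:
            succ = resolve(goal)
            if succ is SUCCESS:
                return True        # step 2: the goal succeeds through a unit clause
            pending[goal] = iter(succ)
        nxt = next(pending[goal], None)
        if nxt is None:            # step 1: no (further) clause resolves the goal
            table.pop()
            del pending[goal]
            failed.add(goal)
            continue
        if nxt in failed:
            continue
        if any(nxt[0] == g[0] and entails(nxt[1], g[1]) for g in table):
            return True            # step 4(b)i: instance of a tabled goal
        table.append(nxt)          # step 4(b)ii
        pending[nxt] = None
    return False

def resolve_with(program):
    """Resolvent function for an interval program: a dict mapping a predicate
    to clauses (g_lo, g_hi, transform, body); body None is a unit clause,
    otherwise transform maps the guarded store to the body's store."""
    def resolve(goal):
        pred, (lo, hi) = goal
        out = []
        for g_lo, g_hi, transform, body in program.get(pred, []):
            nlo, nhi = max(lo, g_lo), min(hi, g_hi)     # conjoin the guard
            if nlo > nhi:
                continue                               # clause does not apply
            if body is None:
                return SUCCESS
            out.append((body, transform((nlo, nhi))))
        return out
    return resolve

def delay_under(bound):
    """Time passes in a location whose invariant is x <= bound."""
    return lambda iv: (iv[0], bound)

KEEP = lambda iv: iv          # edge without reset
RESET = lambda iv: (0, 0)     # edge resetting the clock

# Constructed product program for X = q /\ exists <> X over two locations that
# both satisfy q: l0 (invariant x <= 5) -> l1 on x >= 2 resetting x,
# l1 -> l0 on 1 <= x <= 3 without reset.  An infinite derivation exists.
LOOP_PROGRAM = {
    "l0_X":  [(0, INF, delay_under(5), "l0_X1")],
    "l0_X1": [(2, INF, RESET, "l1_X")],
    "l1_X":  [(0, INF, delay_under(INF), "l1_X1")],
    "l1_X1": [(1, 3, KEEP, "l0_X")],
}
# Same system, but l1 has invariant x <= 3 and its edge needs 4 <= x <= 6:
# every derivation dies in l1, so the goal is not in the greatest model.
DEAD_PROGRAM = dict(LOOP_PROGRAM,
                    l1_X=[(0, INF, delay_under(3), "l1_X1")],
                    l1_X1=[(4, 6, KEEP, "l0_X")])
# A unit clause at l1_X1: the derivation ends in a success leaf.
LEAF_PROGRAM = dict(LOOP_PROGRAM, l1_X1=[(0, INF, None, None)])

def check(program):
    return gmr(("l0_X", (0, 0)), resolve_with(program))

if __name__ == "__main__":
    for name, prog in [("loop", LOOP_PROGRAM), ("dead", DEAD_PROGRAM), ("leaf", LEAF_PROGRAM)]:
        print(name, "yes" if check(prog) else "no")
```

In the looping program the search stops as soon as it generates `("l0_X1", (1, 5))`, an instance of the tabled goal `("l0_X1", (0, 5))`; in the dead program every branch fails and the answer is no.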
10 Related Work 

Logic-based methods for specification and verification are slowly gaining popularity. 
In the past few years there has been a lot of work on model checking 
using deductive methods. While most of these works have 
been focussed on finite state systems, there has also been substantial work on 
verification of integer-valued and parameterized systems using methods based 
on logic. Bjørner et al. use the theorem prover 
STeP to verify real time systems. 

The works from the logic programming, theorem proving and database communities 
that come closest to our work are those in which 
real time systems were translated into constraint logic programs. 
But no detailed model checking results based on such a translation have been 
provided. Gupta and Pontelli have been able to verify several interesting 
properties of real time systems. In contrast with automated model checking 
methods, they rely on the programmer to write a "driver" routine to identify 
the finite number of finite repeating patterns in the infinite strings accepted 
by a timed automaton. In a recent paper, Gupta and Pontelli describe a 
definite clause grammar for the model checker UPPAAL. In an interesting approach, 
they use the Horn logic denotational semantics framework for specifying, 
implementing and automatically verifying real time systems. But in their approach, 
they have to make sure that the verification of properties leads to finite 
computations. Gupta extends these methods to more general 
settings. 

Fribourg verifies real time systems specified by logic programs with 
gap constraints. This work only considers reachability problems for real time 
systems. Termination is always guaranteed here because a backward analysis 
is used (industrial-scale tools like UPPAAL use forward analysis in spite of a 
missing termination guarantee). 

Urbina baptizes a class of CLP programs hybrid automata without, 
however, establishing a formal connection with the standard model for timed 
systems. In fact, the semantics results there cannot be connected with 
liveness properties of timed automata, in contrast to our work on TLPs. 

The works from the verification community that come closest to our work 
are those based on the rewrite tree. The model checking method based on the 
rewrite tree can be viewed as a special case of our model checking procedure 
based on OLDT resolution extended to constraints. We have been able to model 
check for a logic which is strictly more expressive than that of the rewrite tree approach. Also, the 
model checker UPPAAL does not seem to be able to model check for 
receptiveness properties that we have been able to model check for. 
Daws and Tripakis present a global model checking procedure for real time systems. 
In contrast, ours is a local one. Also, their method can be used only for 
model checking "reachability" properties like safety while we have given methods 
to deal with unbounded liveness properties. Sokolsky and Smolka 
present a local model checker for real time systems. But, as mentioned in the 
Introduction, their method for ensuring termination is based on an expensive 
"splitting" of constraints. We have also not received any report on the performance 
of their model checker on any practical example. Du, Ramakrishnan and 
Smolka extend XSB with the POLINE constraint library to verify real 
time systems. But they follow the same techniques as Sokolsky and Smolka and hence they also 
ensure termination using expensive splitting of constraints. 
Abstract. We show how unfold/fold program transformation techniques 
may be used for proving that a closed first order formula holds in the 
perfect model of a logic program with locally stratified negation. We 
present a program transformation strategy which is a decision procedure 
for some given classes of programs and formulas. 

1 Introduction 

One of the main motivations of this paper is to better understand the relationship 
between unfold/fold program transformation and theorem proving. It is 
usually recognized that folding steps during program transformation correspond 
to applications of inductive hypotheses during proofs by induction, and goal 
replacements correspond to lemma applications. 

Some transformational techniques for proving equivalence properties of functional 
and logic programs have already been presented in the literature. 
In this paper we extend these techniques by introducing a method for 
proving that a closed first order formula $\varphi$ holds in the perfect model $M(P)$ 
of a locally stratified logic program $P$. This property is denoted by $M(P) \models \varphi$. 

Our proof method for showing that $M(P) \models \varphi$ holds consists of two steps: 
Step 1: we use a variant of the Lloyd-Topor transformation for transforming 
a statement of the form $f \leftarrow \varphi$, where $f$ is a new predicate symbol, into a 
conjunction $F(f, \varphi)$ of clauses such that $P \wedge F(f, \varphi)$ is locally stratified and 
$M(P) \models \varphi$ iff $M(P \wedge F(f, \varphi)) \models f$, and 

Step 2: we show that $M(P \wedge F(f, \varphi)) \models f$ holds by applying transformation rules 
which preserve perfect models, and deriving from $P \wedge F(f, \varphi)$ a new program of 
the form $Q \wedge f$. 

We illustrate our proof method by means of the following example. 

Example. [Semaphore] Consider the following program P, where s . . . sO with n 
occurrences of the successor function s, denotes the natural number n\ 

1. down{sx) ^ ^down{x) 3. up{sx,0) ^ down{x) 

2. up(0,0) 4. up{sx, sy) ^ up{sx,y), x>y 

This program describes a semaphore which as time progresses, alternates be- 
tween the states up and down. When the semaphore goes up for the n-th time, 
it stays up for a period of 2n time-units, and when it goes down, it stays 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 613^^ 2000. 
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down for one time-unit only. We want to prove the following property of the 
semaphore: (A) \!x,y{{x>y, up{x,y)) — > up{ssx,Q))^ which states that if the 
semaphore is up then it will be up again in the future. We start from the state- 
ment: / <— {y!x,y{x>y, up{x,y)) up(ssx,0)). By applying a variant of the 
Lloyd-Topor transformation (see Section we get the clauses: 

5. 6. g ^ x>y, up{x,y), ^up{ssx,0) 

This concludes Step 1 of our proof method. Step 2 is realized by applying
transformation rules which preserve perfect models (see Section 4). We proceed
by introducing the following two definitions: (i) h ← x > y, up(s x, y),
¬up(s s s x, 0) and (ii) k(n) ← x > z, plus(y, n, z), up(s x, y), ¬up(s s s x, 0).

By positive and negative unfolding, folding, and goal replacement, we get the
program Q: f ← ¬g, g ← h, h ← k(s0), k(n) ← k(s n). Now, since k is a useless
predicate, being defined by the recursive clause k(n) ← k(s n) without a base
case, we may apply the clause deletion rule (see rule R6 in Section 4) and we
get the program R: f ← ¬g, g ← h, h ← k(s0). This step is correct because in
the perfect model of program R there are no atoms with predicate k.

Then, since the definition of the predicate k in program R is empty, we delete
clause h ← k(s0) by unfolding it w.r.t. k(s0). Analogously, we delete the
clause g ← h by unfolding it w.r.t. h. Thus, the derived program consists of
clause f ← ¬g only. Finally, by unfolding f ← ¬g w.r.t. ¬g we get f, because
the definition of g in the derived program is empty. This completes our
transformational proof of Property (A). □
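As an added example (not part of the paper), a bounded check of the Semaphore program and of Property (A) in Python: natural numbers are ints (s x is x + 1), the perfect model is evaluated by recursion on the argument that stratifies the program, and the property is tested for all x, y up to a constructed bound. The transformational proof above covers all x, y; this is the sanity test one runs before attempting such a proof.

```python
# Added example (not from the paper): a bounded check of the Semaphore
# program P and of Property (A) in its perfect model.  Natural numbers are
# Python ints (s x is x + 1); the check covers 0 <= x, y <= BOUND.
from functools import lru_cache

BOUND = 40  # constructed bound for the finite check


@lru_cache(maxsize=None)
def down(x: int) -> bool:
    """Clause 1: down(s x) <- not down(x).  No clause has head down(0), so
    down(0) is false in the perfect model; the recursion on x is the local
    stratification that makes the negation well-behaved."""
    if x == 0:
        return False
    return not down(x - 1)


@lru_cache(maxsize=None)
def up(x: int, y: int) -> bool:
    """Clauses 2-4:
         up(0, 0).
         up(s x, 0)   <- down(x)
         up(s x, s y) <- up(s x, y), x > y
    Each (x, y) matches the head pattern of at most one clause."""
    if y == 0:
        if x == 0:
            return True           # clause 2
        return down(x - 1)        # clause 3, head up(s x, 0) with x := x-1
    if x == 0:
        return False              # no clause has head up(0, s y)
    # clause 4: head up(s x', s y') with x' = x-1, y' = y-1
    return up(x, y - 1) and (x - 1) > (y - 1)


def property_a_holds(bound: int = BOUND) -> bool:
    """Property (A): forall x, y ((x > y, up(x, y)) -> up(s s x, 0)),
    checked for all x, y in 0..bound."""
    return all(up(x + 2, 0)
               for x in range(bound + 1)
               for y in range(bound + 1)
               if x > y and up(x, y))


def counterexamples(bound: int = BOUND) -> list:
    """The (x, y) pairs within the bound that would violate Property (A):
    states in which the semaphore is up but never goes up again."""
    return [(x, y) for x in range(bound + 1) for y in range(bound + 1)
            if x > y and up(x, y) and not up(x + 2, 0)]
```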

The tight correspondence between program transformation and theorem proving
can also be exploited to turn program transformation strategies into proof
strategies. In particular, at Step 2 of our proof method, in order to direct
the transformation rules, we may use the so called UFS strategy (see Section
5), which is an enhancement of a transformation strategy proposed in […]. When
our UFS strategy terminates, it derives from P ∧ F(f, φ) either (i) a new
program of the form Q ∧ f, in which case M(P) ⊨ φ, or (ii) a program R where
no clause has head predicate f, in which case M(P) ⊭ φ, because M(P) ⊨ φ iff
M(P ∧ F(f, φ)) ⊨ f iff M(R) ⊨ f, and f does not hold in the perfect model of
R. We will show that the UFS strategy terminates for some classes of properties
and some classes of logic programs with locally stratified negation, and thus,
it can be used as a decision procedure for those classes.

2 Preliminaries

In this section we recall some basic definitions used in the paper. For notions
not defined here and, in particular, for those of stratum, locally stratified
logic program, and perfect model, the reader may refer to […].

The formulas and programs we consider are constructed by using a fixed
first-order language L. Logic programs are conjunctions of clauses which may
have negated atoms in their bodies. A goal is a conjunction of literals. The
empty goal is true. The head and the body of a clause C are denoted by hd(C)
and bd(C), respectively. The predicate symbol of the atom hd(C) is called the
head predicate of C. Given a term t we denote by vars(t) the set of all
variables occurring in t. Similar notations will be used for the variables
occurring in formulas. Given a clause C, a variable in bd(C) is said to be
existential iff it belongs to vars(bd(C)) − vars(hd(C)). Given a formula φ we
denote by freevars(φ) the set of all free variables of φ. A literal is said to
be propositional iff its predicate symbol is nullary, that is, it has arity 0.
A goal (or a clause, or a program) is propositional iff all its literals are
propositional. A formula is said to be function-free iff no function symbols
occur in it.

We say that a predicate p depends on a predicate q in P iff either there exists
in P a clause of the form: p(...) ← B such that q occurs in the goal B, or there
exists in P a predicate r such that p depends on r in P and r depends on q in
P. The definition of a predicate p in a program P, denoted by Def(p, P), is the
conjunction of all clauses of P whose head predicate is p. We say that p is
defined in P iff Def(p, P) is not empty. The extended definition of a predicate
p in a program P, denoted by Def*(p, P), is the conjunction of the definition
of p and the definitions of all the predicates on which p depends in P. The set
of the useless predicates of a program P is the maximal set U of predicates of
P such that a predicate p is in U iff the body of each clause of Def(p, P) has a
positive literal whose predicate is in U. For instance, p and q are useless and
r is not useless in the program (p ← q, r) ∧ (q ← p) ∧ (r ←).
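An added example (not the paper's code) that computes the useless predicates of a program as the greatest fixpoint of the definition just given, and applies the clause deletion rule R6 of Section 4 on top of it; the clause encoding and the function names are ours. On program Q of the Semaphore example the fixpoint contains g and h as well as k, because they depend positively on k; the paper's narrative deletes the definition of k first and then removes h and g by unfolding, which reaches the same program.

```python
# Added example (not from the paper): the set of useless predicates of a
# program, computed as the greatest fixpoint of the definition above, and
# rule R6 (clause deletion) built on it.  A program is a list of clauses
# (head_predicate, body); a body is a list of (predicate, positive) pairs,
# with positive=False for a negated atom.  Argument terms play no role here.

def useless_predicates(program):
    """Maximal set U of predicates of the program such that p is in U iff
    every clause of Def(p, P) has a positive body literal whose predicate is
    in U.  Start from all predicates and drop those failing the condition
    until nothing changes: the result is the greatest fixpoint."""
    defs = {}
    for head, body in program:
        defs.setdefault(head, []).append(body)
        for q, _ in body:
            defs.setdefault(q, [])   # occurs only in bodies: empty definition
    useless = set(defs)
    changed = True
    while changed:
        changed = False
        for p in sorted(useless):
            # A predicate with an empty definition satisfies the condition
            # vacuously (our reading of the definition) and stays in U.
            if not all(any(pos and q in useless for q, pos in body)
                       for body in defs[p]):
                useless.discard(p)
                changed = True
    return useless


def clause_deletion(program):
    """Rule R6: remove from the program the definitions of its useless
    predicates; the clauses of the other predicates are kept in order."""
    useless = useless_predicates(program)
    return [(h, b) for h, b in program if h not in useless]


# Constructed encodings of the paper's own examples.
# (p <- q, r) ^ (q <- p) ^ (r <-): p and q are useless, r is not.
PQR = [("p", [("q", True), ("r", True)]),
       ("q", [("p", True)]),
       ("r", [])]

# Program Q of the Semaphore example: f <- not g, g <- h, h <- k(s0),
# k(n) <- k(sn).  k has no base case; h and g depend positively on k.
SEMAPHORE_Q = [("f", [("g", False)]),
               ("g", [("h", True)]),
               ("h", [("k", True)]),
               ("k", [("k", True)])]
```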

3 From First-Order Formulas to Logic Programs

In this section we present a method that,
 given a locally stratified program P
and a closed first-order formula φ in the language L, introduces a new predicate
f and constructs a locally stratified program P ∧ F(f, φ) such that M(P) ⊨ φ
iff M(P ∧ F(f, φ)) ⊨ f.

In order to construct F(f, φ) we need to consider a class of formulas, called
statements, of the form A ← β where A is an atom and β, called the body of the
statement, is a (possibly open) first-order logic formula. We write C[γ] to
denote a first-order formula where the subformula γ occurs as a conjunct 'at
top level', that is, C[γ] = ρ1 ∧ ... ∧ ρr ∧ γ ∧ σ1 ∧ ... ∧ σs for some
first-order formulas ρ1, ..., ρr, σ1, ..., σs, and some r ≥ 0 and s ≥ 0. When
we say that the formula C[γ] is transformed into the formula C[δ], we mean that
C[δ] is obtained from C[γ] by replacing the top level conjunct γ by the new top
level conjunct δ.

Given a conjunction of statements, the following LT transformation, similar to
the one proposed in […], terminates and it produces a locally stratified
program.

The LT Transformation.

Given a conjunction of statements, perform the following transformations:

(A) Eliminate from the body of every statement all occurrences of logical
constants, connectives, and quantifiers other than true, ¬, ∧, and ∃. For every
statement st, rename the bound variables of st so that none of them occurs in
freevars(st) and all of them are distinct.
(B) Apply as long as possible the following rules:

(B.1) A ← C[¬true] is deleted

(B.2) A ← C[¬¬φ] is transformed into A ← C[φ]

(B.3) A ← C[¬(φ ∧ ψ)] is transformed into A ← C[¬newp(y1, ..., yk)] ∧
      newp(y1, ..., yk) ← φ ∧ ψ
      where φ ≠ true, ψ ≠ true, newp is a new predicate symbol, and
      {y1, ..., yk} = freevars(φ ∧ ψ).

(B.4) A ← C[¬∃x φ] is transformed into A ← C[¬newp(y1, ..., yk)] ∧
      newp(y1, ..., yk) ← φ
      where newp is a new predicate symbol and {y1, ..., yk} = freevars(∃x φ).

(B.5) A ← C[∃x φ] is transformed into A ← C[φ]   □

Given a locally stratified program P and a closed first-order formula φ, we
denote by F(f, φ) the conjunction of the clauses derived by applying the LT
transformation to the statement f ← φ, where f is a new predicate symbol
occurring neither in φ nor in P. We assume that the new predicates introduced
during the construction of F(f, φ) do not occur in P.

The reader may verify that in the Semaphore Example of Section 1, clauses 5
and 6 have been derived by applying the LT transformation starting from the
following statement: f ← ∀x,y ((x > y, up(x,y)) → up(s s x, 0)). The following
result states that the LT transformation is correct w.r.t. the perfect model
semantics, thereby extending the result by Lloyd and Topor, who showed that
their transformation is correct w.r.t. the Clark completion semantics. Thus,
Step 1 of our proof method is sound.
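An added, executable version of the LT transformation (not the authors' code): step (A) rewrites the connectives, step (B) applies rules (B.1)–(B.5) to the top-level conjuncts of each statement. The formula encoding, the naming scheme newp1, newp2, ... and the assumption that bound variables are already renamed apart are ours. Run on the statement f ← φ for Property (A) it reproduces clauses 5 and 6 (with g named newp1); run on the Even-Odd formula of Section 6 it yields clauses 7 and 8.

```python
# Added example (not from the paper): an executable LT transformation for a
# statement f <- phi.  Formulas are nested tuples: ("true",),
# ("atom", pred, [term strings]), ("not", f), ("and", f, g), ("or", f, g),
# ("imp", f, g), ("exists", x, f), ("forall", x, f).  Variables are term
# identifiers starting with an upper-case letter (Prolog convention).
# Assumption: bound variables are already distinct and disjoint from the
# free ones, so the renaming part of step (A) is not implemented.
import re

TRUE = ("true",)

def atom(pred, args):
    return ("atom", pred, list(args))

def normalize(f):
    """Step (A): keep only true, not, and, exists.  A -> B becomes
    not(A and not B), A or B becomes not(not A and not B), forall x A becomes
    not exists x not A.  Conjuncts 'true' are dropped on the way."""
    tag = f[0]
    if tag in ("true", "atom"):
        return f
    if tag == "not":
        return ("not", normalize(f[1]))
    if tag == "and":
        a, b = normalize(f[1]), normalize(f[2])
        return b if a == TRUE else a if b == TRUE else ("and", a, b)
    if tag == "or":
        return normalize(("not", ("and", ("not", f[1]), ("not", f[2]))))
    if tag == "imp":
        return normalize(("not", ("and", f[1], ("not", f[2]))))
    if tag == "exists":
        return ("exists", f[1], normalize(f[2]))
    return normalize(("not", ("exists", f[1], ("not", f[2]))))  # forall

def freevars(f):
    """Free variables of a normalized formula, as a sorted list."""
    tag = f[0]
    if tag == "true":
        return []
    if tag == "atom":
        return sorted({v for t in f[2] for v in re.findall(r"\b[A-Z]\w*", t)})
    if tag == "not":
        return freevars(f[1])
    if tag == "and":
        return sorted(set(freevars(f[1])) | set(freevars(f[2])))
    return sorted(set(freevars(f[2])) - {f[1]})                    # exists

def conjuncts(f):
    """Top-level conjuncts of a formula, nested 'and' flattened."""
    return conjuncts(f[1]) + conjuncts(f[2]) if f[0] == "and" else [f]

def lt_transform(head, body):
    """Steps (A) and (B) for the statement head <- body.  Returns clauses as
    (head, [literals]) pairs; new predicates are named newp1, newp2, ..."""
    counter, clauses = 0, []
    work = [(head, conjuncts(normalize(body)))]
    while work:
        h, conj = work.pop(0)
        i = 0
        while i < len(conj):                   # look for an applicable rule
            c = conj[i]
            if c[0] == "exists":                                     # (B.5)
                conj[i:i + 1] = conjuncts(c[2])
                continue
            if c[0] != "not":                  # positive literal: keep it
                i += 1
                continue
            inner = c[1]
            if inner == TRUE:                                        # (B.1)
                conj = None
                break
            if inner[0] == "not":                                    # (B.2)
                conj[i:i + 1] = conjuncts(inner[1])
            elif inner[0] in ("and", "exists"):               # (B.3), (B.4)
                counter += 1
                newp = atom(f"newp{counter}", freevars(inner))
                defining = inner if inner[0] == "and" else inner[2]
                work.append((newp, conjuncts(defining)))
                conj[i] = ("not", newp)
                i += 1
            else:                              # negative literal: keep it
                i += 1
        if conj is not None:
            clauses.append((h, conj))
    return clauses

def show(lit):
    if lit[0] == "not":
        return "not " + show(lit[1])
    return lit[1] + ("(" + ",".join(lit[2]) + ")" if lit[2] else "")

def render(clauses):
    return [show(h) + (" <- " + ", ".join(map(show, b)) if b else "")
            for h, b in clauses]

# Constructed input: Property (A) of the Semaphore example, with gt(X,Y)
# standing for x > y and s(s(X)) for ssx.
PHI_A = ("forall", "X", ("forall", "Y",
         ("imp", ("and", atom("gt", ["X", "Y"]), atom("up", ["X", "Y"])),
                 atom("up", ["s(s(X))", "0"]))))
```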

Theorem 1. [Correctness of LT Transformation w.r.t. Perfect Models]
Let P be a locally stratified program, φ be a closed first-order formula, and
f be a predicate symbol occurring neither in φ nor in P. If F(f, φ) is obtained
from f ← φ by the LT transformation, then (i) P ∧ F(f, φ) is a locally
stratified program, and (ii) M(P) ⊨ φ iff M(P ∧ F(f, φ)) ⊨ f. □

4 Transformation Rules

In this section we present our transformation rules and we provide a sufficient
condition under which they preserve perfect models. We extend the results in
[…], which refer to the definition, positive unfolding, and folding rules only.

A transformation sequence is a sequence of programs P_0, ..., P_n, where, for
0 ≤ k ≤ n−1, program P_{k+1} is derived from program P_k by the application of
a transformation rule as indicated below. We assume that the set of predicate
symbols of the language is partitioned into two categories: basic predicates
and non-basic predicates. Atoms, literals, and goals which have occurrences of
basic predicates only are called basic atoms, basic literals, and basic goals,
respectively. We assume that each basic atom is in a strictly smaller stratum
w.r.t. any non-basic atom. The partition of the set of predicates into basic or
non-basic predicates is arbitrary.

For 0 ≤ k ≤ n, we also consider the conjunction Defs_k of definitions,
constructed as follows:

(1) Defs_0 is the conjunction of every clause C in program P_0 of the form
p(x1, ..., xm) ← L1, ..., Ln, with n > 0, such that: (i) x1, ..., xm are
distinct variables (possibly not all variables) occurring in the goal
L1, ..., Ln, (ii) at least one literal among L1, ..., Ln is a non-basic positive
literal, (iii) no predicate symbol occurring in the goal L1, ..., Ln depends on
p in P_0, and (iv) C = Def(p, P_0);

(2) for k > 0, Defs_k is the conjunction of the clauses in Defs_0 and those
introduced by the definition rule R1 during the transformation sequence
P_0, ..., P_k.

R1. Definition Rule. We get program P_{k+1} by adding to program P_k a clause
C of the form: newp(x1, ..., xm) ← L1, ..., Ln, with n > 0, such that: (i)
x1, ..., xm are distinct variables occurring in L1, ..., Ln, (ii) at least one
literal among L1, ..., Ln is a non-basic positive literal, and (iii) the
predicate symbol newp is a non-basic predicate which occurs neither in
P_0, ..., P_k nor in the goal L1, ..., Ln.

R2. Positive Unfolding Rule. Let C be a renamed apart clause in P_k of the
form H ← G1, A, G2, where A is an atom, and G1 and G2 are (possibly empty)
goals. Suppose that: (1) D1, ..., Dm, with m ≥ 0, are all clauses of program
P_k such that A is unifiable with hd(D1), ..., hd(Dm), with most general
unifiers θ1, ..., θm, respectively, and (2) Ci is the clause
(H ← G1, bd(Di), G2)θi, for i = 1, ..., m. By unfolding C w.r.t. A we derive
program P_{k+1} by replacing C in program P_k by C1, ..., Cm.

In particular, if m = 0 then we derive P_{k+1} by deleting clause C from P_k.
R3. Negative Unfolding Rule. Let C be a renamed apart clause in P_k of the
form H ← G1, ¬A, G2, where A is an atom, and G1 and G2 are (possibly empty)
goals. Let D1, ..., Dm, with m ≥ 0, be all clauses of program P_k such that A
is unifiable with hd(D1), ..., hd(Dm), with most general unifiers θ1, ..., θm,
respectively. Assume that: (1) A = hd(D1)θ1 = ··· = hd(Dm)θm, that is, for
i = 1, ..., m, A is an instance of hd(Di), (2) for i = 1, ..., m, Di has no
existential variables, and (3) from G1, ¬(bd(D1)θ1 ∨ ... ∨ bd(Dm)θm), G2 we
get an equivalent disjunction Q1 ∨ ... ∨ Qr of goals, with r ≥ 0, by first
pushing ¬ inside and then pushing ∨ outside. By unfolding C w.r.t. ¬A we derive
program P_{k+1} by replacing C in program P_k by C1, ..., Cr, where for
i = 1, ..., r, clause Ci is H ← Qi.

In particular: (i) if m = 0 then we get the new program P_{k+1} by deleting ¬A
from the body of clause C, and (ii) if for some i ∈ {1, ..., m}, bd(Di) = true
then we derive program P_{k+1} by deleting clause C from P_k.

R4. Folding Rule. Let D be a renamed apart definition in Defs_k and C be a
clause in P_k of the form H ← G1, B, G2, where B, G1, and G2 are (possibly
empty) goals. Suppose that for some substitution θ: (i) B = bd(D)θ, and (ii)
for every variable x in the set vars(D) − vars(hd(D)), we have that xθ is a
variable which occurs neither in {H, G1, G2} nor in the term yθ, for any
variable y occurring in bd(D) and different from x. By folding clause C w.r.t.
B using clause D we derive the clause E: H ← G1, hd(D)θ, G2 and we get program
P_{k+1} by replacing C in P_k by E.

R5. Tautology Rule. We get the new program P_{k+1} by replacing in P_k a
conjunction of clauses by the corresponding equivalent conjunction of clauses
according to the following equivalences, where G and R denote (possibly empty)
goals, and H and A denote atoms:

1. (H ← A, ¬A, G) ↔ true
2. (H ← G) ∧ (H ← G, R) ↔ (H ← G)
3. (H ← H, G) ↔ true
4. (H ← A, G, R) ∧ (H ← ¬A, G) ↔ (H ← G, R) ∧ (H ← ¬A, G)

R6. Clause Deletion Rule. We get the new program P_{k+1} by removing from P_k
the definitions of the useless predicates of P_k.

R7. Goal Replacement Rule. Let C be a renamed apart clause in P_k of the form
H ← G1, Q, G2, where Q, G1, and G2 are (possibly empty) goals. Suppose that,
for some goal R, we have: M(P_0) ⊨ ∀x1 ... xu (∃y1 ... yv Q ↔ ∃z1 ... zw R),
where: (i) {y1, ..., yv} = vars(Q) − vars(H, G1, G2), (ii) {z1, ..., zw} =
vars(R) − vars(H, G1, G2), and (iii) {x1, ..., xu} = vars(Q, R) −
{y1, ..., yv, z1, ..., zw}. Suppose also that Q and R are basic goals and H is
a non-basic atom. Then we derive program P_{k+1} by replacing C in P_k by the
clause H ← G1, R, G2.

Theorem 2. [Correctness of the Transformation Rules] Let P_0, ..., P_n be a
transformation sequence such that the following holds: if for some k with
1 ≤ k ≤ n, we have applied rule R4 for folding clause C in P_k using clause D
in P_0 ∧ Defs_k, then there exists i, with 0 ≤ i < k, such that D occurs in P_i
and P_{i+1} is derived from P_i by positive unfolding of D w.r.t. a non-basic
atom. Then we have that M(P_0 ∧ Defs_n) = M(P_n). □

Notice that the statement obtained from Theorem 2 by replacing 'positive
unfolding' by 'negative unfolding' is not a theorem, as shown by the following
example. Let P_0 be the program (p ← ¬q(x)) ∧ (q(x) ← q(x)) ∧ (q(x) ← r). By
negative unfolding w.r.t. ¬q(x) we get program P_1: (p ← ¬q(x), ¬r) ∧
(q(x) ← q(x)) ∧ (q(x) ← r). Then by folding we get program P_2: (p ← p, ¬r) ∧
(q(x) ← q(x)) ∧ (q(x) ← r). We have that M(P_0) ⊨ p, while M(P_2) ⊨ ¬p.

5 A Strategy for Unfold/Fold Proofs

In order to verify whether or not M(P) ⊨ φ holds, Step 2 of our unfold/fold
proof method requires the construction of a transformation sequence from
program P ∧ F(f, φ) to a new program, say T, such that either (i) Def(f, T) is
f, and in this case we infer that M(P) ⊨ φ, or (ii) T is a program where
Def(f, T) is the empty conjunction, and in this case we infer that M(P) ⊭ φ.
To construct this transformation sequence we need a strategy for guiding the
application of the transformation rules. In this section we present such a
strategy, called UFS (short for Unfold/Fold proof Strategy). The UFS strategy
is an extension of the strategy introduced in the case of definite logic
programs for eliminating existential variables […]. The basic idea is that by
eliminating existential variables, from P ∧ F(f, φ) we may derive a program,
say S, such that Def*(f, S) is a propositional program. Then, we can transform
S by using the clause deletion, unfolding, tautology, and goal replacement
rules, into a program T satisfying either (i) or (ii) above. Obviously, since
in general M(P) ⊨ φ is an undecidable property, our UFS strategy may fail to
produce a propositional program.
For specifying the UFS strategy, we need the following definition.

Definition 1. A level mapping of a program P is a mapping from the set of
predicate symbols occurring in P to the set of natural numbers. The level of
predicate p is the value of p under this mapping.

By the definition of the LT transformation there exists a level mapping of
P ∧ F(f, φ) such that: (i) the level of every predicate defined in P is 0,
(ii) the level of every predicate defined in F(f, φ) is greater than 0, (iii)
for each clause p(...) ← B in F(f, φ) the level of every predicate in B is
strictly smaller than the level of p, and (iv) the predicate f has the highest
level, say K. For instance, in the Semaphore Example we may choose the level
mapping m as follows: m(down) = m(up) = m(>) = 0, m(g) = 1, and m(f) = 2
(thus, K = 2).

The UFS strategy requires three substrategies: (1) UNFOLD, (2) TAUTOLOGY &
REPLACE, and (3) DEFINE & FOLD, which we will specify below for the classes of
programs and formulas for which the UFS strategy terminates.

The Unfold/Fold Proof Strategy UFS.

Input: (i) P ∧ F(f, φ), where P is a locally stratified program and φ is a
closed first-order formula, and (ii) a set Laws of equivalences of the form:
M(P) ⊨ ∀x1 ... xu (∃y1 ... yv Q ↔ ∃z1 ... zw R), where Q and R are basic goals.

Output: A program T such that: (i) M(T) ⊨ f iff M(P ∧ F(f, φ)) ⊨ f, and (ii)
Def(f, T) is either f or the empty conjunction.

Let P ∧ F(f, φ) be P ∧ P^1 ∧ ... ∧ P^K, where for i = 1, ..., K, program P^i is
the conjunction of the clauses whose head predicate has level i. T := P;

for i = 1, ..., K do

Let Pos be the conjunction of the clauses of P^i whose body has at least one
non-basic positive literal, and Neg be the conjunction of the clauses of P^i
which are not in Pos. Let Defs be Pos and Out be the empty conjunction.
while Pos is not the empty conjunction do   (†)

(1) UNFOLD(T, Pos, U): From program T ∧ Pos we derive T ∧ U by a finite
sequence of applications of the positive or negative unfolding rules to the
clauses in Pos. We require that:

[Progression] the positive unfolding rule is applied at least once to each
clause in Pos.

(2) TAUTOLOGY & REPLACE(T, Laws, U, R): From program T ∧ U we derive T ∧ R by
a finite sequence of applications of the tautology and goal replacement rules
to the clauses in U, using the equivalences in the set Laws.

(3) DEFINE & FOLD(T, R, Defs, OutClauses, NewDefs): From program T ∧ R we
derive T ∧ OutClauses ∧ NewDefs by: (i) a finite sequence of applications of
the definition rule by which we introduce the (possibly empty) conjunction
NewDefs of clauses, followed by (ii) a finite sequence of applications of the
folding rule to the clauses in R, using clauses occurring in Defs ∧ NewDefs.
We assume that the following conditions are satisfied:

(3.1) [Positive definitions] The body of each clause in NewDefs has at least
one non-basic positive literal.

(3.2) [No existential variables] Each clause in OutClauses which has been
derived by folding has no existential variables.

(3.3) [Full Folding] Each predicate in the body of each clause in OutClauses
which has been derived by folding occurs in Defs ∧ NewDefs.

Out := Out ∧ OutClauses; Pos := NewDefs; Defs := Defs ∧ NewDefs  od;
Delete from Out the definitions of useless predicates, thereby deriving Out';

T := T ∧ Out' ∧ Neg;

Initialize D to the conjunction of all definitions of nullary predicates in T;
Initialize Q to the conjunction of all definitions of non-nullary predicates in T;
while D is not a conjunction of unit clauses do   (††)

UNFOLD(Q, D, U): From program Q ∧ D we derive Q ∧ U by a (possibly empty)
sequence of applications of the positive or negative unfolding rules to the
clauses in D. (Here the Progression requirement need not be satisfied.)

TAUTOLOGY & REPLACE(Q, Laws, U, R); D := R  od;

Unfold the clauses of Q w.r.t. their propositional literals, thereby deriving
Q';   (†††)
T := Q' ∧ D  end for  □

Our UFS strategy proceeds by iterating over levels (from level 1 to level K)
a sequence of transformations on the program T, which initially is P. For
i = 1, ..., K, the conjunction of the clauses defining the predicates with
level i, that is, program P^i, is processed by the UFS strategy, and the while
loop (†) generates from program T ∧ P^i (which is T ∧ Neg ∧ Pos) the new
program T. The objective of the while loop (†) is: (i) to ensure that positive
unfolding steps w.r.t. non-basic atoms are performed before folding, and (ii)
to avoid existential variables via definition and folding steps. Then useless
predicates are deleted. Finally, the while loop (††) performs unfolding,
tautology, and goal replacement steps on the definitions of nullary predicates
so as to reduce each of them, if possible, either to the empty definition (in
which case the corresponding predicate is false) or to a unit clause (in which
case the corresponding predicate is true). The truth values of the
propositional predicates are then propagated by the unfolding steps (†††).
When the last program level K has been processed, we get for the predicate f
either the empty definition or the clause f. Thus, we may establish whether or
not M(P ∧ F(f, φ)) ⊨ f holds.

The soundness of our proof strategy follows from the fact that the
transformation rules are used in such a way that the hypothesis of the
Correctness Theorem of Section 4 holds. The UFS strategy may not terminate,
because in general M(P ∧ F(f, φ)) ⊨ f is undecidable. Indeed, (i) during the
execution of the WHILE loop (†) we may introduce, by applying the definition
rule, an infinite number of new clauses, and thus Pos never becomes the empty
conjunction, and (ii) the WHILE loop (††) may not terminate for nullary
predicates which depend on non-nullary predicates.

The reader may check that our introductory Semaphore Example has indeed been
worked out using the UFS proof strategy.

6 Decision Procedures Based on Unfold/Fold Proofs

Now we present two classes of formulas, called tree-typed formulas and
tree-typed clausal formulas, and two classes of programs, called MR programs
and DL programs, for which a deterministic version of the UFS strategy, called
dUFS strategy, terminates. Thus, the dUFS strategy is a decision procedure for
establishing whether or not M(P) ⊨ φ holds, when φ and P are in the given
classes.

In this section we assume that all predicates are non-basic. The tree-typed
formulas are function-free formulas whose variables range over sets of trees
denoted by tree programs, which we now define.

Definition 2. [Tree Programs] A tree program is a conjunction of tree clauses.
A tree clause is a clause of the form: r0(t(x1, ..., xn)) ← r1(x1), ..., rn(xn),
with n ≥ 0, where t is a function symbol and x1, ..., xn are distinct
variables. A tree atom is an atom whose predicate is defined by a tree program.

Definition 3. [Tree-Typed Formulas] A tree-typed formula over a program P is a
first-order formula φ, defined as follows:

φ ::= p(x1, ..., xn) | ¬φ | φ1 ∧ φ2 | φ1 ∨ φ2 | ∀x (r(x) → φ) | ∃x (r(x) ∧ φ)

where: (i) x1, ..., xn, with n ≥ 0, are distinct variables, (ii) all predicates
occurring in φ are defined in P, and (iii) Def*(r, P) is a tree program.

Example. [Even-Odd Paths] Let us consider the following Even-Odd program:

1. bin(leaf)                          4. even(t(x,y)) ← ¬even(x)
2. bin(t(x,y)) ← bin(x), bin(y)       5. even(t(x,y)) ← ¬even(y)
3. even(leaf)                         6. odd(t(x,y)) ← ¬odd(x), ¬odd(y)

Clauses 1 and 2 are tree clauses. The formula ∀x (bin(x) → even(x) ∨ odd(x))
is a tree-typed formula over Even-Odd. Informally, the formula means that in
every binary tree there exists a path of even length or all paths have odd
length. Thus, we expect that M(P) ⊨ φ holds, as we will formally prove below. □
The Tree-Typed LT Transformation.

In order to construct the locally stratified program F(f, φ) for a given
tree-typed formula φ, we apply the so called tree-typed LT transformation,
which is a variant of the LT transformation (see Section 3) obtained by
replacing rules (B.3) and (B.4) by the following ones:

(B.3)* A ← C[¬(φ ∧ ψ)] is transformed into A ← C[¬newp(y1, ..., yk)] ∧
       newp(y1, ..., yk) ← τ ∧ φ ∧ ψ
       where newp is a new predicate symbol, {y1, ..., yk} = freevars(φ ∧ ψ),
       and τ is the conjunction of all tree atoms r(y) occurring as conjuncts
       at top level in C[¬(φ ∧ ψ)] and such that y ∈ {y1, ..., yk}.

(B.4)* A ← C[¬∃x (r(x) ∧ φ)] is transformed into A ← C[¬newp(y1, ..., yk)] ∧
       newp(y1, ..., yk) ← τ ∧ r(x) ∧ φ
       where newp is a new predicate symbol, {y1, ..., yk} =
       freevars(∃x (r(x) ∧ φ)), and τ is the conjunction of all tree atoms
       r(y) occurring as conjuncts at top level in C[¬∃x (r(x) ∧ φ)] and such
       that y ∈ {y1, ..., yk}.

Example. [Even-Odd Paths. Continued] For the tree-typed formula
∀x (bin(x) → even(x) ∨ odd(x)), the corresponding F(f, φ) obtained by the
tree-typed LT transformation is the conjunction of the following two clauses:

7. f ← ¬g        8. g ← bin(x), ¬even(x), ¬odd(x)   □

Theorem 3. [Correctness of the Tree-Typed LT Transformation w.r.t. Perfect
Models] For every locally stratified logic program P and closed tree-typed
formula φ over P, if F(f, φ) is obtained from f ← φ by the tree-typed LT
transformation, then (i) P ∧ F(f, φ) is a locally stratified program and
M(P) ⊨ φ iff M(P ∧ F(f, φ)) ⊨ f, and (ii) for each clause C in F(f, φ) we have
that: (ii.1) C is of the form newp(x1, ..., xm) ← r1(x1), ..., rn(xn), G, where
r1(x1), ..., rn(xn) are tree atoms, (ii.2) vars(C) = {x1, ..., xn}, (ii.3) G is
a function-free goal, and (ii.4) C = Def(newp, P ∧ F(f, φ)). □

Definition 4. [Monadic Regular Programs] A monadic regular program is a
conjunction of monadic regular clauses. A monadic regular clause (or an MR
clause, for short) is a locally stratified clause of the form:

p0(t(x1, ..., xn)) ← p1(y1), ..., pk(yk), ¬pk+1(yk+1), ..., ¬pm(ym)

with n, m ≥ 0, where t is a function symbol, x1, ..., xn are distinct
variables, and y1, ..., ym are (not necessarily distinct) variables occurring
in {x1, ..., xn}. Tree programs are MR programs.

We now describe the deterministic version of the UFS strategy, called dUFS.

The Unfold/Fold Proof Strategy dUFS.

The dUFS strategy is obtained from the UFS strategy defined in Section 5 by
replacing the substrategies: (1) UNFOLD, (2) TAUTOLOGY & REPLACE, and (3)
DEFINE & FOLD by the following ones, respectively:

(1d) BREADTH-FIRST UNFOLD(T, Pos, U): From program T ∧ Pos we derive T ∧ U
by: (i) one application of positive unfolding w.r.t. each positive literal
occurring in the body of a clause in Pos, followed by (ii) one application of
negative unfolding w.r.t. each negative literal occurring in the body of a
clause in Pos.

(2d) TAUTOLOGY(T, U, R): From program T ∧ U we derive T ∧ R by a sequence of
applications of the tautology rule, constructed by rewriting as long as
possible an instance of the left hand side of an equivalence of Rule R5 by the
corresponding instance of the right hand side.

(3d) BLOCK-DEFINE & FOLD(T, R, Defs, OutClauses, NewDefs): From program T ∧ R
we derive program T ∧ OutClauses ∧ NewDefs as follows:
for each non-unit clause C in R

(i) we partition bd(C) into subconjunctions, called blocks, such that bd(C) =
B1 ∧ ... ∧ Bm, and two literals occur in the same subconjunction Bi, for some
i, 1 ≤ i ≤ m, iff they share a variable,

(ii) for i = 1, ..., m, we apply the definition rule and we add to NewDefs a
clause of the form Newp ← Bi, where vars(Newp) = vars(Bi) ∩ vars(hd(C)),
unless a variant clause, modulo the head predicate symbol, already occurs in
Defs, and

(iii) we fold C w.r.t. B1, and we fold the resulting clause w.r.t. B2, and so
on, until we fold w.r.t. Bm.   □

We have that:

- the BREADTH-FIRST UNFOLD substrategy fulfills the Progression requirement,

- in the TAUTOLOGY substrategy we have omitted the Laws argument because goal
replacements are not performed, and

- the BLOCK-DEFINE & FOLD substrategy fulfills the conditions (3.1), (3.2), and
(3.3) of the DEFINE & FOLD substrategy of Section 5. Indeed, Condition (3.1)
is fulfilled because each variable occurring in the body of a clause generated
by the strategy dUFS also occurs in a tree atom, and therefore each block has
at least one non-basic positive literal. Moreover, by Points (ii) and (iii) in
(3d) above, also Conditions (3.2) and (3.3) are fulfilled.

Example. [Even-Odd Paths. Continued] The proof that ∀x (bin(x) → even(x) ∨
odd(x)) holds in the perfect model of the Even-Odd program is as follows. We
have that program P is made out of clauses from 1 to 6, program P^1 (at level
1) is made out of clause 8, and program P^2 (at level 2) is made out of clause
7. We start from level 1. Initially Pos = clause 8. By breadth-first unfolding,
from clause 8 we get the following clauses:

9. g ← bin(x), bin(y), even(x), even(y), odd(x)

10. g ← bin(x), bin(y), even(x), even(y), odd(y)

By the tautology rule R5.2 we delete clause 10 (it is subsumed by clause 9).
Then we apply the BLOCK-DEFINE & FOLD substrategy by introducing the following
two definitions: 11. heo ← bin(x), even(x), odd(x) and 12. he ← bin(y), even(y)
and by folding clause 9 we get: 9.f g ← heo, he

Now Pos = clause 11 ∧ clause 12, and we have to execute once more the body of
the WHILE loop (†) of the dUFS strategy. By unfolding clauses 11 and 12 we get:

11.1 heo ← bin(x), bin(y), ¬even(x), ¬odd(x), ¬odd(y)

11.2 heo ← bin(x), bin(y), ¬even(y), ¬odd(x), ¬odd(y)

12.1 he

12.2 he ← bin(x), bin(y), ¬even(x)

12.3 he ← bin(x), bin(y), ¬even(y)

By the tautology rule R5.2 we delete clause 11.2 (it is subsumed by clause
11.1) and we also delete clauses 12.2 and 12.3 (they are subsumed by clause
12.1). Then we apply the BLOCK-DEFINE & FOLD substrategy by introducing the
following definition: 13. ho ← bin(x), ¬odd(x) and by folding clause 11.1 we
get:

11.1f heo ← g, ho

Now Pos = clause 13. By unfolding clause 13 we get:

13.1 ho        13.2 ho ← bin(x), bin(y), ¬odd(x), ¬odd(y)

By the tautology rule R5.2 we delete clause 13.2 (it is subsumed by clause
13.1). No application of the BLOCK-DEFINE & FOLD substrategy is required. Now
Pos is empty, and Out is the conjunction of the following clauses: 12.1 he and
13.1 ho, together with clauses 9.f and 11.1f. We then delete clauses 9.f and
11.1f because they are the definitions of the predicates g and heo, which are
useless in Out. The WHILE loop (††) does not change D. Since Q = Q', we have
that T is made out of the clauses of P together with the clauses 12.1 and 13.1.

We can now start processing level 2, that is, program P^2. Since Pos is the
empty conjunction, the body of the while loop (†) is never executed. Neg is
clause 7, and before the execution of the while loop (††), program T is made
out of the clauses in P together with the following clauses:

7. f ← ¬g        12.1 he        13.1 ho

After the while loop (††) and the statement (†††) we get the new program T
made out of the clauses in P and the clause 7.1 f, together with clauses 12.1
and 13.1. Now, since M(T) ⊨ f, we have that M(P) ⊨ φ. □
Obviously, the BREADTH-FIRST UNFOLD, TAUTOLOGY, and BLOCK-DEFINE & FOLD
substrategies terminate. Also the dUFS proof strategy terminates for tree-typed
formulas and MR programs, as stated by the following theorem.

Theorem 4. [Termination of the dUFS Proof Strategy for MR Programs] Let P be
an MR program and φ be a tree-typed formula over P. Then the dUFS proof
strategy with input program P ∧ F(f, φ) terminates with output program T.
Moreover, Def(f, T) is f iff M(P) ⊨ φ and Def(f, T) is the empty conjunction
iff M(P) ⊭ φ. □

Thus, dUFS is a decision procedure for M(P) ⊨ φ when P is an MR program and φ
is a tree-typed formula over P. Although very restricted, the classes of MR
programs and tree-typed formulas allow us to express some interesting
properties, such as the equivalence of finite tree automata (see, for
instance, […]), as shown in the following example.

Example. [Equivalence of Tree Automata] The tree language recognized by a
(nondeterministic top-down) finite tree automaton T = (Q, Σ, δ, q0, F)
corresponds to a subset of the perfect model of a tree program P_T (which is
also its least Herbrand model) defined as follows:

- for each state q ∈ Q we define a unary predicate p_q,

- for each symbol a ∈ Σ of arity k we define a k-ary function symbol f_a,

- for each tuple (q, a, q1, ..., qk) in the transition relation δ, where a is a
k-ary symbol with k ≥ 1, P_T has the clause:
p_q(f_a(x1, ..., xk)) ← p_q1(x1), ..., p_qk(xk),

- for each state q ∈ F ⊆ Q and 0-ary symbol b such that q is a final state for
b, P_T has the unit clause: p_q(f_b).

Then the tree language recognized by the tree automaton T with initial state
q0 is the set {t | M(P_T) ⊨ p_q0(t)}. Given another tree automaton U with
initial state r0 and represented by program P_U, we have that T and U recognize
the same language iff M(P_T ∧ P_U) ⊨ ∀x (p_q0(x) → p_r0(x)) ∧ ∀x (p_r0(x) →
p_q0(x)). Thus, the equivalence of T and U can be reduced to the verification
of a tree-typed formula over the tree program P_T ∧ P_U (recall that each tree
program is also an MR program). □
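An added example (not from the paper) that builds P_T for a top-down tree automaton exactly as described above, evaluates tree atoms in its least Herbrand model, and runs a bounded check of the equivalence formula over all trees up to a given depth; the two automata, the alphabet {a/2, b/0} and all function names are constructed for the example. Where dUFS decides the formula, the enumeration can only refute equivalence or lend confidence in it.

```python
# Added example (not from the paper): the tree program P_T of a top-down
# finite tree automaton, as constructed above, plus a bounded check of the
# equivalence formula over all trees up to a given depth.  The automata, the
# alphabet Sigma = {a/2, b/0} and the helper names are constructed here.
# A ground tree is a tuple (symbol, *subtrees); a leaf is (b,).
from itertools import product


def tree_program(transitions, finals):
    """P_T as a list of clauses (q, a, [q1, ..., qk]), read as
         p_q(f_a(x1, ..., xk)) <- p_q1(x1), ..., p_qk(xk)   (k >= 1)
         p_q(f_b)                                           (k = 0)
    transitions: tuples (q, a, q1, ..., qk) of delta; finals: pairs (q, b)
    with q a final state for the 0-ary symbol b.  Every clause is a tree
    clause, so P_T is a tree program and hence an MR program."""
    clauses = [(q, a, list(qs)) for q, a, *qs in transitions]
    return clauses + [(q, b, []) for q, b in finals]


def holds(program, q, tree):
    """M(P_T) |= p_q(tree).  P_T has no negation, so its perfect model is
    its least Herbrand model: a ground tree atom is true iff some clause
    matches the root symbol and its body atoms hold on the subtrees."""
    sym, *subs = tree
    return any(len(body) == len(subs)
               and all(holds(program, r, s) for r, s in zip(body, subs))
               for head, f, body in program if head == q and f == sym)


def trees_up_to(depth, binary="a", leaf="b"):
    """All ground trees over {binary/2, leaf/0} of depth <= depth, the
    single leaf first."""
    ts = [(leaf,)]
    for _ in range(depth):
        seen = set(ts)
        for left, right in product(ts, repeat=2):
            t = (binary, left, right)
            if t not in seen:
                seen.add(t)
                ts.append(t)
    return ts


def disagreement(prog_t, q0, prog_u, r0, depth):
    """Bounded check of
         forall x (p_q0(x) -> p_r0(x)) ^ forall x (p_r0(x) -> p_q0(x))
    over trees up to the given depth: the first tree on which the two
    automata disagree, or None if there is none within the bound."""
    for t in trees_up_to(depth):
        if holds(prog_t, q0, t) != holds(prog_u, r0, t):
            return t
    return None


# T: trees with an even number of leaves (state e: even so far, o: odd).
P_T = tree_program(
    transitions={("e", "a", "e", "e"), ("e", "a", "o", "o"),
                 ("o", "a", "e", "o"), ("o", "a", "o", "e")},
    finals={("o", "b")})

# U: the same language, written with a redundant leaf count modulo 4
# (state ci: i leaves modulo 4) and a separate initial state r0.
P_U = tree_program(
    transitions={(f"c{i}", "a", f"c{j}", f"c{k}")
                 for i in range(4) for j in range(4) for k in range(4)
                 if (j + k) % 4 == i}
                | {("r0", "a", f"c{j}", f"c{k}")
                   for j in range(4) for k in range(4) if (j + k) % 2 == 0},
    finals={("c1", "b")})
```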

We now introduce a second class of formulas, called tree-typed clausal formulas, and a second class of programs, called deterministic linear programs (or DL programs, for short) for which the unfold/fold proof strategy dUFS terminates. Thus, given a tree-typed clausal formula φ and a DL program P, we can decide whether or not M(P) ⊨ φ holds by using the proof strategy dUFS.

Definition 5. [Tree-Typed Clausal Formulas] Let P be any program and R be a tree program. A tree-typed clausal formula over a program P ∧ R is a closed first-order formula φ generated by the following grammar:

φ ::= ∀x (r(x) → φ) | δ
δ ::= p(x1, ..., xn) | ¬p(x1, ..., xn) | δ ∨ δ

where: (i) x1, ..., xn, with n ≥ 0, are distinct variables, (ii) all predicates occurring in φ are defined in P ∧ R, (iii) for each predicate p, Def*(p, P ∧ R) is a subconjunction of P, (iv) for each predicate r, Def*(r, P ∧ R) is a subconjunction of R, and (v) no predicate is defined in both P and R.

Definition 6. [Deterministic Linear Programs] A linear clause is a locally stratified clause of one of these three forms:

p(t1(x1, ..., xm), ..., tn(xu, ..., xv))
p(t1(x1, ..., xm), ..., tn(xu, ..., xv)) ← q(y1, ..., yk)
p(t1(x1, ..., xm), ..., tn(xu, ..., xv)) ← ¬q(y1, ..., yk)

with n ≥ 0, where: (i) t1, ..., tn are function symbols, (ii) x1, ..., xm, ..., xu, ..., xv are distinct variables, and (iii) y1, ..., yk are distinct variables occurring in {x1, ..., xm, ..., xu, ..., xv}. A deterministic linear program (or DL program, for short) is a conjunction of linear clauses such that no two clause heads are unifiable.



There are MR programs which are not DL programs and vice versa. 
Theorem 5. [Termination of the dUFS Proof Strategy for DL Programs] Let P be a DL program, R be a tree program, and φ be a tree-typed clausal formula over P ∧ R. Then the dUFS strategy with input program P ∧ F(f, φ) terminates with output program T. Moreover, Def(f, T) is f iff M(P) ⊨ φ and Def(f, T) is the empty conjunction iff M(P) ⊭ φ. □



Example. [Clausal wMS2S] The clausal fragment of the weak monadic second order theory of two successor functions (cwMS2S) is the set of closed formulas φ such that W ⊨ φ, where: (i) φ is a closed formula generated by the following grammar:

φ ::= ∀w (word(w) → φ) | ∀x (set(x) → φ) | δ
δ ::= member(w, x) | ¬member(w, x) | δ ∨ δ

(ii) W is the structure P_fin({0, 1}*) of finite sets of words over {0, 1}, where: (ii.1) the successor functions s0 and s1 are interpreted as s0(w) = w0 and s1(w) = w1, respectively, (ii.2) the predicates word and set hold of all words and finite sets of words, respectively, and (ii.3) member(w, x) is interpreted as membership of word w in set x.

We may define the word, set, and member predicates by means of the following Member program, which is P ∧ R, where:

P:
member(emptyword, leaf(n)) ← acceptlabel(n)
member(emptyword, t(x0, n, x1)) ← acceptlabel(n)
member(s0(w), t(x0, n, x1)) ← member(w, x0)
member(s1(w), t(x0, n, x1)) ← member(w, x1)
acceptlabel(accept)

R:
word(emptyword)
word(s0(w)) ← word(w)
word(s1(w)) ← word(w)
set(leaf(n)) ← label(n)
set(t(x0, n, x1)) ← set(x0), label(n), set(x1)
label(accept)
label(refuse)

Every finite set of words is represented as a finite tree, and (1) t (of arity 3) and leaf (of arity 1) are the tree constructors, (2) both the internal nodes and the leaf nodes are labeled by either the constant accept or the constant refuse, and they are called accept nodes or refuse nodes, respectively, and (3) left arcs are labeled by 0 and right arcs are labeled by 1. The empty word is represented by the constant emptyword. The accept paths of a tree x are the sequences of labels from an accept node to the root. A word w is a member of a set x iff w is an accept path of x. For instance, the set {0, 01} is represented by the tree t(leaf(accept), refuse, t(leaf(accept), refuse, leaf(refuse))).
We have that the structure W corresponds to the perfect model (equal to the least Herbrand model) of Member, in the sense that: W ⊨ φ iff M(Member) ⊨ φ. Since (1) P is a DL program, (2) R is a tree program, and (3) every formula φ which is generated by the grammar of Point (i) above is a tree-typed clausal formula over P ∧ R, by Theorem 5 we have that by using our dUFS proof strategy we can test whether or not M(Member) ⊨ φ holds. Thus, dUFS is a decision procedure for cwMS2S. The extension from cwMS2S to cwMSnS (with n successors, instead of 2) can be obtained by a straightforward modification of the Member program. □
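As an added illustration (not code from the paper), the Member program above can be run as plain recursion over the tree representation of a finite set of words; the Python below does so clause by clause and checks, on the paper's sample set {0, 01} and on every word up to a given length, that member(w, x) holds exactly when w is an accept path of x. The tuple encoding of trees and the string encoding of words are assumptions of this demo.

```python
# Added example (not from the paper): the Member program of the cwMS2S example
# as Python recursion.  Trees are ("leaf", label) or ("t", x0, label, x1);
# words are strings over {0, 1} with s0(w) = w + "0" and s1(w) = w + "1".
from itertools import product


def label(n):
    return n in ("accept", "refuse")          # label(accept), label(refuse)


def is_set(x):
    """The set/1 predicate of the tree program R."""
    if x[0] == "leaf":
        return label(x[1])                    # set(leaf(n)) <- label(n)
    _, x0, n, x1 = x                          # set(t(x0,n,x1)) <- set(x0), label(n), set(x1)
    return is_set(x0) and label(n) and is_set(x1)


def member(w, x):
    """The member/2 predicate of the DL program P, clause by clause.  The
    outermost successor (last letter of w) selects the branch at the root."""
    if w == "":                               # member(emptyword, _) <- acceptlabel(n)
        n = x[1] if x[0] == "leaf" else x[2]
        return n == "accept"
    if x[0] == "leaf":
        return False                          # no clause for member(s_i(w), leaf(n))
    _, x0, _, x1 = x
    if w[-1] == "0":                          # member(s0(w), t(x0,n,x1)) <- member(w, x0)
        return member(w[:-1], x0)
    return member(w[:-1], x1)                 # member(s1(w), t(x0,n,x1)) <- member(w, x1)


def accept_paths(x):
    """The intended meaning: label sequences read from an accept node up to the root."""
    root = x[1] if x[0] == "leaf" else x[2]
    paths = [""] if root == "accept" else []
    if x[0] == "t":
        paths += [p + "0" for p in accept_paths(x[1])]   # came up a left (0) arc
        paths += [p + "1" for p in accept_paths(x[3])]   # came up a right (1) arc
    return paths


def agrees(x, max_len=4):
    """member(w, x) <=> w is an accept path of x, for all words up to max_len."""
    words = ["".join(bits) for k in range(max_len + 1)
             for bits in product("01", repeat=k)]
    return all(member(w, x) == (w in accept_paths(x)) for w in words)


# The paper's sample set {0, 01}:
#   t(leaf(accept), refuse, t(leaf(accept), refuse, leaf(refuse)))
SAMPLE = ("t", ("leaf", "accept"), "refuse",
          ("t", ("leaf", "accept"), "refuse", ("leaf", "refuse")))

if __name__ == "__main__":
    print(is_set(SAMPLE), sorted(accept_paths(SAMPLE)))   # True ['0', '01']
    print(member("01", SAMPLE), member("1", SAMPLE))      # True False
```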



7 Conclusions and Related Work 



The idea of using unfold/fold transformations for proving program properties 
goes back to where it was advocated as a method for proving the equivalence 
of functional terms. The present paper extends the techniques proposed in 
for showing equivalences of definite programs w.r.t. least Herbrand models and, 
in particular, (i) we consider logic programs with locally stratified negation and 
perfect model semantics, (ii) we prove first-order formulas, and (iii) we present 
an automated strategy for performing proofs. A different extension of has 
been recently presented in where the authors prove equivalences of definite 
programs w.r.t. least Herbrand models by using a more powerful folding rule. 

Our transformational method for proving properties of the perfect model of 
a locally stratified logic program is related to other methods for theorem proving 
as we now illustrate. 

(i) The method based on the Clark completion amounts to proving that M(P) ⊨ φ by showing that comp(P) ⊢ φ, where comp(P) denotes the Clark completion of program P. Notice that for some program P and formula φ, such as the ones introduced in our Semaphore and Even-Odd Paths Examples, the relation M(P) ⊨ φ can be proved by our unfold/fold proof method and yet comp(P) ⊬ φ.

(ii) Several enhancements of the resolution method have been proposed in the literature for verifying properties of logic programs with negation w.r.t. the perfect model semantics. Among those we recall SLDNF-resolution, which is based on the negation as finite failure rule, but it is unable to deal with infinitely failed derivations and, moreover, it is not complete w.r.t. the Clark completion. We also recall SLS-resolution, which enhances the resolution method by using the negation as (finite or infinite) failure rule. In the absence of floundering, SLS-resolution is sound and complete w.r.t. the perfect model semantics. However, it is not an effective inference rule, in the sense that the set of consequences of the perfect model of a logic program is not recursively enumerable. Finally, we recall SLG-resolution, which combines resolution and tabling. SLG is an effective method and it is more powerful than SLDNF-resolution for dealing with infinitely failed derivations. SLG-resolution can be used for efficiently verifying CTL properties of finite-state transition systems. Notice that, however, our folding rule is more powerful than tabling, because it allows us to tabulate a conjunction of literals, instead of one literal only.

(iii) Brass and Dix have proposed a query evaluation algorithm for disjunctive logic programs based on transformation rules. These rules include the positive unfolding and tautology rules, and they preserve several semantics including the perfect model semantics for the class of locally stratified logic programs. However, Brass and Dix do not take into consideration the folding and goal replacement rules, which play a crucial role in our technique.

(iv) The satisfaction relation M(P) ⊨ φ may also be proved by adding to comp(P) a set of formulas, or induction schemata, that formalize an induction principle over terms of the Herbrand universe. Thus, one may use standard techniques for inductive theorem proving. The main difference between this method and our unfold/fold proof method is that the latter does not require any induction schema.

(v) The unfold/fold proof method is related to methods for proof by consistency (also called the inductionless induction method) of equational formulas by using term rewriting systems (see the cited work for a recent revisitation). This relationship is based on the ability of the unfold/fold proof method of proving inductive properties without using an explicit induction schema. However, the proofs by consistency are refutational proofs, they work by finding minimal counterexamples, and they require suitable well-founded orderings on terms, while the unfold/fold proof method does not require such term orderings.
Abstract. This paper advocates and explores the use of multi-predicate 
induction schemes for proofs about mutually recursive functions. The in- 
teractive application of multi-predicate schemes stemming from datatype 
definitions is already well-established practice; this paper describes an 
automated proof procedure based on multi-predicate schemes. Multi- 
predicate schemes may be formally derived from (mutually recursive) 
function definitions; such schemes are often helpful in proving properties 
of mutually recursive functions where the recursion pattern does not fol- 
low that of the underlying datatypes. These ideas have been implemented 
using the HOL theorem prover and the Clam proof planner. 



1 Introduction 

The abstract syntax of programming languages is usually represented formally as recursive types. For example, a type of boolean expressions might be declared in the following ML-like style:

datatype prop = var of string | not of prop | and of prop × prop | or of prop × prop

Parsing maps text in the concrete syntax of the language into elements of these 
recursive types. Early stages of compilers may map the types into other recur- 
sive types that represent a simpler internal language from which it is easier to 
generate machine instructions. Thus they are recursive functions (or procedures) 
operating over the recursive types. Code generators and interpreters will also typ- 
ically be recursive functions defined over these types. In declarative languages 
the original source programs are often recursive functions or predicates. 
Many impressive examples of machine-assisted formal reasoning about languages and programs can be found in the literature. The basis of such proofs is 
typically a structural induction theorem (scheme). For example, the scheme for 
the prop type is: 

∀P. ((∀s. P(var(s))) ∧ (∀e. P(e) ⊃ P(not(e))) ∧
     (∀e1 e2. P(e1) ∧ P(e2) ⊃ P(e1 and e2)) ∧
     (∀e1 e2. P(e1) ∧ P(e2) ⊃ P(e1 or e2))) ⊃
    ∀e. P(e).



There are, however, fundamental features for which effective automation techniques have not yet been developed. One such feature is mutual recursion. In real-world examples mutual recursion is quite common because if there are mutually dependent syntactic categories, the types representing them will be mutually recursive and hence functions defined over those types will usually be mutually recursive too. For example, Standard ML has a mutually dependent block of 7 syntactic categories involving at least 28 clauses and 4 cycles, the largest of which has 4 categories in it.

In this paper we present an approach to automating induction for mutually 
recursive functions. The essence of the approach is to use induction schemes that 
have one predicate for each of the mutually recursive functions. Such schemes 
have been applied before in interactive proofs (where the instances for all the 
predicates are provided by the user) but previous research on automating induc- 
tion has only considered schemes with a single predicate. 

An important subsidiary issue is how mutually recursive definitions and multi-predicate schemes are obtained: we demonstrate how simple manipulations allow us to reduce mutual recursion to single recursion, and how multi-predicate schemes are likewise produced from single-predicate schemes. These manipulations thus allow us to build on previous work. Our work differs from previous work on generating multi-predicate schemes (e.g. Appendix A of the cited work) in that our schemes follow the recursion pattern of the mutually recursive functions rather than the recursion pattern of the types.

Example 1. As an example of our approach consider the following functions defined by Paulson [page 167] for computing the negation normal form of prop:

nnf(var(x)) = var(x)
nnf(not(var(x))) = not(var(x))
nnf(not(not(p))) = nnf(p)
nnf(not(p and q)) = nnf(not(p)) or nnf(not(q))
nnf(not(p or q)) = nnf(not(p)) and nnf(not(q))
nnf(p and q) = nnf(p) and nnf(q)
nnf(p or q) = nnf(p) or nnf(q)

nnfpos(var(x)) = var(x)
nnfpos(not(p)) = nnfneg(p)
nnfpos(p and q) = nnfpos(p) and nnfpos(q)
nnfpos(p or q) = nnfpos(p) or nnfpos(q)

nnfneg(var(x)) = not(var(x))
nnfneg(not(p)) = nnfpos(p)
nnfneg(p and q) = nnfneg(p) or nnfneg(q)
nnfneg(p or q) = nnfneg(p) and nnfneg(q)
The definition of nnf has been modified to be more efficient than the first version given by Paulson but, as he describes, the mutually recursive functions are more efficient still. Now suppose we wish to prove the equivalence of the two versions:

∀p. nnf(p) = nnfpos(p)

Using the structural induction scheme for prop given above leads to difficulties. The first case of the induction (for var) is simple. In the case for not, however, we have nnf(p) = nnfpos(p) (where p is fixed) as a hypothesis and the formula to be proved (the conclusion) is:

nnf(not(p)) = nnfpos(not(p))

The right-hand side rewrites using the definition of nnfpos to nnfneg(p) but none of the clauses of the definition of nnf apply to the left-hand side. The solution is to do a case-split on the form of p. This works when p is a var form but there is again trouble in the not case which rewrites as follows:

nnf(not(not(p'))) = nnfneg(not(p'))
nnf(p') = nnfpos(p')

This is not matched by the hypothesis nnf(p) = nnfpos(p) because p and p' are different. In fact, p = not(p'), so the hypothesis is nnf(not(p')) = nnfpos(not(p')) which rewrites to nnf(not(p')) = nnfneg(p'). However one looks at it, the hypothesis cannot be used to prove the conclusion. The problem is that the induction has gone only one step through the mutually recursive cycle for nnfpos and nnfneg.

The solution proposed in this paper is to use an induction scheme that follows the recursion of the mutually recursive functions:

∀P Q. ((∀s. P(var(s))) ∧ (∀e. Q(e) ⊃ P(not(e))) ∧
       (∀e1 e2. P(e1) ∧ P(e2) ⊃ P(e1 and e2)) ∧
       (∀e1 e2. P(e1) ∧ P(e2) ⊃ P(e1 or e2)) ∧
       (∀s. Q(var(s))) ∧ (∀e. P(e) ⊃ Q(not(e))) ∧                (1)
       (∀e1 e2. Q(e1) ∧ Q(e2) ⊃ Q(e1 and e2)) ∧
       (∀e1 e2. Q(e1) ∧ Q(e2) ⊃ Q(e1 or e2))) ⊃
      (∀v1. P(v1)) ∧ (∀v2. Q(v2)).

Observe that the scheme has two conclusions. Only one of these is used to match against the formula to be proved. This means that initially only one of P and Q will be instantiated. The main role of our procedure is to instantiate the other predicate during the proof. The example in Section 3 shows this in action. For the example at hand, if P matches to the original conjecture, Q eventually becomes instantiated to ∀p. nnf(not(p)) = nnfneg(p). By this means, the proof works out very smoothly.

It is also possible to prove the proposition using a single-predicate induction 
scheme derived from the definition of nnf. This avoids the case-split and also 
allows the proof to go through but it is not so smooth and hence would be more 
of a challenge for an automatic prover. Of course, in examples where nnf does 
not occur, e.g., showing the result of nnfpos is in normal form, the induction 
scheme for nnf would not be available, and Q is essential. 

2 Deriving Multi-predicate Schemes from Definitions 

Our approach to deriving induction schemes requires some background information on how mutually recursive functions are defined. The definition of mutually recursive functions f1 ... fn is handled by mapping the original recursion equations to recursive equations for a single ‘union’ function U; after U is defined, the originally specified equations can be achieved by defining each fi in terms of U, and then rewriting U with these definitions. In the same spirit, our induction schemes are derived by manipulating the induction scheme for U. The validity of the derived definitions and induction scheme is assured because they are constructed by deductive steps in a sound logic. For lack of space, we have omitted a formal description of these algorithms; the interested reader can find them in the cited work.

Sums. We use a sum type to help represent U. The datatype (α, β) sum is built from the inl and inr constructors. A type (τ, σ) sum is more usually rendered as τ + σ. The usual facts about constructors hold, i.e., inl and inr are injective and distinct. We also use ‘case’ expressions over sums:

sum_case f g (inl x) = f x        sum_case f g (inr y) = g y.

Returning to our example, the union function U : prop + prop → prop for nnfpos and nnfneg is formulated as follows: the arguments to nnfpos are injected into the sum with inl, and similarly, arguments to nnfneg are injected into the sum with inr. In this example, the range of U is just prop; however, when the range types of f1 ... fn do not coincide, the range type of the union function is a sum.

U(inl(var x)) = var x
U(inl(not x)) = U(inr x)
U(inl(x and y)) = U(inl x) and U(inl y)
U(inl(x or y)) = U(inl x) or U(inl y)                            (2)
U(inr(var x)) = not(var x)
U(inr(not x)) = U(inl x)
U(inr(x and y)) = U(inr x) or U(inr y)
U(inr(x or y)) = U(inr x) and U(inr y)

The function specified by the recursion equations for U is defined by invoking the relationless definition algorithm described in the cited work¹; now the desired functions can be defined:

nnfpos(x) = U(inl x)        nnfneg(x) = U(inr x).

¹ Termination is subsequently proved automatically, but validity is not threatened if it isn't.
Finally, the definitions of nnfpos and nnfneg can be used (from right to left) to rewrite the definition of U to derive the originally specified recursion equations.
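As an added illustration for Example 1 and for the union function of equations (2) (not code from the paper), the Python below implements nnf, nnfpos, nnfneg and U over a tuple encoding of prop and of prop + prop, and checks exhaustively on all props up to a given height that the conjecture nnf(p) = nnfpos(p), the lemma nnf(not(p)) = nnfneg(p) that Q gets instantiated to, and the definitions nnfpos(x) = U(inl x), nnfneg(x) = U(inr x) all agree; the encodings are assumptions of this demo.

```python
# Added example (not from the paper): Paulson's nnf, the mutually recursive
# nnfpos/nnfneg, and the union function U over prop + prop.  Props are
# ("var", s), ("not", p), ("and", p, q), ("or", p, q); sum injections are
# ("inl", p) and ("inr", p).


def nnf(p):
    tag = p[0]
    if tag == "var":
        return p                                           # nnf(var x) = var x
    if tag == "not":
        q = p[1]
        if q[0] == "var":
            return p                                       # nnf(not(var x)) = not(var x)
        if q[0] == "not":
            return nnf(q[1])                               # nnf(not(not p)) = nnf(p)
        if q[0] == "and":
            return ("or", nnf(("not", q[1])), nnf(("not", q[2])))
        return ("and", nnf(("not", q[1])), nnf(("not", q[2])))
    return (tag, nnf(p[1]), nnf(p[2]))                     # and / or


def nnfpos(p):
    tag = p[0]
    if tag == "var":
        return p
    if tag == "not":
        return nnfneg(p[1])                                # nnfpos(not p) = nnfneg(p)
    return (tag, nnfpos(p[1]), nnfpos(p[2]))


def nnfneg(p):
    tag = p[0]
    if tag == "var":
        return ("not", p)
    if tag == "not":
        return nnfpos(p[1])                                # nnfneg(not p) = nnfpos(p)
    flipped = "or" if tag == "and" else "and"              # De Morgan
    return (flipped, nnfneg(p[1]), nnfneg(p[2]))


def U(s):
    """The union function U : prop + prop -> prop of equations (2)."""
    inj, p = s
    tag = p[0]
    if inj == "inl":
        if tag == "var":
            return p
        if tag == "not":
            return U(("inr", p[1]))
        return (tag, U(("inl", p[1])), U(("inl", p[2])))
    if tag == "var":
        return ("not", p)
    if tag == "not":
        return U(("inl", p[1]))
    return ("or" if tag == "and" else "and", U(("inr", p[1])), U(("inr", p[2])))


def props_up_to(height, atoms=("a", "b")):
    """All props of height <= height over the given atoms."""
    out = [("var", s) for s in atoms]
    if height == 0:
        return out
    sub = props_up_to(height - 1, atoms)
    out += [("not", p) for p in sub]
    out += [(c, p, q) for c in ("and", "or") for p in sub for q in sub]
    return out


def all_agree(height=2):
    """Conjecture nnf(p) = nnfpos(p), the lemma nnf(not(p)) = nnfneg(p) that
    the multi-predicate proof instantiates Q with, and the definitions via U,
    tested exhaustively on every prop up to the given height."""
    return all(nnf(p) == nnfpos(p) == U(("inl", p))
               and nnf(("not", p)) == nnfneg(p) == U(("inr", p))
               for p in props_up_to(height))


if __name__ == "__main__":
    print(all_agree(2))   # True
```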

What about induction? The following induction scheme has been automatically derived for U, by the algorithm detailed in the cited work, which uses deductive steps to manipulate the wellfounded induction theorem into the desired form:

∀P. (∀x. P(inl(var x))) ∧ (∀x. P(inr x) ⊃ P(inl(not x))) ∧                 (3)
    (∀x y. P(inl x) ∧ P(inl y) ⊃ P(inl(x and y))) ∧
    (∀x y. P(inl x) ∧ P(inl y) ⊃ P(inl(x or y))) ∧
    (∀x. P(inr(var x))) ∧ (∀x. P(inl x) ⊃ P(inr(not x))) ∧
    (∀x y. P(inr x) ∧ P(inr y) ⊃ P(inr(x and y))) ∧
    (∀x y. P(inr x) ∧ P(inr y) ⊃ P(inr(x or y)))
    ⊃ ∀x. P x.

It is easy to manipulate (3) into the desired multi-predicate scheme. The derivation starts by instantiating P : prop + prop → bool in (3) to sum_case Q1 Q2. This opens up the possibility to reduce with the definition of sum_case at each (former) occurrence of P. The result is

(∀x. Q1(var x)) ∧ (∀x. Q2 x ⊃ Q1(not x)) ∧
(∀x y. Q1 x ∧ Q1 y ⊃ Q1(x and y)) ∧
(∀x y. Q1 x ∧ Q1 y ⊃ Q1(x or y)) ∧
(∀x. Q2(var x)) ∧ (∀x. Q1 x ⊃ Q2(not x)) ∧                                (4)
(∀x y. Q2 x ∧ Q2 y ⊃ Q2(x and y)) ∧
(∀x y. Q2 x ∧ Q2 y ⊃ Q2(x or y))
⊃ ∀s. sum_case Q1 Q2 s.

Now all that is necessary is to instantiate s, once with inl v1, and once with inr v2. Simplifying again with the definition of sum_case and then performing some trivial tidying-up steps gives the desired result, in which the antecedent is that of (4) and the conclusion is (∀v1. Q1 v1) ∧ (∀v2. Q2 v2).

3 An Example Proof 

It is not possible in the space available to present a real-world example and cut- 
down versions do not display the range of features we wish to illustrate. Thus 
the example given below, concerning annotated trees, is somewhat contrived. 
The general idea of restructuring trees is, however, reminiscent of operations on 
abstract syntax trees in compilers. The types involved are: 

datatype atree = annotate of string × atree | node of utree
and utree = leaf | branch of num × utree × utree | anode of atree

The types atree and utree are of annotated trees and unannotated trees, re- 
spectively, where the constructors node and anode allow switching between the 
two. The functions used are: 
amerge(annotate(s, at)) = concat(s, at)
amerge(node(t)) = node(merge(t))

concat(s1, annotate(s2, at)) = concat(strcat(s1, s2), at)
concat(s, node(t)) = annotate(s, node(merge(t)))

merge(leaf) = leaf
merge(branch(n, t1, t2)) = branch(n, merge(t1), merge(t2))
merge(anode(at)) = anode(amerge(at))
where strcat concatenates two strings. The example illustrates a number of im- 
portant features with reasonable simplicity and brevity: 

— a recursion pattern in the functions that differs from the recursion pattern 
of the types, and hence an induction scheme that differs from the standard 
structural induction; 

— functions with different argument types; 

— functions with different result types; 

— functions that cannot be unwound to a single recursive function; 

— more than two mutually recursive functions and hence more than two induc- 
tion predicates. 

The induction scheme derived by the approach outlined in Sect. 2 is:

∀P1 P2 P3.
(∀s at. P2(s, at) ⊃ P1(annotate(s, at))) ∧ (∀t. P3(t) ⊃ P1(node(t))) ∧
(∀s1 s2 at. P2(strcat(s1, s2), at) ⊃ P2(s1, annotate(s2, at))) ∧
(∀s t. P3(t) ⊃ P2(s, node(t))) ∧
P3(leaf) ∧ (∀n t1 t2. P3(t1) ∧ P3(t2) ⊃ P3(branch(n, t1, t2))) ∧
(∀at. P1(at) ⊃ P3(anode(at))) ⊃
(∀v1 : atree. P1(v1)) ∧ (∀v2 : string × atree. P2(v2)) ∧ (∀v3 : utree. P3(v3))

Although this scheme is perfectly useful, it does not fit well with our current proof-planning technology which cannot handle the induction hypothesis P2(strcat(s1, s2), at), since it involves a function application. However, an acceptable version is simple to obtain, by instantiating P2 with λ(s, v). Q(v) and beta-reducing. This yields, with some renaming of the induction predicates,

∀P Q R. (∀s at. Q(at) ⊃ P(annotate(s, at))) ∧ (∀t. R(t) ⊃ P(node(t))) ∧
(∀s1 s2 at. Q(at) ⊃ Q(annotate(s2, at))) ∧
(∀s t. R(t) ⊃ Q(node(t))) ∧
R(leaf) ∧ (∀n t1 t2. R(t1) ∧ R(t2) ⊃ R(branch(n, t1, t2))) ∧
(∀at. P(at) ⊃ R(anode(at))) ⊃
(∀v1 : atree. P(v1)) ∧ (∀v2 : atree. Q(v2)) ∧ (∀v3 : utree. R(v3)).
The property to be proved is the idempotency of amerge:

∀at. amerge(amerge(at)) = amerge(at)

The first step is to match this goal with one of the conjuncts of the conclusion of the induction scheme. Type constraints mean it has to be either the first or second conjunct. The first is more appropriate but the second could be tried if the proof attempt using the first fails. So, the induction predicate P is instantiated to λat. amerge(amerge(at)) = amerge(at) and Q and R remain uninstantiated. Beta-reduction yields the following goal (with the v's renamed to something more meaningful for this presentation):

(∀at. amerge(amerge(at)) = amerge(at)) ∧ (∀at. Q(at)) ∧ (∀t. R(t))

A proof procedure for induction would now normally attempt to prove all the hypotheses of the instantiated induction scheme. However, since Q and R have not yet been instantiated, only the hypotheses whose consequent involves P should be attempted.

Case Q(at) ⊃ P(annotate(s, at)). The initial form of the first case of the proof is²:

Q(at) ⊢? amerge(amerge(annotate(s, at))) = amerge(annotate(s, at))

Using the definition of amerge the conclusion reduces as follows:

Q(at) ⊢? amerge(concat(s, at)) = concat(s, at)

If we were using the structural induction scheme we would be stuck at this point because the hypothesis would be P(at), i.e., amerge(amerge(at)) = amerge(at), which is no use in proving the conclusion. Using the scheme derived from the functions, however, the hypothesis is Q(at) which we can use by (second-order) matching it to the residual conclusion. This instantiates Q to:

λat. ∀s. amerge(concat(s, at)) = concat(s, at)

This λ-abstraction can be formed in a straightforward manner from the conclusion of the goal. The λ-bound variables are the arguments of Q in the hypothesis (in this case there is only one) and the other variables in the conclusion are universally quantified. Having made this instantiation, the truth of this case of the proof follows immediately by beta-reduction in the hypothesis.

Case R(t) ⊃ P(node(t)). This case proceeds in a similar way and serves to instantiate R. The initial goal is reduced using the definitions as follows:

R(t) ⊢? amerge(amerge(node(t))) = amerge(node(t))

R(t) ⊢? amerge(node(merge(t))) = node(merge(t))

R(t) ⊢? node(merge(merge(t))) = node(merge(t))

² The ⊢? symbol is used to separate the hypotheses and conclusion of the conjecture. The question mark indicates that we do not yet know that the conjecture is a theorem.
We now apply the injectivity of the node constructor to reduce the goal further:

R(t) ⊢? merge(merge(t)) = merge(t)

(Actually, the fact that node is a function is sufficient to justify this step but it is a safer step when the function in question is injective because there is then an equality between the two forms rather than just an implication.) Instantiating R to λt. merge(merge(t)) = merge(t) completes this case of the proof.

Now that both Q and R have been instantiated the remaining induction cases can be attempted. Actually, even if only Q (or only R) had been instantiated during the proofs of the cases for P, it would still be possible to proceed with the cases for Q, during which R would become instantiated. This is a property of the induction schemes generated from mutually recursive functions and is made more formal in a later section.

Case Q(at) ⊃ Q(annotate(s, at)). Having renamed the s from the scheme to avoid a conflict, the goal in this case is:

∀s. amerge(concat(s, at)) = concat(s, at)
⊢? amerge(concat(s, annotate(s', at))) = concat(s, annotate(s', at))

The conclusion rewrites using the definition of concat to:

amerge(concat(strcat(s, s'), at)) = concat(strcat(s, s'), at)

Instantiating s in the hypothesis to strcat(s, s') completes this case.

The remaining cases of the proof are straightforward using the definitions 
and the injectivity of the type constructors. 

The formula used to instantiate Q could be used in another way, namely to 
strengthen the original conjecture by adding it as another conjunct and then 
restart the proof. Indeed this could be done even if the structural induction 
scheme for the types were used. A structural induction using the strengthened 
goal is, however, more tricky, requiring an automated procedure to do such 
things as: use one of the conjuncts of the hypothesis twice and detect that the 
two conjuncts of the conclusion are identical. These things are easy for a human 
to see but are challenging for an automatic procedure to do in general. Using 
the scheme generated from the functions is considerably simpler. 
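As an added illustration of the example proof (not code from the paper), the Python below implements amerge, concat and merge over a tuple encoding of atree and utree and checks the three induction predicates of the proof, the conjecture P and the discovered instantiations Q and R, exhaustively on all small trees; the tuple encoding, the use of string concatenation for strcat, and the finite sample of strings standing in for the ∀s in Q are assumptions of this demo.

```python
# Added example (not from the paper): the annotated-tree functions of Sect. 3
# and the three induction predicates of the example proof.  atree values are
# ("annotate", s, at) or ("node", t); utree values are ("leaf",),
# ("branch", n, t1, t2) or ("anode", at).


def strcat(s1, s2):
    return s1 + s2                                     # assumed: plain concatenation


def amerge(at):
    if at[0] == "annotate":
        return concat(at[1], at[2])                    # amerge(annotate(s, at)) = concat(s, at)
    return ("node", merge(at[1]))                      # amerge(node(t)) = node(merge(t))


def concat(s, at):
    if at[0] == "annotate":                            # concat(s1, annotate(s2, at)) =
        return concat(strcat(s, at[1]), at[2])         #   concat(strcat(s1, s2), at)
    return ("annotate", s, ("node", merge(at[1])))     # concat(s, node(t)) = annotate(s, node(merge(t)))


def merge(t):
    if t[0] == "leaf":
        return t
    if t[0] == "branch":
        return ("branch", t[1], merge(t[2]), merge(t[3]))
    return ("anode", amerge(t[1]))                     # merge(anode(at)) = anode(amerge(at))


# The induction predicates: P is the conjecture, Q and R are the
# instantiations discovered while proving the cases for P.
def P(at):
    return amerge(amerge(at)) == amerge(at)


def Q(at, strings=("", "x", "yz")):
    # lambda at. forall s. amerge(concat(s, at)) = concat(s, at), with the
    # universal s approximated by a finite sample of strings.
    return all(amerge(concat(s, at)) == concat(s, at) for s in strings)


def R(t):
    return merge(merge(t)) == merge(t)


def trees_up_to(height, strings=("", "x")):
    """(atrees, utrees) of height <= height, built by mutual recursion."""
    if height == 0:
        return [], [("leaf",)]
    ats, uts = trees_up_to(height - 1, strings)
    new_ats = ([("annotate", s, a) for s in strings for a in ats]
               + [("node", u) for u in uts])
    new_uts = ([("leaf",)]
               + [("branch", 1, u1, u2) for u1 in uts for u2 in uts]
               + [("anode", a) for a in ats])
    return new_ats, new_uts


def all_cases_hold(height=3):
    """P and Q on every small atree, R on every small utree."""
    ats, uts = trees_up_to(height)
    return all(P(a) and Q(a) for a in ats) and all(R(u) for u in uts)


if __name__ == "__main__":
    print(all_cases_hold(3))   # True
```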

4 A Proof Procedure for Using Multi-predicate Schemes 

The example proof in Sect. 3 motivates a proof procedure induction_mutual for multi-predicate induction schemes. The procedure takes a scheme S, a goal term t, and a matching induction predicate Pk as arguments.
Definition 1. The scheme S has the general form:

P_{1,1}(v_{1,1}) ∧ ... ∧ P_{1,n_1}(v_{1,n_1}) ∧ C_1 ⊃ P_{1,0}(f_1[v_{1,1}, ..., v_{1,n_1}]) ∧
...
P_{m,1}(v_{m,1}) ∧ ... ∧ P_{m,n_m}(v_{m,n_m}) ∧ C_m ⊃ P_{m,0}(f_m[v_{m,1}, ..., v_{m,n_m}]) ⊃
(∀v_1. P_1(v_1)) ∧ ... ∧ (∀v_r. P_r(v_r))

with the following properties (where [x] denotes the set {1, ..., x}):

1. m ≥ 0, ∀i ∈ [m]. n_i ≥ 0, r ≥ 0.

2. The P's are induction predicates.

3. The v's are vectors of one or more variables.

4. The C's are additional conditions.

5. ∀i ∈ [m]. f_i[v_{i,1}, ..., v_{i,n_i}] denotes a vector of terms involving variables in v_{i,1}, ..., v_{i,n_i}.

6. ∀i ∈ [r]. ∃j ∈ [m]. P_i = P_{j,0}.

7. ∀i ∈ [m]. ∀j ∈ [n_i]. ∃k ∈ [m]. P_{i,j} = P_{k,0}.

8. The free variables appearing in {v_{i,1}, ..., v_{i,n_i}, C_i, f_i[v_{i,1}, ..., v_{i,n_i}]} are assumed to be universally quantified in hypothesis i.

The consequent of hypothesis i of the scheme is P_{i,0}(f_i[v_{i,1}, ..., v_{i,n_i}]) and the antecedents are {P_{i,1}(v_{i,1}), ..., P_{i,n_i}(v_{i,n_i}), C_i}. If h denotes hypothesis i then let pred(h) denote P_{i,0}.

It is not necessary for all the P_{i,j} predicates (1 ≤ i ≤ m, 0 ≤ j ≤ n_i) to appear in the conclusion of the scheme (i.e., be equal to one of the P_k (1 ≤ k ≤ r)).

Property 5 of Definition 1 says that each of the induction predicates in the conclusion must appear as the consequent of at least one of the hypotheses. Property 6 says that each of the predicates in the antecedents of the hypotheses must be the consequent of one of the hypotheses.

Definition 2. A predicate is native in the antecedents of a hypothesis if it is equal to the predicate that appears in the consequent. Otherwise it is foreign.

For the proof procedure it is useful to distinguish cases of the induction that involve foreign predicates in the antecedents. This motivates the following definition.

Definition 3. A hypothesis

P_{i,1}(v_{i,1}) ∧ ... ∧ P_{i,n_i}(v_{i,n_i}) ∧ C_i ⊃ P_{i,0}(f_i[v_{i,1}, ..., v_{i,n_i}])

of a scheme is said to be a base case if n_i = 0. Otherwise it is a step case if there is a j ∈ [n_i] such that P_{i,j} = P_{i,0}, and a cycle case if there is a j ∈ [n_i] such that P_{i,j} ≠ P_{i,0}. So, a hypothesis may be both a step case and a cycle case.

Let us now assume that P_k has been selected as the induction predicate for the goal term t and that variables {x1, ..., xk} in t have been matched up to v_k. Without loss of generality, t can be assumed to have the form ∀x1 ... xk y1 ... yu. F[x1, ..., xk, y1, ..., yu] (universal quantifiers can be commuted).

The induction_mutual procedure is shown in the figure below. The procedure is non-deterministic and may fail at various points. The intention is that it should backtrack at points of failure and try alternative execution paths (see below). The subroutine use_hypotheses assumes that the goal has been rewritten to a conjunction of formulas and tries to match hypotheses to the conjuncts. It goes beyond the procedures typically found in inductive provers in that it can instantiate predicate variables in the hypotheses during the matching process. Some remarks about the procedure:

— The x's and y's are vectors of variables.

— The function frees computes the free variables of a term.

— φ is a substitution and (pφ)β denotes the result of applying φ to p and beta-reducing (including redexes from previous calls of use_hypotheses).

— match(p, t) is true if and only if p can be made syntactically equal to t by instantiating the universal quantifiers in p.

— The subroutines base_case and step_case are as they might be in a procedure for induction using a single-predicate scheme. Specifically, base_case reduces using the definitions of the functions in the goal and performs standard logical simplifications, while step_case manipulates the induction conclusion using the definitions and lemmas to get it into a form in which (some of) the hypotheses can be used. It then uses the hypotheses and simplifies. Both subroutines are allowed to leave a residual goal. For simple examples it would suffice for these subroutines to do exhaustive rewriting with the function definitions but for more complex examples it is beneficial to use heuristic procedures such as those in Clam.

— The syntactic form ‘(base_case then use_hypotheses)(h)’ means “apply 
the base_case subroutine to h and then apply the use_hypotheses 
subroutine to any residual goals”. 

The choice points in the procedure are: 

1. The selection of an instantiated predicate; 

2. Within the base_case and step_case subroutines; 

3. The selection and ordering of the antecedents F' in use_hypotheses. 

Failure of a conjunction of antecedents (the induction hypotheses) to match the 
residual term causes backtracking which drives a search through the different 
combinations and permutations of antecedents at choice point 3. The search 
terminates if a match is found. If no combination of antecedents produces a 
match then use_hypotheses fails. This may cause backtracking at point 2 to 
yield a different residual term. If that is not successful the induction predicates 
may be processed in a different order (point 1), but this is unlikely to help the 
proof because the cases for the originally chosen predicate must be processed 
eventually. Further backtracking might cause earlier instantiations of predicates 
to be undone and a different choice to be made at point 3 for an earlier invocation 
of use_hypotheses, but undoing instantiations may be difficult to implement. 
For a discussion of the termination properties of the procedure see Q. 
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procedure induction_mutual(S, t, P_k); 

  procedure matches(p, t); 
    p_1 ∧ ... ∧ p_m := p;  t_1 ∧ ... ∧ t_m := t; 
    I := {i ∈ [m] | p_i has the form P_i(x_i)}; 
    for i ∈ I do begin y_i := frees(t_i) − x_i; A_i := λx_i. ∀y_i. t_i end; 
    φ := {A_i/P_i | i ∈ I}; 
    if ∀i ∈ [m]. match((p_i φ)↓β, t_i) then 
      begin 
        for i ∈ I do instantiate P_i to A_i; 
        return true 
      end 
    else return false 
  end procedure; 

  procedure use_hypotheses(P ⊃ t); 
    if (∃P' ⊆ P. (P' = {a_1, ..., a_u}) ∧ u > 0 ∧ matches(a_1 ∧ ... ∧ a_u, t)) 
    then return 
    else fail 
  end procedure; 

  H := the hypotheses of S; 
  instantiate P_k to λx_1 ... x_k. ∀y_1 ... y_u. F[x_1, ..., x_k, y_1, ..., y_u]; 
  while H ≠ {} do 
    begin 
      P := any pred(h) (for h ∈ H) that has been instantiated; 
      Cases := {h ∈ H | pred(h) = P}; 
      beta-reduce applications of instantiated induction predicates in Cases; 
      H := H − Cases; 
      Base := {h ∈ Cases | h is a base case}; 
      Cycle := {h ∈ Cases | h is a cycle case and not a step case}; 
      Step := {h ∈ Cases | h is a step case and not a cycle case}; 
      StepAndCycle := {h ∈ Cases | h is both a step case and a cycle case}; 
      for h ∈ Base do base_case(h); 
      for h ∈ Cycle do (base_case then use_hypotheses)(h); 
      for h ∈ Step do step_case(h); 
      for h ∈ StepAndCycle do (step_case then use_hypotheses)(h) 
    end 
end procedure 

Fig. 1. The induction procedure for multi-predicate induction schemes 
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5 Implementation and Results 

The algorithm described in Sect. O for generating induction schemes from mu- 
tually recursive function definitions has been implemented in the HOL theorem 
prover. The induction_mutual procedure of Sect. B has been implemented 
in the Clam proof planner and the resulting proof plans can be turned into 
a tactic for use in HOL via an interface between the two systems Q. Although 
it would in principle be possible to do everything in HOL, Clam, which is based 
on Prolog, has good support for the meta-variables needed for the uninstanti- 
ated induction predicates and for more complex examples offers sophisticated 
heuristics for controlling the rewriting stages. 

For the step cases of induction_mutual (using the terminology of Definition H), 
the rippling method B is used to guide the proof. Rippling takes place 
with respect to the hypotheses that correspond to the native induction predicate 
(Definition ^). For non-step cases reduction (symbolic evaluation) and simplifi- 
cation are used. Currently, the instantiation of induction predicates works for 
cases in which reduction or “rippling out” are used. Another form of rippling, 
called “rippling in” , guides the proof to a point at which a universally quantified 
variable in the hypothesis can be instantiated in a non-trivial way (cf. the third 
case of the proof in Sect.^. This form of rippling is typically required where 
one of the functions has an “accumulator” argument. 

The induction_mutual procedure was developed using a simple example 
about mutually recursive even and odd predicates plus an example involving a 
type of arbitrarily branching trees: 

datatype tree = leaf of int | node of (tree) list 

Here, the recursive type is nested under a type constructor (list). Functions 
defined over such nested recursive types are naturally mutually recursive. The 
example involves two functions, flatten_tree and fringe, that construct a list 
of the leaf nodes of a tree but in different ways. The function flatten_tree uses a 
second-order map function, while fringe has a mutually recursive counterpart, 
fringes, for dealing with the list of subtrees. The conjecture is that the two 
definitions are equivalent. 

The procedure of Fig. 1 has been used to automatically prove both of the 
development examples, the example presented in Sect. H and the other formulas 
listed in Table 1. 

The function reverse_tree reverses the order of the leaf nodes and is defined 
in a similar way to flatten_tree using map. Since reverse_tree is not mutually 
recursive, Example 4 does not involve mutually recursive functions but a multi- 
predicate scheme is still used because the tree type is nested recursive. The 
proof requires lemmas for the distributivity of map, reverse, and flatten (which 
flattens a list of lists and is used in the definition of flatten_tree) over app (which 
concatenates two lists), and the lemma $app(x, nil) = x$. In addition, Example 5 
requires the associativity of app, and Example 6 requires Example 5 as a lemma. 
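As an added illustration of the development examples (editorial Python, not the paper's HOL definitions or its Clam proofs), the nested recursive tree type, the two ways of listing its leaves, and reverse_tree are written out below, and conjectures 3 to 6 of Table 1 are checked on a few constructed trees. Running the functions on samples tests instances only; the general statement is what the induction procedure of Fig. 1 proves. The class names Leaf and Node, the helper check_conjectures and the sample trees are this example's own.

```python
# Added example: the tree type of Sect. 5 and the functions flatten_tree,
# fringe/fringes and reverse_tree in Python, with a bounded check of
# conjectures 3-6 from Table 1.  Not the paper's code.
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Leaf:            # leaf of int
    value: int


@dataclass(frozen=True)
class Node:            # node of (tree) list: the recursive type nested under list
    children: List["Tree"]


Tree = Union[Leaf, Node]


# List primitives of the paper, written recursively in constructor style:
# app concatenates, flatten flattens a list of lists, reverse reverses.
def app(xs, ys):
    return ys if not xs else [xs[0]] + app(xs[1:], ys)


def flatten(xss):
    return [] if not xss else app(xss[0], flatten(xss[1:]))


def reverse(xs):
    return [] if not xs else app(reverse(xs[1:]), [xs[0]])


def flatten_tree(t):
    """Leaf list via the second-order map over the subtree list."""
    if isinstance(t, Leaf):
        return [t.value]
    return flatten(list(map(flatten_tree, t.children)))


def fringe(t):
    """Leaf list via mutual recursion with fringes (the list counterpart)."""
    if isinstance(t, Leaf):
        return [t.value]
    return fringes(t.children)


def fringes(ts):
    return [] if not ts else app(fringe(ts[0]), fringes(ts[1:]))


def reverse_tree(t):
    """Reverses the leaf order; defined with map like flatten_tree."""
    if isinstance(t, Leaf):
        return t
    return Node(reverse(list(map(reverse_tree, t.children))))


def check_conjectures(trees):
    """Return the Table 1 numbers among 3-6 that hold on every sample tree
    (and, for conjecture 5, on every pair of sample tree lists)."""
    ok = {3, 4, 5, 6}
    for t in trees:
        if flatten_tree(t) != fringe(t):                               # conj. 3
            ok.discard(3)
        if flatten_tree(reverse_tree(t)) != reverse(flatten_tree(t)):  # conj. 4
            ok.discard(4)
        if fringe(reverse_tree(t)) != reverse(fringe(t)):              # conj. 6
            ok.discard(6)
        for u in trees:                                                # conj. 5
            xs, ys = [t, u], [u, t, u]
            if fringes(app(xs, ys)) != app(fringes(xs), fringes(ys)):
                ok.discard(5)
    return sorted(ok)


# Constructed sample trees: a leaf, an empty node, flat and nested branching.
SAMPLE_TREES = [
    Leaf(1),
    Node([]),
    Node([Leaf(1), Leaf(2)]),
    Node([Leaf(1), Node([Leaf(2), Node([]), Leaf(3)]), Node([Leaf(4)])]),
]

if __name__ == "__main__":
    print(check_conjectures(SAMPLE_TREES))   # [3, 4, 5, 6]
```

The empty node Node([]) is the case that exercises the lemma $app(x, nil) = x$ and the base case of fringes; dropping it from the samples would hide a definition that mishandles empty subtree lists.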

Our implementation is also capable of generating the induction scheme for 
the exp /exhelp example discussed in ^ and successfully plans all but one case. 
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Table 1. Theorems proved using the Clam implementation 

     Conjecture                                                        No. of lemmas 
  1  ∀n. even(n) ⊃ ¬odd(n)                                             0 
  2  ∀n. even(n) ∨ even(suc(n))                                        0 
  3  ∀t. flatten_tree(t) = fringe(t)                                   0 
  4  ∀t. flatten_tree(reverse_tree(t)) = reverse(flatten_tree(t))      4 
  5  ∀x y. fringes(app(x, y)) = app(fringes(x), fringes(y))            1 
  6  ∀t. fringe(reverse_tree(t)) = reverse(fringe(t))                  3 
  7  ∀at. amerge(amerge(at)) = amerge(at)                              0 


The case that cannot be handled involves nested recursive function calls, which 
are currently out of the scope of Clam. The proof procedure does get as far 
as synthesizing the instantiation for the second induction predicate. In fact, an 
interactive proof in HOL is very simple once this instantiation has been found, 
involving merely an application of the instantiated induction scheme, followed 
by conditional rewriting using the definitions of the functions. (Of course, such 
a freewheeling approach would be problematic as a fully automatic procedure 
because of concerns about termination of rewriting.) 



6 Related Work 



The procedure presented here for induction using multi-predicate schemes is in 
some respects similar to so-called middle-out reasoning Q. The proof of the orig- 
inal conjecture proceeds simultaneously with finding suitable instances for the 
induction predicates, with each assisting the other. The formulas used to instan- 
tiate the predicates can be seen as intermediate lemmas or as extra conjuncts 
that generalise the original conjecture. Like middle-out reasoning, the procedure 
uses meta-variables to stand for some initially unknown term structure. 

Also related is Protzen’s lazy generation of induction hypotheses. Protzen 
generates the actual induction scheme during the proof rather than instances for 
its predicate(s). This allows hypotheses to be used that would not be suggested 
by recursion analysis. His work is in a destructor-style setting and it is not 
obvious how it would transpose to the constructor-style we use. There appears 
to be an implicit assumption that only one induction predicate is required so his 
work would not immediately be applicable to functions defined over mutually 
recursive types. It is conceivable that his approach would provide a good way to 
control the rewriting prior to instantiation of our additional induction predicates. 

Kapur and Subramaniam describe a technique for automating induction over 
mutually recursive functions using cover sets Q. Their approach is to unroll the 
mutual recursion to obtain a cover set that captures the recursive dependencies. 
It is not clear from their paper how their algorithm generalises to more than two 
mutually recursive functions or that it works in general for two functions that 
are each defined in terms of both functions. Our approach can handle both of 
these situations. 
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Liu and Chang | deal with mutual recursion by generating strong induction 
schemes, i.e., ones in which the property is assumed to hold for a chain of smaller 
values rather than just the next smallest. The hypotheses for the smaller values 
are captured by defining auxiliary recursive functions which follow the recursion 
pattern of the mutually recursive functions but with predicates in place of the 
original expressions. By this means, all the necessary hypotheses for the proof 
are obtained. Liu and Chang’s paper is mainly about generating the schemes, 
saying little about how they are used in proofs. 

7 Conclusions and Future Work 

This paper makes two contributions: a procedure for automating proofs about 
mutually recursive functions and a procedure for deriving the multi-predicate 
induction schemes used by the first procedure. The latter goes beyond previous 
work on generating multi-predicate schemes from mutually recursive datatypes 
and single-predicate schemes from non-mutual functions by deriving multi-pre- 
dicate schemes from mutually recursive functions. The procedures have been im- 
plemented and tested in the Clam proof planner and the HOL theorem prover, 
respectively. The implemented proof procedure makes use of Clam's infrastruc- 
ture but it is essentially independent of the details of Clam, and hence could be 
re-used in other systems. 

The induction schemes have one predicate for each of the mutually recursive 
functions. This avoids the need for techniques such as unwinding the functions 
into a single function (which tends to cause a quadratic increase in size and is not 
always possible anyway) . One induction predicate is matched against the initial 
goal and the instantiations for the other predicates are synthesized as part of 
the proof procedure. An important point is that the induction scheme follows 
the recursion pattern of the functions rather than of the types over which they 
are defined (though these do coincide in many cases). 

An item for future work is to investigate examples where there is more than 
one occurrence of an uninstantiated predicate in the hypotheses, e.g.: 

$$\forall x\, y.\; Q(x) \wedge Q(y) \supset P(C(x, y))$$ 

In such cases, it becomes more difficult to find an instantiation. Also, if there is 
more than one recursive function involved in a conjecture it may be necessary 
to combine induction schemes as is done, for example, by Boyer and Moore Q, 
Liu and Chang Q, and by Walther Q. 
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Abstract. Humans have different problem solving strategies at their 
disposal and they can flexibly employ several strategies when solving a 
complex problem, whereas previous theorem proving and planning sys- 
tems typically employ a single strategy or a hard coded combination of 
a few strategies. We introduce multi-strategy proof planning that allows 
for combining a number of strategies and for switching flexibly between 
strategies in a proof planning process. Thereby proof planning becomes 
more robust since it does not necessarily fail if one problem solving mech- 
anism fails. Rather it can reason about preference of strategies and about 
failures. Moreover, our strategies provide a means for structuring the vast 
amount of knowledge such that the planner can cope with the otherwise 
overwhelming knowledge in mathematics. 



1 Introduction 



The choice of an appropriate problem solving strategy is a crucial human skill 
and is typically guided by some meta-level reasoning. Trained mathematicians 
use different problem solving strategies. For instance, a theorem can be solved 
by analogy to another previously solved theorem, by forward reasoning, or by 
backward reasoning. For teaching mathematics this has been described in Q. 
Schoenfeld too investigates strategies and advocates the teaching of their 
heuristic control. 

For automated theorem proving the situation is quite different currently. 
Traditional automated theorem provers (ATPs) such as Otter or Spass either 
blindly search for a proof in a rather unmanageable search space or use a search 
heuristic determined by parameter settings to traverse the search space. As a 
result, these systems cannot recognize mathematically promising search paths 
or combine several search strategies. Their performance depends on whether 
the ATP’s search heuristic is appropriate for proving the particular problem. 
Indeed, experience has shown that no one theorem prover or heuristic is best for 
any problem. 

As a reaction to these difficulties several approaches combine different prob- 
lem solving strategies: (1) different systems are combined in a way that allocates 
certain time slices to each system in a row until one of the systems solves the 
problem, (2) different instances of the same system with different parameter 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 644-^^| 2000. 
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settings are successively tried for completely solving a problem, (3) cooper- 
ation of different systems by exchanging specific intermediate results has been 
realized in Q. 

As we discuss below, these solutions are insufficient at least for the problems 
arising in proof planning. Moreover, there is another problem rarely addressed 
in automated theorem proving that we shall tackle in this paper. In ATPs the 
search space is largely determined by the axioms included into the problem 
formalization. Thus, the success of an ATP depends extremely on the problem 
formalization including the selected axioms. This is problematic in a realistic set- 
ting for proving many theorems, where all mathematical knowledge is available 
in principle. 

An alternative technique for theorem proving is proof planning. It differs 
from traditional automated theorem proving in that it considers a theorem to 
be proved as a planning problem. A partial plan is refined by introducing 
new steps or adding new constraints until the proof plan is fully instantiated 
and complete, i.e., it has no open goals anymore. A step is represented by a 
(instantiated) method such as induction, diagonalization, or estimations. 

Typically, the search space in proof planning differs from that of ATPs be- 
cause proof planning tries to solve a problem at the level of methods most of 
which are more abstract than the logical inference steps of ATPs. Even more im- 
portant for restricting the search space is the meta-level reasoning that guides 
the selection of methods. Currently, this meta-level reasoning is encoded by a list 
of control rules or by variations of the difference reduction search heuristic 
called rippling Q. 

However, when the class of theorems to be proved with the same methods 
and control rules grows, the search heuristics might prove to be inappropriate 
for new theorems. There are at least two reasons for this phenomenon. First, 
mathematics is very knowledge-intensive and all the knowledge (methods, ax- 
ioms) has to be used indeed. If all the methods are potentially available, then 
the search space becomes unmanageable. Secondly, in order to be able to prove 
nontrivial mathematical theorems, different subproblems have to be attacked in 
different ways. For instance, a certain subgoal (e.g., a tautology) may be hard 
to prove by proof planning but proved easily by an ATP. 

The above mentioned approaches to combine several ATP strategies are not 
sufficient for proof planning since they are not flexible enough: (1) They do 
not offer the possibility to switch flexibly between strategies during the planning 
process and cannot make use of explicit meta-reasoning at the level of strategies. 
(2) None of the approaches provides any means for managing and structuring 
the overwhelming amount of knowledge that realistic theorem proving is faced 
with. 

To solve the mentioned problems of proof planning we introduce multi- 
strategy proof planning that can switch flexibly between different strategies in 
the same planning process and can use knowledge in a structured way. We ex- 
tend the notion of a strategy such that different strategies can employ different 
refinement or modification algorithms and different search heuristics. The strat- 
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egy choices in our multi-strategy planning are subject to strategic control by 
meta-level reasoning. 

The paper is organized as follows. First, we briefly review previous proof 
planning in the ΩMEGA system. Then we introduce multi-strategy proof plan- 
ning and describe how it is realized in Multi, the multi-strategy planner of the 
ΩMEGA system. Finally, we provide evidence that Multi is more powerful than 
the previous proof planner of ΩMEGA and discuss examples of the limit domain 
which are provable only by Multi. 



2 Basics of Knowledge Based Proof Planning 

Proof planning considers mathematical theorems as planning problems. A plan- 
ning problem is defined by an initial partial plan (specified by the proof as- 
sumptions and the open goal given by the theorem to be proved) and a set of 
methods. A partial plan $\pi$ is a tuple $(T, \prec, CS)$, where T is a set of steps that 
are instantiated methods, $\prec$ is a partial order over T, and CS is a collection of 
constraints (the constraint store) for general and for domain-specific constraints 
such as inequality constraints and set constraints, respectively. A simple planner 
searches for a (partially instantiated) method M whose application proves a goal 
g. It introduces M into the plan. The subgoals needed for the application of M 
replace g in the planning state. The planner continues to search for methods 
applicable to a subgoal and terminates when a solution is found. 

We illustrate proof planning in the limit domain for which a typical problem 
is: ‘show that the limit of the sum of two real functions is equal to the sum of 
their limits’ whose formalization is 

$$\lim_{x \to a} f(x) = l_1 \;\wedge\; \lim_{x \to a} g(x) = l_2 \;\rightarrow\; \lim_{x \to a} (f(x) + g(x)) = l_1 + l_2.$$ 

Since the limit is defined by 

$$\lim_{x \to a} h(x) = l \;\leftrightarrow\; \forall\varepsilon(0 < \varepsilon \rightarrow \exists\delta(0 < \delta \wedge \forall x(x \neq a \wedge |x - a| < \delta \rightarrow |h(x) - l| < \varepsilon))),$$ 
we need to show that 

$$\forall\varepsilon(0 < \varepsilon \rightarrow \exists\delta(0 < \delta \wedge \forall x(x \neq a \wedge |x - a| < \delta \rightarrow |(f(x) + g(x)) - (l_1 + l_2)| < \varepsilon)))$$ 
holds under the assumptions 

$$\forall\varepsilon_1(0 < \varepsilon_1 \rightarrow \exists\delta_1(0 < \delta_1 \wedge \forall x_1(x_1 \neq a \wedge |x_1 - a| < \delta_1 \rightarrow |f(x_1) - l_1| < \varepsilon_1)))$$ 
$$\forall\varepsilon_2(0 < \varepsilon_2 \rightarrow \exists\delta_2(0 < \delta_2 \wedge \forall x_2(x_2 \neq a \wedge |x_2 - a| < \delta_2 \rightarrow |g(x_2) - l_2| < \varepsilon_2))).$$ 

Proof Planning with Multiple Strategies 647 

An epsilon-delta-proof of this problem as well as similar theorems constructs 
a real number $\delta$ (dependent on $\varepsilon$) that satisfies the inequalities in the theorem. 
Epsilon-delta-proofs require proof planning with the general methods 
QuantifierElim*, AndElim*, QuantifierIntro*, AndIntro*, =subst, and Focus 
and the domain-specific methods Solve, Solve*, and ComplexEstimate. 
QuantifierElim*, AndElim*, QuantifierIntro*, and AndIntro* iteratively 
apply certain natural deduction rules. For instance, AndIntro* closes an open 
goal $A_1 \wedge A_2 \wedge \cdots \wedge A_n$ and introduces the new subgoals $A_1, A_2, \ldots$, and $A_n$. 
AndElim* decomposes an assumption $A_1 \wedge A_2 \wedge \cdots \wedge A_n$ into assumptions $A_1$, 
$A_2, \ldots$, and $A_n$. Focus marks subformulas or terms whose position is provided 
as a parameter of the method. The method =subst reduces a goal $t[a]$ which 
contains an occurrence of a formula $a$ to the new goal $t[b]$ where the occurrence 
of $a$ is replaced by an occurrence of $b$, if there is a proved equation $a = b$. The 
Solve method satisfies inequalities between simple terms such as $a < c$ by passing 
it to a constraint solver that collects consistent constraints in a constraint 
store CS. Solve* reduces a goal $a_1 < b_1$ to a subgoal $b_2\sigma < b_1\sigma$ in case 
an assumption $a_2 < b_2$ exists and $a_1, a_2$ can be unified by the substitution $\sigma$. 
Finally, ComplexEstimate reduces inequality goals $b < e$ with a complex term $b$ 
to simpler inequality subgoals, see (J. 
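As an added worked instance (not taken from the paper) of the $\delta$ that such a proof constructs for the sum theorem above, using the standard textbook choices $\varepsilon_1 = \varepsilon_2 = \varepsilon/2$ and $\delta = \min(\delta_1, \delta_2)$:

Let $\varepsilon > 0$. Instantiating the first assumption with $\varepsilon_1 := \varepsilon/2$ and the second with $\varepsilon_2 := \varepsilon/2$ yields $\delta_1 > 0$ and $\delta_2 > 0$. Put $\delta := \min(\delta_1, \delta_2) > 0$. For any $x \neq a$ with $|x - a| < \delta$ we have $|x - a| < \delta_1$ and $|x - a| < \delta_2$, so both instantiated assumptions apply and

$$|(f(x) + g(x)) - (l_1 + l_2)| = |(f(x) - l_1) + (g(x) - l_2)| \le |f(x) - l_1| + |g(x) - l_2| < \tfrac{\varepsilon}{2} + \tfrac{\varepsilon}{2} = \varepsilon,$$

which is exactly the matrix of the goal formula. In the terms of the method descriptions above, the triangle-inequality step is a reduction of a complex inequality goal to simpler ones of the kind attributed to ComplexEstimate, and the remaining simple inequalities ($\varepsilon_1 < \varepsilon$, $\delta \le \delta_1$, and so on) are the constraints that Solve hands to the constraint store, from which the instantiation of the meta-variable standing for $\delta$ is computed at the end.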

The previous proof planner of ΩMEGA, Planner, refines a partial plan by 
applying different operations refining or modifying the partial plan until a solu- 
tion, i.e., a sequence of steps that transforms the initial state into a goal state 
and satisfies the constraints, is found. Planner has refinement and modifica- 
tion operations for backward and forward planning, for the expansion of complex 
methods, for the instantiation of meta-variables¹ and backtracking. These op- 
erations are invoked in a default order: First, backward and forward planning 
and backtracking is employed until no open goal is left. Then complex methods 
are expanded and the constraint solver is employed to compute instantiations 
for the meta- variables from the set of collected constraints. Backtracking is used 
only if a situation is reached where none of the selected methods can be applied 
to an open goal. 

When proof planning limit theorems, Planner behaves as follows: It back- 
wardly decomposes the goal formula to (in)equality subgoals (by applying meth- 
ods such as QuantifierIntro* and AndIntro*). Then simple (in)equality goals 
are closed by Solve. In order to satisfy more complex goals, forward planning 
is necessary before the backward planning can be continued. The forward plan- 
ning decomposes an assumption (by applying methods such as QuantifierElim* 
and AndElim*) in order to obtain a new assumption that can be used to further 
tackle a goal by Solve* or ComplexEstimate. When no open goal is left and 
all constraints are collected, the constraint solver computes instantiations for 
the meta-variables that are consistent with the collected constraints. Then the 
meta-variables are instantiated everywhere in the proof. 



3 Multi-strategy Proof Planning 

In the following, we introduce multi-strategy proof planning. First, an example 
(Exercise 4.1.3 in the analysis textbook Q) illustrates that and why the proof 
planning with a fixed combination of refinement and modification operations that 

¹ A meta-variable is a placeholder for a term or a formula. In the following, meta- 
variables are denoted by capital letters. 
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works for many examples is insufficient as a general technique. Then we intro- 
duce proof planning with multiple strategies and its implementation, Multi. 
In Section J we shall show how multi-strategy proof planning overcomes these 
problems. (This example is just one, see, e.g., for other examples.) 



3.1 A Motivating Example 

Exercise 4.1.3. Let $f : \mathbb{R} \to \mathbb{R}$ and let $c \in \mathbb{R}$. Show that $\lim_{x_1 \to c} f(x_1) = l$ if and 
only if $\lim_{x \to 0} f(x + c) = l$. 

Two implications have to be proof planned for solving this exercise: 

$$\lim_{x_1 \to c} f(x_1) = l \;\rightarrow\; \lim_{x \to 0} f(x + c) = l \qquad (1)$$ 

and 

$$\lim_{x \to 0} f(x + c) = l \;\rightarrow\; \lim_{x_1 \to c} f(x_1) = l \qquad (2)$$ 

Since the limit $\lim_{x \to a}$ is defined as described in the previous section we need to 
show for (1) that 

$$\forall\varepsilon(0 < \varepsilon \rightarrow \exists\delta(0 < \delta \wedge \forall x(x \neq 0 \wedge |x - 0| < \delta \rightarrow |f(x + c) - l| < \varepsilon)))$$ 
holds under the assumption 

$$\forall\varepsilon_1(0 < \varepsilon_1 \rightarrow \exists\delta_1(0 < \delta_1 \wedge \forall x_1(x_1 \neq c \wedge |x_1 - c| < \delta_1 \rightarrow |f(x_1) - l| < \varepsilon_1))).$$ 

Planner evaluates a list of control rules to determine which method to apply 
next. When planning for (1), first the complex goal formula is (backwardly) 
decomposed. This creates the new subgoals $0 < D$ and $|f(x' + c) - l| < \varepsilon$.² 
The simple goal $0 < D$ can be closed by Solve that passes the inequality to 
CS. The goal $|f(x' + c) - l| < \varepsilon$ is too complex to be sent to the constraint 
solver. An appropriate assumption that can be used to further simplify this goal 
is the subformula $|f(x_1) - l| < \varepsilon_1$ of the original assumption. This subformula 
is highlighted (‘focused’) by the method Focus and then unwrapped by forward 
planning. This unwrapping yields the new assumption $|f(X_1) - l| < E_1$ and the 
additional goal $|X_1 - c| < \delta_1$. Now $|f(x' + c) - l| < \varepsilon$ can be closed by the 
method Solve*. This yields the new goals $E_1 < \varepsilon$ and $X_1 = x' + c$ which can be 
closed by Solve. The goal $|X_1 - c| < \delta_1$ should be closed by the method Solve* 
using the assumption $|x' - 0| < D$. However, Solve* is not applicable because 
$(X_1 - c)$ and $(x' - 0)$ are not unifiable and hence proof planning is blocked. If 
we could use the information $X_1 = (x' + c)$ available in the constraint store, 
an eager instantiation of $X_1$ by $(x' + c)$ would unblock the planning because 
the goal would be instantiated to $|x' + c - c| < \delta_1$ which could be simplified 
to $|x'| < \delta_1$. For this simplified goal Solve* would be applicable (using the 
assumption $|x'| < D$ that is implied by the assumption $|x' - 0| < D$). 

² The universally quantified variables $x, \varepsilon$ in the goal are replaced by new constants 
$x', \varepsilon$, whereas the existentially quantified $\delta$ is replaced by a new meta-variable $D$. 
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Planning for (2) works similarly, except that a goal $|f(x'_1) - l| < \varepsilon_1$ arises 
which can potentially be closed by the method Solve* using the assumption 
$|f(X + c) - l| < E$. Again, Solve* is not applicable in this situation because $x'_1$ 
and $(X + c)$ are not unifiable and hence proof planning is blocked. In this case 
no helpful information is available in the constraint store. The problem is that 
the unification has a residuum $X + c = x'_1$. If we could prove this equation we 
could apply it to rewrite the goal and the proof planning would become unblocked. 

In both cases, (1) and (2), Planner fails to find a proof plan. In (1) Planner 
fails since its fixed order to plan first until no open goals are left and to instantiate 
the meta-variables afterwards excludes an instantiation of meta-variables while 
there are still open goals. In (2) Planner fails since backtracking is the only 
reaction to blocked planning as opposed to reasoning about failures and repair. 

Designing more elaborate methods that perform the (failure) reasoning im- 
plicitly does not solve this problem in general since methods should not encapsu- 
late and hide the control because then the control cannot be modified, extended, 
adapted to new situations (see ^3 for a discussion) . Moreover, methods should 
be the building blocks of a plan rather than executing several algorithms. 

3.2 Strategies 

In order to make proof planning more robust and flexible we allow combining 
the common planning algorithm with other algorithms that also refine or modify 
partial proof plans, such as case-based planning, calls of traditional ATPs, 
expansion of complex steps, and instantiation of meta-variables. In addition, the 
behavior of these algorithms can be influenced by different parameter settings. 
For instance, there are particular parameter settings for ATPs to make them 
appropriate to tackle particular problems. Similarly, a planner is equipped with 
parameters determining a list of methods and control rules to specify which 
methods and which control rules it can use. Rippling y is such an algorithm 
and constitutes a strategy together with parameters for its direction and for the 
measure of annotations. In general, we define each instantiation of an algorithm 
by parameters to be a strategy. 

Multi-strategy planning can employ different strategies during one proof pro- 
cess and can switch flexibly between strategies to tackle different subproblems 
by different strategies. In particular, 

— several strategies can cooperate for planning a proof of a theorem, 

— this cooperation can be guided by strategic meta-reasoning. 

Below, algorithms are indicated by italic font and strategies (more gener- 
ally, knowledge sources) by bold face, while methods and control rules are in 
typewriter font. 

3.3 Realization in Multi 

In Multi, strategies are implemented as data structures with three slots: (1) 
an application condition stating which kind of problems/ tasks the strategy can 
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tackle, (2) the modification or refinement algorithm which is employed by the 
strategy, and (3) the parameter setting with which the algorithm is employed. 
Among the algorithms which are employed in Multi are PPlanner for partial 
order planning, Exp for the expansion of complex methods, InstMeta for re- 
fining a partial plan by instantiating certain meta-variables in the partial plan, 
ATP which tries to close an open goal by calling a traditional ATP such as Ot- 
ter, C Planner for case-based planning and BackTrack for removing 
steps introduced by other algorithms. 

In Multi, not only an open goal is a task but other kinds of tasks can be 
created and solved by strategies too. For instance, each introduction of a meta- 
variable creates the task to instantiate this meta- variable and each introduction 
of a complex method into the plan creates the task to expand this method. 
Different tasks can be tackled by different algorithms and strategies. 

This paper describes the strategies of PPlanner and InstMeta needed to 
accomplish epsilon-delta-proofs. The parameters of PPlanner are a list of meth- 
ods, a list of control rules, and a termination condition specifying when the strat- 
egy application should terminate; a parameter of InstMeta is the function that 
determines how the instantiation is found. In particular, we need the strategies 
NormalizeGoal, UnwrapHyp, SolveLinearInequality, and =SubstApply 
which are instantiations of PPlanner and the strategy InstFromCS which is an 
instantiation of InstMeta. By NormalizeGoal, SolveLinearInequality, and 
UnwrapHyp the methods and control rules needed to find epsilon-delta-proofs 
are structured such that those methods and control rules are grouped together 
which are needed to tackle certain classes of subproblems. 

The strategy SolveLinearInequality (see Table 1) is applicable to prove in- 
equality goals. Its list of methods consists of Solve, Solve*, ComplexEstimate, 
and Focus. Its list of control rules contains stop-with-focus and eager-in- 
stantiate. SolveLinearInequality terminates when there are no further in- 
equality goals. Note that it is the chosen parameterization of PPlanner that 
makes SolveLinearInequality appropriate to tackle inequality goals as stated 
in its application condition. 



Table 1. The SolveLinearInequality strategy 

  Strategy: SolveLinearInequality 
  Appl. condition   Linear-Inequality 
  Algorithm         PPlanner 
  Parameters        Methods       Solve, Solve*, ComplexEstimate, Focus, ... 
                    C-Rules       stop-with-focus, eager-instantiate, ... 
                    Termination   No-Linear-Inequalities 




The parameters of NormalizeGoal determine that the strategy plans back- 
wardly and can decompose goals that contain logical connectives or quantifiers. 
For instance, it contains the method AndIntro* that can decompose a goal that 
is a conjunction. 
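The following is an added Python sketch, not ΩMEGA's or Multi's implementation, of the three-slot strategy records described in this section and of Multi's strategy switching, run on the planning state at which Sect. 3.1 says Planner blocks for implication (1). Every name in it (Strategy, State, pplanner, inst_meta, from_cs, multi, run) is this example's own; Solve and Solve* are cut down to the behaviour the text describes, the goals and assumptions are constructed from the description of the blocked state, and NormalizeGoal and UnwrapHyp are assumed to have run already.

```python
# Added example (not Omega/Multi code): strategies as (condition, algorithm,
# parameters) records and a Multi-style loop that switches between them.
from dataclasses import dataclass, field
from typing import Callable

# Terms are nested tuples such as ('abs', ('-', 'X1', 'c')).  Meta-variables
# are capitalised strings (the paper's convention), constants lower-case.
def is_meta(t):
    return isinstance(t, str) and t[:1].isupper()

def metas(t):
    if isinstance(t, str):
        return {t} if is_meta(t) else set()
    return set().union(*(metas(a) for a in t[1:]))

def subst(t, s):
    if isinstance(t, str):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def unify(a, b, s=None):
    """First-order unification with an occurs check; None when it fails."""
    s = dict(s or {})
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    for x, y in ((a, b), (b, a)):
        if is_meta(x) and x not in metas(y):
            s[x] = y
            return s
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def simplify(t):
    """Only the two arithmetic simplifications the text relies on."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(simplify(a) for a in t[1:])
    if t[0] == '-' and len(t) == 3:
        if t[2] == '0':                                            # x - 0 -> x
            return t[1]
        if isinstance(t[1], tuple) and t[1][0] == '+' and t[1][2] == t[2]:
            return t[1][1]                                         # (x + c) - c -> x
    return t

@dataclass
class State:
    goals: list                                   # open goals, front first
    assumptions: list
    cs: list = field(default_factory=list)        # constraint store
    plan: list = field(default_factory=list)      # (strategy name, goal) steps

# Methods of the PPlanner strategy SolveLinearInequality: each returns the
# subgoals that replace the goal, or None when the method is not applicable.
def solve(goal, st):
    op, lhs, rhs = goal
    simple = isinstance(lhs, str) and isinstance(rhs, str)
    if (op == '<' and simple) or (op == '=' and is_meta(lhs)):
        st.cs.append(goal)                        # hand the constraint to CS
        return []
    return None

def solve_star(goal, st):
    """Solve*: goal a1 < b1 with assumption a2 < b2, a1 and a2 unifiable by s,
    gives subgoal b2 s < b1 s; the bindings in s become equality goals."""
    op, lhs, rhs = goal
    if op != '<':
        return None
    for aop, alhs, arhs in st.assumptions:
        s = unify(lhs, alhs) if aop == '<' else None
        if s is not None:
            return [('<', subst(arhs, s), subst(rhs, s))] + [('=', m, t) for m, t in s.items()]
    return None

@dataclass
class Strategy:                 # the three slots: condition, algorithm, parameters
    name: str
    condition: Callable         # (goal, state) -> bool
    algorithm: Callable         # (goal, state, params) -> True if it refined the plan
    params: dict

def pplanner(goal, st, params):
    for method in params['methods']:
        subgoals = method(goal, st)
        if subgoals is not None:
            st.goals[:0] = subgoals
            return True
    return False                # blocked: no method of this strategy applies

def from_cs(goal, st):
    """A meta-variable of the goal that the constraint store already binds."""
    for op, m, t in st.cs:
        if op == '=' and m in metas(goal):
            return {m: t}
    return None

def inst_meta(goal, st, params):
    binding = params['find'](goal, st)
    if binding is None:
        return False
    st.goals.insert(0, simplify(subst(goal, binding)))   # eager instantiation
    return True

SOLVE_LINEAR_INEQUALITY = Strategy('SolveLinearInequality',
    condition=lambda g, st: g[0] in ('<', '='),
    algorithm=pplanner, params={'methods': [solve, solve_star]})
INST_FROM_CS = Strategy('InstFromCS',
    condition=lambda g, st: from_cs(g, st) is not None,
    algorithm=inst_meta, params={'find': from_cs})

def multi(st, strategies):
    """The first applicable strategy takes the next task; when none applies the
    goal stays open and planning fails, as Planner does in Sect. 3.1."""
    while st.goals:
        goal = st.goals.pop(0)
        for strat in strategies:
            if strat.condition(goal, st) and strat.algorithm(goal, st, strat.params):
                st.plan.append((strat.name, goal))
                break
        else:
            st.goals.insert(0, goal)
            return False
    return True

def blocked_state():
    """Constructed state at the block for implication (1): x', c, l, e, d1 are
    constants, X1, E1, D meta-variables; the assumption |x' - 0| < D is stored
    in the simplified form |x'| < D that the text says it implies."""
    goals = [('<', ('abs', ('-', ('f', ('+', "x'", 'c')), 'l')), 'e'),
             ('<', ('abs', ('-', 'X1', 'c')), 'd1')]
    assumptions = [('<', ('abs', ('-', ('f', 'X1'), 'l')), 'E1'),
                   simplify(('<', ('abs', ('-', "x'", '0')), 'D'))]
    return State(goals, assumptions)

def run(with_inst_from_cs):
    st = blocked_state()
    strategies = [SOLVE_LINEAR_INEQUALITY] + ([INST_FROM_CS] if with_inst_from_cs else [])
    return multi(st, strategies), st

if __name__ == "__main__":
    print(run(False)[0], run(True)[0])   # False True
```

With SolveLinearInequality alone, run(False) reproduces the block: Solve* closes $|f(x' + c) - l| < \varepsilon$ and records $E_1 < \varepsilon$ and $X_1 = x' + c$ in the store, but $|X_1 - c| < \delta_1$ unifies with neither assumption and stays open. With InstFromCS in the list, Multi switches strategy on that goal, instantiates $X_1$ from the store, simplifies the goal to $|x'| < \delta_1$, and Solve* then closes it against $|x'| < D$, leaving $D < \delta_1$ in the store.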
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The task of UnwrapHyp is to unwrap a focused, i.e., highlighted, subfor- 
mula of an assumption in order to make it available for proving a goal. The 
list of methods in the strategy UnwrapHyp determines that PPlanner plans 
forward, e.g., with the method AndElim*. The control rules determine that if Un- 
wrapHyp is called, the available methods can only be applied to an assumption 
that carries a focus and if the method application does not destroy the focused 
subformula. For instance, if the assumptions $B_1 \wedge B_2$ and $A_1 \wedge A_2 \wedge focus(A_3 \wedge A_4)$ 
are in the planning state, the method AndElim* can only be used to decompose 
the second assumption into assumptions $A_1$, $A_2$, and $A_3 \wedge A_4$ but not into $A_3$ and 
$A_4$. UnwrapHyp terminates when the focused subformula is fully unwrapped. 

The strategy =SubstApply is applicable on every goal. It introduces a (or a 
few) new equation as a goal which is closed either by applying theory-specific 
equational reasoning or by constraint solving. Then this equation is used to 
rewrite the original goal by the method =subst. =SubstApply's purpose is 
to repair failed proof attempts caused by a slightly failed unification whose 
residuum is an equation (or a few equations). 

How could we achieve the same refinement of the partial plan without using 
a strategy? If we employed the method =subst inside the strategy SolveLin- 
earInequality, then we would need a control rule that chooses, say as the last 
method, =subst. If we represented this failure reasoning by control rules inside a 
strategy, the choice of the method =subst and its parameter would require reasoning 
about the failed proof attempt before it was actually attempted. Since the eval- 
uation of the control rules is not repeated when some of the selected methods 
are not applicable, the only way to determine whether =subst should really be 
tried is to encode the failure of applying the previously tried method (because of 
a failed unification) into the application conditions of =subst. We think that this 
is not conceptually clean. Moreover, the parameter of the method =subst (the 
residuum of the unification) can be chosen only when the previously failed proof 
attempt is analyzed. This is, however, not the task of the application conditions 
of a method but (meta-)reasoning about the proof. The control and usage of 
=SubstApply are explained in the next section. 

The strategy InstFromCS instantiates meta-variables which occur in con- 
straints collected by the constraint solver. InstFromCS specifies that InstMeta 
replaces a meta-variable by a term that is computed by the constraint solver and 
that satisfies the currently collected constraints. 

Multi employs a blackboard architecture because this is an established 
means to organize the cooperation of several independent components - so-called 
knowledge sources - for solving a complex problem. The information about the 
status of the problem solving process is stated on a blackboard that can be 
accessed and changed by the knowledge sources. Multi's architecture is simi- 
lar to the BB1 blackboard system Q. The architecture of Multi is summa- 
rized in the following and described in more detail in Q. The architecture has 
two blackboards, one for the solution problem and one for the control problem. 
The solution blackboard contains the partial proof plan and a store which con- 
tains the status of the execution of strategies. The strategies are the knowledge 
sources which work on this solution blackboard. A strategy component contains 
all the strategies that can be used. The control blackboard contains job offers 
and demands. The MetaReasoner is the knowledge source working on the con- 
trol blackboard. A scheduler looks up the control blackboard, takes the highest 
ranked job offer, and executes it. 



Table 2. Cycle of Multi 

Job Offer. Strategies whose application condition is true put a job offer onto the 
control blackboard. 

Guidance. The MetaReasoner evaluates strategic control knowledge with informa- 
tion from the blackboards. It orders the set of job offers accordingly. 

Invocation. The scheduler invokes the first strategy from the list of job offers and 
deletes that strategy from the list. 

Execution. The invoked strategy refines or modifies the solution blackboard objects 
and may place demands onto the control blackboard. 



In a nutshell, Multi operates according to the outline in Table 2. A strategy 
can change the solution blackboard by refining or modifying the partial plan 
and saving information to the store. If a strategy's condition part is satisfied, the 
strategy posts its applicability information, i.e., a job offer to tackle a certain 
task, onto the control blackboard. Strategies can also post demands onto the 
control blackboard. For instance, if the currently executed strategy S can only 
continue if another strategy S' is executed first, then S is interrupted, its status is 
saved to the store, and a demand for S' is placed onto the control blackboard. 
After the execution of S' the strategy S can be reinvoked from the store. 

In order to rank the job offers the MetaReasoner evaluates strategic con- 
trol knowledge represented by strategic control rules. The meta-reasoning at the 
strategy-level can prefer a strategy or can cause a switch to another strategy 
if the current one is not appropriate. For instance, as a consequence of a failed 
proof attempt MetaReasoner should prefer a strategy that avoids the failure. 
Other instances of meta-reasoning include reasoning about demands. 

Since demands originate from interrupted and blocked strategies it makes 
sense to prefer job offers for a demand. This preference is expressed in the strate- 
gic control rule prefer-demand-satisfying. The rule prefer-demand-satis- 
fying has a higher priority than the rule delay-instantiations-from-cs that 
delays the instantiation of meta-variables. This means that if there is a demand 
for InstFromCS, then InstFromCS can be applied even when there are still 
open goals. 

Now we illustrate Multi's proof planning for epsilon-delta-proofs. First Nor- 
malizeGoal is called to decompose the goal formula backwardly. Then Solve- 
LinearInequality is called on the produced inequality subgoals. If a goal is 
not solvable with one of the present assumptions, an appropriate subformula of 
an assumption is highlighted using the method Focus. After this focus is set, 
SolveLinearInequality is interrupted. This is controlled by the control rule 
stop-with-focus which states that if a focus is set, then the current computa- 
tion should be interrupted and first the focused subformula should be unwrapped 
by UnwrapHyp. This flexible switch is performed as follows. 

— The current status of the SolveLinearInequality execution is saved in 
the store and a demand is placed onto the control blackboard to call Un- 
wrapHyp. 

— After the execution of UnwrapHyp the demand is removed from the control 
blackboard. 

— Then the interrupted execution of SolveLinearInequality can be reinvoked 
from the store. 
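The cycle of Table 2 and the stop-with-focus switch just described, as an added Python simulation. This is illustration code, not Multi's or Omega's implementation: the strategy names are taken from the text, but the goals, assumptions, the store layout and the toy application conditions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Blackboards:
    """Solution blackboard (open goals, assumptions, focus, store) and control
    blackboard (demands). `trace` records the order of strategy invocations."""
    goals: List[dict]
    assumptions: List[str]
    focus: Optional[str] = None
    store: dict = field(default_factory=dict)
    demands: List[str] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)


# --- strategies: (application condition, execution) ---------------------------

def normalize_goal_applicable(bb):
    return any(g["kind"] == "conj" for g in bb.goals)


def normalize_goal_execute(bb):
    """Backward decomposition (AndIntro*): replace a conjunction by its parts."""
    g = next(g for g in bb.goals if g["kind"] == "conj")
    bb.goals.remove(g)
    bb.goals.extend(g["parts"])
    return "done"


def solve_lin_ineq_applicable(bb):
    return any(g["kind"] == "ineq" for g in bb.goals)


def solve_lin_ineq_execute(bb):
    """Close inequality goals that match an available assumption (Solve*).
    If the needed formula is only buried inside an assumption, Focus
    highlights it and stop-with-focus interrupts the strategy: its status is
    saved to the store and a demand for UnwrapHyp is returned."""
    status = bb.store.pop("SolveLinearInequality", {"closed": 0})  # resume from store
    while solve_lin_ineq_applicable(bb):
        g = next(g for g in bb.goals if g["kind"] == "ineq")
        if g["needs"] not in bb.assumptions:
            bb.focus = g["needs"]                       # method Focus
            bb.store["SolveLinearInequality"] = status  # status saved to the store
            return ("interrupt", "UnwrapHyp")           # stop-with-focus fires
        bb.goals.remove(g)
        status["closed"] += 1
    return "done"


def unwrap_hyp_applicable(bb):
    return bb.focus is not None


def unwrap_hyp_execute(bb):
    """Forward unwrapping (AndElim*): make the focused subformula available."""
    bb.assumptions.append(bb.focus)
    bb.focus = None
    return "done"


STRATEGIES = {
    "NormalizeGoal": (normalize_goal_applicable, normalize_goal_execute),
    "SolveLinearInequality": (solve_lin_ineq_applicable, solve_lin_ineq_execute),
    "UnwrapHyp": (unwrap_hyp_applicable, unwrap_hyp_execute),
}


def job_offers(bb):
    """Job Offer: every strategy whose application condition holds."""
    return [name for name, (cond, _) in STRATEGIES.items() if cond(bb)]


def meta_reasoner(bb, offers):
    """Guidance, with the strategic control rule prefer-demand-satisfying:
    offers that satisfy a pending demand are ranked first (stable sort keeps
    the default order among the rest)."""
    return sorted(offers, key=lambda name: 0 if name in bb.demands else 1)


def run_multi(bb, max_cycles=50):
    """The cycle of Table 2: job offer, guidance, invocation, execution."""
    for _ in range(max_cycles):
        offers = job_offers(bb)
        if not offers:
            return bb
        chosen = meta_reasoner(bb, offers)[0]   # Invocation
        bb.trace.append(chosen)
        result = STRATEGIES[chosen][1](bb)      # Execution
        if chosen in bb.demands:
            bb.demands.remove(chosen)           # the demand has been satisfied
        if isinstance(result, tuple) and result[0] == "interrupt":
            bb.demands.append(result[1])        # demand placed onto control blackboard
    raise RuntimeError("cycle bound reached")


def demo():
    """Constructed problem: a conjunctive goal whose second inequality can only
    be closed after the assumption 'A1 and (|y| < d2)' has been unwrapped."""
    bb = Blackboards(
        goals=[{"kind": "conj", "parts": [
            {"kind": "ineq", "needs": "|x| < d1"},
            {"kind": "ineq", "needs": "|y| < d2"}]}],
        assumptions=["|x| < d1", "A1 and (|y| < d2)"],
    )
    return run_multi(bb)
```

Running `demo()` produces the invocation sequence NormalizeGoal, SolveLinearInequality, UnwrapHyp, SolveLinearInequality: the second invocation of SolveLinearInequality picks up the status it saved to the store before the interruption.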

4 Results and Experiences with Multi 

A comparison of Multi’s performance with traditional ATPs such as Otter 
would make little or no sense because even relatively simple limit theorems 
cannot be solved by them. A comparison with the proof planner CLAM Q is 
not a good idea either because it does not have domain-specific methods and 
cannot solve most of these problems. A comparison with Bledsoe’s work Q is 
not possible, mainly because his system was not tried with the larger variety of 
limit theorems that would include the problematic examples. The limit domain’s 
methods have been designed in a way that Planner would have at least the 
strength of Bledsoe’s system. For these reasons we compare Multi’s performance 
with Planner only. 



4.1 Experiments 

Experiments with proving many theorems on convergent sequences, convergence 
of functions, and continuity have shown that Multi performs better than Plan- 
ner. In particular, Multi can prove more problems than Planner with its 
default combination of refinement operations. Table 3 contains some typical ex- 
amples from the fourth chapter of the textbook Q that can be solved by Multi 
but not by Planner. 

Below we shall examine 4.1.3(1) and (2) in more detail. The mathematical 
content of some other examples from Table 3 is spelled out here to give an 
impression beyond the table's information. 

Theorem 4.1.8. (Sequential Criterion) Let $f : A \to \mathbb{R}$ and let $c$ be a cluster 
point of $A$; then: 

(i) $\lim_{x \to c} f = L$ if and only if 

(ii) for every sequence $(x_n)$ in $A$ that converges to $c$ such that $x_n \neq c$ for all 
$n \in \mathbb{N}$, the sequence $(f(x_n))$ converges to $L$. 

Exercise 4.1.12. Suppose the function $f : \mathbb{R} \to \mathbb{R}$ has limit $L$ at $0$, and let 
$a > 0$. If $g : \mathbb{R} \to \mathbb{R}$ is defined by $g(x) := f(ax)$ for $x \in \mathbb{R}$, show that 
$\lim_{x \to 0} g = L$. 
Table 3. Some problems provable with Multi but not with Planner. 

  Name of problem               success reason 
  exercise 4.1.3 first part     Eager Instantiation 
  exercise 4.1.3 second part    Reasoning about Failure 
  exercise 4.1.12               Eager Instantiation 
  theorem 4.1.8                 Reasoning about Failure 
  example 4.2.8.(a)             Theorem Application 
  exercise 4.2.2.(a)            Theorem Application 
  exercise 4.2.9.(a)            ATP Application 
  exercise 4.2.9.(b)            ATP Application 



Example 4.2.8.(a). (Show that) $\lim_{x \to 0} x^{\ldots} = 0$ ($x > 0$) 

Exercise 4.2.2.(a). (Show the existence of the limit) $\lim \ldots$ ($x > 0$) 

Exercise 4.2.9.(a). Let $f, g$ be defined on $A$ to $\mathbb{R}$ and let $c$ be a cluster point 
of $A$. Show that if both $\lim_{x \to c} f$ and $\lim_{x \to c} (f + g)$ exist, then $\lim_{x \to c} g$ exists. 

In Table 3 the left column names theorems, examples, and exercises from Q 
that exhibit failures in proof planning with Planner. The right column contains 
a shorthand for the reason for the success of Multi. Here, Eager Instantiation 
means the possibility to instantiate certain meta-variables eagerly; Reasoning 
about Failure means the ability to reason about failures of method applications; 
ATP Application labels problems for which some subgoals are solvable by an 
ATP strategy; Theorem Application labels problems solvable by switching to 
a strategy that applies previously proved limit theorems rather than using the 
strategies for epsilon-delta-proofs. 

Since the knowledge engineering for proof planning is pretty difficult, the 
number of theorems that have been successfully proof planned so far is growing 
only slowly. However, if not quantitatively then at least qualitatively, there is 
striking evidence for the need to reason about the choice of strategies and their 
combination in mathematics since the newly solved examples exhibit common 
features in mathematics. 

Generally speaking, the main practical results are (i) a greater robustness 
of Multi's proof planning in the sense that if one strategy does not succeed in 
planning a proof, Multi can switch to another one; (ii) the use of strategic meta- 
level reasoning allows to flexibly guide the proof planning; (iii) the integration 
of independent theorem provers. 

As a side effect of multi-strategy proof planning, a new abstraction level of 
proof plans is introduced that can be used for the presentation of proof ideas 
like, e.g., ‘we unwrap the assumption X and then prove inequalities’. Moreover, 
the refinement of a partial plan by a human user can be integrated easily within 
Multi since one of the strategies represents the user and via the interface the 
user can directly choose one of the offers from the control blackboard thereby 
overwriting the automatic meta-level reasoning. 
4.2 Explanation of Multi's Success 

In the following, Multi's success is explained and illustrated in more detail. 

Meta-reasoning at the Level of Strategies. A great deal of the power of 
proof planning stems from its strategic meta-reasoning. While control rules in 
PPlanner (and in Planner) allow to reason at the level of methods, Multi 
allows for meta-reasoning at the level of strategies. The meta-reasoning can deal, 
e.g., with avoiding proof failures, different ways to backtrack, determining in which 
situation a complex method should be expanded, or when to call case-based 
planning. 

Let's have a look at meta-reasoning about failed proof attempts. Planner 
cannot reason about failure and repair. It can only find an applicable method to 
close the goal or backtrack. Multi, however, can reason about failures. 

The idea behind it is as follows. Planning can be blocked if a unification 
required in the application condition of the method does not succeed but has a 
residuum $t_1 = t_2$. If we knew $t_1 = t_2$, or could prove it, then the equality could be 
applied eagerly and proof planning would become unblocked. The strategic control rule 
prefer-repair-unify checks whether a failure is caused by blocked unification 
and whether this unification could be enabled by additional equality constraints 
or equational reasoning. If this is the case, no backtracking is performed but 
the last strategy execution is stored and the strategy =SubstApply is called. 
It introduces the needed equality constraint as a new goal, solves it, and then 
applies the method =subst to the original goal such that the unification will 
work later on. Then the interrupted strategy execution is reinvoked. 

To illustrate, in exercise 4.1.3(2) the planning would become unblocked if we knew 
$X + c = x'_1$. Then =SubstApply introduces the equality constraint $X + c = x'_1$ 
as a new goal. The new equation $X + c = x'_1$ is used to replace the $x'_1$ in $|f(x'_1) - l|$ 
by $(X + c)$. When SolveLinearInequality is reinvoked, Solve* is applicable 
to the changed goal $|f(X + c) - l| < \epsilon$ with the assumption $|f(X + c) - l| < E$ 
since the unification is possible now. Solve closes the new goal $X + c = x'_1$ and 
passes this constraint to the constraint solver. 

Flexible Combination of Algorithms. Multi allows to switch between 
strategies during the planning process. The necessity of this feature was indicated 
for exercise 4.1.3(1), where an eager instantiation of a meta-variable had 
to be performed to unblock the proof planning. 

To allow for an eager instantiation of a meta-variable the list of control rules 
of the strategy SolveLinearInequality contains the rule eager-instantiate. 

    (control-rule eager-instantiate 
      (IF   (instantiation-determined-for-mv ?MV)) 
      (THEN (interrupt (InstFromCS ?MV)))) 

This control rule states that if the current constraint store fully determines 
the instantiation for a meta-variable, then the current strategy should be inter- 
rupted and a demand for instantiating the meta-variable should be placed onto 
the control blackboard. 

For instance, in planning exercise 4.1.3(1), Solve* closes the goal $|f(x' + c) - l| < \epsilon$ 
with the assumption $|f(X_1) - l| < E_1$. Thereby the constraint $X_1 = x' + c$ 
arises from unifying $|f(x' + c) - l|$ and $|f(X_1) - l|$ and is added to the 
constraint store. This constraint determines the instantiation of $X_1$. Therefore, 
the strategic control rule eager-instantiate fires and requests the interruption 
of SolveLinearInequality together with a demand for instantiating $X_1$. Guided 
by the strategic control rule prefer-demand-satisfying the MetaReasoner 
prefers the job offer of InstMetaCS which then instantiates $X_1$ by $(x' + c)$. 
Then the interrupted execution of SolveLinearInequality is continued and 
simplifies the instantiated goal $|x' + c - c| < \delta_1$ to $|x'| < \delta_1$ which can be closed 
with Solve*. 
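The two situations from the failure-reasoning paragraph and the eager-instantiation paragraph above, as an added Python illustration (not Multi's or Omega's code): a unification that leaves a residual equation, which the =SubstApply step repairs, and a constraint that determines a meta-variable, which is the condition under which eager-instantiate fires. Terms are nested tuples `(symbol, arg1, ...)`; a string beginning with an uppercase letter is a meta-variable, any other string an object-level constant. The sample goals and assumptions are constructed after the two parts of exercise 4.1.3 as described in the text.

```python
def is_mv(t):
    """Meta-variables are strings starting with an uppercase letter (X, X1)."""
    return isinstance(t, str) and t[:1].isupper()


def walk(t, subst):
    """Follow meta-variable bindings in the substitution."""
    while is_mv(t) and t in subst:
        t = subst[t]
    return t


def occurs(v, t, subst):
    t = walk(t, subst)
    if t == v:
        return True
    return isinstance(t, tuple) and any(occurs(v, a, subst) for a in t[1:])


def unify(s, t, subst=None, residuum=None):
    """First-order unification that does not simply fail: meta-variables are
    bound, and every disagreement between two non-meta-variable subterms is
    recorded as an equation in `residuum`. Returns (subst, residuum); the
    unification succeeded iff residuum is empty."""
    subst = {} if subst is None else subst
    residuum = [] if residuum is None else residuum
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst, residuum
    if is_mv(s) and not occurs(s, t, subst):
        subst[s] = t
        return subst, residuum
    if is_mv(t) and not occurs(t, s, subst):
        subst[t] = s
        return subst, residuum
    if (isinstance(s, tuple) and isinstance(t, tuple)
            and s[0] == t[0] and len(s) == len(t)):
        for a, b in zip(s[1:], t[1:]):
            unify(a, b, subst, residuum)
        return subst, residuum
    residuum.append((s, t))        # the residual equation, e.g. x1' = X + c
    return subst, residuum


def has_mv(t):
    return is_mv(t) or (isinstance(t, tuple) and any(has_mv(a) for a in t[1:]))


def instantiation_determined_for_mv(mv, constraints):
    """IF-part of eager-instantiate: the constraint store fixes `mv` to a term
    without meta-variables. Returns that term, or None."""
    for lhs, rhs in constraints:
        if lhs == mv and not has_mv(rhs):
            return rhs
    return None


def rewrite(t, old, new):
    """The method =subst: replace every occurrence of `old` in t by `new`."""
    if t == old:
        return new
    if isinstance(t, tuple):
        return (t[0],) + tuple(rewrite(a, old, new) for a in t[1:])
    return t


def solve_star(goal, assumption):
    """Solve*: the goal is closed by the assumption if the two unify.
    Returns ('solved', constraints) or ('blocked', residuum), the latter
    being what prefer-repair-unify looks for."""
    subst, residuum = unify(goal, assumption)
    if residuum:
        return "blocked", residuum
    return "solved", sorted(subst.items())


def subst_apply(goal, residuum):
    """=SubstApply: each residual equation s = t becomes a new goal (handed
    to the constraint solver here) and is used to rewrite the original goal
    so that the unification succeeds afterwards."""
    for s, t in residuum:
        goal = rewrite(goal, s, t)
    return goal


# constructed after exercise 4.1.3(1): goal |f(x' + c) - l|, assumption |f(X1) - l|
GOAL_1 = ("abs", ("-", ("f", ("+", "x'", "c")), "l"))
ASSUMPTION_1 = ("abs", ("-", ("f", "X1"), "l"))
# constructed after exercise 4.1.3(2): goal |f(x1') - l|, assumption |f(X + c) - l|
GOAL_2 = ("abs", ("-", ("f", "x1'"), "l"))
ASSUMPTION_2 = ("abs", ("-", ("f", ("+", "X", "c")), "l"))
```

For the first pair, `solve_star` succeeds and leaves the constraint $X_1 = x' + c$, which `instantiation_determined_for_mv` recognises as fully determining $X_1$. For the second pair, unification is blocked with the residuum $x'_1 = X + c$; after `subst_apply` has rewritten the goal, the same assumption closes it.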

Structuring Knowledge. Since the parameters of PPlanner allow to config- 
ure strategies, different behaviors can be simulated that correspond to proving 
in different theory contexts, e.g., proving in a particular chapter of a book. In 
this way, the natural structure of mathematical books can be used. Imagine, 
e.g., a problem in which the limit of a composite function has to be found. This 
problem could be solved by speculating a limit and proving it by an epsilon-delta- 
proof which requires to expand the definition of the limit. Knowing the basic 
limit theorems, this problem could also be solved by decomposing the function 
and applying the limit theorems to the non-decomposable functions. The sec- 
ond proof will be shorter and more abstract than the first one but it relies on 
other theorems. The decision which collection of methods to choose from may 
largely depend on the context in which a problem should be solved. The context 
determines the resources that can be used, e.g., the prior knowledge of theorems. 

Currently, some of the examples and exercises from the textbook are provable only 
with the second kind of proof, e.g., example 4.2.8.(a) or exercise 4.2.2.(a). The 
reason is that their epsilon-delta-proofs would require estimations of non- 
polynomial functions like square root or sine which require more theory-specific 
knowledge in addition to the commonly successful estimation methods. After 
reducing the goal (e.g., $\lim_{x \to 0} \sin(x) + 1 = 1$) by the strategy applying general 
limit theorems to three subgoals $\lim_{x \to 0} \sin(x) = X_1$, $\lim_{x \to 0} 1 = X_2$, and $X_1 + X_2 = 1$, 
the subgoals can be tackled by general or theory-specific estimations (such as 
$\sin(x) < 1$, or $\lim_{x \to 0} \sin(x) = 0$). 

Integrating ATP Systems. When the strategies performing epsilon-delta- 
proofs fail, other strategies are available in Multi, e.g., strategies with an ATP 
as algorithm. A multi-strategy proof planner can employ a traditional ATP to 
solve problems that are simple enough such that the ATP can find a complete 
proof. Then this prover is a refinement algorithm that does not produce new 
subgoals. 

In Multi, a strategy calling Otter with parameters is employed. These 
parameters are ATP-specific and control the search of the ATP. For certain 
classes of problems it is known which parameter setting is appropriate to find 
a proof. The application condition of the strategy checks whether a problem 
belongs to one of these classes. If not, then the ATP strategy is called with a 
default setting. 

For instance, certain subproofs of the exercises 4.2.9.(a) and 4.2.9.(b) are 
solvable by Otter but not with the epsilon-delta-proof strategy. Despite the 
general observation that ATPs cannot solve most limit theorems, they can prove 
certain subproblems. The reason for the success on the subproblems of 4.2.9.(a) 
and (b) is Otter's strength in low-level inferences. 

5 Conclusion and Related Work 

We have presented multi-strategy proof planning that combines several strategies 
and thereby leverages the strength of different problem solving strategies. Note 
that our definition of a strategy extends the common notion of a strategy that 
determines how to traverse a search space. 

Proof planning with multiple strategies integrates several refinement and 
modification mechanisms and search strategies in a flexible way. Such an ap- 
proach is necessary in proof planning because 

1. more often than not, a mathematical problem cannot be solved by a single 
strategy 

2. a fixed control of the functionalities of a proof planner may be too rigid 

3. in a realistic mathematical scenario, a vast amount of existing mathematical 
knowledge is available in principle which requires means that help structuring 
the knowledge. 

The power of our multi-strategy proof planning stems from the collabora- 
tion of different strategies, its guidance by strategic meta-reasoning, and from 
the design of strategies that include different problem solving algorithms and a 
parameterization that may reflect mathematical knowledge structure. In partic- 
ular, the reasoning about failed problem solving attempts is a precious source of 
guidance — at least in mathematics. Therefore, an important result is the dis- 
covery of a pattern of meta-reasoning about a class of failed proof attempts in 
mathematics. In addition to being more powerful, multi-strategy proof planning 
provides an appropriate framework for integrating user interaction and stand- 
alone ATPs into proof planning. 

We implemented multi-strategy proof planning in a system, Multi, which is 
a component of the proof assistant Ωmega Q. The design of Multi decouples 
the plan refinement and modification from the search control. This has been 
useful in AI planning, as discussed, e.g., in Q. 

We have compared the performance of Multi with the previous proof plan- 
ner of Ωmega. First experiments have shown a better performance of the multi- 
strategy proof planner Multi in a realistic mathematical domain as compared 
with the otherwise similar proof planner. Now there are two levels where deci- 
sions are made, the strategic and the method level. This structures and changes 
the search spaces. As opposed to our approach, an encoding of more control into 
single methods would hide the control and its structure and thus open the door 
to more arbitrarily designed methods. Therefore, the separation of methods from 
(most of) the control is a good idea because of extensibility and modifiability. 



Related and Future Work. Another contribution to greater robustness and 
certain 'strategic' guidance has been the failure reasoning by critics. With the 
introduction of critics Ireland and Bundy also separate the proof methods from 
a particular and common kind of meta-reasoning, failure reasoning. These critics 
typically suggest repairs in order to continue with rippling. While critics are a 
beautiful first step towards more flexibility, multi-strategy planning extends and 
generalizes the failure reasoning of critics to general meta-reasoning about several 
other strategies and introduces the blackboard mechanism for communication. 

For planning in complex domains that differ considerably from the proof 
planning domains, Wilkins and Myers describe a multi-agent planning ar- 
chitecture (MPA) that integrates a meta-reasoning component (meta-planning 
cell) and various stand-alone problem solving components for the same reasons 
explained above. Q propose a multi-agent architecture to combine ATPs and 
proof planning. They propose to develop and employ a resource management 
that will evaluate single agents as well as the society of agents. The goal of this 
project is to model human proof search behavior as a mixture of the activities 
of several agents. 

We demonstrated how proof planning benefits from the flexibility and struc- 
ture of multi-strategy proof planning. The strategy level introduces new choice 
points and changes the potential search space, e.g., by structuring the knowledge. 
With a large number of problems we shall test the influence of the new structure 
of the search spaces and of the additional evaluation of control knowledge on the 
overall performance. 
Abstract. The Recursive Path Ordering (rpo) is a syntactic ordering 
on terms that has been widely used for proving termination of term- 
rewriting systems. How to combine term-rewriting with ordered 
resolution and paramodulation is now well-understood and it has been 
successfully applied in many theorem-proving systems. In this 
setting an ordering such as rpo is used both to orient rewrite rules and to 
select maximal literals to perform inferences on. In order to further prune 
the search space the ordering requirements on conditional inferences are 
better handled when they are treated as constraints. Typically 
a non-orientable equation $s = t$ will be split as two constrained rewrite 
rules: $s \to t \mid s > t$ and $t \to s \mid t > s$. Such constrained rules are 
useless when the constraint is unsatisfiable. Therefore it is important 
for the efficiency of automated reasoning systems to investigate decision 
procedures for the theory of terms with ordering predicates. 

Other types of constraints can be introduced too, such as disunification 
constraints Q. It is often the case that they can be expressed with or- 
dering constraints (although this might be inefficient). 

We prove that the first-order theory of the recursive path ordering is 
decidable in the case of unary signatures with total precedence. This 
solves a problem that was mentioned as open in the literature. The result has to 
be contrasted with the undecidability results of the lexicographic path 
ordering Q for the case of symbols with arity $\geq 2$ and total precedence 
and for the case of unary signatures with partial precedence. We recall 
that the lexicographic path ordering (lpo), the recursive path ordering 
and many other orderings coincide in the unary case. 

Among the positive results it is known that the existential theory of total 
lpo is decidable. The same result holds for the case of total rpo. 

The proof technique we use for our decidability result might be interest- 
ing by itself. It relies on an encoding of words as trees and then on building 
a tree automaton to recognize the rpo relation. 

Keywords: Recursive path ordering, first-order theory, ground re- 
ducibility, tree automata, ordered rewriting. 
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1 The Recursive Path Ordering on Words 

We assume that $A$ is a finite alphabet, $A^*$ the set of words on $A$ and $\varepsilon$ is the 
empty word. We shall often identify a letter with the corresponding word of 
length one. There is a correspondence between words and terms on a unary 
alphabet: every letter can be considered as a unary function and every word 
$a_1 a_2 \ldots a_n$ can be considered as a term $a_1(a_2(\ldots a_n(x) \ldots))$ where $x$ is an 
element of the set of variables $X$. 

The Recursive Path Ordering (rpo) originally introduced by Dershowitz Q 
is defined as follows on words: 

Given a finite total precedence $\succ$ on $A$, $s \succ^A_{rpo} t$ if and only if one of the following holds: 

1. $s \neq \varepsilon$ and $t = \varepsilon$ 

2. $s = as'$ and $t = bt'$ and either 

(a) $a \succ b$ and $s \succ^A_{rpo} t'$ or 

(b) $a = b$ and $s' \succ^A_{rpo} t'$ or 

(c) $b \succ a$ and $s' \succeq^A_{rpo} t$ 

where $s' \succeq^A_{rpo} t$ is an abbreviation for $s' \succ^A_{rpo} t$ or $s' = t$. 

The following properties of rpo are well-known and their proofs can be found 
in the literature (e.g. Q). We omit the superscript $A$ when it is clear from 
context. 

Proposition 1. The relation $\succ_{rpo}$ is antireflexive, transitive, monotonic (i.e. 
$aw \succ_{rpo} aw'$ if $w \succ_{rpo} w'$), total, well-founded and has the subterm property 
(i.e. $w \succ_{rpo} w'$ when $w'$ is a proper subterm of $w$). 

When the precedence is not total, all properties but totality of $\succ_{rpo}$ remain 
valid. 

We now give a few properties that will be useful in the sequel. 

Lemma 1. If $s \succ_{rpo} t$ then for all $w \in A^*$, $ws \succ_{rpo} wt$. 

Proof: by induction on the length of $w$ and by the monotonicity property. □ 

Lemma 2. If $a \in A$ and $w \succ_{rpo} w'$ then for all $w'' \in A^*$ such that $a \succ_{rpo} w''$, 
we have $aw \succ_{rpo} w'' a w'$. 

Proof: by induction on the length of $w''$. If $w''$ is empty it is obvious. If $w'' = bu$ 
where $b \in A$, then by definition of rpo we must have $a \succ b$ and $a \succ_{rpo} u$. Since 
$u$ is shorter than $w''$, by induction hypothesis we have $aw \succ_{rpo} u a w'$. By the 
definition of rpo, we also have $aw \succ_{rpo} b u a w'$ and the result follows. □ 

The next lemma shows that when words $s, t$ have the same number of maximal 
symbols $a$ then the comparison can be done by considering only the rightmost 
(innermost) occurrence of $a$ whose arguments are different in $s$ and $t$. 

Lemma 3. Let $w_1, w_2, \ldots, w_k$ and $u_1, u_2, \ldots, u_k$ be two sequences of words such 
that each letter in each word is strictly smaller than $a \in A$. If $w \succ_{rpo} w'$ then 
we have: 

$a w_1 a w_2 \cdots a w_k a w \succ_{rpo} a u_1 a u_2 \cdots a u_k a w'$ 

Proof: By induction hypothesis we can assume that: 

$a w_2 \cdots a w_k a w \succ_{rpo} a u_2 \cdots a u_k a w'$ 

by the previous lemma we have: 

$a w_2 \cdots a w_k a w \succ_{rpo} u_1 a u_2 \cdots a u_k a w'$ 

by the subterm property and transitivity we have: 

$w_1 a w_2 \cdots a w_k a w \succ_{rpo} u_1 a u_2 \cdots a u_k a w'$ 

The result follows by monotonicity. □ 

We denote by $max(w, A)$ the maximal letter of $A$ that occurs in word $w$ and 
by $mul(w, A)$ the number of occurrences of this letter in $w$. As a consequence of 
the previous lemmas we get: 

Lemma 4. $w \succ_{rpo} w'$ iff one of the following holds: 

1. $max(w, A) \succ max(w', A)$ 

2. $max(w, A) = max(w', A)$ and $mul(w, A) > mul(w', A)$ 

3. $a = max(w, A) = max(w', A)$, $mul(w, A) = mul(w', A)$, $w = 
w_0 a w_1 a w_2 \cdots a w_k$, $w' = u_0 a u_1 a u_2 \cdots a u_k$ and there exists $0 \le i \le k$ such 
that $w_i \succ_{rpo} u_i$ and for all $j > i$ we have $w_j = u_j$. 
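The definition of rpo on words and the characterization of Lemma 4, as an added Python example (not code from the paper): `rpo_gt` follows the three cases of the definition, `lemma4_gt` decides the same relation through the max/mul decomposition, and the two are cross-checked exhaustively on all short words, together with the order properties of Proposition 1. The precedence is passed as a list of letters from largest to smallest; the alphabet $\{a, b, c\}$ with $a \succ b \succ c$ is a constructed choice.

```python
from itertools import product

PREC = ["a", "b", "c"]          # constructed precedence a > b > c (largest first)


def rpo_gt(s, t, prec=PREC):
    """s >_rpo t on words, by the three cases of the definition.
    Every recursive call shrinks |s| + |t|, so the recursion terminates."""
    if t == "":
        return s != ""                                   # case 1
    if s == "":
        return False
    a, s1 = s[0], s[1:]
    b, t1 = t[0], t[1:]
    if prec.index(a) < prec.index(b):                    # a > b: case 2(a)
        return rpo_gt(s, t1, prec)
    if a == b:                                           # case 2(b)
        return rpo_gt(s1, t1, prec)
    return s1 == t or rpo_gt(s1, t, prec)                # b > a: case 2(c), s' >= t


def max_letter(w, prec=PREC):
    """max(w, A): the largest letter occurring in the non-empty word w."""
    return min(w, key=prec.index)


def lemma4_gt(w, wp, prec=PREC):
    """w >_rpo w' decided by the three cases of Lemma 4."""
    if wp == "":
        return w != ""
    if w == "":
        return False
    a, b = max_letter(w, prec), max_letter(wp, prec)
    if a != b:
        return prec.index(a) < prec.index(b)             # case 1
    if w.count(a) != wp.count(a):
        return w.count(a) > wp.count(a)                  # case 2
    # case 3: w = w0 a w1 ... a wk and w' = u0 a u1 ... a uk with the same k;
    # the rightmost pair of differing blocks decides, all later blocks being equal
    for wi, ui in zip(reversed(w.split(a)), reversed(wp.split(a))):
        if wi != ui:
            return rpo_gt(wi, ui, prec)
    return False                                         # w = w'


def all_words(max_len, prec=PREC):
    for n in range(max_len + 1):
        for letters in product(prec, repeat=n):
            yield "".join(letters)


def lemma4_agrees(max_len=4, prec=PREC):
    """Lemma 4 and the definition agree on every pair of words up to max_len."""
    words = list(all_words(max_len, prec))
    return all(rpo_gt(w, v, prec) == lemma4_gt(w, v, prec)
               for w in words for v in words)


def is_strict_total_order(max_len=3, prec=PREC):
    """Proposition 1 on short words: antireflexive, total and transitive."""
    words = list(all_words(max_len, prec))
    if any(rpo_gt(w, w, prec) for w in words):
        return False
    if any(rpo_gt(w, v, prec) == rpo_gt(v, w, prec)
           for w in words for v in words if w != v):
        return False
    return all(not (rpo_gt(u, v, prec) and rpo_gt(v, w, prec)) or rpo_gt(u, w, prec)
               for u in words for v in words for w in words)
```

`lemma4_agrees(4)` compares the two decision procedures on all 121 words of length at most 4 over the three letters; the comparison $a^N b^m \succ b^N a^m$ used in the word-automaton argument that follows Lemma 4 is an instance of case 2 (more occurrences of the maximal letter).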

A first idea would be to try to use word automata in order to recognize the 
relation $\succ_{rpo}$. However this is not possible. Consider $A = \{a, b\}$ with $a \succ b$. We 
introduce the product alphabet $A^2 = \{(u, v) \mid u, v \in A \cup \{\bot\}\}$, where $\bot$ is a new 
symbol. Classically we can associate to every couple of words $U = u_1.u_2 \cdots u_m \in 
A^*$ and $V = v_1.v_2 \cdots v_n \in A^*$ a word $U \otimes V = (u_1, v_1), (u_2, v_2), \ldots$ on $A^2$ by 
completing the shortest word (if any) by some $\bot$'s in order to get two words of 
the same length. Assume that the relation $R = \{U \otimes V \mid U, V \in A^* \text{ and } U \succ V\}$ is 
recognizable on $A^2$ by an automaton $\mathcal{A}$ with $N$ states. Then $\ldots$ 
belongs to $R$. By a pigeon-hole argument the automaton will enter twice the 
same state when reading the second half of the word. Then by pumping between 
the corresponding positions, $\mathcal{A}$ should accept also $b^N a^m \otimes a^N b^m$, with $m < N$. 
Since $a^N b^m \succ b^N a^m$, this raises a contradiction. 

2 Coding Words as Trees 

We shall now define a tree representation of words so that comparison of 
words can be performed by an automaton. Our goal is to represent a word 
$w = w_1 a w_2 \cdots a w_k a w_{k+1}$ by a binary tree $a(t_{k+1}, a(t_k, \ldots, a(t_1, \varepsilon) \ldots))$ where 
$t_i$ represents $w_i$ and $a \in A$ is maximal in $w$ w.r.t. $\succ$. First we introduce a new 
signature $F$ that contains a binary symbol for each element of the alphabet $A$. 
The binary symbol associated with $a \in A$ will be denoted also $a$, by abuse of 
notation. We shall introduce also a constant symbol $\varepsilon_a$ for each $a \in A$. We shall 
denote by $a'$ the successor of $a$ with respect to the total precedence of $A$. 
We denote by $o$ (resp. $m$) the minimal (resp. maximal) element of $A$. 

The translation function $\tau$ from $A^*$ to $T(F)$ is defined using auxiliary func- 
tions $\tau_a$, $a \in A$: 

$\tau_{a'}(w_1 a' w_2) = a'(\tau_a(w_2), \tau_{a'}(w_1))$ when $a' \notin w_2$ 

$\tau_{a'}(w) = a'(\tau_a(w), \varepsilon_{a'})$ when $a' \notin w$ 

$\tau_o(w.o) = o(\varepsilon_o, \tau_o(w))$ 

$\tau_o(\varepsilon) = o(\varepsilon_o, \varepsilon_o)$ 

Now we define $\tau(w) = \tau_m(w)$. 

Example 1. Assume $A = \{a, b, c\}$ with $a \succ b \succ c$. Then $\tau(\varepsilon) = 
a(b(c(\varepsilon_c, \varepsilon_c), \varepsilon_b), \varepsilon_a)$. 

Example 2. Assume $A = \{a, b, c\}$ with $a \succ b \succ c$. Then $\tau(caacb) = 
a(b(c(\varepsilon_c, \varepsilon_c), b(c(\varepsilon_c, c(\varepsilon_c, \varepsilon_c)), \varepsilon_b)), a(b(c(\varepsilon_c, \varepsilon_c), \varepsilon_b), a(b(c(\varepsilon_c, c(\varepsilon_c, \varepsilon_c)), \varepsilon_b), \varepsilon_a)))$ 




Note that $\tau$ is a real encoding. In other terms, two different words are never 
coded as the same tree. 

Lemma 5. The function $\tau$ is injective. 

Proof: Let $I_a = \{c \mid c \preceq a\}$. We prove by induction on $a$ that $\tau_a$ is injective on $I_a^*$. 
Since $I_m = A$ this will imply the result. If $a = o$ then $\tau_o(o^j) = \tau_o(o^k)$ clearly en- 
tails $j = k$. Now we assume by induction hypothesis that $\tau_a$ is injective. Consider 
two words $w_1, w_2 \in I_{a'}^*$ such that $\tau_{a'}(w_1) = \tau_{a'}(w_2)$. If neither of $w_1, w_2$ con- 
tains $a'$ we have $a'(\tau_a(w_1), \varepsilon_{a'}) = a'(\tau_a(w_2), \varepsilon_{a'})$ and therefore $\tau_a(w_1) = \tau_a(w_2)$ 
which implies $w_1 = w_2$ by the induction hypothesis. The case when $w_1 = u_1 a' v_1$ 
(for some words $u_1 \in I_{a'}^*$, $v_1 \in I_a^*$) and $a'$ does not occur in $w_2$ is impossi- 
ble since $\tau_{a'}(w_1)$ would contain in that case more $a'$ than $\tau_{a'}(w_2)$. Now assume 
that $w_1 = u_1 a' v_1$ and $w_2 = u_2 a' v_2$ with $u_1, u_2 \in I_{a'}^*$, $v_1, v_2 \in I_a^*$. We prove by 
induction on the sum of the lengths of $w_1$ and $w_2$ that $\tau_{a'}(w_1) = \tau_{a'}(w_2)$ im- 
plies $w_1 = w_2$. The base case is trivial. $a'(\tau_a(v_1), \tau_{a'}(u_1)) = a'(\tau_a(v_2), \tau_{a'}(u_2))$ 
implies by decomposition $\tau_a(v_1) = \tau_a(v_2)$ and $\tau_{a'}(u_1) = \tau_{a'}(u_2)$. From the 
induction hypothesis we have $v_1 = v_2$, $u_1 = u_2$ and therefore $w_1 = w_2$. □ 

A finite tree automaton over a signature $F$ is a tuple $\mathcal{A} = (Q, Q_f, \Delta)$ where 
$Q$ is a finite set of states, $Q_f \subseteq Q$ is a subset of accepting states and $\Delta$ is a set 
of transition rules of type: 

$f(q_1, \ldots, q_n) \to q$ 

where $n \ge 0$, $f$ is a symbol of $F$ of arity $n$ and $q, q_1, \ldots, q_n \in Q$. We consider here 
bottom-up tree automata: they are applied to ground terms inductively from the 
leaves to the root. A ground term $t$ is accepted by $\mathcal{A}$ if $t \to^* q$ for some state 
$q \in Q_f$. 

For more details about tree automata a recent reference is Q. 

Lemma 6. The set of trees {τ(w) | w ∈ A*} is recognizable by a tree automaton 
C. 

Proof: The following automaton does the work. Let Q = {q_a | a ∈ A} ∪ {q_{ε_o}}, 
Q_f = {q_m} where m is the maximal element in the precedence. The transitions 
are, for all a ∈ A: 

ε_a → q_a   (a ≠ o) 
ε_o → q_{ε_o} 
o(q_{ε_o}, q_{ε_o}) → q_o 
o(q_{ε_o}, q_o) → q_o 
a'(q_a, q_{a'}) → q_{a'} 

□ 

3 Tree Automata 

We define now a tree automaton for comparing two words. First let us extend F 
with a constant ⊤. By abuse of notation we denote by fg a new function symbol 
associated with the couple (f, g) ∈ (F ∪ {⊤}) × (F ∪ {⊤}). The signature 
{fg | f, g ∈ F ∪ {⊤}} is called the product alphabet; the arity of fg is 
equal to the maximum of the arities of f and g (⊤ has arity 0). The automaton 
will traverse in a bottom-up way the tree obtained by gluing together the tree 
structures associated to the two words. 

The coding of a couple of trees (t1, t2) ∈ T(F)^2 as a tree t1 ⊗ t2 on the 
product alphabet is defined recursively as follows: 

f(s1, s2) ⊗ g(r1, r2) = fg(s1 ⊗ r1, s2 ⊗ r2) 

f(s1, s2) ⊗ ε_a = fε_a(s1 ⊗ ⊤, s2 ⊗ ⊤) 

ε_a ⊗ f(s1, s2) = ε_a f(⊤ ⊗ s1, ⊤ ⊗ s2) 

f(s1, s2) ⊗ ⊤ = f⊤(s1 ⊗ ⊤, s2 ⊗ ⊤) 

⊤ ⊗ f(s1, s2) = ⊤f(⊤ ⊗ s1, ⊤ ⊗ s2) 

Lemma 7. The set of trees {τ(w) ⊗ τ(v) | w, v ∈ A*} is recognizable by a tree 
automaton. 

Proof: We just need to take the product of two copies of the automaton in 
Lemma 6. □ 
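The coding τ, the recognizer C of Lemma 6 and the product coding ⊗ above, as an added, runnable example (this is not code from the paper). Trees are nested tuples, a constant ε_a is spelled "e_a", the padding constant ⊤ is spelled "TOP", and the function names are assumptions made here; the alphabet is the one of Examples 1 and 2, with precedence c ≺ b ≺ a.

```python
# Added example, not code from the paper: the word-to-tree coding tau,
# the automaton C of Lemma 6 and the product coding (x) of Section 3.
# Trees are nested tuples (symbol, child, child); a constant eps_a is the
# string "e_a" and the padding constant is "TOP" (spellings assumed here).
from itertools import product as cartesian

ALPHABET = ["c", "b", "a"]     # total precedence c < b < a, so o = "c", m = "a"

def T(a, w, alphabet=ALPHABET):
    """Auxiliary function T_a of the coding (w is a str over the alphabet)."""
    o = alphabet[0]
    if a == o:                                       # T_o(eps) = o(e_o, e_o); T_o(w.o) = o(e_o, T_o(w))
        rest = ("e_" + o) if w == "" else T(o, w[:-1], alphabet)
        return (o, "e_" + o, rest)
    b = alphabet[alphabet.index(a) - 1]              # a is the successor b' of b
    i = w.rfind(a)                                   # rightmost a: w = w1 a w2 with a not in w2
    if i < 0:
        return (a, T(b, w, alphabet), "e_" + a)      # a(T_b(w), e_a)
    return (a, T(b, w[i + 1:], alphabet), T(a, w[:i], alphabet))   # a(T_b(w2), T_a(w1))

def tau(w, alphabet=ALPHABET):
    """tau(w) = T_m(w) for the maximal letter m."""
    return T(alphabet[-1], w, alphabet)

def show(t):
    """Render a tree in the paper's functional notation."""
    return t if isinstance(t, str) else t[0] + "(" + ",".join(show(c) for c in t[1:]) + ")"

def run_C(t, alphabet=ALPHABET):
    """Bottom-up run of the automaton C of Lemma 6: returns the state reached
    at the root of t, or None if some node has no applicable transition."""
    o = alphabet[0]
    if isinstance(t, str):                           # leaves: e_o -> q_eps_o, e_a -> q_a (a != o)
        if not t.startswith("e_") or t[2:] not in alphabet:
            return None
        return "q_eps_o" if t[2:] == o else "q_" + t[2:]
    f, *kids = t
    if f not in alphabet or len(kids) != 2:
        return None
    s1, s2 = (run_C(k, alphabet) for k in kids)
    if f == o:                                       # o(q_eps_o, q_eps_o) -> q_o and o(q_eps_o, q_o) -> q_o
        return "q_" + o if s1 == "q_eps_o" and s2 in ("q_eps_o", "q_" + o) else None
    below = alphabet[alphabet.index(f) - 1]          # a'(q_a, q_a') -> q_a'
    return "q_" + f if s1 == "q_" + below and s2 == "q_" + f else None

def accepted_by_C(t, alphabet=ALPHABET):
    """Q_f = {q_m}: accept exactly when the root reaches the state of the maximal letter."""
    return run_C(t, alphabet) == "q_" + alphabet[-1]

def product(t1, t2):
    """t1 (x) t2 on the product alphabet: node symbols become pairs (f, g) and a
    missing subtree on one side is padded with TOP, as in the paper's definition."""
    f, k1 = (t1, []) if isinstance(t1, str) else (t1[0], list(t1[1:]))
    g, k2 = (t2, []) if isinstance(t2, str) else (t2[0], list(t2[1:]))
    n = max(len(k1), len(k2))
    k1 += ["TOP"] * (n - len(k1))
    k2 += ["TOP"] * (n - len(k2))
    return ((f, g),) + tuple(product(x, y) for x, y in zip(k1, k2))

def words_up_to(n, alphabet=ALPHABET):
    """All words of length at most n, used to check Lemma 5 and Lemma 6 by brute force."""
    return ["".join(p) for k in range(n + 1) for p in cartesian(alphabet, repeat=k)]

def injective_on(words):
    """Lemma 5 check: distinct words get distinct trees."""
    return len({show(tau(w)) for w in words}) == len(words)

if __name__ == "__main__":
    print(show(tau("caacb")))            # Example 2 of the paper
    print(all(accepted_by_C(tau(w)) for w in words_up_to(4)), injective_on(words_up_to(4)))
```

Running `show(tau("caacb"))` reproduces Example 2 character for character, every `tau(w)` for words of length at most 4 is accepted by C, and a tree such as a(ε_a, ε_a), which is not the image of any word, is rejected because no transition a'(q_a, q_{a'}) applies.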

Theorem 1. The set of trees {τ(w) ⊗ τ(v) | w >rpo v} is recognizable by a tree 
automaton. 

Proof: Let Q = {q^a_+, q^a_-, q^a_>, q^a_<, q^a_= | a ∈ A} be the set of states. The set of accept- 
ing states is Q_f = {q^m_+, q^m_>} where m is the maximum element of the alphabet. 

The meaning of q^a_+ (resp. q^a_-) is that on the right branch we have encountered 
more (resp. less) a's in τ(w) than in τ(v). The meaning of q^a_> (resp. q^a_<, resp. q^a_=) 
is that the number of a's is the same but some a-free subword tips the balance 
in favour of w (resp. v, resp. equality). 

The transitions of the bottom-up tree automaton include, for all a, b ∈ A 
with a = b' (here _ stands for any state): 



aa(_, q^a_+) → q^a_+          ε_a ε_a → q^a_= 
aa(_, q^a_-) → q^a_-          ⊤ε_a → q^a_- 
aε_a(_, _) → q^a_+            ε_a ⊤ → q^a_+ 
ε_a a(_, _) → q^a_- 
⊤a(_, _) → q^a_- 
a⊤(_, _) → q^a_+ 

aa(q^b_+, q^a_=) → q^a_>      aa(q^b_>, q^a_=) → q^a_> 
aa(q^b_+, q^a_<) → q^a_>      aa(q^b_>, q^a_<) → q^a_> 
aa(q^b_+, q^a_>) → q^a_>      aa(q^b_>, q^a_>) → q^a_> 
aa(q^b_=, q^a_=) → q^a_= 
aa(q^b_=, q^a_<) → q^a_< 
aa(q^b_=, q^a_>) → q^a_> 
aa(q^b_-, q^a_=) → q^a_<      aa(q^b_<, q^a_=) → q^a_< 
aa(q^b_-, q^a_<) → q^a_<      aa(q^b_<, q^a_<) → q^a_< 
aa(q^b_-, q^a_>) → q^a_<      aa(q^b_<, q^a_>) → q^a_< 



In order to complete the automaton we may add a failure state and transi- 
tions for detecting trees that do not stand for a couple of words. We call A the 
automaton we get finally. 

We now show that if w >rpo u then τ(w) ⊗ τ(u) is accepted by A. For this we 
show the more general result: 
Claim: If a is the maximal letter in w then T_a(w) ⊗ T_a(u) →*_A q ∈ {q^a_+, q^a_>}. 

We proceed by induction on a (w.r.t. ≻). The base case when w ∈ {o}* is 
left to the reader. Assume that the result is true for all c ≺ a. Consider now the 
words w, u and a ∈ A such that a = max(w, A) and w >rpo u. 

Let t be T_a(w) ⊗ T_a(u). By the earlier lemma on words there are three ways to get w >rpo u: 

If a = max(w, A) ≻ d = max(u, A) then t = aa(t1, aε_a(t2, t3)) for some 
terms t1, t2, t3. It can be checked that t →*_A q^a_+. 

The case when a = max(w, A) = max(u, A) and mul(w, A) > mul(u, A) is 
similar. 

Assume now that w = w0 a w1 a w2 ... a w_k, u = u0 a u1 a u2 ... a u_k and 
a is larger than every symbol in w_i, u_j where i, j = 0, ..., k. Let b be the prede- 
cessor of a: b' = a. By the earlier lemma, w >rpo u iff there exists j such that w_j >rpo u_j 
and l > j implies w_l = u_l. Let us denote T_b(w_j) ⊗ T_b(u_j) by s_j. 

Then t = aa(s_k, aa(s_{k-1}, aa(..., aa(s_j, ..., aa(s_0, ε_a ε_a)...))). Running the au- 
tomaton on t one can get, after some steps, aa(s_k, ... aa(q', q) ...) for some 
q ∈ {q^a_=, q^a_<, q^a_>}. By the induction hypothesis (since b ≺ a) s_j →*_A q', where q' 
is either q^b_+ or q^b_>. Hence applying one more rule of the automaton we also have: 
aa(q', q) →_A q^a_>. Since s_l codes a couple of identical words, we have s_l →*_A q^b_= 
for l > j. Applying several times the rule aa(q^b_=, q^a_>) → q^a_> allows one to con- 
clude. By symmetry we can show that τ(w) ⊗ τ(u) →*_A q ∈ {q^m_-, q^m_<} whenever 
u >rpo w. 

For the converse one needs to show that whenever τ(w) ⊗ τ(u) →*_A q ∈ Q_f 
we have w >rpo u. Since the ordering >rpo is total, either u >rpo w or w >rpo u. 
In the first case q ∈ {q^m_-, q^m_<} and in the second, q ∈ {q^m_+, q^m_>} = Q_f. Now since 
the automaton A is deterministic, if q ∈ Q_f then necessarily w >rpo u. □ 

The first-order theory we will show decidable has both inequality interpreted 
as >rpo and equality interpreted as identity. When a ∈ A we shall reduce the 
satisfiability of a formula au >rpo v (resp. u >rpo av) to the satisfiability of 
w >rpo v ∧ w = au (resp. u >rpo w ∧ w = av). This motivates the next theorem. 

Note that the set {av ⊗ v | v ∈ A*} is recognizable by a word automaton. 
However we have now adopted a tree representation for the words to handle 
inequalities and we cannot mix different representations of the same word. Hence 
we have to prove: 

Theorem 2. The set of trees {τ(av) ⊗ τ(v) | v ∈ A*} (where a ∈ A) is recog- 
nizable by a tree automaton. 

Proof: Note that adding a letter a to a word w amounts to replacing a leaf by 
a node of the tree representation of w. There is a unique position where this 
node can be inserted: it is at the position of the rightmost occurrence of ε_a. Let 
Q = {q_0, q_1, q_2} be the set of states. The state q_1 recognizes the trees on the product alphabet 
obtained as the product of two identical trees. The accepting state is q_0. The 
transitions of the bottom-up tree automaton include, for all b ∈ A: 

ε_a ⊤ → q_0 
ε_b ε_b → q_1 
bb(q_1, q_1) → q_1 
aε_a(q_1, q_0) → q_0 
bb(q_1, q_0) → q_0 



4 RPO Theory 

An RPO formula is a first-order formula constructed from terms on the unary 
signature A and the binary predicate symbols "≻" and "=". The formula is in- 
terpreted in T(A), with ≻ as >rpo and = as identity. We denote by φ(x1, ..., xn) 
an RPO formula with free variables x1, ..., xn. 

A flat formula is an RPO formula whose atoms are of type: x = y, x = ay, x = 
a, x ≻ y, a ≻ x or x ≻ a, where x, y are variables. Hence terms in flat formulas 
are restricted to types x, ax, a, where a ∈ A, x ∈ X. 

Using transformations that preserve solutions we can reduce the decision of 
RPO formulas to the decision of flat formulas. These transformations include 
the following abstraction rules, where a, b ∈ A: 



au >rpo v   ⊢   ∃u' (u' >rpo v ∧ u' = au)   (1) 

u >rpo av   ⊢   ∃v' (u >rpo v' ∧ v' = av)   (2) 

abu = v   ⊢   ∃u' (au' = v ∧ u' = bu)   (3) 

u = abv   ⊢   ∃v' (av' = v ∧ v' = bv)   (4) 



These rules are completed by the decomposition rules derived from the definition 
of >rpo, and the decomposition and clash rules for the predicate = in T(A). 

Theorem 3. Given an RPO formula φ(x1, ..., xn) there exists an automaton 
that recognizes 

{u1 ⊗ ... ⊗ un | u1, ..., un is a solution of φ}. 

Proof: We can assume the formula φ is flat. The proof will be by induction on 
the structure of φ. The technique is classical. Let U be an automaton that 
recognizes all terms. We first remark that given two automata A1, A2 for the 
solutions of φ1(x̄, ȳ) and φ2(ȳ, z̄), where x̄, ȳ, z̄ are disjoint sets of variables, the 
set of solutions of φ1(x̄, ȳ) ∧ φ2(ȳ, z̄) is the intersection of the regular languages 
recognized by A1 ⊗ (⊗_{|z̄|} U) and (⊗_{|x̄|} U) ⊗ A2. 

Base case: assume that φ(x1, ..., xn) is atomic. Its satisfiability is equivalent to 
the conjunction of flat atomic formulas obtained by replacing (repeatedly) every 
strict maximal subterm t in every atom by a fresh variable x_t. Automata recog- 
nizing the solutions of formulas of type x ≻ y (resp. x = ay) can be constructed 
thanks to Theorem 1 (resp. Theorem 2). For the other cases (x = y, x = a, a ≻ x, x ≻ a) 
automata are easily obtained too. 

Step case: i) Suppose φ(x1, ..., xn) = ¬ψ(x1, ..., xn). By taking the intersection 
of the complement automaton for ψ(x1, ..., xn) with ⊗_n C (product of n copies 
of C) we get an automaton for φ. ii) If φ(x1, ..., xn) = ∃x1 ψ(x1, ..., xn), then 
by projection (i.e. forgetting the first component) one gets an automaton for φ. □ 

We can now conclude with the main result which is a direct consequence of 
the previous theorem: 

Theorem 4. The first-order theory of rpo is decidable when the signature is 
built from a finite set of constants and unary symbols. 

5 On Normal Forms and Ordered Rewriting 

5.1 The Recursive Path Ordering on Terms 

We assume that F is a finite set of function symbols given with their arity. 
T(F, V) is the set of finite terms built on F and an alphabet V of (first-order) 
variable symbols. = denotes syntactic equality of terms. T(F) is the set of terms 
which do not contain any variables. A multiset over a set X is a function M 
from X to the natural numbers. Any ordering > on X can be extended to an 
ordering ≫ on finite multisets over X as follows: M ≫ N iff a) M ≠ N and b) 
whenever N(x) > M(x) then M(y) > N(y) for some y > x. Note that if > is 
well-founded so is ≫. 

Given a finite total precedence on function symbols, 

s = f(s1, ..., sm) >rpo g(t1, ..., tn) = t 
if and only if one of the following holds: 

1. f > g and s >rpo ti for all 1 ≤ i ≤ n 

2. f = g, m = n and {s1, ..., sm} ≫rpo {t1, ..., tn} 

3. There exists a j, 1 ≤ j ≤ m, such that sj >rpo t or sj ~rpo t, 

where ~rpo is defined as permutative equality, or, in other words, the terms are 
treated as unordered trees. The set [t]~rpo is the equivalence class of t for ~rpo. 
The multiset extension of >rpo used above, namely ≫rpo, is defined in terms of 
this equivalence. 
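The three cases of the definition, the multiset extension and ~rpo, as an added example in Python (this is not code from the paper). Terms are nested tuples, the precedence is a dict from symbol to rank, and the sample precedence f > g > a > b with constants a, b is constructed here; the example also checks the totality of >rpo on ground terms and the dichotomy of Lemma 8 for one pair of unary contexts.

```python
# Added example, not code from the paper: the recursive path ordering >rpo
# of Section 5.1 on ground terms, with permutative equality ~rpo and the
# multiset extension >>. A term is a nested tuple (symbol, arg, ...), a
# constant is (symbol,); the precedence is a dict symbol -> rank, higher
# rank meaning greater in the precedence (representation assumed here).
from collections import Counter

def canon(t):
    """Canonical form of t as an unordered tree (arguments sorted)."""
    return (t[0],) + tuple(sorted(canon(c) for c in t[1:]))

def rpo_eq(s, t):
    """s ~rpo t: the two terms are equal up to permutation of arguments."""
    return canon(s) == canon(t)

def multiset_gt(M, N, gt):
    """M >> N for multisets M, N of terms (counted up to ~rpo):
    a) M != N, and b) whenever N has more copies of x than M,
    M has more copies of some y with y > x than N."""
    cm, cn = Counter(canon(x) for x in M), Counter(canon(x) for x in N)
    if cm == cn:
        return False
    for x in cn:
        if cn[x] > cm[x] and not any(cm[y] > cn[y] and gt(y, x) for y in cm):
            return False
    return True

def rpo_gt(s, t, prec):
    """s >rpo t under the total precedence prec, by the three cases of the definition."""
    f, g, ss, ts = s[0], t[0], s[1:], t[1:]
    gt = lambda x, y: rpo_gt(x, y, prec)
    if any(gt(si, t) or rpo_eq(si, t) for si in ss):          # 3. some s_j >rpo t or s_j ~rpo t
        return True
    if prec[f] > prec[g] and all(gt(s, tj) for tj in ts):     # 1. f > g and s >rpo every t_i
        return True
    if f == g and len(ss) == len(ts):                          # 2. same symbol, multiset extension
        return multiset_gt(list(ss), list(ts), gt)
    return False

def compare(s, t, prec):
    """Exactly one of >, <, ~ holds for ground terms under a total precedence."""
    return ">" if rpo_gt(s, t, prec) else "<" if rpo_gt(t, s, prec) else "~" if rpo_eq(s, t) else "?"

def lemma8_check(s_of, t_of, terms, prec):
    """Lemma 8: for unary contexts s(x), t(x), s(u) >rpo t(u) holds for every u or for none."""
    results = {rpo_gt(s_of(u), t_of(u), prec) for u in terms}
    return len(results) == 1

# Constructed precedence and terms: f > g > a > b, with a and b constants.
PREC = {"f": 3, "g": 2, "a": 1, "b": 0}
A, B = ("a",), ("b",)
def F(*args): return ("f",) + args
def G(*args): return ("g",) + args

if __name__ == "__main__":
    print(compare(F(G(A)), G(F(A)), PREC))          # f(g(a)) >rpo g(f(a))
    print(lemma8_check(lambda u: F(G(u)), lambda u: G(F(u)), [A, B, G(A), F(A, B)], PREC))
```

For instance f(g(a)) >rpo g(f(a)) holds by case 1 (f > g and f(g(a)) >rpo f(a) through the multiset case), f(a, b) ~rpo f(b, a), and f(g(a), a) >rpo f(a, a) because the multiset {g(a), a} dominates {a, a}.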

5.2 Ordered Rewriting 

An ordered term rewrite system (TRS) is a pair (E, ≻) where E is a set of 
equations, and ≻ is an ordering on terms. The ordered rewriting relation defined 
by (E, ≻) is the smallest monotonic binary relation →_{E,≻} on terms such that 

sσ →_{E,≻} tσ whenever s = t ∈ E and sσ ≻ tσ. 

Let us recall that a term t is ground reducible w.r.t. a rewrite system R iff all 
instances tσ ∈ T(F) of t are reducible by R. This definition extends to ordered 
rewriting, replacing R with →_{E,≻} when E is a finite set of (unconstrained) 
equations. 

Ground reducibility is decidable for arbitrary finite term rewriting systems. 
It is undecidable for finite sets of equations. 
We show it is decidable in the special case where all symbols occurring in 
the set of equations E have arity 0 or 1 (in that case we say that the equations 
are unary) and the ordering is >rpo with a total precedence. In fact, we can 
state a slightly more general result. An equation is said to be semiground if at 
least one member is a ground term. 

Theorem 5. Given a term t, and a system of equations E such that each element of 
E is either unary or semiground, it is decidable whether t is ground reducible by 
→_{E,>rpo}. 

Given sets of terms G1, ..., Gn and a function symbol f of arity n we denote 
by f(G1, ..., Gn) the set of terms {f(g1, ..., gn) | g1 ∈ G1, ..., gn ∈ Gn}. 

Lemma 8. {u ∈ T(F) | s(u) >rpo t(u)}, for unary terms s, t, is either empty or 
T(F). 

Proof: Applying the rpo definition we have that s(x) >rpo t(x) is either equivalent 
to v(x) >rpo x or x >rpo v(x) for some term v. □ 



Lemma 9. {w ∈ T(F) | ∃v : s(w) >rpo t(v)} is either equal to T(F) or to 
{x ∈ T(F) | x >rpo u}, where u is a ground term. 

Proof: s(x) >rpo t(y) for some y iff s(x) >rpo t(⊥) where ⊥ is the minimal constant 
in the signature. By decomposition we get the result. □ 



Lemma 10. {u ∈ T(F) | u >rpo t} where t is a ground term, is recognizable by 
a tree automaton. 

Proof: It is by simple induction on t w.r.t. >rpo. If t is ⊥ this is trivial. Oth- 
erwise assume by the induction hypothesis that for all t' <rpo t, L_{t'} = {u ∈ 
T(F) | u >rpo t'} is a regular tree language. 

Let t = f(t1, ..., tn). Assume w.l.o.g. that t1 ≥rpo t2 ≥rpo ... ≥rpo tn. Then 
x >rpo f(t1, ..., tn) iff either 

1. x = g(x1, ..., xm) and f > g and for some i: xi >rpo t. 

2. x = g(x1, ..., xm) and f < g and for all j: x >rpo tj. 

3. x = f(x1, ..., xn) and {x1, ..., xn} ≫rpo {t1, ..., tn}. 
The language L_t is regular since it can be defined as a component of the least 
solution of the following system of equations: 

L_t = L_1 ∪ L_2 ∪ L_3 

L_1 = ∪_{g < f, 1 ≤ j ≤ m} g(h_1, ..., h_j, ..., h_m)   where h_i = L_t if i = j, T(F) otherwise 

L_2 = ∪_{g > f} ( g(T(F), ..., T(F)) ∩ ∩_{1 ≤ i ≤ n} L_{t_i} ) 

L_3 = ∪_{1 ≤ j ≤ n, σ ∈ S_n} f(L^{j,σ}_1, ..., L^{j,σ}_n) 

where L^{j,σ}_k = [t_{σ(k)}]~rpo if k < j, L_{t_{σ(k)}} if k = j, T(F) if k > j, 

and where S_n is the permutation group of {1, ..., n}. Note that L_2 and L_3 
are regular by the induction hypothesis since they are obtained by composition of 
languages of type L_u with u <rpo t. □ 

Since {u ∈ T(F) | t >rpo u} is the complement in T(F) of the language 
{u ∈ T(F) | u >rpo t} ∪ {t}, which is regular, we also have: 

Lemma 11. {u ∈ T(F) | t >rpo u} where t is a ground term, is recognizable by 
a tree automaton. 



Now given a set of equations E satisfying the hypothesis of Theorem 5, it can 
be decomposed as a set of orientable unary equations E1, union a set E2 of 
non-orientable unary ones, union a set E3 of semiground equations. 

Hence by Lemma 8 and Lemma 9 the set of ground and reducible terms for 
E is the set of ground terms that have a subterm in the set: 

{l(t) | l(x) = r(x) ∈ E1, l(x) >rpo r(x), t ∈ T(F)} 

∪ {l(t) | l(x) = r(y) ∈ E2, l(t) >rpo r(⊥), t ∈ T(F)} 

∪ {s | s = t ∈ E3, s >rpo t, t ∈ T(F)} 

∪ {s | s = t ∈ E3, s >rpo t, s ∈ T(F)}   (5) 

By Lemma 10 and Lemma 11 this set is a regular tree language. We denote it 
by RED_E. 

Given a term t of T(F, X) it can be decided whether it is ground reducible 
by the ordered rewrite system E since in this special case it amounts to check- 
ing whether t belongs to a regular tree language. This may be obtained as a 
consequence of stronger results. We give here a simple direct proof. 

Let A = (Q, Q_f, Δ) be the automaton for RED_E. We may assume that 
all states are reachable and Q_f = {q_f}. Assume that t has m variables 
x1, ..., xm with possibly repeated occurrences. Let t(q1, ..., qm) be the term 
(on the signature extended with Q) obtained by replacing every variable xi with 
a state qi. We can compute the result of applying the automaton to it. Let 
Succ = {(q1, ..., qm) | t(q1, ..., qm) →* q_f}. Now it suffices to show that for 
every m-tuple of ground terms (t1, ..., tm) we have 

(t1, ..., tm) →* (q1, ..., qm) ∈ Succ. 

This is a reachability problem on the product automaton A^m and therefore 
is decidable. 

Remark: The result also holds for lexicographic path orderings. 



Conclusion 

Using a non-standard coding of words as trees and tree automata techniques 
we have been able to show decidability of the theory of total unary rpo. A 
question that remains open is whether the existential theory of rpo with partial 
precedence is decidable. 
Abstract. The well-founded semantics is one of the most widely studied 
and used semantics of logic programs with negation. In the case of finite 
propositional programs, it can be computed in polynomial time, more 
specifically, in O(|At(P)| × size(P)) steps, where size(P) denotes the 
total number of occurrences of atoms in a logic program P. This bound 
is achieved by an algorithm introduced by Van Gelder and known as 
the alternating-fixpoint algorithm. Improving on the alternating-fixpoint 
algorithm turned out to be difficult. In this paper we study extensions 
and modifications of the alternating-fixpoint approach. We then restrict 
our attention to the class of programs whose rules have no more than one 
positive occurrence of an atom in their bodies. For programs in that class 
we propose a new implementation of the alternating-fixpoint method in 
which false atoms are computed in a top-down fashion. We show that 
our algorithm is faster than other known algorithms and that for a wide 
class of programs it is linear and so, asymptotically optimal. 



1 Introduction 

Well-founded semantics was introduced to provide 3-valued interpreta- 
tions to logic programs with negation. Since its introduction, the well-founded 
semantics has become one of the most widely studied and most commonly ac- 
cepted approaches to negation in logic programming. It was imple- 
mented in several top-down reasoning systems, most prominent of which is XSB. 

Well-founded semantics is closely related to the stable-model semantics, 
another major approach to logic programs with negation. The well-founded se- 
mantics approximates the stable-model semantics. Moreover, computing 
the well-founded model of propositional programs is polynomial while com- 
puting stable models is NP-hard. Consequently, evaluating the well-founded 
semantics can be used as an effective preprocessing technique in algorithms to 
compute stable models. In addition, as demonstrated by smodels, at 
present the most advanced and most efficient system to compute stable models 
of DATALOG¬ programs, the well-founded semantics can be used as a powerful 
lookahead mechanism. 
Despite the importance of well-founded semantics, the question of how fast 
it can be computed has not attracted significant attention. Van Gelder de- 
scribed the so-called alternating-fixpoint algorithm. Van Gelder's algorithm runs 
in time O(|At(P)| × size(P)), where At(P) is the set of atoms occurring in a 
logic program P, |At(P)| denotes the cardinality of At(P), and size(P) is 
the size of P. Improving on this algorithm turned out to be difficult. The first 
progress was obtained by Berman et al. The algorithm described there, when restricted to 
programs whose rules contain at most two positive occurrences of atoms in their 
bodies, runs in time O(|At(P)|^{·/·} |P|^{·/·}), where |At(P)| stands for the num- 
ber of atoms in At(P) and |P| for the number of rules in P. For programs 
whose rules have no more than one positive atom in the body a better esti- 
mate of O(|At(P)|^{3/2} |P|^{1/2}) was obtained. For some classes of programs this 
is an asymptotically better estimate than the O(|At(P)| × size(P)) estimate 
that holds for the algorithm by Van Gelder. A different approach to computing 
the well-founded model was proposed in the literature. It is based on the notion of a 
program transformation. The resulting algorithm is an improvement on the 
alternating-fixpoint algorithm. However, no formal analysis of the running time 
is offered there and it is not clear whether the algorithm proposed there is 
asymptotically faster than the algorithm by Van Gelder. 

The alternating-fixpoint algorithm works by successively improving lower 
approximations T and F to the sets of atoms that are true and false, respectively, 
with respect to the well-founded semantics. The algorithm starts with T = ∅. 
Using this estimate, it computes the first estimate for F. Using this estimate, 
it computes now a better estimate for T. The algorithm continues this process 
until further improvements are not possible and returns the sets T and F as 
the well-founded semantics. The most time-consuming part of this algorithm is 
in computing estimates to the set of atoms that are false. In the Van Gelder 
algorithm, the best possible approximation (given the current estimate for T) 
is always computed by using a bottom-up approach. Let us also mention that 
a dual version of the alternating-fixpoint algorithm is possible. We start with 
F = ∅, and then alternatingly compute approximations to T and F. 

In this paper we show that new false atoms can be computed by means of 
a top-down approach by finding atoms that do not have a proof. Moreover, we 
show that it is not necessary to find all atoms that can be established to be false 
at a given stage. Finding a proper subset (as long as it is not empty) is also 
sufficient and results in a correct algorithm. 

On the Problem of Computing the Well-Founded Semantics 675 

We apply this approach to the class of programs that have at most one 
positive atom in the body. We denote this class of programs by CP_1. In the main 
contribution of the paper, we describe an algorithm that correctly computes the 
well-founded semantics for programs in that class. Our algorithm alternatingly 
computes estimates for the sets of atoms that are true and false. Estimates for 
the set of false atoms are computed in a top-down fashion. In addition, while each 
new estimate for the set of false atoms may not be optimal, we show that over all 
iterations the total time needed to compute the set of atoms that are false with 
respect to the well-founded semantics is asymptotically better than in the case 
of the original Van Gelder algorithm. Specifically, we show that our algorithm 
runs in time O(|At(P)|^2 + size(P)). Thus, for programs with size(P) ≥ |At(P)|^2 
our algorithm runs in linear time and is asymptotically optimal. It is also easy 
to see that when |P| ≥ |At(P)|, the asymptotic estimate of the running time of 
our algorithm is better than that of the algorithms by Van Gelder and Berman 
et al. 

The paper is organized as follows. In the next section we provide a brief 
review of the key notions and terminology. In Section 3 we describe several 
modifications to the original Van Gelder algorithm, we show their correctness 
and estimate their running time. The ultimate effect of our considerations there is 
a general template for an algorithm to compute the well-founded semantics. Any 
algorithm computing some (not necessarily all) atoms that can be established 
as false given a current estimate to the well-founded semantics can be used with it. One 
such algorithm, for programs from the class CP_1, is described and analyzed in 
Section 4. It constitutes the main contribution of the paper and yields a new, 
currently asymptotically most efficient algorithm for computing the well-founded 
semantics for programs in CP_1. The last section contains conclusions. 

2 Preliminaries 

We start by reviewing basic concepts and notation related to logic programs and 
the well-founded semantics, as well as some simple auxiliary results. In the paper 
we consider the propositional case only. 

Let P be a normal logic program. By At(P) we denote the set of atoms 
occurring in P. Let M ⊆ At(P) (throughout the paper we often drop a reference 
to P from our notation, whenever there is no danger of ambiguity). By P_M we 
denote the program obtained from P by removing all rules whose bodies contain 
negated literals of the form not(a), where a ∈ M. Further, by P^+_M we denote the 
program obtained from P_M by removing from the bodies of its rules all negative 
literals. Clearly, the program P^+_M coincides with the Gelfond-Lifschitz reduct 
of P with respect to M. The Gelfond-Lifschitz operator on the algebra of all 
subsets of At, GL (following our convention, we omit the reference to P from 
the notation), is defined by 

GL(M) = LM(P^+_M), 

where LM(Q) stands for the least model of a Horn program Q. 

We now present characterizations of the well-founded semantics. We phrase 
them in the language of operators and their fixpoints. All operators considered 
here are defined on the algebra of subsets of At(P). We denote the least fixpoint 
(if it exists) of an operator O by lfp(O). 

It is well known that GL is antimonotone. Consequently, GL^2 = GL ∘ GL is 
monotone and has a least fixpoint. The set of atoms that are true with respect 
to the well-founded semantics of a program P, denoted by T_wfs, is precisely the 
least fixpoint of the operator GL^2, that is, T_wfs = lfp(GL^2). The set of 
atoms that are false with respect to the well-founded semantics of a program P, 
denoted by F_wfs, is given by At(P) \ GL(T_wfs) (throughout the paper, complements 
of sets are taken with respect to At(P), and we write At(P) \ X for the complement of a set X). 

676 Zbigniew Lonc and Mirosław Truszczynski 

One can define a dual operator to GL^2 by 

A(M) = At(P) \ GL(GL(At(P) \ M)). 

It is easy to see that A is monotone and that its least fixpoint is F_wfs. Thus, 
F_wfs = lfp(A) and T_wfs = GL(At(P) \ F_wfs). 

We close this section by discussing ways to compute GL(M) for a given finite 
propositional logic program P and a set of atoms M ⊆ At(P). A straightforward 
approach is to compute the Gelfond-Lifschitz reduct P^+_M and then to compute its 
least model. The resulting algorithm is asymptotically optimal as it runs in time 
linear in the size of the program. However, in this paper we will use a different 
approach, more appropriate for the computation of the well-founded semantics. 
Let P be a logic program with negation. We define At^-(P) = {not(a) : a ∈ 
At(P)}. For every set M ⊆ At(P) ∪ At^-(P), we define true(M) = M ∩ At(P). 
If we interpret literals of At^-(P) as new atoms, then for every set M ⊆ At(P), 
the program P ∪ not(M) can be viewed as a Horn program. Thus, it has a least 
model. It is easy to see that 

GL_P(M) = true(LM(P ∪ not(At(P) \ M))). 

Here, P appearing at the left-hand side of the equation stands for the original 
logic program, while P appearing at the right-hand side of the equation stands for 
the same program but interpreted as a Horn program. Thus, using the algorithm 
of Dowling and Gallier, the Gelfond-Lifschitz reduct can be computed in time 

O(size(P) + |M|) = O(size(P)) (since M ⊆ At(P), |M| = O(size(P))). 

3 Algorithms 

The departure point for our discussion of algorithms to compute the well-founded 
semantics is the alternating-fixpoint algorithm of Van Gelder. Using the terminology 
introduced in the previous section it can be formulated as follows. 

Algorithm 1 (Van Gelder) 

F := ∅; 

repeat 

  T := true(LM(P ∪ not(F)));   (* or equivalently: T := GL(At(P) \ F); *) 

  F := At(P) \ LM(P^+_T);   (* or equivalently: F := At(P) \ GL(T); *) 
until no change in F; 

return T and F. 

Let F' and F'' be the values of the set F just before and just after an iteration 
of the repeat loop in Algorithm 1. Clearly, 

F'' = At(P) \ GL(GL(At(P) \ F')) = A(F'). 
Thus, after iteration i of the repeat loop, F = A^i(∅). Consequently, it follows 
from our earlier remarks that when Algorithm 1 terminates, the set F that is 
returned satisfies F = F_wfs. Since there is no change in F in the last iteration, 
when the algorithm terminates, we have T = T_wfs. That is, Algorithm 1 is 
correct. 

We will now modify Algorithm 1. The basis for Algorithm 1 is the operator 
A. This operator is not progressive. That is, M is not necessarily a subset of 
A(M). We will now introduce a related progressive operator, say B, and show 
that it can be used to replace A. Let P be a logic program and let T, F be two 
subsets of At(P). By P_{F,T} we denote the program obtained from P by removing 

1. all rules whose heads are in F 

2. all rules whose bodies contain a positive occurrence of an atom from F 

3. all rules whose bodies contain a negated literal of the form not(a), where 
a ∈ T. 

Clearly, P_{F,T} ⊆ P_T. 

We define an operator B(F) as follows: 

B(F) = At(P) \ LM(P^+_{F,T}), where T = GL(At(P) \ F). 

The following result gathers key properties of the operator B. 

Theorem 1. Let P be a normal logic program. Then: 

1. B is monotone 

2. For every F ⊆ At(P), A(F) ⊆ B(F) 

3. For every F ⊆ F_wfs, B(F) ⊆ F_wfs 

4. lfp(B) = F_wfs 

5. For every F ⊆ At(P), B(F) = F ∪ ((At(P) \ F) \ LM(P^+_{F,T})), where T = GL(At(P) \ F). 

Proof: (1) Assume that F1 ⊆ F2. Set Ti = GL(At(P) \ Fi), i = 1, 2. Clearly, At(P) \ F2 ⊆ At(P) \ F1 and, 
by antimonotonicity of GL, T1 ⊆ T2. By the definition of P_{F,T}, P_{F2,T2} ⊆ P_{F1,T1}. 
Consequently, LM(P^+_{F2,T2}) ⊆ LM(P^+_{F1,T1}) and, so, B(F1) ⊆ B(F2). 

(2) Let T = GL(At(P) \ F). Clearly, P_{F,T} ⊆ P_T. Thus, A(F) = At(P) \ LM(P^+_T) ⊆ At(P) \ LM(P^+_{F,T}) = 
B(F). 

(3) We have LM(P^+_{T_wfs}) = At(P) \ F_wfs. It follows that removing from P_{T_wfs} rules with 
heads in F_wfs and those that contain an atom from F_wfs in their bodies does not 
change the least model. That is, 

LM(P^+_{F_wfs,T_wfs}) = LM(P^+_{T_wfs}). 

Since T_wfs = GL(At(P) \ F_wfs), B(F_wfs) = At(P) \ LM(P^+_{F_wfs,T_wfs}). Let F ⊆ F_wfs. Then, by (1), 
B(F) ⊆ B(F_wfs). Thus, we have 

B(F) ⊆ B(F_wfs) = At(P) \ LM(P^+_{F_wfs,T_wfs}) = At(P) \ LM(P^+_{T_wfs}) = F_wfs. 

(4) The least fixpoint of B is given by lfp(B) = ∪_i B^i(∅). By (3), lfp(B) ⊆ F_wfs. 
On the other hand, by (1) and (2), A^i(∅) ⊆ B^i(∅). Thus, F_wfs = lfp(A) ⊆ lfp(B). 
It follows that lfp(B) = F_wfs. 

(5) Let T = GL(At(P) \ F). Since P_{F,T} has no rules with head in F, LM(P^+_{F,T}) ⊆ At(P) \ F 
and, consequently, F ⊆ B(F). Thus, the assertion follows. □ 

Theorem 1 allows us to prove the correctness of the following modification 
of Algorithm 1. 



Algorithm 2 
F := ∅; 
repeat 

  T := true(LM(P ∪ not(F))); 

  ΔF := (At(P) \ F) \ LM(P^+_{F,T}); 

  F := F ∪ ΔF; 

until no change in F; 

return T and F. 

By Theorem 1, each iteration of the repeat loop computes B(F) as the 
new value for the set F. More formally, the set F just after iteration i satisfies 
F = B^i(∅). Thus, when the algorithm terminates, the set F that is returned is 
the least fixpoint of B. Consequently, by Theorem 1, Algorithm 2 is correct. 
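Algorithm 1 and Algorithm 2 side by side, as an added example in Python (this is not the authors' code). Rules are triples (head, positive body, negative body), negated literals become atoms of the form "not a" exactly as in the Preliminaries, and the six-rule sample program, the function names and the representation are all constructed here. Besides reproducing the well-founded model with both algorithms, it exhibits a set F on which A is not progressive while B is, as Theorem 1 states.

```python
# Added example, not code from the paper: Algorithm 1 (Van Gelder's alternating
# fixpoint) and Algorithm 2 (the progressive operator B) on a constructed
# propositional program. A rule is (head, positive body, negative body); the
# names and the sample program are assumptions made for this illustration.

def atoms(P):
    """At(P): every atom occurring in P."""
    return {a for h, pos, neg in P for a in [h, *pos, *neg]}

def least_model(horn):
    """LM of a Horn program given as (head, body) pairs (body: iterable of atoms)."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, body in horn:
            if head not in model and all(b in model for b in body):
                model.add(head); changed = True
    return model

def gl_via_not(P, F):
    """true(LM(P U not(F))): negated literals are the new atoms "not a", so this
    equals GL(At(P) \\ F), as in the Preliminaries."""
    horn = [(h, list(pos) + ["not " + a for a in neg]) for h, pos, neg in P]
    horn += [("not " + a, []) for a in F]
    return {a for a in least_model(horn) if not a.startswith("not ")}

def reduct_plus(P, T):
    """P_T^+: drop rules with not(a), a in T, then drop all negative literals."""
    return [(h, list(pos)) for h, pos, neg in P if not any(a in T for a in neg)]

def gl(P, M):
    """The Gelfond-Lifschitz operator GL(M) = LM(P_M^+)."""
    return least_model(reduct_plus(P, M))

def algorithm1(P):
    """Van Gelder: F := {}; repeat T := GL(At \\ F); F := At \\ GL(T) until F stable."""
    At, F = atoms(P), set()
    while True:
        T = gl_via_not(P, F)
        newF = At - gl(P, T)
        if newF == F:
            return T, F
        F = newF

def P_FT_plus(P, F, T):
    """(P_{F,T})^+: remove rules with head in F, a positive body atom in F, or
    not(a) with a in T; then drop negative literals."""
    return [(h, list(pos)) for h, pos, neg in P
            if h not in F and not any(a in F for a in pos) and not any(a in T for a in neg)]

def B(P, F):
    """B(F) = At(P) \\ LM((P_{F,T})^+) with T = GL(At(P) \\ F)."""
    T = gl_via_not(P, F)
    return atoms(P) - least_model(P_FT_plus(P, F, T))

def A(P, F):
    """The non-progressive operator A(F) = At(P) \\ GL(GL(At(P) \\ F))."""
    return atoms(P) - gl(P, gl_via_not(P, F))

def algorithm2(P):
    """Algorithm 2: F grows by Delta F = (At \\ F) \\ LM((P_{F,T})^+) each round."""
    At, F = atoms(P), set()
    while True:
        T = gl_via_not(P, F)
        dF = (At - F) - least_model(P_FT_plus(P, F, T))
        if not dF:
            return T, F
        F |= dF

# Constructed sample program (not from the paper):
#   p <- not q.   q <- not p.   r <- p, not s.   s <- s.   t <- not s.   u <- t, not v.
SAMPLE = [("p", [], ["q"]), ("q", [], ["p"]), ("r", ["p"], ["s"]),
          ("s", ["s"], []), ("t", [], ["s"]), ("u", ["t"], ["v"])]

if __name__ == "__main__":
    print(algorithm1(SAMPLE))   # T_wfs = {t, u}, F_wfs = {s, v}; p, q, r stay undefined
    print(algorithm2(SAMPLE))
```

Both algorithms return T_wfs = {t, u} and F_wfs = {s, v}: s has only the self-supporting rule s ← s and v has no rule at all, which makes t and then u true, while p, q and r stay undefined. With F = {t}, A(F) = {s, v} does not contain t, whereas B(F) = {s, t, u, v} does and also contains A(F), illustrating parts 2 and 5 of Theorem 1.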

We will now modify Algorithm 2 to obtain a general template for an alter- 
nating-fixpoint algorithm to compute the well-founded semantics. The key idea 
is to observe that it is enough to compute a subset of ΔF in each iteration and 
the algorithm will remain correct. 

Let us assume that for some operator Δ_w defined for pairs (F, Q), where 
F ⊆ At(P) and Q is a Horn program such that At(Q) ⊆ At(P) \ F (the complement is, 
as always, evaluated with respect to At(P)), we have: 

(W1) Δ_w(F, Q) ⊆ (At(P) \ F) \ LM(Q) 

(W2) Δ_w(F, Q) = ∅ if and only if (At(P) \ F) \ LM(Q) = ∅ 

Let F ⊆ At(P). By the definition of P_{F,T}, At(P^+_{F,T}) ⊆ At(P) \ F. Thus, we define 
B_w(F) = F ∪ Δ_w(F, P^+_{F,T}), where T = true(LM(P ∪ not(F))). It is clear that 
for every F ⊆ At(P), F ⊆ B_w(F) ⊆ B(F), where the latter inclusion follows from 
Theorem 1. Consequently, for every i, 

B_w^i(∅) ⊆ B^i(∅). 

It follows that B_w^i(∅) ⊆ lfp(B) = F_wfs. It also follows that there is a first i such 
that B_w^{i+1}(∅) = B_w^i(∅). Let us denote this set B_w^i(∅) by F_0. Then F_0 ⊆ F_wfs. At 
the same time, by condition (W2), B(F_0) = F_0. Since F_wfs is the least fixpoint 
of B, F_wfs ⊆ F_0. It follows that a modification of Algorithm 2 in which the line 

ΔF := (At(P) \ F) \ LM(P^+_{F,T}); 

is replaced by 

ΔF := Δ_w(F, P^+_{F,T}); 

correctly computes the well-founded semantics of a program P. Thus, we obtain 
the following algorithm for computing the well-founded semantics. 



Algorithm 3 
F := ∅; 
repeat 

  T := true(LM(P ∪ not(F))); 

  ΔF := Δ_w(F, P^+_{F,T}); 

  F := F ∪ ΔF; 
until no change in F; 

return T and F. 

We will now refine Algorithm 3. Specifically, we will show that the sets T 
and F can be computed incrementally. 

Let i? be a Horn program. We define the residual program of R, res{R), to be 
the Horn program obtained from R by removing all rules of R with the head in 
LM{R) and by removing from the bodies of the remaining rules those elements 
that are in LM{R). We have the following technical result. 

Lemma 1. Let R be a Horn program and let M he a set of atoms such that 
M n head{R) = 0. Then LM{R U M) = LM{R) U LM{res{R) U M). 

Lemma 1 implies that (we treat here negated literals as new atoms and P as a Horn program over the extended alphabet)

$$LM(P \cup \mathrm{not}(F \cup \Delta F)) = LM(P \cup \mathrm{not}(F)) \cup LM(\mathrm{res}(P) \cup \mathrm{not}(\Delta F)).$$

Thus, if the set F is expanded by new elements from ΔF, then the new set T can be computed by increasing the old set T by ΔT = true(LM(res(P) ∪ not(ΔF))). The important thing to note is that the increment ΔT can be computed on the basis of the residual program and the increment ΔF. Similarly, we have

$$P_{F \cup \Delta F,\; T \cup \Delta T} = (P_{F,T})_{\Delta F, \Delta T}.$$

Thus, computing P_{F,T} can also be done incrementally on the basis of the program considered in the previous iteration, by taking into account the most recently computed increments ΔF and ΔT.

This discussion implies that Algorithm 3 can be equivalently restated as follows:

Algorithm 3
1    T := F := ΔT := ΔF := ∅;
2    R := P;  (* R will be treated as a Horn program *)
3    Q := P;
4    repeat
5        ΔT := true(LM(R ∪ not(ΔF)));
6        R := res(R ∪ not(ΔF));
7        T := T ∪ ΔT;
8        Q := Q_{ΔF,ΔT};
9        ΔF := Δ_w(F̄, Q);
10       F := F ∪ ΔF;
11   until no change in F;
12   return T and F.

We will now estimate the running time of Algorithm 3. Clearly line 1 requires constant time. Setting up appropriate data structures for programs R and Q (lines 2 and 3) takes O(size(P)) steps. In each iteration, ΔT is computed and the current program R is replaced by the program res(R ∪ not(ΔF)) (lines 5 and 6). By modifying the algorithm from the literature and assuming that R is already stored in memory (it is available either as the result of the initialization, in the case of the first iteration, or as the result of the computation in the previous iteration), both tasks can be accomplished in O(size(R°) + |ΔF| − size(R^n)) steps. Here R° denotes the old version of R and R^n denotes the new version of R. Consequently, the total time needed for lines 5 and 6 over all iterations is O(size(P) + |At(P)| − size(R*)) = O(size(P)) (where R* is the program R when the algorithm terminates). The time needed for all executions of line 7 is proportional to the number of iterations and is O(|At(P)|) = O(size(P)).

Given a logic program Q and sets of atoms ΔT and ΔF, it takes O(size(Q) − size(Q_{ΔF,ΔT}) + |ΔT| + |ΔF|) steps to compute the program Q_{ΔF,ΔT} in line 8. We assume here that Q is already in memory, as the result of the initialization in the case of the first iteration, or as the result of the computation in the previous iteration otherwise. It follows that the total time over all iterations needed to execute line 8 is O(size(P) + |At(P)|) = O(size(P)).

Thus, we obtain that the running time of Algorithm 3 is O(size(P) + m), where m is the total time needed to compute Δ_w(F̄, Q) over all iterations of the algorithm.

In the standard (Van Gelder's) implementation of Algorithm 3, we compute the whole set F̄ \ LM(Q) as Δ_w(F̄, Q). In addition, the computation is performed in a bottom-up fashion. That is, we first compute the least model of Q and then its complement with respect to F̄. Such an approach requires O(size(Q)) = O(size(P)) steps per iteration to execute line 9 and leads to an O(|At(P)| × size(P)) running-time estimate for the alternating-fixpoint algorithm.
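As an added illustration (not the paper's code), here is Algorithm 3 in its first form in Python, with the standard bottom-up choice Δ_w(F̄, Q) = F̄ \ LM(Q) just described. The reading of P_{F,T} as the reduct of P with respect to T restricted to the atoms outside F is an assumption, since its definition lies outside this excerpt; the sample program is constructed.

```python
from collections import namedtuple

# A rule "head <- pos atoms, not neg atoms" (constructed representation).
Rule = namedtuple("Rule", "head pos neg")


def least_model(horn_rules):
    """Least model of a Horn program given as (head, body) pairs:
    iterate the van Emden-Kowalski operator until nothing new is derived."""
    model = set()
    changed = True
    while changed:
        changed = False
        for head, body in horn_rules:
            if head not in model and all(b in model for b in body):
                model.add(head)
                changed = True
    return model


def lm_with_assumed_false(P, F):
    """LM(P ∪ not(F)): negated literals are treated as fresh atoms "not x",
    and not(F) contributes the fact "not x" for every x in F."""
    horn = [(r.head, r.pos + tuple("not " + c for c in r.neg)) for r in P]
    horn += [("not " + x, ()) for x in F]
    return least_model(horn)


def true_part(model):
    """true(M): the ordinary atoms of a model over the extended alphabet."""
    return {a for a in model if not a.startswith("not ")}


def reduct(P, F, T):
    """P_{F,T} (assumed reading): keep a rule only if its head and positive
    body avoid the false atoms F and none of its negated atoms is already
    true (in T); surviving rules lose their negative literals, so the
    result is a Horn program whose atoms all lie outside F."""
    return [(r.head, r.pos) for r in P
            if r.head not in F and not (set(r.pos) & F) and not (set(r.neg) & T)]


def atoms_of(P):
    return {r.head for r in P} | {a for r in P for a in r.pos + r.neg}


def well_founded(P):
    """Algorithm 3 with the Van Gelder choice Δ_w(F̄, Q) = F̄ \\ LM(Q)."""
    At = atoms_of(P)
    F = set()
    while True:
        T = true_part(lm_with_assumed_false(P, F))
        Q = reduct(P, F, T)
        F_bar = At - F
        delta_F = F_bar - least_model(Q)      # bottom-up: whole complement at once
        if not delta_F:                       # "until no change in F"
            return T, F
        F |= delta_F


# Constructed sample program:
#   p <- not q.   q <- not p.   r <- not s.   s <- t.   t <- s.   u <- not r.
SAMPLE = [
    Rule("p", (), ("q",)), Rule("q", (), ("p",)), Rule("r", (), ("s",)),
    Rule("s", ("t",), ()), Rule("t", ("s",), ()), Rule("u", (), ("r",)),
]

if __name__ == "__main__":
    T, F = well_founded(SAMPLE)
    print("true:", sorted(T), "false:", sorted(F),
          "undefined:", sorted(atoms_of(SAMPLE) - T - F))
```

On the sample, s and t are found false in the first iteration (they support only each other), which makes r true and in turn u false, while p and q stay undefined.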



4 Procedure 

In this section we will focus on the class of programs, LP_1, that is, programs whose rules have no more than one positive atom in their bodies. We describe for programs from this class a particular implementation of a procedure Δ_w and provide an estimate for its running time.

Assume that we have a procedure false that, given a Horn program Q ∈ LP_1, returns a subset of the set At(Q) \ LM(Q). Assume also that false returns the empty set if and only if At(Q) = LM(Q). For every pair (F̄, Q), where F̄ ⊆ At(P) and Q is a Horn program such that At(Q) ⊆ F̄, we define

$$\Delta_w(\bar F, Q) = (\bar F \setminus At(Q)) \cup \mathrm{false}(Q).$$

It is easy to see that this operator Δ_w(F̄, Q) satisfies conditions (W1) and (W2). Consequently, it can be used in Algorithm 3. Clearly, the procedure Δ_w and its computational properties are determined by the procedure false. In the remainder of the paper, we will describe a particular implementation of the procedure false and estimate its running time. We will use this estimate to obtain a bound on the running time of the resulting version of Algorithm 3.

A straightforward way to compute the least model of Q, and so to find At(Q) \ LM(Q), is "bottom-up". That is, we start with atoms which are heads of rules with empty bodies and use the rules of Q to compute all atoms in LM(Q) by iterating the van Emden-Kowalski operator. An efficient implementation of the process is provided by the Dowling-Gallier algorithm.

The approach we follow here in the procedure false is "top-down" and gives us, in general, only a part of the set At(Q) \ LM(Q). More precisely, for an atom a we proceed "backwards", attempting to construct a proof or to demonstrate that no proof exists. In the process, we either go back to an atom that is the head of a rule with empty body or we show that no proof exists. In the first case, a ∈ LM(Q). In the latter case, none of the atoms considered while searching for a proof of a are in LM(Q) (because Q ∈ LP_1 and each rule has at most one antecedent). The problem is that we may find an atom a that does not have a proof only after we have looked at all other atoms first. Thus, in the worst case, finding one new false atom may require time proportional to the size of Q.

To improve the time performance, we look for proofs simultaneously for all atoms and grow the proofs "backwards" in a carefully controlled way. This controlled way of looking for proofs for all atoms, in which we never let one search get too far ahead of the other searches, is the key idea of our approach and leads to better performance. We will now provide an informal description of the procedure false, followed later by a formal specification.

In the procedure, we make use of a new atom, say s, which is not in At(Q). Further, we denote by head(r) the atom in the head of a rule r ∈ Q and by tail(r) the atom which is either the unique positive atom in the body of r, if such an atom exists, or s otherwise. We call an atom a ∈ At(Q) accessible if there are rules r_1, ..., r_k in Q such that tail(r_{i+1}) = head(r_i), for i = 1, ..., k − 1, tail(r_1) = s and head(r_k) = a. Clearly, the least model LM(Q) of Q is precisely the set of all accessible atoms.

In each step of the algorithm, the set of atoms At(Q) is partitioned into potentially false sets or pf-sets, for short. We say that a set v ⊆ At(Q) is a pf-set if for each pair of atoms a, b ∈ v there are rules r_1, ..., r_k in Q such that tail(r_{i+1}) = head(r_i) ∈ v, for i = 1, ..., k − 1, tail(r_1) = b and head(r_k) = a. It is clear that if v is a pf-set then either all its elements are accessible (belong to the least model of Q) or none does (they are all false). Clearly, singleton sets consisting of individual atoms in At(Q) are pf-sets. With each pf-set we maintain its weight, that is, its cardinality.
Current information about the state of all top-down searches and the dependencies among atoms that were discovered so far is maintained in a directed graph G. The vertex set of this graph, say S, consists of {s} and of a family of pf-sets forming a partition of the set At(Q). The edges of G are specified by a partial function pred : S → S. We write pred(v) = undefined if pred is undefined for v. Now, the set of edges of G is given by {(pred(v), v) : pred(v) ≠ undefined}. Throughout the algorithm we always have pred({s}) = undefined. If both w and v are pf-sets (belong to S \ {{s}}), the existence of the edge (w, v) means that we have already discovered a rule in the original program whose head is in v and whose tail is in w. Thus, if the vertices in w are accessible, then so are the vertices in v. Since pred is a partial function, it is easy to see that the connected components of the graph G are unicyclic graphs or trees rooted in those vertices v for which pred(v) is undefined ({s} is one of them). A pf-set that is the root of a tree forming a component of G is called active. If v is an active pf-set then no rule r with head(r) ∈ v and tail(r) ∉ v has been detected so far. Thus, v is a candidate for a set of atoms which does not intersect the least model of Q.

We let active pf-sets grow by gluing them with other pf-sets (or we discard them, if we find that they consist of vertices that belong to the least model of Q). However, we allow only those active pf-sets whose weights (cardinalities) are the least to grow. In each iteration of the algorithm the value of the variable size is a lower bound for the cardinalities of active pf-sets. The main loop (lines 6-23) of the algorithm false below starts by incrementing size, followed by a call to the procedure cycle(S, pred, size, L). This procedure scans the graph G and identifies all its cycles. It then modifies G by considering each cycle and by gluing its pf-sets into a single pf-set that becomes active. It also computes the weight of each new active pf-set. Finally, it forms a list L of active pf-sets of cardinality size. If no such set is found then we move on to the next iteration of the loop and increment size by 1.

For each active pf-set v ∈ L we consider the tail of each rule with head in v (lines 9-22). If there is a rule r with head(r) ∈ v and tail(r) ∉ v then it is detected (line 15). The value pred(v) is set to the element of S that contains tail(r) (it may be that this set is {s}). We also set the variable success to true (line 16). The pf-set v stops being active. We move on to the next active pf-set on L.

If such a rule r does not exist then success = false and v is a set of cardinality size consisting of atoms which are not in the least model of Q. This set is returned by the procedure false (line 21). Hence, for an active pf-set considered in the loop in lines 6-23, either we find a pf-set pred(v) ∈ S \ {v} (and we have to consider the next pf-set on L) or v is returned as a set of atoms of cardinality size which are not in the least model of Q (and the procedure false terminates). Thus, the procedure false is completed if either a nonempty set v of atoms which are not in the least model of Q is found or, after some passes of the loop in lines 6-23, the graph G has no active pf-sets. In the latter case G is a tree with the root in {s}. Thus, At(Q) = LM(Q) and v = ∅ is returned (line 24).
In the procedure false, as formally described below, an input program Q is represented by lists IN(a), a ∈ At(Q), of all atoms b such that b is the body of some rule with the head a. If there is a rule with the head a and empty body, we insert s into the list IN(a).

We also use an operation next on lists and elements. Let l be a list and w be an element, either belonging to l or having the special value undefined. Then

$$\mathrm{next}(w, l) = \begin{cases} \text{the next element after } w \text{ in } l & \text{if } w \in l \\ \text{the first element in } l & \text{if } w \text{ is undefined.} \end{cases}$$

The value undefined should not be confused with nil, which indicates the end of a list.

Finally, we use a procedure findset(w, S) which, for an atom w and a collection S of disjoint sets, one of which contains w, finds the name of the set in S containing w (it follows from our assumptions that such a set is unique). Elements of S are maintained as linked lists. Each element on such a list has a pointer to the head of the list. The head serves as the identifier for the list. When the procedure findset(w, S) is called it returns the head of the list to which w belongs.



1    procedure false(Q);
2      S := {{x} : x ∈ At(Q)} ∪ {{s}};
3      for v ∈ S do pred(v) := undefined;
4      for x ∈ At(Q) do {w(x) := undefined; weight(x) := 1};
5      size := 0;
6      while size < |At(Q)| do
7        {size := size + 1;
8         cycle(S, pred, size, L);
9         for all v ∈ L do
10          {success := false;
11           u := next(u, v);
12           while u ≠ nil and not success do
13             w(u) := next(w(u), IN(u));
14             while w(u) ≠ nil and not success do
15               {if findset(w(u), S) ≠ v
16                then {success := true; pred(v) := findset(w(u), S)};
17                else w(u) := next(w(u), IN(u))
18               end while (14)};
19             if not success then u := next(u, v)
20           end while (12)};
21           if not success then return v (* the procedure terminates *)
22          end for (9)};
23       end while (6)};
24     return v = ∅
25   end false;
The following theorem formally establishes two key properties of the procedure false.

Theorem 2. 1. The procedure false returns a set v such that v ⊆ At(Q) \ LM(Q).

2. false returns the empty set if and only if At(Q) \ LM(Q) = ∅.

Proof: (1) The statement is trivially true if false returns the empty set. Thus assume that the returned set v ≠ ∅. It means that the value of the variable success is false after all passes of the loop in lines 12-20 for some active pf-set v in the list L. Thus every rule in Q with the head in v has been considered.

Suppose there is a rule r in Q with head(r) = u ∈ v and tail(r) = b ∉ v. This rule was considered by the procedure false when u = head(r) was a member of some pf-set, say y. Since larger pf-sets are obtained by gluing smaller ones, y ⊆ v. While r was being considered, the value of w(u) in the loop in lines 14-18 was b and the value of v was y. Consequently, findset(b, S) ≠ y in line 15, because y ⊆ v and b ∉ v, so b ∉ y. Hence the value of success was set to true and pred(y) was defined to be, say, z = findset(b, S) in line 16. The pf-set y stopped being active. Recall that v is active when the procedure stops. Hence y had to be glued with other pf-sets to obtain v. This is, however, impossible, because if y were glued with some other pf-sets to form a larger pf-set x then pred(y) = z ⊆ x. Notice that b ∈ z ⊆ x ⊆ v. We have a contradiction with b ∉ v.

Hence, there are no rules r in Q with head(r) ∈ v and tail(r) ∉ v. Thus no atom in v is accessible, so v ⊆ At(Q) \ LM(Q).

(2) Suppose false returns the empty set and consider the last pass of the loop in lines 6-23, for size = |At(Q)|. If the list L is empty then no vertex of G is an active pf-set. Hence, G is a tree with the root {s}. Thus all atoms in At(Q) are accessible and consequently LM(Q) = At(Q).

If the list L is nonempty then it contains one pf-set v = At(Q). The empty set is returned by the procedure false, so the value of the variable success in line 16 is true for v = At(Q). It means that for some rule r in Q with head(r) = u, w(u) = tail(r) ∉ v = At(Q), so w(u) = s. Hence, u is accessible and, consequently, all atoms in At(Q) are accessible. That is, we have At(Q) \ LM(Q) = ∅.

The converse of the implication proved above follows immediately from the first part of the theorem. □

We shall now consider the procedure cycle a little more carefully. The procedure can be informally written in the following form.

procedure cycle(S, pred, size, L)

1. Initialize L to empty.

2. Find all cycles C_1, C_2, ..., C_p in the graph G. Put C = {C_1, C_2, ..., C_p}.

3. For every cycle C = {v_1, ..., v_q}, C ∈ C, do (i)-(iv).

   (i) set v_C := v_1 ∪ ... ∪ v_q;

   (ii) compute weight(v_C) (sum up the weights of all vertices in C);

   (iii) update the function pred: for every i = 1, ..., q, if pred(z) = v_i (for some z ∈ S) then pred(z) := v_C;

   (iv) update the set S: S := (S − {v_1, ..., v_q}) ∪ {v_C}; (* v_C becomes an active pf-set *)

4. For every vertex v of G that is an active pf-set, if weight(v) = size, insert v into the list L.

Since G is a directed graph whose connected components are either unicyclic graphs or trees, step 2 of the procedure cycle can be implemented in O(|S|) time. Since pf-sets are represented as linked lists, with each node on the list pointing to the head of the list, step (i) can be implemented to take O(|v_C|) steps. The time needed for step (ii) is, clearly, O(|C|). Each execution of step (iv) also takes O(|C|). Finally, the running time of each execution of step (iii) is O(m_C), where m_C is the size of the connected component of the graph G containing C. Thus, an iteration of loop 3 for a cycle C ∈ C takes O(|C| + m_C + |v_C|). Clearly, |C| ≤ m_C. Moreover, Σ_{C∈C} m_C ≤ |S| − 1 ≤ |At(Q)| and Σ_{C∈C} |v_C| ≤ |At(Q)| (they are all disjoint subsets of At(Q)). Thus, the total time needed for loop 3 is O(|At(Q)|). It is easy to see that the time needed for loop 4 is also O(|At(Q)|). Consequently, the running time of the procedure cycle is O(|At(Q)|).
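The procedures false and cycle above, as an added Python rendering (not the paper's code): pf-sets are kept as lists keyed by a representative atom, so findset is a dictionary lookup and the weight is the list length, and a small driver iterates Δ_w(F̄, Q) = (F̄ \ At(Q)) ∪ false(Q) to its fixpoint. The marker name s for an empty body and the sample program are constructed.

```python
from collections import defaultdict

S = "s"   # the paper's extra atom s, standing for an empty rule body


def cycle(sets, owner, pred, size):
    """Procedure cycle: glue the pf-sets on every cycle of the pred-graph
    into one active pf-set and return the list L of active pf-sets whose
    weight (cardinality) equals size.  pred[v] is None for "undefined"."""
    state = {}                               # absent: unvisited, 1: on path, 2: done
    for start in list(sets):
        if start not in sets or state.get(start, 0):
            continue
        path, v = [], start
        while v is not None and state.get(v, 0) == 0:
            state[v] = 1
            path.append(v)
            v = pred[v]
        if v is not None and state[v] == 1:  # the path closes a cycle at v
            cyc = path[path.index(v):]
            rep = cyc[0]                     # v_C is represented by its first member
            for x in cyc[1:]:                # step (i): v_C := v_1 ∪ ... ∪ v_q
                for atom in sets[x]:
                    owner[atom] = rep        # findset now answers rep
                sets[rep].extend(sets.pop(x))
                del pred[x]
            for z in sets:                   # step (iii): redirect edges into the cycle
                if pred[z] in cyc:
                    pred[z] = rep
            pred[rep] = None                 # step (iv): v_C becomes active
        for x in path:
            state[x] = 2
    return [v for v in sets if v != S and pred[v] is None and len(sets[v]) == size]


def false_atoms(rules):
    """Procedure false for a Horn program in LP_1.  rules: (head, tail)
    pairs, tail being the single positive body atom or None.  Returns a
    nonempty subset of At(Q) \\ LM(Q), or the empty set iff At(Q) = LM(Q)."""
    atoms = sorted({h for h, _ in rules} | {t for _, t in rules if t is not None})
    IN = defaultdict(list)                   # IN(a): tails of the rules with head a
    for h, t in rules:
        IN[h].append(S if t is None else t)
    sets = {a: [a] for a in atoms + [S]}     # singleton pf-sets and {s}
    owner = {a: a for a in atoms + [S]}      # findset(w, S) == owner[w]
    pred = {v: None for v in sets}
    w = {a: -1 for a in atoms}               # w(a): index into IN(a); -1 = undefined
    size = 0
    while size < len(atoms):
        size += 1
        for v in cycle(sets, owner, pred, size):
            success = False
            for u in sets[v]:                # u := next(u, v)
                w[u] += 1                    # w(u) := next(w(u), IN(u))
                while w[u] < len(IN[u]) and not success:
                    if owner[IN[u][w[u]]] != v:              # tail outside v found
                        success, pred[v] = True, owner[IN[u][w[u]]]
                    else:
                        w[u] += 1            # rule internal to v; never rechecked
                if success:
                    break
            if not success:
                return set(sets[v])          # no rule leaves v: all of v is false
    return set()


def all_false_atoms(rules):
    """Added driver: apply Δ_w(F̄, Q) = (F̄ \\ At(Q)) ∪ false(Q) repeatedly,
    dropping rules that mention atoms already known false, until false
    returns the empty set.  The result is At(Q) \\ LM(Q) for the input."""
    universe = {h for h, _ in rules} | {t for _, t in rules if t is not None}
    out = set()
    while True:
        cur = [(h, t) for h, t in rules if h not in out and t not in out]
        present = {h for h, _ in cur} | {t for _, t in cur if t is not None}
        delta = (universe - out - present) | false_atoms(cur)
        if not delta:
            return out
        out |= delta


# Constructed sample: a <- b. b <- a. c. d <- c. e <- d. e <- f. f <- e.
SAMPLE = [("a", "b"), ("b", "a"), ("c", None), ("d", "c"),
          ("e", "d"), ("e", "f"), ("f", "e")]

if __name__ == "__main__":
    print(false_atoms(SAMPLE), all_false_atoms(SAMPLE))   # {'a', 'b'} {'a', 'b'}
```

On the sample, the first call returns {a, b} as soon as size reaches 2 (the cycle a ↔ b has no rule leaving it), and the second call, on the remaining rules, finds every pf-set hanging off {s} and returns the empty set.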

We are now in a position to estimate the running time of the procedure false.

Lemma 2. If the procedure false(Q) returns a nonempty set v, then the running time of false is O(|v| × |At(Q)|). If false(Q) returns the empty set then its running time is O(|At(Q)|²).

Proof: Let |At(Q)| = n and |v| = k. As we have already observed, the procedure cycle runs in time O(n). It is not hard to see that, since we represent all sets occurring in the procedure false as linked lists, with each node on a list pointing to the head of the list, the operations findset and next require constant time.

First assume that the output v of the procedure false is nonempty. Let us estimate the number of passes of the while and for loops in the procedure. Clearly, the loop in lines 6-23 is executed k times. Hence the total running time of all calls of the procedure cycle is O(kn). The number of passes of the loop in lines 9-22 is not larger than |L_1| + |L_2| + ... + |L_k|, where L_i denotes the list L in iteration i of the loop. Since L_i is a list of disjoint pf-sets of cardinality i, |L_i| ≤ n for each i = 1, 2, ..., k. Hence the number of passes of the loop in lines 9-22 can be very roughly estimated by kn. The loop in lines 12-20 is executed at most

$$\sum_{i=1}^{k} \sum_{v \in L_i} |v| \le kn$$

times. This inequality follows from the fact that the sets v in the lists L_i are disjoint subsets of atoms, so Σ_{v∈L_i} |v| ≤ n. The estimation of the number of passes of the loop in lines 14-18 is a little more complicated. First notice that in each execution of the loop we check a rule of the program Q, and rules are checked only once. The rules r checked in the loop have either both the head and the tail in some pf-set v ∈ S, or head(r) ∈ v and tail(r) in some other pf-set u ∈ S. In the latter case pred(v) is defined in line 16. The number of executions of line 16 is not larger than the number of passes of the loop in lines 9-22, so it is bounded by kn. When the procedure returns the output, the pf-sets have cardinalities not larger than k. Hence the number of rules with both the head and the tail in the same pf-set that have been checked before the procedure stops is not larger than

$$\sum_{v \in S} |v|(|v| - 1) \le (k - 1) \sum_{v \in S} |v| \le (k - 1)n.$$

Thus the number of passes of the loop in lines 14-18 in the whole procedure false is less than 2kn. It follows that if the output v of false is nonempty then the running time of false is O(|v| × |At(Q)|).

Now consider the case when the procedure false returns the empty set. Clearly the number of passes of the loop in lines 6-23 is n, so all executions of the procedure cycle together take O(n²) time. Since the rules are checked in the loop in lines 14-18 only once, the number of passes of this loop is not larger than the number m of rules in Q. Obviously m ≤ n², so the running time of false in this case is O(|At(Q)|²). □

By Lemma 2 and the considerations in Section 3 we get an estimate of the running time of Algorithm 3.

Theorem 3. If P is a program whose rules have at most one positive atom in the body then Algorithm 3 can be implemented such that its running time is O(|At(P)|² + size(P)). □

5 Conclusions 

The method for computing the well-founded semantics described in the paper is a refinement of the basic alternating-fixpoint algorithm. The key idea is to use a top-down search when identifying atoms that are false. Our method is designed to work with programs whose rules have at most one positive atom in their bodies (class LP_1). Its running time is O(|At(P)|² + size(P)) (where P is an input program). Thus, our algorithm is an improvement over other known methods to compute the well-founded semantics for programs in the class LP_1. Our algorithm runs in linear time for the class of programs P ∈ LP_1 for which size(P) ≥ |At(P)|². However, it is not a linear-time algorithm in general. It is an open question whether a linear-time algorithm for computing the well-founded semantics for programs in the class LP_1 exists.

Finally, let us note that the general problem of computing the well-founded semantics still remains a challenge. No significant improvement over the alternating-fixpoint algorithm of Van Gelder has been obtained for the class of arbitrary finite propositional logic programs. This paper points to the fact that top-down computation of false atoms may lead to some improvement.
Abstract. We discuss equilibrium logic, first presented in Pearce (1997), as a system of nonmonotonic reasoning based on the nonclassical logic N5 of here-and-there with strong negation. Equilibrium logic is a conservative extension of answer set inference, not only for extended, disjunctive logic programs, but also for significant extensions such as the programs with nested expressions described by Lifschitz, Tang and Turner (forthcoming). It provides a theoretical basis for extending the paradigm of answer set programming beyond current systems such as smodels and dlv. The paper provides proof systems for N5 and for model-checking in equilibrium logic. The reduction of the latter problem to an unsatisfiability problem of classical logic yields complexity results for the various decision problems concerning equilibrium entailment. The reduction also yields a basis for the practical implementation of an automated reasoning tool.



1 Introduction 

Equilibrium logic is a formal system of nonmonotonic reasoning proposed by the first author as a generalisation of inference based on stable models and answer sets. While stable models and answer sets are defined for ground (instantiated) logic programs whose expressions have a special, restricted syntactic form, equilibrium logic uses an unrestricted propositional language that can therefore be applied also to grounded (predicate logical) theories more general than logic programs. The basic notions and properties of equilibrium logic are discussed in earlier papers. The present paper is devoted to computational issues, especially the problem of checking efficiently whether a given model of a theory is in equilibrium and whether a given formula is an equilibrium consequence of a theory. We also discuss and characterise the complexity of these tasks.

We approach computational issues using the method of signing, familiar from the area of automated deduction for many-valued logics. This method translates the problem of deciding the validity of formulas (or entailments) in a many-valued logic to the problem of deciding whether a certain set of signed formulas is unsatisfiable. The latter test can then be carried out using standard techniques such as TAS, tableaux, resolution, etc. To our knowledge this paper provides the first application of signing to a system of nonmonotonic inference and to the logic on which it is based: the 5-valued logic of here-and-there with strong negation, denoted here by N5. This application is made possible by using a modification of signed logics called reduced signed logics, developed in earlier work. In addition, we improve the signing process by using a new technique called signing-up.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 688–…, 2000.

Since equilibrium inference is a conservative extension of the inference relation associated with stable model semantics, the techniques and results of this paper apply a fortiori to stable models for logic programs. There already exist efficient implementations of stable model and answer set semantics, e.g. using special purpose algorithms tailored to the specific syntax of logic programs. By contrast, the more general theorem proving techniques discussed here apply to the case of full propositional logic and are therefore likely to be of interest to those seeking to extend stable model reasoning beyond the language of logic programs, as for instance the approach that considers programs with nested expressions. One result that may be of some significance here is that such syntactic extensions do not lead to an increase in the complexity of checking whether a given model is stable (i.e. in equilibrium). We hope the methods of this paper may also be of some interest for the field of automated deduction for nonclassical logics; in particular, by illustrating the use of signing in a concrete case (the logic N5) and by showing how nonmonotonic extensions of many-valued logics may also be amenable to treatment by these methods when suitably extended, as here, in the form of reduced signed logics.



2 Equilibrium Logic 

Equilibrium logic can be viewed, and hence motivated, in different ways. On the one hand it can be seen simply as a general purpose system of nonmonotonic reasoning, based on a notion of negation-by-default. It is currently defined for a propositional language with two kinds of negation, weak and strong, and is therefore also applicable to ground or instantiated theories in a predicate language (without function symbols). Another way to view equilibrium logic is as an extension of stable model or answer set programming. Answer set semantics for extended logic programs was developed already ten years ago. However there has recently been a pronounced revival of interest in answer sets as defining a new programming paradigm. There has been a growing awareness that several well-known types of combinatorial problems have elegant solutions when expressed in the form of answer set programs. In addition, efficient implementations are now available that make computing answer set solutions a viable task. Current implementations, such as dlv, are available for disjunctive as well as normal logic programs and can handle both weak and strong negation. There are also frontends for diagnostic reasoning and for reasoning with inheritance.

There has also been considerable interest in extending the basic language of answer set programs to a more expressive syntax. Already Lifschitz extended the definition of answer set to include languages with integrity constraints and rules with negation-as-failure in their heads. A different but equivalent extension was proposed elsewhere. Recent work has treated rules whose bodies may contain conditionals, considered special additional kinds of rules such as (cardinality) constraints, and defined answer sets for programs with nested expressions, that is programs whose formulas comprise implications α → β, where α and β may be arbitrary boolean combinations of literals. In equilibrium logic even this last restriction is removed so that all the logical operators may be nested, not only the boolean ones.

We start by giving the original definition of equilibrium logic in terms of 
Kripke models. Later, for the purposes of computing equilibrium inference, we 
use an equivalent definition in terms of many-valued matrices. 

Equilibrium logic is based on the logic of here-and-there with strong negation, which we denote by N5.¹ We first consider the logic of here-and-there. The language is the propositional language of intuitionistic logic, with formulas built up in the usual way using the logical constants ∧, ∨, →, ¬, standing respectively for conjunction, disjunction, implication and negation. A here-and-there (Kripke) frame F is a pair F = ⟨W, ≤⟩, where W is a set comprising two points (or worlds), 'here' and 'there', denoted by h and t respectively, and ≤ is a partial ordering on W such that h ≤ t. At each point w ∈ W some primitive propositions (atoms) are verified as true, and, once verified at the point h, an atom a remains true at the 'later' point t. A here-and-there model M can therefore be represented as a frame F together with an assignment i of sets of atoms to each element of W, such that i(h) ⊆ i(t). An assignment is then extended inductively to all formulas via the following rules:

$$\begin{aligned}
\varphi \wedge \psi \in i(w) &\ \text{ iff }\ \varphi \in i(w) \text{ and } \psi \in i(w)\\
\varphi \vee \psi \in i(w) &\ \text{ iff }\ \varphi \in i(w) \text{ or } \psi \in i(w)\\
\varphi \to \psi \in i(w) &\ \text{ iff for all } w' \text{ such that } w \le w',\ \varphi \in i(w') \text{ implies } \psi \in i(w')\\
\neg\varphi \in i(w) &\ \text{ iff for all } w' \text{ such that } w \le w',\ \varphi \notin i(w')
\end{aligned}$$

These are the standard truth-conditions for Kripke models of intuitionistic logic. However they can evidently be simplified in the case of these two-element frames. For instance we see immediately that a negated formula is true 'here' (¬φ ∈ i(h)) just in case φ is not true 'there' (φ ∉ i(t)).

The logical operator of strong negation adds to intuitionistic logic the insight that primitive propositions may not only be constructively verified but also constructively falsified. The language is accordingly extended by a new, strong negation symbol ~, with the interpretation that ~φ is true if φ is constructively false. A semantics can be obtained through a simple modification of the above Kripke semantics. As before a model comprises a two element Kripke frame F = ⟨W, ≤⟩, where W = {h, t}, together with an assignment i. However i now assigns to each element of W a set of literals² such that, as before, i(h) ⊆ i(t).

¹ The symbol 'N' stands for Nelson, the founder of constructive logic with strong negation, and '5' expresses that we are dealing with a many-valued extension of Nelson's original logic with five truth-values.

² We use the term "literal" to denote an atom or an atom prefixed by strong negation.
An assignment is then extended inductively to all formulas via the previous rules for conjunction, disjunction, implication and (weak) negation together with the following rules governing strongly negated formulas:

$$\begin{aligned}
{\sim}(\varphi \wedge \psi) \in i(w) &\ \text{ iff }\ {\sim}\varphi \in i(w) \text{ or } {\sim}\psi \in i(w)\\
{\sim}(\varphi \vee \psi) \in i(w) &\ \text{ iff }\ {\sim}\varphi \in i(w) \text{ and } {\sim}\psi \in i(w)\\
{\sim}(\varphi \to \psi) \in i(w) &\ \text{ iff }\ \varphi \in i(w) \text{ and } {\sim}\psi \in i(w)\\
{\sim}{\sim}\varphi \in i(w) &\ \text{ iff }\ \varphi \in i(w)\\
{\sim}\neg\varphi \in i(w) &\ \text{ iff }\ \varphi \in i(w)
\end{aligned}$$

Weak negation '¬' is definable in N5 by: ¬φ := φ → ~φ. A formula φ is true in a model M = ⟨W, ≤, i⟩ at a point w ∈ W, in symbols M, w ⊨ φ, if φ ∈ i(w). φ is true in a model M, in symbols M ⊨ φ, if it is true at both points in M, which is also the case if it is true at h. A formula φ is said to be valid, in symbols ⊨ φ, if it is true in all models. Logical consequence for N5 is understood as follows: φ is said to be an N5-consequence of a set Π of formulas, written Π ⊨ φ, if for all models M, M ⊨ Π implies M ⊨ φ. The logic N5 can also be presented axiomatically. The above set of valid formulas can be captured via the axioms and rules of intuitionistic logic together with the axiom schemata for strong negation due to Vorob'ev and, in addition, the following axiom for here-and-there due to Łukasiewicz:³

$$(\neg\alpha \to \beta) \to (((\beta \to \alpha) \to \beta) \to \beta).$$

N5 is a conservative extension of the logic of here-and-there⁴ in the sense that any formula without strong negation is a theorem of N5 if and only if it is a theorem of here-and-there. Notice that Nelson's negation is termed 'strong', since in N5, ~φ → ¬φ is a theorem. The derivability relation for N5 is denoted by ⊢. The Kripke semantics is complete for N5 in the sense that for all Π and φ.

Since we are dealing with Kripke frames containing only two points, h and t with h ≤ t, it is convenient to represent an N5-model as an ordered pair ⟨H, T⟩ of sets of literals, where H = i(h) and T = i(t) under a suitable assignment i. By h ≤ t, it follows that H ⊆ T.

The Kripke semantics for N5 can be characterised using a many-valued approach, specifically with a five-valued logic where the set of truth values is 5 = {−2, −1, 0, 1, 2}. In this approach, the connectives are interpreted in the Nelson algebra

$$\mathfrak{N} = (\{-2, -1, 0, 1, 2\}, \wedge, \vee, \to, \neg, \sim)$$

where ∨ = max, ∧ = min, ~x = −x,

$$x \to y = \begin{cases} 2 & \text{if either } x \le 0 \text{ or } x \le y\\ y & \text{otherwise}\end{cases}
\qquad\text{and}\qquad
\neg x = \begin{cases} 2 & \text{if } x \le 0\\ -x & \text{otherwise.}\end{cases}$$

³ Smetanich studied the logic of here-and-there; important results about the logic can also be found in later work.

⁴ i.e. the logic determined by formulas in the language of intuitionistic logic that are true on all here-and-there frames. This is the greatest logic containing intuitionistic logic and properly contained in classical logic. For more about N5, see the references.
The relation between Kripke models and many-valued assignments is the following:

\[
\begin{aligned}
\sigma(p) = 2 &\text{ iff } p \in H \\
\sigma(p) = 1 &\text{ iff } p \in T,\ p \notin H \\
\sigma(p) = 0 &\text{ iff } p \notin T,\ {\sim}p \notin T \\
\sigma(p) = -1 &\text{ iff } {\sim}p \in T,\ {\sim}p \notin H \\
\sigma(p) = -2 &\text{ iff } {\sim}p \in H
\end{aligned}
\]

This way the many-valued semantics and the Kripke semantics for N5 are equivalent.
In other words, if $\Pi$ is a set of formulas in N5 and $\psi$ is a formula, then
$\Pi \models \psi$ iff for every assignment $\sigma$ in N5, if $\sigma(\varphi) = 2$ for every $\varphi \in \Pi$, then
$\sigma(\psi) = 2$.

2.1 Equilibrium Models and Equilibrium Inference

Equilibrium models are special kinds of minimal N5 Kripke models. We first
define a partial ordering $\le$ on N5 models as follows.

Given any two models $\langle H, T\rangle$, $\langle H', T'\rangle$, we set $\langle H, T\rangle \le \langle H', T'\rangle$ if $T = T'$
and $H \subseteq H'$.

This leads to the following notion of equilibrium: if $\Pi$ is a set of N5 formulas
and $\langle H, T\rangle$ is a model of $\Pi$,

1. $\langle H, T\rangle$ is said to be total if $H = T$.

2. $\langle H, T\rangle$ is said to be an equilibrium model if it is minimal under $\le$ among
models of $\Pi$, and it is total.

Using the many-valued semantics we have the following equivalent definitions.

Definition 1. Let $\Pi$ be a set of formulas in N5. The ordering $\sigma_1 \le \sigma_2$ among
models $\sigma_1$ and $\sigma_2$ of $\Pi$ holds iff for every propositional variable $p$ occurring in
$\Pi$ the following properties hold:

1. $\sigma_1(p) = 0$ if and only if $\sigma_2(p) = 0$.

2. If $\sigma_1(p) \ge 1$, then $\sigma_1(p) \le \sigma_2(p)$.

3. If $\sigma_1(p) \le -1$, then $\sigma_1(p) \ge \sigma_2(p)$.

Definition 2. Let $\Pi = \{\varphi_1, \ldots, \varphi_n\}$ be a set of formulas in N5. A model $\sigma$ of
$\Pi$ in N5 is a total model if $\sigma(p) \in \{-2, 0, 2\}$ for every propositional variable $p$
in $\Pi$. $\sigma$ is an equilibrium model if it is total and minimal under the $\le$-ordering.

Equilibrium logic is the logic determined by the equilibrium models of a theory;
we define it formally in terms of a nonmonotonic entailment relation.

Definition 3 (Equilibrium Entailment). Let $\varphi_1, \ldots, \varphi_n, \psi$ be formulas in
N5. We define the relation $\mathrel{|\!\sim}$, called equilibrium entailment, as follows:

1. If $\Pi = \{\varphi_1, \ldots, \varphi_n\}$ has equilibrium models, then $\varphi_1, \ldots, \varphi_n \mathrel{|\!\sim} \psi$ if every
equilibrium model of $\Pi$ is a model of $\psi$ in N5.

2. If either $\Pi = \emptyset$ or $\Pi$ has no equilibrium models, then $\varphi_1, \ldots, \varphi_n \mathrel{|\!\sim} \psi$ if
$\varphi_1, \ldots, \varphi_n \models \psi$.

The process of checking equilibrium entailment, $\Pi \mathrel{|\!\sim} \psi$, will be understood as
follows:

Step 1. Generate the total models of $\Pi$.

Step 2. For every total model of $\Pi$, check the equilibrium property. If there are
equilibrium models, then go to Step 3, else go to Step 4.

Step 3. For every equilibrium model of $\Pi$, check whether it is a model of $\psi$.

Step 4. If $\Pi$ does not have equilibrium models, just check entailment in N5.

Part of the interest of equilibrium logic arises from the fact that on a syntactically
restricted class of theories it coincides with a well-known nonmonotonic inference
relation studied in logic programming, namely that generated by the semantics
of answer sets. This holds not only for ordinary (extended) logic programs, but
also for the generalisation to programs with nested expressions defined in [?].

Theorem 1. Let $\Pi$ be a consistent theory having the syntactic shape of a logic
program with nested expressions in the sense of [?]. The equilibrium models of
$\Pi$ correspond precisely to the answer sets of $\Pi$.

Proof sketch. Written in usual logical notation, a logic program with nested
expressions in the sense of [?] comprises sets of formulas of the form $\alpha \to \beta$,
where $\alpha, \beta$ are arbitrary boolean combinations of literals (ie. combinations involving
$\wedge, \vee, \neg$) in the language of N5. In [?] the authors first define answer sets for
programs of this form, and then show, via a series of program transformations,
that every such program is (answer set) equivalent to a program whose formulas
$\alpha \to \beta$ are such that $\alpha$ is a conjunction of literals and weakly negated literals and
$\beta$ is a disjunction of literals and weakly negated literals. For programs of the
latter kind a straightforward extension of the proof of Proposition 10 of [?] shows
that answer sets and equilibrium models coincide. Moreover, one may readily
verify that the program transformations described in [?] correspond to
transformations of formulas that are logically valid in N5. From this fact the
claim follows.
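What follows is an added example and not code from the paper: a brute-force Python implementation of the five-valued semantics above (the Nelson algebra and the table relating assignments to Kripke pairs $\langle H, T\rangle$), of the ordering of Definition 1, and of Steps 1 to 4 for $\mathrel{|\!\sim}$. It enumerates every assignment, so it only serves small theories; the tuple encoding of formulas and all function names are conventions of this example, not of the paper. Besides the theory of Example 1 in Section 4.3 it is run on the constructed program $\{\neg q \to p\}$ (the rule $p \leftarrow \mathit{not}\ q$), whose single equilibrium model is the answer set $\{p\}$ as Theorem 1 predicts, and which shows $\mathrel{|\!\sim}$ to be nonmonotonic where $\models$ is not.

```python
# Added example, not from the paper: brute-force five-valued semantics of N5
# and the four-step equilibrium entailment procedure.  Formulas are tuples
# ('var','p'), ('neg',f) strong negation ~f, ('not',f) weak negation ¬f,
# ('and',f,g), ('or',f,g), ('imp',f,g).
from itertools import product

FIVE = (-2, -1, 0, 1, 2)   # truth values of the Nelson algebra
TOTAL = (-2, 0, 2)         # values a total model may use

def imp(x, y):
    """x -> y in the Nelson algebra: 2 if x <= 0 or x <= y, else y."""
    return 2 if x <= 0 or x <= y else y

def weak_not(x):
    """¬x = x -> ~x: 2 if x <= 0, else -x."""
    return 2 if x <= 0 else -x

def value(f, sigma):
    """Value of formula f under the assignment sigma (dict var -> value)."""
    op = f[0]
    if op == 'var':
        return sigma[f[1]]
    if op == 'neg':
        return -value(f[1], sigma)
    if op == 'not':
        return weak_not(value(f[1], sigma))
    x, y = value(f[1], sigma), value(f[2], sigma)
    return {'and': min, 'or': max, 'imp': imp}[op](x, y)

def variables(formulas):
    """Sorted list of the variables occurring in a list of formulas."""
    found, stack = set(), list(formulas)
    while stack:
        f = stack.pop()
        if f[0] == 'var':
            found.add(f[1])
        else:
            stack.extend(f[1:])
    return sorted(found)

def assignments(vs, values=FIVE):
    for vals in product(values, repeat=len(vs)):
        yield dict(zip(vs, vals))

def is_model(sigma, theory):
    return all(value(f, sigma) == 2 for f in theory)

def kripke_pair(sigma):
    """The pair (H, T) matching sigma by the table in the text; the strong
    literal ~p is written as the string '~p'."""
    H, T = set(), set()
    for p, v in sigma.items():
        if v > 0: T.add(p)
        if v == 2: H.add(p)
        if v < 0: T.add('~' + p)
        if v == -2: H.add('~' + p)
    return H, T

def n5_entails(theory, psi):
    """Pi |= psi: every five-valued model of Pi gives psi the value 2."""
    vs = variables(list(theory) + [psi])
    return all(value(psi, s) == 2
               for s in assignments(vs) if is_model(s, theory))

def below(s1, s2):
    """Definition 1: s1 <= s2, both defined on the same variables."""
    return all((s1[p] == 0) == (s2[p] == 0)
               and not (s1[p] >= 1 and s1[p] > s2[p])
               and not (s1[p] <= -1 and s1[p] < s2[p]) for p in s2)

def total_models(theory):                         # Step 1
    return [s for s in assignments(variables(theory), TOTAL)
            if is_model(s, theory)]

def is_equilibrium(sigma, theory):                # Step 2
    """sigma is minimal under <= among all (not only total) models."""
    return not any(s != sigma and below(s, sigma) and is_model(s, theory)
                   for s in assignments(variables(theory)))

def equilibrium_models(theory):
    return [s for s in total_models(theory) if is_equilibrium(s, theory)]

def equilibrium_entails(theory, psi):             # Steps 3 and 4
    """Pi |~ psi (Definition 3), falling back to |= when Pi is empty or
    has no equilibrium model.  Variables of psi that do not occur in Pi
    may take any value in an equilibrium model."""
    eq = equilibrium_models(theory)
    if not theory or not eq:
        return n5_entails(theory, psi)
    extra = [p for p in variables([psi]) if p not in variables(theory)]
    return all(value(psi, {**s, **e}) == 2
               for s in eq for e in assignments(extra))

# Constructed inputs: Example 1 of Section 4.3 and the program p :- not q.
P, Q, R = ('var', 'p'), ('var', 'q'), ('var', 'r')
EXAMPLE = [P, ('imp', Q, R), ('imp', R, Q)]
PROGRAM = [('imp', ('not', Q), P)]
```

`is_equilibrium` deliberately ranges over all five-valued assignments, not only total ones, because the minimality of Definition 2 is taken among all models of $\Pi$; a candidate $\tau < \sigma$ typically uses the values $1$ and $-1$, as $\tau_1$ does in Example 1.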

3 Signed Logics

Proof methods for many-valued logic have developed alongside the evolution of
the notions of sign and signed formula. The use of signs and signed formulas
allows one to apply classical methods in the analysis of many-valued logics.
Forgetting the set of truth values associated with a given logic, in the metalanguage
one may interpret sentences about the many-valued logic as being true-or-false.

Footnote: For the case where a consistent theory has no equilibrium models, entailment can be
defined in various different ways. Here we choose a simple option, logical consequence.
Another option would be to consider, say, the minimal models, but these choices are
not of great issue for the purposes of the present paper.

Footnote: ie. combinations involving $\wedge, \vee, \neg$.
For example, in a 3-valued logic with truth values $\{0, 1/2, 1\}$ and with $\{1\}$ as the
designated value, the satisfiability of a formula $\varphi$ can be expressed as: Is it
possible to evaluate $\varphi$ in $\{1\}$? In the same way, the unsatisfiability of $\varphi$ is expressed
by: Is $\varphi$ always evaluated in $\{0, 1/2\}$? These questions can be represented by the
signed formulas $\{1\}{:}\varphi$ and $\{0, 1/2\}{:}\varphi$, which are evaluated on the set $\{0, 1\}$ with the
following meaning:

— $\{1\}{:}\varphi$ takes the value 1 when $\varphi$ is evaluated in $\{1\}$

— $\{0, 1/2\}{:}\varphi$ takes the value 1 when $\varphi$ is evaluated in $\{0, 1/2\}$

In other words, the formulas in a signed logic are constructions of the form $S{:}\varphi$,
where $S$ is a set of truth values of the many-valued logic, called the sign, and $\varphi$
is a formula of that logic. The interpretations that determine the semantics of
the signed logic are defined from the interpretations of the many-valued logic as
follows:

\[
I_\sigma(S{:}\varphi) = 1 \text{ if and only if } \sigma(\varphi) \in S
\]

The first works to provide a systematic treatment of sets of truth values as
signs were due to Hähnle in [?] and Murray and Rosenthal in [?]. There the
notion of signed formula is formally introduced. In [?] these tools are used in
the framework of truth tables, while in [?] they are used to develop another,
nonclausal proof method, that of dissolution. As a result of these works, the use
of signed formulas in the field of automated deduction has been extended, and
has led to significant advances in this method.

The notion of reduced signed logic was introduced in [?] as a generalisation
of previous approaches. It is developed in the general framework of propositional
logics, without reference either to an initially given many-valued logic or to a
specific algorithm, ie. the definition is completely independent of the particular
application at hand. The generalisation consists in introducing a possible truth-values
function to restrict the truth values for each variable. These restrictions
can be motivated by the specific application and they can be managed dynamically
by the algorithms; for example, in [?] these restrictions are used to improve
the efficiency of tableaux methods.

The conversion of a many-valued formula into a signed formula is accomplished
via suitable operators called signing operators, which are functions between
the many-valued logic and the signed logic. Each many-valued logic and
each concrete problem requires a specific signing operator. For example, to study
the validity of inference in a many-valued logic, the signing operator characterises
validity by means of unsatisfiability in the signed logic [?]. In this paper we
introduce signing operators to characterise the total and the equilibrium properties
of models in N5.

3.1 Reduced Signed Logics

The formulas in the reduced signed logics are built up from atomic formulas
using the connectives $\wedge$ and $\vee$. The atomic formulas are the $\omega$-signed literals:
if $\mathbf{n}$ is a finite set of truth values, $V$ is the set of propositional variables and
$\omega : V \to (2^{\mathbf{n}} \setminus \{\emptyset\})$ is a mapping, called the possible truth-values function, then
the set of $\omega$-signed literals is

\[
\mathrm{LIT}_\omega = \{S{:}p \mid S \subseteq \omega(p),\ p \in V\} \cup \{\bot, \top\}
\]

In a literal $\ell = S{:}p$, the set $S$ is called the sign of $\ell$ and $p$ is the variable of $\ell$.
The opposite literal of $S{:}p$ is defined as $\overline{S{:}p} = (\omega(p) \setminus S){:}p$.

The semantics of the signed logic $\mathbf{S}_\omega$, valued in $\mathbf{n}$ by $\omega$, is defined using the
$\omega$-assignments. The $\omega$-assignments are mappings from the language into the set
$\{0, 1\}$ that interpret $\vee$ as maximum, $\wedge$ as minimum, $\bot$ as falsity, $\top$ as truth and
have the following properties:

1. For every $p$ there exists a unique $j \in \omega(p)$ such that $I(\{j\}{:}p) = 1$.

2. $I(S{:}p) = 1$ if and only if there exists $j \in S$ such that $I(\{j\}{:}p) = 1$.

These conditions arise from the objective for which signed logics were created:
the $\omega$-assignment $I$ over $S{:}p$ is 1 if the variable $p$ is assigned a value in $S$; this
value must be unique for every many-valued assignment and thus unique for
every $\omega$-assignment.

An important operation in the sequel will be the reduction of a signed logic.
This operation decreases the possible truth-values set for one or more propositional
variables. The reduction will be forced during the application of an
algorithm, but it can also help us to specify a problem using signed formulas. For
instance, in this paper the reductions will be used to describe the equilibrium
property in N5 using this logic. Specifically, we will use two basic reductions: to
prohibit a specific value for a given variable, $[p \ne j]$, and to force a specific value
for a given variable, $[p = j]$. If $\omega$ is a truth-values function, then the possible
truth-values functions $\omega[p \ne j]$ and $\omega[p = j]$ are defined as follows:

— $\omega[p \ne j](v) = \omega(v)$ if $v \ne p$, and $\omega[p \ne j](p) = \omega(p) \setminus \{j\}$.

— $\omega[p = j](v) = \omega(v)$ if $v \ne p$, and $\omega[p = j](p) = \{j\}$.

So, if $A$ is a formula in $\mathbf{S}_\omega$, we define the following substitutions:

— $A[p \ne j]$ is a formula in $\mathbf{S}_{\omega[p \ne j]}$ obtained from $A$ by replacing $\{j\}{:}p$ by $\bot$,
$\overline{\{j\}{:}p}$ by $\top$ and $S{:}p$ by $(S \setminus \{j\}){:}p$; in addition, the constants are deleted
using the 0-1 laws.

— $A[p = j]$ is a formula in $\mathbf{S}_{\omega[p = j]}$ obtained from $A$ by replacing every literal
$S{:}p$ with $j \in S$ by $\top$ and every literal $S{:}p$ with $j \notin S$ by $\bot$; in addition, the
constants are deleted using the 0-1 laws.

The following result is trivial from the intuitions behind the preceding reductions but
is important in later sections.

Proposition 1. Let $I$ be a model of a formula $A$ in $\mathbf{S}_\omega$.

— If $I(p) \ne j$, then (the restriction of) $I$ is a model of $A[p \ne j]$ in $\mathbf{S}_{\omega[p \ne j]}$.

— If $I(p) = j$, then $I$ is a model of $A[p = j]$ in $\mathbf{S}_{\omega[p = j]}$.
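The two substitutions and the 0-1 laws, as an added Python example that is not part of the paper: signed formulas are nested tuples, the sign of a literal is a `frozenset`, and `reduce_ne`/`reduce_eq` implement $A[p \ne j]$ and $A[p = j]$ exactly as defined above, simplifying constants on the way back up. The formula `SAMPLE` and the function `omega(p) = \mathbf{5}$ are constructed for the example, and `proposition_1_holds` checks Proposition 1 on them by enumerating all $\omega$-assignments.

```python
# Added example, not from the paper: the reductions [p != j] and [p = j] of
# Section 3.1 as substitutions on signed formulas (with the 0-1 laws applied)
# and a brute-force check of Proposition 1.  Signed formulas are tuples
# ('lit', S, 'p') for the literal S:p with S a frozenset, ('and', A, B),
# ('or', A, B), TOP and BOT.
from itertools import product

TOP, BOT = ('top',), ('bot',)

def lit(S, p):
    return ('lit', frozenset(S), p)

def simplify(op, a, b):
    """0-1 laws for op(a, b) once a and b are already simplified."""
    if op == 'and':
        if BOT in (a, b): return BOT
        if a == TOP: return b
        if b == TOP: return a
    else:
        if TOP in (a, b): return TOP
        if a == BOT: return b
        if b == BOT: return a
    return (op, a, b)

def reduce_ne(A, omega, p, j):
    """A[p != j]: {j}:p -> BOT, its opposite literal -> TOP, S:p -> (S\\{j}):p."""
    if A[0] == 'lit':
        S, q = A[1], A[2]
        if q != p:
            return A
        if S == frozenset({j}):
            return BOT
        if S == omega[p] - {j}:
            return TOP
        return ('lit', S - {j}, p)
    if A[0] in ('and', 'or'):
        return simplify(A[0], reduce_ne(A[1], omega, p, j),
                        reduce_ne(A[2], omega, p, j))
    return A

def reduce_eq(A, p, j):
    """A[p = j]: S:p -> TOP if j in S, else BOT."""
    if A[0] == 'lit':
        return A if A[2] != p else (TOP if j in A[1] else BOT)
    if A[0] in ('and', 'or'):
        return simplify(A[0], reduce_eq(A[1], p, j), reduce_eq(A[2], p, j))
    return A

def holds(A, I):
    """Truth of A under the omega-assignment I (dict var -> its unique value)."""
    if A == TOP:
        return True
    if A == BOT:
        return False
    if A[0] == 'lit':
        return I[A[2]] in A[1]
    x, y = holds(A[1], I), holds(A[2], I)
    return x and y if A[0] == 'and' else x or y

def omega_assignments(omega):
    vs = sorted(omega)
    for vals in product(*(sorted(omega[v]) for v in vs)):
        yield dict(zip(vs, vals))

def proposition_1_holds(A, omega, p, j):
    """Every model I of A is a model of A[p != j] when I(p) != j and of
    A[p = j] when I(p) == j (Proposition 1), checked by enumeration."""
    A_ne, A_eq = reduce_ne(A, omega, p, j), reduce_eq(A, p, j)
    return all(holds(A_eq if I[p] == j else A_ne, I)
               for I in omega_assignments(omega) if holds(A, I))

# Constructed input: omega(p) = omega(q) = 5 and
# A = ({1,2}:p ∨ {0}:q) ∧ {-2,-1,0,1}:p
FIVE = frozenset({-2, -1, 0, 1, 2})
OMEGA = {'p': FIVE, 'q': FIVE}
SAMPLE = ('and', ('or', lit({1, 2}, 'p'), lit({0}, 'q')), lit({-2, -1, 0, 1}, 'p'))
```

Note that `reduce_ne` tests for the opposite literal $\overline{\{j\}{:}p}$ against `omega[p]`, so the same formula reduces differently under different possible truth-values functions; this is what makes a chain of reductions such as $E_{\Pi,\sigma}$ in Section 4.3 well defined.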
4 Signability of N5

As we saw, the application of signed logics in automated deduction for many-valued
logics allows us to take a formula in an $n$-valued logic and construct a
signed formula in $\mathbf{S}_n$ whose unsatisfiability is equivalent to the validity of the
initial formula. Once this transformation is realised, one can apply the various
satisfiability tests for signed logics. A special case is created by tableaux algorithms
in which one does not carry out an explicit conversion of formulas; rather
one uses the conversion rules as expansion rules for the tableaux.

The conversion process described earlier is denoted generically as signing,
and the process of conversion now being considered is called the signing transformation.
In general, the size of a signed formula obtained by conversion can be
different from that of the initial formula. In fact, there are only two possibilities:
(i) the size of the signed formula diminishes or grows linearly with respect to the
size of the initial formula, or else (ii) it grows exponentially. If it is possible to
define a signing transformation with property (i) for all formulas, then the
logic is called signable. Several families of signable logics have been described,
for example logics with regular connectives [?] and the super-family of logics
with ortho-regular connectives [?].

Here we shall introduce the signing transformation not only for validity but
also to generate total models and to check the equilibrium property.

4.1 Signing N5 for Validity: Signing-Down and Signing-Up

Let $S$ be a set among the following ones: $[\le j_0] = \{j \in \mathbf{5} \mid j \le j_0\}$, $[\ge j_0] = \{j \in \mathbf{5} \mid j \ge j_0\}$,
for $j_0 \in \mathbf{5}$. We define the operators $(S{:}) : \mathrm{N5} \to \mathbf{S}_5$ as follows:

1. $[\ge j]{:}(\varphi \vee \psi) = [\ge j]{:}\varphi \vee [\ge j]{:}\psi$

2. $[\le j]{:}(\varphi \vee \psi) = [\le j]{:}\varphi \wedge [\le j]{:}\psi$

3. $[\ge j]{:}(\varphi \wedge \psi) = [\ge j]{:}\varphi \wedge [\ge j]{:}\psi$

4. $[\le j]{:}(\varphi \wedge \psi) = [\le j]{:}\varphi \vee [\le j]{:}\psi$

5. $[\ge j]{:}({\sim}\varphi) = [\le -j]{:}\varphi$

6. $[\le j]{:}({\sim}\varphi) = [\ge -j]{:}\varphi$

7. $[\ge j]{:}(\neg\varphi) = [\le 0]{:}\varphi$, for $j \in \{0, 1, 2\}$

8. $[\ge -1]{:}(\neg\varphi) = [\le 1]{:}\varphi$

9. $[\le j]{:}(\neg\varphi) = \{1, 2\}{:}\varphi$, for $j \in \{-1, 0, 1\}$

10. $\{-2\}{:}(\neg\varphi) = \{2\}{:}\varphi$

11. $\{2\}{:}(\varphi \to \psi) = \{-2,-1,0\}{:}\varphi \vee \{2\}{:}\psi \vee (\{-2,-1,0,1\}{:}\varphi \wedge \{1,2\}{:}\psi)$

12. $[\ge j]{:}(\varphi \to \psi) = [\le 0]{:}\varphi \vee [\ge j]{:}\psi$, if $j \in \{-1, 0, 1\}$

13. $[\le j]{:}(\varphi \to \psi) = [\ge 1]{:}\varphi \wedge [\le j]{:}\psi$, if $j \in \{-2, -1, 0\}$

14. $\{-2,-1,0,1\}{:}(\varphi \to \psi) = (\{1,2\}{:}\varphi \wedge \{-2,-1,0\}{:}\psi) \vee (\{2\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi)$

These operators can be used to describe a tableaux prover for the N5 logic
using the approach of [?] and [?]; if we apply them to transform the formulas
as shown in the following theorem, we can employ other algorithms such as
TAS [?] or resolution.

Theorem 2. 1. $\varphi_1, \ldots, \varphi_n \models \psi$ if and only if the following signed formula is
unsatisfiable in $\mathbf{S}_5$: $\{2\}{:}\varphi_1 \wedge \cdots \wedge \{2\}{:}\varphi_n \wedge \{-2,-1,0,1\}{:}\psi$.

2. Let $\Pi = \{\varphi_1, \ldots, \varphi_n\}$ be a set of formulas of N5 and $M_\Pi = \{2\}{:}\varphi_1 \wedge \cdots \wedge \{2\}{:}\varphi_n$,
in $\mathbf{S}_5$. Then there is a bijection between the models of $\Pi$ and the
models of $M_\Pi$: $\sigma$ is a model of $\Pi$ if and only if $I_\sigma$ is a model of $M_\Pi$, where
$I_\sigma(\{j\}{:}p) = 1$ if and only if $\sigma(p) = j$.
For example, to study the validity of the formula $\varphi = (p \to \neg q) \to (q \to \neg p)$ we
use $\{-2,-1,0,1\}{:}((p \to \neg q) \to (q \to \neg p)) =$

\[
((\{-2,-1,0\}{:}p \vee \{-2,-1,0\}{:}q) \wedge \{1,2\}{:}q \wedge \{1,2\}{:}p) \vee
((\{-2,-1,0\}{:}p \vee \{-2,-1,0\}{:}q \vee (\{-2,-1,0,1\}{:}p \wedge \{-2,-1,0\}{:}q)) \wedge ((\{1,2\}{:}q \wedge \{1,2\}{:}p) \vee (\{2\}{:}q \wedge \{1,2\}{:}p)))
\]

Items 11 and 14 in the definition of the intermediate operator indicate that the
logic N5 is not signable. To improve the definition of the intermediate operators we
can add more rules to take account of more general schemata of formulas. For
example, we can replace rules 11 and 14 by the following:

11a. $\{2\}{:}(\varphi \to \neg\psi) = \{-2,-1,0\}{:}\varphi \vee \{-2,-1,0\}{:}\psi$

11b. $\{2\}{:}(\neg\varphi \to \psi) = \{1,2\}{:}\varphi \vee \{2\}{:}\psi$

11c. $\{2\}{:}(\varphi \to \psi) = \{-2,-1,0\}{:}\varphi \vee \{2\}{:}\psi \vee (\{-2,-1,0,1\}{:}\varphi \wedge \{1,2\}{:}\psi)$,
if $\varphi \ne \neg\varphi'$ and $\psi \ne \neg\psi'$

14a. $\{-2,-1,0,1\}{:}(\neg\varphi \to \psi) = \{-2,-1,0\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi$

14b. $\{-2,-1,0,1\}{:}(\varphi \to \neg\psi) = \{1,2\}{:}\varphi \wedge \{1,2\}{:}\psi$

14c. $\{-2,-1,0,1\}{:}(\varphi \to \psi) = (\{1,2\}{:}\varphi \wedge \{-2,-1,0\}{:}\psi) \vee (\{2\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi)$,
if $\varphi \ne \neg\varphi'$ and $\psi \ne \neg\psi'$

With this definition, the signed formula for the example above is:

\[
\{-2,-1,0,1\}{:}((p \to \neg q) \to (q \to \neg p)) =
((\{-2,-1,0\}{:}p \vee \{-2,-1,0\}{:}q) \wedge \{1,2\}{:}q \wedge \{1,2\}{:}p) \vee
((\{-2,-1,0\}{:}p \vee \{-2,-1,0\}{:}q) \wedge \{1,2\}{:}q \wedge \{1,2\}{:}p)
\]

The improvement obtained with the added rules arises from the fact that a
formula of the form $\neg\varphi$ only takes values in the set $\{-2, -1, 2\}$. Generalising this
line of reasoning, we can once more improve on the definition of the operators,
taking account for example of what happens to a formula of type $\varphi \to \psi$ if we
know that $\psi$ can only take values in $\{-2, -1, 2\}$ but neither $\varphi$ nor $\psi$ is a negated
formula.

To make use of this information we introduce the following notation. Let $\varphi$
be a formula in N5 and $S \subseteq \mathbf{5}$; we write $\varphi_S$ if every assignment in N5 evaluates
$\varphi$ in $S$, ie. $\varphi$ is an $S$-tautology, and there is no $S'$ such that $S' \subset S$ and $\varphi$ is an
$S'$-tautology. For every formula $\varphi$, the process called signing-up calculates the
set $S$ such that $\varphi_S$, partially evaluating the function represented by $\varphi$ in the
Nelson algebra (from the variables to the main connective), in contrast to the
signing process which passes down the sign from the principal connective until
it reaches the variables, signing-down. In this way, the original rules 11 and 14
can be replaced by the following:

11a'. $\{2\}{:}(\varphi_{\{-2,-1,2\}} \to \psi_S) = \{-2,-1\}{:}\varphi \vee \{2\}{:}\psi$

11b'. $\{2\}{:}(\varphi_S \to \psi_{\{-2,-1,2\}}) = \{-2,-1,0\}{:}\varphi \vee \{2\}{:}\psi$

11c'. $\{2\}{:}(\varphi_S \to \psi_{S'}) = \{-2,-1,0\}{:}\varphi \vee \{2\}{:}\psi \vee (\{-2,-1,0,1\}{:}\varphi \wedge \{1,2\}{:}\psi)$,
if $S \ne \{-2,-1,2\}$ and $S' \ne \{-2,-1,2\}$

14a'. $\{-2,-1,0,1\}{:}(\varphi_{\{-2,-1,2\}} \to \psi_S) = \{2\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi$

14b'. $\{-2,-1,0,1\}{:}(\varphi_S \to \psi_{\{-2,-1,2\}}) = \{1,2\}{:}\varphi \wedge \{-2,-1\}{:}\psi$

14c'. $\{-2,-1,0,1\}{:}(\varphi_S \to \psi_{S'}) = (\{1,2\}{:}\varphi \wedge \{-2,-1,0\}{:}\psi) \vee (\{2\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi)$,
if $S \ne \{-2,-1,2\}$ and $S' \ne \{-2,-1,2\}$

(Rules 14a' and 14b' are the complements of 11a' and 11b': the sign $\{-2,-1,0,1\}$ is the
complement of $\{2\}$, so each is obtained from the corresponding primed 11-rule by
dualising connectives and complementing signs.)

In the previous example, the size of the formula resulting from the signing is
similar to that of the initial formula in N5:

\[
\{-2,-1,0,1\}{:}((p \to \neg q) \to (q \to \neg p)) = (\{-2,-1,0\}{:}p \vee \{-2,-1,0\}{:}q) \wedge \{1,2\}{:}q \wedge \{1,2\}{:}p
\]

4.2 Signing for the Generation of Total Models

Total models evaluate the propositional variables in the set $\mathbf{3} = \{-2, 0, 2\}$, and
therefore we only need to sign over the logic $\mathbf{S}_3$ in order to generate these models.
For this we will use the intermediate operators $(S{:}) : \mathrm{N5} \to \mathbf{S}_3$ for the sets $S$
among the following: $[\ge 2] = \{2\}$, $[\ge 0] = \{0, 2\}$, $[\le -2] = \{-2\}$, $[\le 0] = \{-2, 0\}$. The
definitions are:

1. $[\ge j]{:}(\varphi \vee \psi) = [\ge j]{:}\varphi \vee [\ge j]{:}\psi$

2. $[\le j]{:}(\varphi \vee \psi) = [\le j]{:}\varphi \wedge [\le j]{:}\psi$

3. $[\ge j]{:}(\varphi \wedge \psi) = [\ge j]{:}\varphi \wedge [\ge j]{:}\psi$

4. $[\le j]{:}(\varphi \wedge \psi) = [\le j]{:}\varphi \vee [\le j]{:}\psi$

5. $[\ge j]{:}({\sim}\varphi) = [\le -j]{:}\varphi$

6. $[\le j]{:}({\sim}\varphi) = [\ge -j]{:}\varphi$

7. $\{2\}{:}(\neg\varphi) = \{0,2\}{:}(\neg\varphi) = \{-2,0\}{:}\varphi$

8. $\{-2\}{:}(\neg\varphi) = \{-2,0\}{:}(\neg\varphi) = \{2\}{:}\varphi$

9. $\{2\}{:}(\varphi \to \psi) = \{-2,0\}{:}\varphi \vee \{2\}{:}\psi$

10. $\{0,2\}{:}(\varphi \to \psi) = \{-2,0\}{:}\varphi \vee \{0,2\}{:}\psi$

11. $\{-2\}{:}(\varphi \to \psi) = \{2\}{:}\varphi \wedge \{-2\}{:}\psi$

12. $\{-2,0\}{:}(\varphi \to \psi) = \{2\}{:}\varphi \wedge \{-2,0\}{:}\psi$

Theorem 3. Let $\Pi = \{\varphi_1, \ldots, \varphi_n\}$ be a set of formulas of N5 and let $T_\Pi$ be the
formula in $\mathbf{S}_3$ defined as follows: $T_\Pi = \{2\}{:}\varphi_1 \wedge \cdots \wedge \{2\}{:}\varphi_n$. Then there is a
bijection between the models of $T_\Pi$ in $\mathbf{S}_3$ and the total models of $\Pi$: $I$ is a model
of $T_\Pi$ if and only if $\sigma_I$ is a total model of $\Pi$, where $\sigma_I(p) = j$ if and only if
$I(\{j\}{:}p) = 1$.

The inverse of the bijection in this theorem is defined in a natural way: if $\sigma$ is
a total model of $\Pi$, then $I_\sigma$ is a model of $T_\Pi$, where $I_\sigma(\{j\}{:}p) = 1$ if and only if
$\sigma(p) = j$. Therefore, we can use any model generator for signed logics applied
to $\mathbf{S}_3$ (like tableaux [?] or TAS [?]) and then translate these to total models
using the bijection.

4.3 Signing to Check the Equilibrium Property

Given a total model $\sigma$ of a set of formulas $\Pi$ we want to decide if this model is
in equilibrium, ie. to decide whether it is minimal wrt $\le$ in the set of all models
of $\Pi$. Then the question is: is there another model $\sigma'$ of $\Pi$ such that $\sigma' \le \sigma$?
Assume that $\{p_1, \ldots, p_m\}$ is the set of propositional variables in $\Pi$ and:

\[
\sigma(p_i) = -2 \text{ if } 1 \le i \le k;\quad \sigma(p_i) = 0 \text{ if } k+1 \le i \le l;\quad \sigma(p_i) = 2 \text{ if } l+1 \le i \le m
\]

where $1 \le k \le l \le m$. If the model $\sigma' \le \sigma$ exists, then it must verify that:

\[
\sigma'(p_i) \le -1 \text{ if } 1 \le i \le k;\quad \sigma'(p_i) = 0 \text{ if } k+1 \le i \le l;\quad \sigma'(p_i) \ge 1 \text{ if } l+1 \le i \le m
\]

and in addition $\sigma' \ne \sigma$. Then we are looking for another model of $M_\Pi$ with
these restrictions; that is, we are seeking another model for the formula:

\[
E_{\Pi,\sigma} = M_\Pi[p_1 \ne 0, p_1 \ne 1, p_1 \ne 2, \ldots, p_k \ne 0, p_k \ne 1, p_k \ne 2,\
p_{k+1} = 0, \ldots, p_l = 0,\
p_{l+1} \ne -2, p_{l+1} \ne -1, p_{l+1} \ne 0, \ldots, p_m \ne -2, p_m \ne -1, p_m \ne 0]
\]

By Proposition 1, $I_\sigma$ is a model of $E_{\Pi,\sigma}$, and thus $\sigma$ is in equilibrium if and only
if $I_\sigma$ is the unique model of $E_{\Pi,\sigma}$.

Actually, the formula $E_{\Pi,\sigma}$ is a formula in a reduction of $\mathbf{S}_5$ given by the following
possible truth-values function: $\omega_\sigma(p) = \{-2, -1\}$ if $\sigma(p) = -2$; $\omega_\sigma(p) = \{0\}$ if
$\sigma(p) = 0$; and $\omega_\sigma(p) = \{1, 2\}$ if $\sigma(p) = 2$. Using just its definition, computing
$E_{\Pi,\sigma}$ can be very complicated; however, this formula can be obtained with
a signing operator over the reduction $\mathbf{S}_{\omega_\sigma}$. To describe this process efficiently,
we are going to use the signing-up method introduced earlier, but we need the
following property.

Lemma 1. Let $\omega$ be a function such that, for every propositional variable $p$,
either $\omega(p) = \{-2,-1\}$, or $\omega(p) = \{0\}$, or $\omega(p) = \{1,2\}$. Then, for every
formula $\varphi$ in N5, just one of the following properties holds:

a) $\varphi_{\{-2,-1\}}$ \quad b) $\varphi_{\{0\}}$ \quad c) $\varphi_{\{1,2\}}$

Thus, the required intermediate operators are:

1. $S_1{:}(\varphi_{S_2}) = \bot$, if $S_1 \cap S_2 = \emptyset$;
$S_1{:}(\varphi_{S_2}) = \top$, if $S_2 \subseteq S_1$;
$S_1{:}(\varphi_{S_2}) = (S_1 \cap S_2){:}\varphi$, otherwise.

2. $\{2\}{:}(\varphi_{\{1,2\}} \to \psi_{\{1,2\}}) = \{1\}{:}\varphi \vee \{2\}{:}\psi$

3. $\{1\}{:}(\varphi_{\{1,2\}} \to \psi_{\{1,2\}}) = \{2\}{:}\varphi \wedge \{1\}{:}\psi$

4. $\{-2\}{:}(\varphi_{\{1,2\}} \to \psi_{\{-2,-1\}}) = \{-2\}{:}\psi$

5. $\{-1\}{:}(\varphi_{\{1,2\}} \to \psi_{\{-2,-1,0\}}) = \{-1\}{:}\psi$

6. $\{-2\}{:}\neg(\varphi_{\{1,2\}}) = \{2\}{:}\varphi$

7. $\{-1\}{:}\neg(\varphi_{\{1,2\}}) = \{1\}{:}\varphi$

8. $\{2\}{:}{\sim}(\varphi_{\{-2,-1\}}) = \{-2\}{:}\varphi$

9. $\{1\}{:}{\sim}(\varphi_{\{-2,-1\}}) = \{-1\}{:}\varphi$

10. $\{-2\}{:}{\sim}(\varphi_{\{1,2\}}) = \{2\}{:}\varphi$

11. $\{-1\}{:}{\sim}(\varphi_{\{1,2\}}) = \{1\}{:}\varphi$

12. $\{2\}{:}(\varphi_{\{1,2\}} \vee \psi_S) = \{2\}{:}\varphi \vee \{2\}{:}\psi_S$

13. $\{1\}{:}(\varphi_{\{1,2\}} \vee \psi_S) = \{1\}{:}\varphi \wedge \{-2,-1,0,1\}{:}\psi_S$

14. $\{-2\}{:}(\varphi_{\{-2,-1\}} \vee \psi_{\{-2,-1\}}) = \{-2\}{:}\varphi \wedge \{-2\}{:}\psi$

15. $\{-1\}{:}(\varphi_{\{-2,-1\}} \vee \psi_S) = \{-1\}{:}\varphi \vee \{-1\}{:}\psi_S$

16. $\{2\}{:}(\varphi_{\{1,2\}} \wedge \psi_{\{1,2\}}) = \{2\}{:}\varphi \wedge \{2\}{:}\psi$

17. $\{1\}{:}(\varphi_{\{1,2\}} \wedge \psi_{\{1,2\}}) = \{1\}{:}\varphi \vee \{1\}{:}\psi$

18. $\{-2\}{:}(\varphi_{\{-2,-1\}} \wedge \psi_S) = \{-2\}{:}\varphi \vee \{-2\}{:}\psi_S$

19. $\{-1\}{:}(\varphi_{\{-2,-1\}} \wedge \psi_S) = \{-1\}{:}\varphi \wedge \{-1,0,1,2\}{:}\psi_S$

Theorem 4. Let $\Pi = \{\varphi_1, \ldots, \varphi_n\}$ be a set of formulas in N5, $\sigma$ a total model
of $\Pi$, and let us consider the signed formula in $\mathbf{S}_{\omega_\sigma}$:

\[
E_{\Pi,\sigma} = \{2\}{:}\varphi_1 \wedge \cdots \wedge \{2\}{:}\varphi_n
\]

Then $\sigma$ is in equilibrium if and only if $I_\sigma$ is the unique model of $E_{\Pi,\sigma}$ in $\mathbf{S}_{\omega_\sigma}$.

Example 1. Let us consider the set $\Pi = \{p,\ q \to r,\ r \to q\}$; thus $T_\Pi = \{2\}{:}p \wedge
(\{-2,0\}{:}q \vee \{2\}{:}r) \wedge (\{-2,0\}{:}r \vee \{2\}{:}q)$. The models can be easily obtained by using
any model generator for signed formulas. So we obtain the following total models
for $\Pi$:

             p    q    r
  sigma_1    2    2    2
  sigma_2    2    0    0
  sigma_3    2    0   -2
  sigma_4    2   -2    0
  sigma_5    2   -2   -2

1. For $\sigma_1$: $E_{\Pi,\sigma_1} = \{2\}{:}p \wedge (\{1\}{:}q \vee \{2\}{:}r) \wedge (\{1\}{:}r \vee \{2\}{:}q)$ has a second model,
given by $\tau_1(p) = 2$, $\tau_1(q) = 1$, $\tau_1(r) = 1$; therefore $\tau_1 < \sigma_1$ and $\sigma_1$ is not an
equilibrium model.

2. For $\sigma_2$: $E_{\Pi,\sigma_2} = \{2\}{:}p$ has a unique model, $\sigma_2$, and thus $\sigma_2$ is an equilibrium
model. Actually, this is the unique equilibrium model of $\Pi$.
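The signing-down rules of Section 4.1 and the three checks they support (Theorem 2 for validity, Theorem 3 for total models, Theorem 4 for the equilibrium property, worked on Example 1) as one added Python example that is not code from the paper. The `sign` function implements rules 1 to 14 for signs of the form $[\ge j]$ and $[\le j]$, with rules 5 to 10 written as the preimage of the sign under the truth function of the negation, which is what those rules spell out case by case; the improved rules of 11a to 14c' are not implemented. Instead of carrying out the reduction $E_{\Pi,\sigma}$ syntactically, `signed_is_equilibrium` evaluates $M_\Pi$ directly over the $\omega_\sigma$-assignments, which by Proposition 1 yields the same models. The tuple encodings, function names and the 27-assignment enumeration for $\mathbf{S}_3$ are conventions of this example.

```python
# Added example, not from the paper: the signing-down transformation of
# Section 4.1 (rules 1-14), Theorem 2, total models over {-2,0,2}
# (Theorem 3) and the equilibrium check over omega_sigma (Theorem 4), all
# by enumeration of omega-assignments.  N5 formulas are tuples ('var','p'),
# ('neg',f), ('not',f), ('and',f,g), ('or',f,g), ('imp',f,g); signed
# formulas are ('lit', S, 'p') with S a frozenset, ('and',..), ('or',..), TOP.
from itertools import product

FIVE = frozenset({-2, -1, 0, 1, 2})
TOP = ('top',)

def ge(j): return frozenset(x for x in FIVE if x >= j)   # [>= j]
def le(j): return frozenset(x for x in FIVE if x <= j)   # [<= j]

def sign(S, f):
    """S:f for a sign S of the form [>= j] or [<= j] (signing-down)."""
    op = f[0]
    if op == 'var':
        return ('lit', S, f[1])
    up = 2 in S                     # [>= j] contains 2, [<= j] contains -2
    if op in ('and', 'or'):         # rules 1-4: max/min distribute dually
        a, b = sign(S, f[1]), sign(S, f[2])
        return ('and', a, b) if (op == 'and') == up else ('or', a, b)
    if op == 'neg':                 # rules 5-6: [>= j]:~f = [<= -j]:f
        return sign(frozenset(-x for x in S), f[1])
    if op == 'not':                 # rules 7-10 as the preimage of S under ¬
        return sign(frozenset(x for x in FIVE if (2 if x <= 0 else -x) in S), f[1])
    g, h = f[1], f[2]               # implication, rules 11-14
    if S == ge(2):
        return ('or', ('or', sign(le(0), g), sign(ge(2), h)),
                ('and', sign(le(1), g), sign(ge(1), h)))
    if S == le(1):
        return ('or', ('and', sign(ge(1), g), sign(le(0), h)),
                ('and', sign(ge(2), g), sign(le(1), h)))
    if S == FIVE:
        return TOP
    if up:                          # rule 12, j in {-1, 0, 1}
        return ('or', sign(le(0), g), sign(S, h))
    return ('and', sign(ge(1), g), sign(S, h))   # rule 13, j in {-2,-1,0}

def holds(sf, a):
    """Truth of a signed formula under the assignment a (dict var -> value)."""
    if sf == TOP:
        return True
    if sf[0] == 'lit':
        return a[sf[2]] in sf[1]
    x, y = holds(sf[1], a), holds(sf[2], a)
    return x and y if sf[0] == 'and' else x or y

def svars(sf, acc=None):
    acc = set() if acc is None else acc
    if sf[0] == 'lit':
        acc.add(sf[2])
    elif sf[0] != 'top':
        svars(sf[1], acc); svars(sf[2], acc)
    return acc

def omega_models(sf, omega):
    """Models of sf among the omega-assignments (one value per variable)."""
    vs = sorted(omega)
    for vals in product(*(sorted(omega[p]) for p in vs)):
        a = dict(zip(vs, vals))
        if holds(sf, a):
            yield a

def signed_theory(theory):
    """M_Pi = {2}:f1 ∧ ... ∧ {2}:fn."""
    sf = TOP
    for f in theory:
        sf = ('and', sf, sign(ge(2), f))
    return sf

def n5_valid(theory, psi):
    """Theorem 2(1): premises |= psi iff M_Pi ∧ {-2,-1,0,1}:psi is unsatisfiable."""
    sf = ('and', signed_theory(theory), sign(le(1), psi))
    return next(omega_models(sf, {p: FIVE for p in svars(sf)}), None) is None

def signed_total_models(theory):
    """Theorem 3: M_Pi evaluated over omega(p) = {-2,0,2} gives exactly the
    total models (the S3 rules only drop disjuncts redundant on these values)."""
    sf = signed_theory(theory)
    return list(omega_models(sf, {p: frozenset({-2, 0, 2}) for p in svars(sf)}))

def signed_is_equilibrium(theory, sigma):
    """Theorem 4: sigma is in equilibrium iff it is the unique model of M_Pi
    among the omega_sigma-assignments, i.e. of the reduction E_{Pi,sigma}."""
    rng = {-2: frozenset({-2, -1}), 0: frozenset({0}), 2: frozenset({1, 2})}
    omega = {p: rng[v] for p, v in sigma.items()}
    return list(omega_models(signed_theory(theory), omega)) == [sigma]

# Constructed input: Example 1 of Section 4.3.
P, Q, R = ('var', 'p'), ('var', 'q'), ('var', 'r')
EXAMPLE = [P, ('imp', Q, R), ('imp', R, Q)]
```

For $\sigma_3 = (2, 0, -2)$ the signed theory collapses to $\{2\}{:}p$ just as for $\sigma_2$, but $\omega_{\sigma_3}(r) = \{-2,-1\}$ leaves $r$ free, so $I_{\sigma_3}$ is not the unique model and $\sigma_3$ is not in equilibrium; uniqueness is always judged over all variables of $\Pi$, not only those surviving in $E_{\Pi,\sigma}$.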

5 Complexity of Equilibrium Model Generation

The logics $\mathbf{S}_{\omega_\sigma}$ used to check the equilibrium property have the following important
properties: if $\sigma(p) = 0$, the signed literals with variable $p$ are logical
constants, $\{0\}{:}p = \top$, $\emptyset{:}p = \bot$; if $\sigma(p) = 2$, then $\{1,2\}{:}p = \top$, $\emptyset{:}p = \bot$ and $\{1\}{:}p$
and $\{2\}{:}p$ are opposite literals; if $\sigma(p) = -2$, then $\{-2,-1\}{:}p = \top$, $\emptyset{:}p = \bot$ and
$\{-1\}{:}p$ and $\{-2\}{:}p$ are opposite literals. Therefore, the logics $\mathbf{S}_{\omega_\sigma}$ actually form
a classical logic. We can define bijections between classical formulas and $\omega_\sigma$-formulas
and between classical assignments and $\omega_\sigma$-assignments. If CL denotes
classical logic with formulas in negation normal form, the bijection $\Psi : \mathbf{S}_{\omega_\sigma} \to \mathrm{CL}$
is defined as follows:

1. $\Psi(\{2\}{:}q) = q$ and $\Psi(\{1\}{:}q) = \neg q$ for every $q$ with $\sigma(q) = 2$.

2. $\Psi(\{-2\}{:}p) = p$ and $\Psi(\{-1\}{:}p) = \neg p$ for every $p$ with $\sigma(p) = -2$.

3. $\Psi(A \vee B) = \Psi(A) \vee \Psi(B)$

4. $\Psi(A \wedge B) = \Psi(A) \wedge \Psi(B)$

The bijection between the sets of assignments, denoted by $\hat\Psi$, is defined in a
natural way: if $I$ is an $\omega_\sigma$-assignment, $\hat\Psi(I)(p) = 1$ if and only if either $I(\{2\}{:}p) = 1$
or $I(\{-2\}{:}p) = 1$.

Therefore, these bijections have the following property: for any $\omega_\sigma$-formula
$A$ and every $\omega_\sigma$-assignment $I$, $I(A) = \hat\Psi(I)(\Psi(A))$.

Trivially, we see that $I$ is a model of a signed formula $A$ in $\mathbf{S}_{\omega_\sigma}$ if and only if
$\hat\Psi(I)$ is a model of $\Psi(A)$ in classical logic; therefore, $A$ is valid in $\mathbf{S}_{\omega_\sigma}$ if and only
if $\Psi(A)$ is valid in classical logic. As a consequence we observe that verifying
the equilibrium property for a total model can be carried out by means of a
satisfiability test for classical logic (although the transformation is not needed
for describing an algorithm), and so this problem is also NP-hard.
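The bijection $\Psi$ and the satisfiability test it licenses, as an added Python example that is not part of the paper. `psi` maps a signed formula of $\mathbf{S}_{\omega_\sigma}$ to classical negation normal form following items 1 to 4 above (a sign covering all of $\omega_\sigma(p)$ becomes $\top$ and one disjoint from it $\bot$, which also covers the $\sigma(p) = 0$ constants); `is_equilibrium_by_sat` then asks whether $\Psi(E_{\Pi,\sigma})$ together with the clause "some variable true under $\hat\Psi(I_\sigma)$ is false" is classically satisfiable, which by Theorem 4 holds exactly when $\sigma$ is not in equilibrium. The input `E1` is $E_{\Pi,\sigma_1}$ from Example 1, written out by hand; the tuple encodings and function names are this example's own.

```python
# Added example, not from the paper: the bijection Psi of Section 5 from the
# reduced signed logic S_{omega_sigma} to classical negation normal form, and
# the equilibrium test of Theorem 4 re-phrased as a classical satisfiability
# question.  Signed formulas: ('lit', S, 'p') with S a frozenset, ('and', A, B),
# ('or', A, B), TOP, BOT.  Classical NNF: ('pos', 'p'), ('negl', 'p'),
# ('and', ..), ('or', ..), TOP, BOT.
from itertools import product

TOP, BOT = ('top',), ('bot',)
RANGE = {2: frozenset({1, 2}), 0: frozenset({0}), -2: frozenset({-2, -1})}

def lit(S, p):
    return ('lit', frozenset(S), p)

def psi(A, sigma):
    """Psi(A) for the total model sigma: {2}:q -> q, {1}:q -> ¬q when
    sigma(q) = 2; {-2}:p -> p, {-1}:p -> ¬p when sigma(p) = -2; a sign
    covering all of omega_sigma(p) is ⊤ and one disjoint from it is ⊥."""
    if A in (TOP, BOT):
        return A
    if A[0] == 'lit':
        S, p = A[1], A[2]
        inter = S & RANGE[sigma[p]]
        if inter == RANGE[sigma[p]]:
            return TOP
        if not inter:
            return BOT
        return ('pos', p) if inter == {sigma[p]} else ('negl', p)
    return (A[0], psi(A[1], sigma), psi(A[2], sigma))

def psi_hat(sigma):
    """Psi-hat(I_sigma): p is true iff I_sigma({2}:p) = 1 or I_sigma({-2}:p) = 1."""
    return {p: v != 0 for p, v in sigma.items()}

def classical_value(F, A):
    if F == TOP:
        return True
    if F == BOT:
        return False
    if F[0] == 'pos':
        return A[F[1]]
    if F[0] == 'negl':
        return not A[F[1]]
    x, y = classical_value(F[1], A), classical_value(F[2], A)
    return x and y if F[0] == 'and' else x or y

def satisfiable(F, vs):
    return any(classical_value(F, dict(zip(vs, vals)))
               for vals in product((False, True), repeat=len(vs)))

def is_equilibrium_by_sat(E, sigma):
    """sigma is in equilibrium iff I_sigma is the unique model of E, i.e.
    Psi(E) ∧ (¬x_1 ∨ ... ∨ ¬x_n), with x_i the variables true under
    Psi-hat(I_sigma), is classically unsatisfiable."""
    differs = BOT
    for p, true in psi_hat(sigma).items():
        if true:
            differs = ('or', differs, ('negl', p))
    return not satisfiable(('and', psi(E, sigma), differs), sorted(sigma))

# Constructed input: E_{Pi,sigma_1} and sigma_1 from Example 1 of Section 4.3.
SIGMA1 = {'p': 2, 'q': 2, 'r': 2}
E1 = ('and', ('and', lit({2}, 'p'), ('or', lit({1}, 'q'), lit({2}, 'r'))),
      ('or', lit({1}, 'r'), lit({2}, 'q')))
```

The classical model found for `E1`, $p$ true and $q, r$ false, is $\hat\Psi(I_{\tau_1})$ for the second model $\tau_1$ of Example 1: the falsity of $q$ is the signed literal $\{1\}{:}q$, not the absence of $q$.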

Actually, the problem of checking the equilibrium property is NP-complete.
This fact is also a consequence of the bijection above. From a classical formula
we can construct a signed formula with a total model; then, using the signing
transformation in the reverse direction, we can construct a formula in N5 with
the same total model and the property: the model is in equilibrium if and only
if the initial classical formula is satisfiable. Because the described process is
polynomial, we have reduced the satisfiability problem in classical logic to the
problem of checking the equilibrium property. This yields a proof sketch for the
following theorem.

Theorem 5. The problem of deciding if a model $I$ of a set of formulas is an
equilibrium model is NP-complete.

Because the problem of generating the models of a signed formula is coNP-hard,
we obtain the following consequence of this result.

Corollary 1. (1) The problem of deciding whether a set of formulas has
equilibrium models, equilibrium consistency, is $\Sigma_2$-hard. (2) The decision problem
for equilibrium entailment is $\Pi_2$-hard.

6 Conclusions

We have presented equilibrium logic as a system of nonmonotonic reasoning
based on the nonclassical logic N5 of here-and-there with strong negation.
Equilibrium logic provides a conservative extension of answer set inference, not only
for extended, disjunctive logic programs, but also for significant extensions such
as the programs with nested expressions described in [?]. The paper provides
proof systems for N5 and for model-checking in equilibrium logic. The reduction
of the latter problem to an unsatisfiability problem of classical logic yields
complexity results for the various decision problems concerning equilibrium
entailment. The reduction also yields a basis for the practical implementation of
an automated reasoning tool, which could be based on the TAS methodology
developed by the (second and third) authors [?], or, eg. using a system such as
QUIP (see [?]) which implements various nonmonotonic formalisms by translating
given problems into quantified boolean formulas and applying a QSAT prover
to solve the corresponding decision problem. There is currently considerable
interest in practical answer set programming and in extending current systems like
smodels and dlv [?] to a richer syntax. Equilibrium logic provides a sound
theoretical basis for this, and the method of signed formulas applied here may
also yield a basis for practical implementations.
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Abstract. The goal of this paper is to extend classical logic with a gen- 
eralized notion of inductive definition supporting positive and negative 
induction, to investigate the properties of this logic, its relationships to 
other logics in the area of non-monotonic reasoning, logic programming 
and deductive databases, and to show its application for knowledge rep- 
resentation by giving a typology of definitional knowledge. 



1 Introduction 

One of the original ideas underlying the declarative semantics of logic programs 
with negation as failure was to interpret a logic program as a definition of its 
predicates. This view is underlying both the least model semantics of van Emden 
and Kowalski and Clark’s completion semantics Q. In Q, the relationship 
between logic programming and existing formalisations of inductive definitions 
in mathematical logic is investigated more closely. Standard work on positive 
or monotone induction was done by Moschovakis and Aczel Q. As shown 
in the abstract positive inductive definition logic defined in Q is formally 
isomorphic with the formalism of propositional Horn programs under least model 
semantics. 

Not all forms of induction in mathematics are monotone induction. One im- 
portant application of non-monotone induction is found in the context of induc- 
tive definitions in well-founded sets. Perhaps the best-known example of this is 
the definition of the powers of a non-monotone operator in Tarski’s least fixpoint 
theory of monotone operators As shown in induction in well-founded sets 
is in general non-monotone. In the context of mathematical logic, non-monotone 
forms of induction have been studied in the area of Iterated Inductive Definitions 
(IID) As argued in Q, the idea underlying such formalisms corresponds 

to stratification in logic programming. Negative induction appears when the do- 
main of the defined concept (s) can be stratified (possibly in transfinitely many 
of levels) such that higher level instances of the concept are defined positively 
or negatively in terms of lower level instances of the predicate. The concept can 
then be constructed by iterating the principle of positive induction for increasing 
levels. 
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As illustrated in Q, encoding even simple inductive definitions in systems 
of IID requires extremely tedious encoding, which makes these systems rather 
useless for practical knowledge representation. The main contribution of Q was 
to show that the principle of well-founded model in logic programming 
is a suitable mathematical principle that generalises both monotone and non- 
monotone induction. The well-founded model is obtained as the least fixpoint 
of the 3- valued stable operator The latter operator is a general and robust 
implementation of the principle of positive induction; negative induction is dealt 
with by iterating this positive induction operator in a least fixpoint computation. 

The study of the role of definitions in knowledge representation already has
a long tradition in A.I. As an outcome of a series of investigations into the
semantics of semantic networks¹, Brachman and Levesque [ref] observed that an
important component of expert knowledge is knowledge of the defining properties
of concepts, and that it is crucial to distinguish between defining properties
of concepts and assertional knowledge on concepts. Description logics are based
on this idea, and consist of a Tbox to represent definitional knowledge and an
Abox to represent assertional knowledge. In the context of non-monotonic reasoning,
definitions have received little attention so far. However, Reiter and
Amati et al. [ref] observed that an important method for analysis and computation
in common sense knowledge representation is to compile non-monotonic theories
into first order definitions (i.e. Clark completions). They argue that the advantages
of this compilation are that it clarifies the meaning of the original theory
and that it yields theories that are better suited for computational purposes.
Recently, [ref] and [ref] investigated the use of inductive definitions to represent
temporal and causal knowledge.

Consequently, a study of inductive definitions could not only lead to a better
understanding of the declarative semantics of logic programming but also to
a natural and useful knowledge representation logic and a better understanding
of the role and contribution of logic programming in the area of knowledge
representation. In [ref], generalised induction is investigated in the context of an
abstract infinitary propositional definition logic extending Aczel's positive induction
logic. The goal of this paper is to lift this propositional logic to a predicate
logic and to show the application of this logic for knowledge representation and
for the study of the semantics of logic programming and its extensions.

The structure of the paper is as follows. Section 3 defines an extension of
classical logic with generalised inductive definitions, suitable for representing
definitions in the context of uncertainty and incomplete knowledge. Section 4
investigates a number of formal properties and methodological guidelines of this
logic. In section 5 some applications of this logic for knowledge representation
are sketched and a typology of definitional knowledge is given. Section 6
discusses the relationship with logic programming and its extensions.

Proofs of theorems are omitted due to lack of space. 



¹ See [ref] for a discussion of this topic.

2 An Abstract Logic of Inductive Definitions

In [ref], I proposed an extension of Aczel's logic for general monotone and non-
monotone inductive definitions. The result is isomorphic with the formalism
of infinitary propositional logic programs (with negation) under well-founded
semantics. An abstract inductive definition (ID) D in this logic defines a set
Defined(D) of symbols, called the set of defined symbols, by a set of rules of
the form

$p \leftarrow B$

where p is a defined atom and B a set of positive or negative literals. The other
atoms are called open atoms; their set is denoted Open(D).

In [ref] it was argued that Przymusinski's 3-valued extension [ref] of Gelfond
and Lifschitz' stable model operator [ref] is a general and robust implementation
of the principle of positive induction, and that its least fixpoint, the well-founded
model [ref], naturally extends the ideas of Iterated Inductive Definitions and gives
the right semantics to generalized inductive definitions.

In general, given an ID D and an interpretation I of the open symbols of D,
there is a unique well-founded model extending I. An interpretation M is a
model of D iff M is the well-founded model extending $M_O$, where $M_O$ is the
restriction of M to the open symbols. In general, a model of an inductive
definition is a partial (3-valued) interpretation. However, for broad classes of
definitions, the well-founded model is known to be total (2-valued).

3 ID-Logic: Classical Logic with Definitions 

This section defines a conservative extension of classical logic with definitions.
An ID-logic theory T (based on some logical alphabet Σ) consists of a set of
classical logic sentences and a set of definitions. A definition D is a pair of a set
Defined(D) of predicates and a set Rules(D) of rules of the form:

$p(\bar t) \leftarrow F$

where $p \in Defined(D)$ and F is an arbitrary first order formula based on Σ. Predicates
of Defined(D) are called the defined predicates of D; other predicates are
called open predicates of D. A definition defines the defined predicates in terms
of the open predicates. More precisely, given some state of the open predicates,
the rule set of the definition gives an exhaustive enumeration of the cases in
which the defined predicates are true; any defined atom not covered by a rule is
defined as false.

A definition will be formally represented as in the example:

$$\left\{\begin{array}{l} even(0) \leftarrow \mathbf{t} \\ even(S(x)) \leftarrow odd(x) \\ odd(S(x)) \leftarrow even(x) \end{array}\right\}$$

This is one definition defining two predicates simultaneously.



Marc Denecker



In ID-logic, definitions are considered as sentences. An ID-logic theory based
on Σ consists of sentences and may contain different definitions, even for the
same predicates. A Σ-interpretation is a model of an ID-logic theory iff it is a
model of all its sentences. So, it suffices to define what a model of a definition is.

The semantics for propositional definitions of section 2 can be lifted quite
easily to the predicate case by use of the grounding technique: the technique
of reducing a predicate definition to an infinitary propositional definition.² In
the context of ID-logic, this grounding of a definition is constructed using the
domain, the functions and open predicates of some (general non-Herbrand) interpretation
I. The intuitive idea is that in the context of the interpretation I,
the predicate definition is a shorthand notation for its grounding. The grounding
is obtained in three simple steps: instantiation of the free variables in the rules
with domain elements of I, evaluation of the compound terms in the head of
these ground instantiations and replacement of the formula F in the body of
each ground instantiation by any partial model of F, i.e. any set of literals of
defined predicates that makes F true.

To define the grounding the following terminology is needed. Given an alphabet
Σ and a Σ-interpretation I, define the alphabet $\Sigma_I$ by adding the domain
elements of I as constants to Σ.³ I is naturally extended to $\Sigma_I$ by defining
I(x) = x for each domain element x of I. The evaluation of a ground term t of
$\Sigma_I$ (which may contain domain elements of I) is defined inductively as usual,
and is denoted $|t|^I$. Likewise, the truth value of a sentence of $\Sigma_I$ is defined by the
usual truth recursion.

Given some partial (3-valued) interpretation I and a definition D, $I_O$ denotes
the restriction of I to the constant, functor and open predicate symbols of D.
$At_I$ denotes the set of all atoms $p(\bar d)$ where p is a defined predicate of D and $\bar d$
is a tuple of domain elements of I. A ground instance of a rule $p(\bar t[\bar x]) \leftarrow F[\bar x]$,
with $\bar x$ the tuple of all its free variables, is a rule $p(\bar t[\bar d]) \leftarrow F[\bar d]$ obtained by
substituting domain elements $\bar d$ for $\bar x$.

Note that there is a one-to-one correspondence between partial interpretations
extending $I_O$ and consistent sets of $At_I$-literals, i.e. sets that do not contain
a pair of complementary literals $p(\bar d), \neg p(\bar d)$. Each partial interpretation J
extending $I_O$ defines a unique consistent set $S_J$ of all literals l of $At_I$ that are true
in J. Vice versa, each consistent set S defines a unique partial interpretation $J_S$
extending $I_O$ such that $J_S(l) = \mathbf{t}$ iff $l \in S$. Moreover, $J_{S_J} = J$.

Definition 1. Given an interpretation I, the grounding of a definition D w.r.t.
I, denoted $grounding_I(D)$, is the propositional definition defining all atoms of
$At_I$ and consisting of all rules

$p(|\bar t[\bar d]|^I) \leftarrow S_J$

such that $p(\bar t[\bar d]) \leftarrow F[\bar d]$ is a ground instance of a rule of D and J is a partial
model of $F[\bar d]$ extending $I_O$.

² In [ref] an alternative way of defining the well-founded semantics of predicate rules is
proposed; it is based on a different treatment of positive and negative occurrences of
predicates in the body of rules. I believe both techniques are equivalent but haven't
proven this.

³ Note that $\Sigma_I$ may be infinite, even non-countable. This is mathematically and philosophically
non-problematic because $\Sigma_I$ is purely used as a semantic device, namely
to define the grounding.



Definition 2. A 3-valued interpretation I is a justified interpretation of D iff
$S_I$ is the 3-valued (well-founded) model of the grounding of D w.r.t. I. I is a
justified interpretation of a theory T iff it is a justified interpretation of all its
definitions and a (3-valued) model of the classical logic sentences of T.

An interpretation I is a model of a definition D, resp. theory T, iff it is a
total (i.e. 2-valued) justified interpretation of D, resp. T.

The above model theory is based on total, general non-Herbrand models. As
a consequence, ID-logic is an extension of classical logic. The restriction to total
models is not only necessary to get an extension of classical logic, but also because
of methodological constraints on the use of definitions, as explained in the next
section.



Example 1. The first example shows that different definitions are independent
and interact in a monotonic way. Consider the theory consisting of three definitions.

$$\left\{\begin{array}{l} father :: \{\ father(x,y) \leftarrow parent(x,y) \wedge male(x)\ \} \\ mother :: \{\ mother(x,y) \leftarrow parent(x,y) \wedge female(x)\ \} \\ parent :: \left\{\begin{array}{l} parent(x,y) \leftarrow father(x,y) \\ parent(x,y) \leftarrow mother(x,y) \end{array}\right\} \end{array}\right\}$$

Note that in the first definition, father depends on parent, while in the third,
parent depends on father. However, the semantics of a set of definitions is
monotonically composed of the semantics of its definitions. Since none of these
definitions is recursive, each is equivalent with its completed definition. Consequently,
this triple of definitions is equivalent with the FOL theory:

$$\left\{\begin{array}{l} father(x,y) \leftrightarrow parent(x,y) \wedge male(x) \\ mother(x,y) \leftrightarrow parent(x,y) \wedge female(x) \\ parent(x,y) \leftrightarrow father(x,y) \vee mother(x,y) \end{array}\right\}$$

One can observe that if $male(x) \leftrightarrow \neg female(x)$ holds, then the definition of
parent is redundant.

Compare this theory with the simultaneous definition obtained by merging
the three definitions in one:

$$\{father, mother, parent\} :: \left\{\begin{array}{l} father(x,y) \leftarrow parent(x,y) \wedge male(x) \\ mother(x,y) \leftarrow parent(x,y) \wedge female(x) \\ parent(x,y) \leftarrow father(x,y) \\ parent(x,y) \leftarrow mother(x,y) \end{array}\right\}$$

This new definition is positive recursive. This has the unintended effect that in
each model, father, mother and parent are interpreted as the empty relationships.
Example 2. A theory can contain more definitions for the same concept. E.g.

$$even :: \left\{\begin{array}{l} even(0) \leftarrow \mathbf{t} \\ even(s(x)) \leftarrow \neg even(x) \end{array}\right\}$$

$$even :: \{\ even(x) \leftarrow \neg odd(x)\ \}$$

In the context of the natural numbers, the first definition defines even as the set
of even numbers. The second definition defines even as the complement of odd.
Though this theory does not contain a definition for odd, it entails that odd and
even are complements, and hence that odd is the set of odd numbers.




Definition 3. A definition is recursive iff a defined predicate appears in the
body of a rule. A definition is positive recursive iff all occurrences of the defined
predicates in the body of the rules are positive (i.e. occur in the scope of an even
number of negations). A simultaneous definition defines more than one predicate.
A stratified definition is one in which the defined predicates can be semi-ordered⁴
such that each defined predicate occurring positively, resp. negatively, in the body
of a rule is less, resp. strictly less, than the predicate in the head.

A definition hierarchy is a set $\mathcal{D}$ of definitions such that each predicate is
defined in at most one definition of $\mathcal{D}$ and $\mathcal{D}$ can be ordered such that each open
predicate appearing in a definition is not defined in a later definition.

Below, I define the concept of a well-founded definition. This concept generalizes
the principle of definition in a well-founded set.

Definition 4. A definition D is well-founded in some collection X of total interpretations
of the open predicates of D iff for each $I \in X$, there exists a
well-founded order on the atoms of $At_I$ such that for each ground instance
$p(\bar t[\bar d]) \leftarrow F[\bar d]$, the body $F[\bar d]$ has the same truth value in all partial interpretations
that extend I and are identical on all atoms less than $p(|\bar t[\bar d]|^I)$.

The following theorem states an interesting property of well-founded definitions.

Theorem 1. If D is well-founded in X, then each justified interpretation M of
D extending an element I of X is total (and hence a model) and coincides with
the least model of the 3-valued completion of D [ref] extending I. M is the unique
model of the Clark completion [ref] of D extending I.



Example 3. Consider the definition of even numbers:

$$even :: \left\{\begin{array}{l} even(0) \leftarrow \mathbf{t} \\ even(S(x)) \leftarrow \neg even(x) \end{array}\right\}$$

In the context of the natural numbers, this definition is well-founded and the justified
interpretation is total. However, in any interpretation where the successor
function contains cycles, the justified interpretation is partial.

⁴ A semi-order is a reflexive, transitive relation.

4 Properties of Definitions

4.1 Well-Defining Definitions 

The aim of an inductive definition is to define its defined predicates. Therefore, a
natural quality requirement is that those justified interpretations that are total
in the open predicates should define the truth of all defined predicates, i.e. they
should be total in all predicates. As shown by Example 3, the property of having
total justified interpretations is context dependent.

Definition 5. A definition $\mathcal{D}$ is well-defining in a collection $\mathcal{I}$ of total interpretations
of its open predicates iff each justified interpretation of $\mathcal{D}$ extending an
element of $\mathcal{I}$ is total. Otherwise, $\mathcal{D}$ is called an unfounded definition in $\mathcal{I}$.

Part of the knowledge representation methodology for representing defini- 
tions is to show that each definition in the theory is well-defining in the collec- 
tion of relevant interpretations of its open predicates. For this purpose, practical 
mathematical techniques must be developed. 

Theorem 2. Assume that a theory T can be split up in a sequence of theories
$T_1, .., T_n$ such that for each i, the predicates with a definition in $T_i$ do not appear
in $T_1 \cup .. \cup T_{i-1}$, and for each model I of $T_1 \cup .. \cup T_{i-1}$, the definitions in $T_i$ are
well-defining in I.

Then each justified interpretation of T, total for the subset of predicates without
definition in T, is total.

Some syntactic properties that guarantee that a definition is well-defining in 
every context are well-known from the logic programming literature: 

— non-recursive definitions 

— positive recursive definitions 

— stratified definitions 

Other properties guarantee well-defining definitions in some specific context.
Inductive definitions corresponding to acyclic [ref] or locally stratified logic programs
[ref] are well-defining in the context of Herbrand interpretations. It follows
from Theorem 1 that a well-founded definition in context I is also well-defining
in I.

A syntactical criterion that guarantees well-foundedness and hence well- 
defining-ness is the following. 

Definition 6. Define a relativized definition w.r.t. some strict order < as a
definition of a predicate $p(x, \bar y)$ that consists of rules:

$p(x, \bar t) \leftarrow F[x]$

such that each p-atom in F is of the form $p(z, \bar t)$ and appears in the scope of a
subformula of F[x] of the form $\forall z.\ z < x \Rightarrow G$ or $\exists z.\ z < x \wedge G$.

Relativized definitions are well-founded when < represents a well-founded
order.

Theorem 3. A relativized definition (w.r.t. <) is well-founded in each interpretation
that interprets < as a strict well-founded order.

Corollary 1 (of Theorem 3). A relativized definition is well-defining in each
interpretation that interprets < as a strict well-founded order.



4.2 Equivalence of Definitions 

In a logic for knowledge representation, there should be a well-understood notion 
of equivalence. The following example shows that one cannot simply replace 
bodies of rules by equivalent bodies (w.r.t. 2- valued semantics). 

Example 4. The definitions $p :: \{\ p \leftarrow \mathbf{t}\ \}$ and $p :: \{\ p \leftarrow p \vee \neg p\ \}$ have different
justified interpretations, respectively the interpretations (represented as literal
sets) {p} and {}. Note that their bodies are equivalent w.r.t. 2-valued semantics
but not w.r.t. 3-valued semantics.
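The following Python program is an added example, not code from the paper. It computes the well-founded model of a ground (propositional) definition with Van Gelder's alternating fixpoint, which yields the same model as the least fixpoint of the 3-valued stable operator of section 2, and applies it to the groundings of Examples 1, 3 and 4. The two-element domain {a, b}, the open facts male(a), female(b), parent(a,b), and the successor function with the cycle 1 → 2 → 1 are constructed for the example; they are not taken from the paper.

```python
from typing import FrozenSet, List, Set, Tuple

Literal = Tuple[str, bool]                # (atom, True = positive, False = negated)
Rule = Tuple[str, List[Literal]]          # head atom <- conjunction of literals
Model = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]  # (true, false, undefined)


def gamma(rules: List[Rule], defined: Set[str], open_true: FrozenSet[str],
          guess: Set[str]) -> Set[str]:
    """One stable-operator step: decide each negative literal on a *defined* atom
    by the guess (not q holds iff q is outside the guess), decide literals on open
    atoms by the fixed interpretation open_true, then compute the least fixpoint
    of positive induction over the rules that remain."""
    true: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head in true:
                continue
            for atom, positive in body:
                if atom in defined:
                    holds = (atom in true) if positive else (atom not in guess)
                else:
                    holds = (atom in open_true) == positive
                if not holds:
                    break
            else:                          # every literal of the body holds
                true.add(head)
                changed = True
    return true


def well_founded_model(rules: List[Rule], defined: Set[str],
                       open_true: FrozenSet[str] = frozenset()) -> Model:
    """Alternating fixpoint: gamma is anti-monotone, so gamma(gamma(.)) is
    monotone.  Its least fixpoint T is the set of true atoms; gamma(T) is the
    set of atoms that are true or undefined.  Returns (true, false, undefined)."""
    t: Set[str] = set()
    while True:
        u = gamma(rules, defined, open_true, t)       # over-estimate of the truth
        t_next = gamma(rules, defined, open_true, u)  # under-estimate of the truth
        if t_next == t:
            break
        t = t_next
    true = frozenset(t)
    return true, frozenset(defined) - frozenset(u), frozenset(u) - true


def heads(rules: List[Rule]) -> Set[str]:
    return {head for head, _ in rules}


# --- Example 4: p :: {p <- t} versus p :: {p <- p v ~p} ------------------------
def example_4() -> Tuple[Model, Model]:
    """The disjunctive body is split into two rules (equivalence preserving)."""
    fact = well_founded_model([("p", [])], {"p"})
    loop = well_founded_model([("p", [("p", True)]), ("p", [("p", False)])], {"p"})
    return fact, loop


# --- Example 3: even(0) <- t, even(S(x)) <- ~even(x) ---------------------------
def even_on_naturals(n: int = 5) -> Model:
    """Grounding over the natural numbers restricted to even(0)..even(n-1).
    Every body refers to a smaller atom, so the finite prefix is exact."""
    rules: List[Rule] = [("even(0)", [])]
    rules += [(f"even({k + 1})", [(f"even({k})", False)]) for k in range(n - 1)]
    return well_founded_model(rules, heads(rules))


def even_with_successor_cycle() -> Model:
    """Constructed 3-element interpretation whose successor function has the
    cycle 1 -> 2 -> 1 (an assumption for this example, not from the paper)."""
    succ = {0: 1, 1: 2, 2: 1}
    rules: List[Rule] = [("even(0)", [])]
    rules += [(f"even({succ[x]})", [(f"even({x})", False)]) for x in succ]
    return well_founded_model(rules, heads(rules))


# --- Example 1: merged family definition versus the father definition alone ----
DOMAIN = ("a", "b")                                         # constructed domain
OPEN = frozenset({"male(a)", "female(b)", "parent(a,b)"})   # constructed open facts


def merged_family() -> Model:
    """All three definitions merged into one positive recursive definition:
    parent is now defined, so the open fact parent(a,b) is ignored and nothing
    is derivable."""
    rules: List[Rule] = []
    for x in DOMAIN:
        for y in DOMAIN:
            rules.append((f"father({x},{y})", [(f"parent({x},{y})", True), (f"male({x})", True)]))
            rules.append((f"mother({x},{y})", [(f"parent({x},{y})", True), (f"female({x})", True)]))
            rules.append((f"parent({x},{y})", [(f"father({x},{y})", True)]))
            rules.append((f"parent({x},{y})", [(f"mother({x},{y})", True)]))
    return well_founded_model(rules, heads(rules), OPEN)


def father_alone() -> Model:
    """Only the definition of father; parent and male stay open and are read
    from OPEN, so father(a,b) is derived."""
    rules: List[Rule] = [(f"father({x},{y})", [(f"parent({x},{y})", True), (f"male({x})", True)])
                         for x in DOMAIN for y in DOMAIN]
    return well_founded_model(rules, heads(rules), OPEN)
```

Running the examples reproduces the text: `example_4()` gives the literal sets {p} and {} (the second with p undefined), `even_on_naturals()` is total, `even_with_successor_cycle()` leaves even(1) and even(2) undefined, and `merged_family()` makes all twelve father/mother/parent atoms false while `father_alone()` derives father(a,b) from the open parent fact.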

Some important cases of equivalence preserving rules are sketched below: 

— A rule $p(\bar t[\bar x]) \leftarrow F$ can be replaced by $p(\bar y) \leftarrow \exists \bar x.\ \bar y = \bar t[\bar x] \wedge F$.

— In a definition, two rules $p(\bar t) \leftarrow F_1$ and $p(\bar t) \leftarrow F_2$ can be replaced by one
rule $p(\bar t) \leftarrow F_1 \vee F_2$. Together with the first rule, it follows that a finite set
of rules defining a predicate can always be replaced by one rule. This rule is
similar to the Clark completed definition of a predicate.

— The substitution of a sub-formula $F[\bar x]$ in the body of a rule by
a formula $G[\bar x]$ is equivalence preserving if $F[\bar x]$ and $G[\bar x]$ are equivalent in
3-valued logic, i.e. if $\forall \bar x.\ F[\bar x] \leftrightarrow G[\bar x]$ is a tautology in 3-valued logic.⁵

— Define the composition of two definitions $Pred_1 :: \{ G_1 \}$ and $Pred_2 :: \{ G_2 \}$
as the definition $Pred_1 \cup Pred_2 :: \{ G_1 \cup G_2 \}$. In general, substituting a pair
of definitions by their composition is not equivalence preserving. [ref] presents
an extensive study of when merging definitions is equivalence preserving in
the context of open logic programming, a sub-formalism of the logic defined
here. One important example is that a definition hierarchy (Definition 3) is
equivalent with its composition. Note that the composition of a definition
hierarchy of positive recursive definitions is a stratified definition.



4.3 Monotonicity or Non-monotonicity? 

To be able to represent common sense knowledge, elaboration tolerant logics are
needed; elaboration tolerant logics are necessarily non-monotone [ref]. This is
the foundational argument for the study of non-monotonic logics.

⁵ Here the strong Kleene truth table for $\leftrightarrow$ must be used.
On the other hand, monotonicity is important as well. A classical argument
in favour of the logical approach to knowledge representation in A.I. is that logic
allows for a modular representation of knowledge: independent properties of
the problem domain can be represented by independent modules (i.e. the axioms)
which can be added together to one theory. Obviously though, composing a new
theory out of different independent modules should be modular, i.e. should
preserve the semantics of each module; this property is assured if the models of
the composition are the models of the independent modules. It is obvious that
modular composition implies that extension of one module with another is a
monotone operation.

Non-monotonicity is a necessary condition for elaboration tolerance; monotonicity
is a necessary condition for modular representation. How can a logic
reconcile these seemingly contradictory requirements? The solution lies in a clean
and well-understood distinction between monotone and non-monotone composition
and modules. In ID-logic, the distinction is particularly clear:

— Definitions and axioms are monotone modules. Adding a new definition or 
new axiom to a theory is a monotone operation. This follows trivially from 
the definition of model. 

— Rules in a definition constitute nonmonotone modules. Extending a defini- 
tion with one or more new rules is in general a non-monotone operation. 



4.4 Other Formalizations 

The well-founded semantics defines a uniform principle of inductive definition, 
and gives the correct semantics to a broad class of definitions. 

— The well-founded semantics of a non-recursive definition is the semantics of 
the Clark completion of this definition. 

— The well-founded semantics of a well-founded definition in a well-founded 
order is the semantics of the completion of this inductive definition. 

— The well-founded semantics of a positive recursive definition is the least 
relation (or set of relations) that satisfies the rules. Its semantics can be 
expressed via circumscription. 

— The well-founded semantics of a stratified definition is the semantics of the
composition of the positive recursive definitions that constitute it, and can
be expressed via a set of circumscription axioms, one per stratum.



5 Applications of Definitions 

Below some applications of ID-logic are given. 

Tables. 

The simplest way of defining a concept is by exhaustive enumeration of its 
elements. A table, as in the context of databases, can naturally be viewed 
as a definition by exhaustive enumeration. Tables are commonly used to 
define concepts, not only in databases but also in common sense knowledge
representation, e.g. to define some scenario.

Definitional versus Assertional Knowledge. 

As mentioned in the introduction, a major conclusion from the logical anal- 
ysis of semantic nets in the seventies is that a knowledge representation 
formalism should support the representation of definitional knowledge and 
assertional knowledge. The following example recalls the difference and il- 
lustrates how to express it in ID-logic. 

As an example, take the following definition of an elephant:

$$\{\ elephant :: \{\ elephant(x) \leftarrow animal(x) \wedge grey(x) \wedge has\_trunk(x)\ \}\ \}$$

Suppose we knew that Clyde is an elephant satisfying this definition. This
is assertional knowledge and is represented by adding elephant(Clyde) as
a FOL axiom. The extended theory entails that Clyde is a grey animal
with a trunk. Alternatively, suppose that Clyde is an elephant but pink
(due to a skin disease). To represent this, the definition must be extended
with the atomic rule elephant(Clyde). This atomic rule represents a new
case of the definition. Additional FOL assertions are needed: animal(Clyde),
pink(Clyde), has_trunk(Clyde).

Temporal Reasoning. 

In [ref] it was shown that Reiter's situation calculus has an equivalent
formalization by a set of positive recursive definitions of the fluent predicates
and of the effects of actions. Using general inductive definitions (with positive
and negative induction), the formalization can be further simplified in ID-logic.
Below, I sketch how to do this.

The definition defines all fluent symbols and all causal predicates by simultaneous
induction on the poset of situations. I introduce for each fluent f
three new predicates: $initially_f$ to represent the initial state of f, and $cause_f$
and $cause_{\neg f}$, representing initiating and terminating causes for f. For each
fluent symbol f, the definition contains three cases:⁶

$f(\bar x, S_0) \leftarrow initially_f(\bar x)$

$f(\bar x, do(a, s)) \leftarrow cause_f(a, s, \bar x)$

$f(\bar x, do(a, s)) \leftarrow f(\bar x, s) \wedge \neg cause_{\neg f}(a, s, \bar x)$

Note that in contrast to Reiter's situation calculus, this rule set does not
contain a rule of the form:

$\neg f(\bar x, do(a, s)) \leftarrow cause_{\neg f}(a, s, \bar x)$

However, it is easy to show that the completion of the above 3 rules entails
the formula:

$\neg f(\bar x, do(a, s)) \leftarrow \neg cause_f(a, s, \bar x) \wedge cause_{\neg f}(a, s, \bar x)$

which reduces to the causal rule for $\neg f$ if the natural requirement is added
that an action cannot cause f and $\neg f$ in the same situation. This requirement
is formalised by the clause:

$\leftarrow cause_{\neg f}(a, s), cause_f(a, s)$

This illustrates a general methodological principle of using inductive definitions.
In an inductive definition, one defines a concept by enumerating
the positive cases; given such an enumeration, the closure mechanism of the
semantics yields the negative cases.

⁶ We assume a many-sorted version of ID-logic, with situation, action and user defined
sorts.

In addition, per initiating effect of some action represented by an action term
$A[\bar y]$, there is a case:

$cause_f(A[\bar y], s, \bar x) \leftarrow F[\bar y, s, \bar x]$

such that the only term in F of the situation sort is s and it appears purely
in fluent symbols. Likewise, for each terminating effect there is a case:

$cause_{\neg f}(A[\bar y], s, \bar x) \leftarrow F[\bar y, s, \bar x]$

Theorem 4. A definition consisting of the above rules is well-founded in
the collection of all interpretations that satisfy the Unique Names Axioms
(UNA) and the second order induction axiom for the situation sort.⁷

It follows from Theorem 1 that the semantics of this inductive definition coincides
with its Clark completion. Note that the completion of this definition
is very similar to Reiter's state successor axioms.

The inductive definition representation of situation calculus in ID-logic rep- 
resents initiating and terminating effects in a case-by-case way. This results 
in a modular, elaboration tolerant representation of the domain in the sense 
that one can easily add new cases or drop or refine existing ones. This def- 
inition can be further extended with definitions for defined fluents, e.g. the 
definition of the transitive closure of physical connections in a computer 
network, in the context in which these physical connections may change: 

$connected(c_1, c_2, s) \leftarrow physical\_connection(c_1, c_2, s)$
$connected(c_1, c_2, s) \leftarrow connected(c_1, c_3, s) \wedge connected(c_3, c_2, s)$

Also, similarly as in [ref], ramification rules can be added to this theory.
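The program below is an added example, not code from the paper. It shows how the three cases per fluent are evaluated once the definition is known to be well-founded in the situation order: by Theorem 1 the justified interpretation is total and equals the model of the completion, so each fluent at do(a, s) can be read off as cause_f(a, s) ∨ (f(s) ∧ ¬cause_¬f(a, s)) after all cause atoms of (a, s) have been decided from the fluents of s, exactly the order given in the footnote to Theorem 4. The domain (a gripper with the actions pickup and drop, the fluents holding, fragile and broken, and the effect cases, including one derived effect) is constructed for the example and is not from the paper.

```python
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

State = FrozenSet[str]              # the fluent atoms true in a situation
Effects = Dict[str, List[Tuple[str, Callable[[State], bool]]]]

# Constructed domain (an assumption for this example): a gripper that can
# pickup and drop one object.  Each entry is one case
#   cause_f(A, s) <- F[s]   or   cause_~f(A, s) <- F[s]
# whose body only inspects fluents of the situation s, as the paper requires.
FLUENTS = ("holding", "fragile", "broken")
INITIATING: Effects = {
    "holding": [("pickup", lambda s: True)],
    # derived effect: dropping something fragile while holding it breaks it
    "broken": [("drop", lambda s: "holding" in s and "fragile" in s)],
}
TERMINATING: Effects = {
    "holding": [("drop", lambda s: True)],
}


def caused(effects: Effects, fluent: str, action: str, state: State) -> bool:
    """cause_f(a, s) holds iff some case for (f, a) has a true body in s."""
    return any(act == action and body(state) for act, body in effects.get(fluent, []))


def conflicts(state: State, action: str, fluents: Sequence[str],
              initiating: Effects, terminating: Effects) -> List[str]:
    """Fluents for which the clause  <- cause_~f(a,s), cause_f(a,s)  is violated."""
    return [f for f in fluents
            if caused(initiating, f, action, state) and caused(terminating, f, action, state)]


def successor(state: State, action: str, fluents: Sequence[str] = FLUENTS,
              initiating: Effects = INITIATING, terminating: Effects = TERMINATING) -> State:
    """The fluents of do(a, s) from the fluents of s.  Because the definition is
    well-founded, the justified interpretation is the model of the completion
        f(do(a,s)) <-> cause_f(a,s) v (f(s) & ~cause_~f(a,s)),
    which is what each fluent is read off from here."""
    bad = conflicts(state, action, fluents, initiating, terminating)
    if bad:
        raise ValueError(f"action {action} both initiates and terminates {bad}")
    nxt = set()
    for f in fluents:
        if caused(initiating, f, action, state) or \
                (f in state and not caused(terminating, f, action, state)):
            nxt.add(f)
    return frozenset(nxt)


def run(initial: State, actions: Sequence[str]) -> List[State]:
    """States S0, do(a1,S0), do(a2,do(a1,S0)), ... computed in the well-founded
    order: cause atoms of (a, s) before fluents of do(a, s), fluents of s before
    cause atoms of (a, s).  `initial` plays the role of the initially_f facts."""
    states = [initial]
    for a in actions:
        states.append(successor(states[-1], a))
    return states
```

For the action sequence pickup, drop, pickup from an initial state in which only fragile holds, the trace is {fragile}, {fragile, holding}, {fragile, broken}, {fragile, broken, holding}: holding persists through the frame case until drop terminates it, broken is derived at the drop and then persists, and fragile, which has no cause atoms at all, persists throughout. Note that nothing ever states ¬holding explicitly; the closure mechanism of the definition supplies the negative cases, as the text describes.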

Inductive Definitions as an Approach to Causality. 

In [ref] we argued that inductive definitions are a suitable formalization of
causality. Causality information is an example of constructive information.
Effects and forces propagate in a dynamic system through a constructive
process in the following sense:

⁷ The order of the atoms, needed to establish the well-foundedness of the definition, is
the order generated by the atoms $f(.., do(a, s)) > cause_f(a, s, ..), cause_{\neg f}(a, s, ..) > g(.., s)$,
with f, g arbitrary fluents.
— There are no deus ex machina effects. Each effect has a cause; it is caused
by a nonempty combination of actions and other effects.

— The causation order among effects is a well-ordering. I.e. there is no
pair of effects each of which has caused the other; stronger, there is no
infinite descending chain of effects each of which has been caused by the
previous one in the chain.

The construction process of an inductive definition formally mimics this
physical process of the propagation of the causes and effects. Based on this
idea, [ref] proposes a general solution to model ramifications. One point of [ref]
was that effects may easily depend on both presence and absence of other
effects. For example, in the case that one latch of a suitcase is open, the effect
of opening the second latch produces a derived effect of opening the suitcase,
but only if the first latch is not closed simultaneously. As a consequence, if
fluents can mutually influence each other, descriptions of ramifications may
easily contain positive and negative loops. As shown in [ref], the well-founded
semantics deals well with these loops.

Induction Axioms; Domain Closure Axiom (DCA). 

As a conservative extension of classical logic, ID-logic assumes uncertainty
on the domain of discourse (due to the non-Herbrand interpretations). The
Domain Closure Axiom (DCA) expresses that the domain of discourse contains
only named objects. In [ref] McCarthy showed how the DCA can be
represented by a combination of circumscription on a set of rules and a FOL
assertion. The mapping to ID-logic is straightforward. The set of rules is an
inductive definition of a new predicate U; it consists of one case per constant
C and per functor f:

$U(C) \leftarrow$

$U(f(\bar x)) \leftarrow U(x_1), .., U(x_n)$

This defines U as the set of all named objects. The FOL axiom expresses
that all objects in the domain are named:⁸

$\forall x.\ U(x)$

The DCA is a generalized induction axiom. In the case of the language of
the natural numbers (0 and S/1), the above formalization of the DCA is
equivalent with Peano's second order induction axiom. The induction axiom
for situations as needed in Reiter's situation calculus can be expressed in a
similar way.

The semantics of many logics, e.g. logic programming and deductive data- 
bases, is based on Herbrand interpretations. This introduces the implicit 
ontological constraint that all terms in the domain of discourse are named. 




⁸ Note here the distinction between defining knowledge and assertional knowledge. If
one would add the FOL assertion as a case to the inductive definition, then U would
be defined to be the complete domain of discourse.

This constraint is absent in classical logic and in ID-logic but can be explicitly
formalized by the pair of the DCA and the Unique Names Axioms (UNA)
or the Clark Equality Theory (CET) [ref]. It is easy to show that each
model of DCA+UNA is isomorphic with a Herbrand interpretation.

6 Relationship to Logic Programming Extensions 

Logic Programming can be embedded in ID-logic in a straightforward way. Some
of its extensions can be embedded as well. Abductive logic programming (or
open logic programming, as it is called in [ref]) can also be embedded in ID-logic.
An abductive logic framework is a triple $\langle A, P, T \rangle$ of a set A of abducible
predicates, a set P of rules defining non-abducible predicates and a set T of FOL
axioms, called constraints. Its embedding in ID-logic is trivial: it is the theory
$T \cup \{D_P\}$ where $D_P$ is a definition with $Rules(D_P) = P$ and with $Defined(D_P)$ the
set of non-abducible predicates. In this embedding, the semantics of an abductive
logic program is given by general non-Herbrand well-founded models.

One important implication of this is that the computational techniques developed
in Abductive Logic Programming can be used to reason on ID-logic
theories. Experiments with the use of abductive solvers for solving satisfiability
problems in ID-logic are found in [ref].

A question is whether extensions of logic programming with two negations
and disjunction have a natural embedding in ID-logic. I believe the answer
is negative. Extensions with two negations fit in the view of Logic programming
as a sub-formalism of autoepistemic logic or default logic. This view is based
on various embeddings of Logic Programming in these non-monotone modal
logics (for an overview, see [ref]). A common feature of these embeddings is that
negation as failure literals not p are mapped to modal literals (e.g. $\neg K p$ in
autoepistemic logic).

On the other hand, ID-logic has no modal operator and has only one negation
symbol. Moreover, its negation symbol is really objective negation, similar to
that of classical logic. Indeed, a close look at the semantics of ID-logic shows that
negative literals are evaluated in the context of one interpretation. In contrast,
the modal operators of autoepistemic logic and default logic are evaluated with
respect to a set of beliefs.

For this reason, in [ref] I raised the hypothesis that the autoepistemic and
default view on logic programming and the definition view are two fundamentally
different declarative interpretations of logic programming. They may lead to
different knowledge representation methodologies and different extensions.

Logic programming extensions were introduced to cope with problems of the 
pure logic programming formalism for knowledge representation. However, the 
analysis of what these problems are exactly, depends on which view is taken. In 
the default view, the problem of logic programming was that no definite negative 
information could be represented; consequently it was natural to introduce strong 
or classical negation. On the other hand, in the definition view, the problem of 
pure logic programs is that the semantics assumes that all predicates are defined. 
Consequently, it is hard to represent incomplete knowledge. The natural idea
here is to introduce open predicates that have no definition, as in ID-logic.

Further analysis of the exact relationship between the inductive definition 
view and the default or autoepistemic view is needed. 
Abstract. To explain positive observations and unexplain negative observations
from nonmonotonic background theories, Inoue and Sakama
(1995) extended traditional abduction by allowing removal as well as ad- 
dition of hypotheses. In this paper, we propose a new characterization 
of extended abduction in which a background theory is written in any 
logic program possibly containing disjunctions. In this characterization, 
both removal of hypotheses and anti-explanations can be represented 
within the framework of traditional abductive logic programming. Using 
this transformation, updating knowledge bases represented in logic pro- 
grams as well as restoring consistency for them can also be computed by 
existing proof procedures for logic programming. 



1 Introduction 

Abduction is recognized as an important form of reasoning in both AI and logic 
programming. Since first studied by Peirce, abduction has been defined as an 
inference to seek explanations from which, together with the background theory, 
the given observation is deductively derived. The background theory is usually 
represented in either classical logic or logic programming. The use of logic pro- 
gramming is often more appropriate to perform abduction in several application 
domains. In this paper, we thus consider general extended disjunctive programs 
(GEDPs), which belong to the most general class of logic programs. Formally, 
given a general extended disjunctive program K as the background theory, and a 
literal G as an observation, traditional abduction defines an explanation E of G 
as a set of hypotheses satisfying 

1. K ∪ E ⊨ G, 

2. K ∪ E is consistent, and 

3. E is a set of pre-specified literals and/or rules¹ called abducibles.² 

¹ Abducible rules are introduced by Poole for hypotheses in the form of first-order 
clauses and by Inoue for rules in extended logic programs. 

² Often, there are other conditions to be satisfied by abduced explanations, for exam- 
ple, E being better than any other set E' satisfying conditions 1-3 according 
to a given preference criterion. 
Inoue and Sakama extended this traditional abductive framework in two 
ways as follows. 

The first extension is concerned with how to change the theory with ab- 
ducibles. The issue of abductive theory change has to be considered in a dynamic 
domain. In an evolving world, abductive explanations can be obtained not only 
by addition of new hypotheses, but also by removal of old hypotheses that be- 
come inappropriate. Consider, for example, the extended logic program K1: 

light ← switch_on, 

¬light ← switch_off, 

where switch_on and switch_off are abducibles. Given the observed fact light, 
we can abduce switch_on, which is then assimilated into our belief K1': 

K1' = K1 ∪ {switch_on}. 

Next, we observe later that ¬light holds. To explain this new observation, 
we have to remove the old hypothesis switch_on and add the new hypothesis 
switch_off, otherwise the theory becomes contradictory. So the new theory K1'' 
becomes: 

K1'' = (K1' \ {switch_on}) ∪ {switch_off} = K1 ∪ {switch_off}. 

A situation in which removal of hypotheses is necessary can happen even in more 
static cases. In particular, when a background logic program K is nonmonotonic, 
that is, negation as failure appears in K, contraction of a part of K can lead to 
a derivation of new literals. For example, consider the well-known bird example: 

K2 : flies(x) ← bird(x), not ab(x), 
ab(x) ← broken_wing(x), 
bird(tweety) ← , 
bird(opus) ← , 
broken_wing(tweety) ← , 

where broken_wing is an abducible predicate. If we observe flies(tweety), the 
abducible broken_wing(tweety) can be removed from K2 to account for the 
observation. This kind of extended abduction deals with removal of ab- 
ducibles by introducing the notion of "negative explanations". Given a back- 
ground theory K and an observation G, a negative explanation N of G is defined 
as a set of hypotheses satisfying 

1. K \ N ⊨ G, 

2. K \ N is consistent, and 

3. N is a set of abducible literals/rules.³ 

³ Throughout this paper, an abduced literal L is identified with the rule L ← . 
An explanation P satisfying K ∪ P ⊨ G is then called a positive explanation. 
Usually, both removal and addition are necessary at the same time to explain 
the observation, as seen in the above example programs K1, K2. Namely, a 
pair (P, N) is a (mixed) explanation of G if 

1. (K \ N) ∪ P ⊨ G,⁴ 

2. (K \ N) ∪ P is consistent, and 

3. P, N are sets of abducible literals/rules. 

The second extension is concerned with types of observations in ab- 
duction. Observations are usually seen by observers, but in an evolving world, 
they may not be observable later. Such an unwanted observation is called a 
negative observation, while the usual one is called a positive observation. Then, 
the notion of "anti-explanations" is introduced to unexplain negative observa- 
tions. For example, suppose that an agent with her belief K2 later notices that 
opus does not fly. Since K2 ⊨ flies(opus) holds, we can revise K2 to block the 
derivation of flies(opus) by assuming broken_wing(opus): 

K2' = K2 ∪ {broken_wing(opus)}. 

As in the case of negative explanations, a situation in which anti-explanations 
are necessary can happen even in a static world. For example, when we have the 
rules 

K3 : suspect ← motivated, not alibi, 
motivated ← , 

in order to prevent one from suspecting a person with a motive, the person must 
have an alibi. In other words, alibi is an anti-explanation of suspect. Formally, 
given a background knowledge base K and a negative observation G, a pair 
(P, N) of hypotheses is called an anti-explanation of G if 

1. (K \ N) ∪ P ⊭ G, 

2. (K \ N) ∪ P is consistent, and 

3. P, N are sets of abducible literals/rules. 

Note that the introduction of anti-explanations is necessary for negative obser- 
vations even in monotonic background theories. In fact, negative observations 
are similar to the concept of negative examples in classical inductive learning. 

Extended abduction is thus essential to abductive theory revision as well as 
abduction in nonmonotonic theories. Other applications of extended abduction 
include view update in deductive databases, theory update, contradiction 
removal, the system repair problem with model checking, and inductive logic 
programming. 

⁴ In the original form of extended abduction and in the following papers, the 
updated theory is represented as (K ∪ P) \ N instead of (K \ N) ∪ P. Here, we changed 
the order of operations by removing the old abducibles N first and then adding the 
new abducibles P. This new representation is more appropriate to formalize theory 
revision in terms of contraction, c.f., the Levi identity in belief revision. Note 
that (K ∪ P) \ N = (K \ N) ∪ P whenever P ∩ N = ∅. 

One of the major concerns about extended abduction is the question of whether or 
not extended abduction is reducible to traditional abduction. There have been some 
attempts to establish the relationship between extended abduction and traditional 
abduction. Transaction programs were introduced to compute extended ab- 
duction when the background theory is represented in an acyclic normal logic 
program, and update programs were proposed to compute several types of 
update problems when the background theory is represented in an extended 
logic program. Both transaction programs and update programs are logic pro- 
grams specifying changes on abductive hypotheses. However, their computation 
requires some special treatment before existing proof procedures for logic 
programming can be used. 

In this paper, we provide a new characterization of extended abduction. This 
new one is attractive for at least the following reasons. First, the new character- 
ization completely embeds extended abduction into traditional abduction in a very 
simple and intuitive way. Second, the proposed translation is applicable to any 
abductive program in which the background theory is represented in any class 
of logic programs. Hence, the applicability is larger than that of any previously 
proposed method. Third, any proof procedure for traditional abductive logic 
programming or any procedure to compute answer sets of logic programs can be 
used to compute extended abduction. The simplicity of the new translation also 
contributes to fast computation when extended abduction is applied to various 
update problems. Note that the fact that extended abduction can easily be em- 
bedded in normal abduction never implies that extended abduction is useless; 
because extended abduction has a wide range of applications, the importance of 
the concept of extended abduction remains unchanged. 

This paper is organized as follows. Section 2 introduces the theoretical back- 
ground of this paper, and discusses previous studies on extended abduc- 
tion. Section 3 presents a simple characterization of extended abduction, which 
transforms extended abduction into traditional abduction. Section 4 applies the 
new characterization of extended abduction to restore consistency for inconsis- 
tent logic programs. Section 5 presents related work, and Section 6 concludes the 
paper. Due to lack of space, we omit the proofs of theorems in this paper. 

2 Extended Abduction 

2.1 Definitions 

The definition of extended abduction was originally given in autoepistemic logic. 
In this paper, we consider a fairly wide subclass of autoepistemic logic 
which can be represented in logic programming. A knowledge base is represented 
in a general extended disjunctive program (GEDP), or simply called a 
program, which consists of rules of the form: 

L1 ; ... ; Lk ; not Lk+1 ; ... ; not Ll ← Ll+1, ..., Lm, not Lm+1, ..., not Ln 

where each Li is a literal (n ≥ m ≥ l ≥ k ≥ 0), and not is negation as failure 
(NAF). The left-hand side of the rule is the head, and the right-hand side is 
the body. A rule with the empty head is an integrity constraint. A rule with 
variables stands for the set of its ground instances. A GEDP is called an extended 
disjunctive program (EDP) if it contains no NAF in the head of any rule 
(i.e., k = l). An EDP is called an extended logic program (ELP) if it contains no 
disjunction (l ≤ 1), and an ELP is called a normal logic program (NLP) if every 
Li is an atom. 

The semantics of GEDPs is given by the answer sets. The following definition 
follows the answer set semantics of GEDPs. First, let K be a GEDP without NAF 
(i.e., k = l and m = n) and S ⊆ Lit, where Lit is the set of all ground literals in 
the language of K. Then, S is an answer set of K if S is a minimal set satisfying 
the conditions: 

1. For each ground rule L1 ; ... ; Ll ← Ll+1, ..., Lm from K, {Ll+1, ..., Lm} ⊆ 
S implies {L1, ..., Ll} ∩ S ≠ ∅; 

2. If S contains a pair of complementary literals L, ¬L, then S = Lit. 

Second, given any GEDP K (with NAF) and S ⊆ Lit, consider the GEDP K^S (with- 
out NAF) obtained as follows: a rule L1 ; ... ; Lk ← Ll+1, ..., Lm is in K^S if 
there is a ground rule of the form 

L1 ; ... ; Lk ; not Lk+1 ; ... ; not Ll ← Ll+1, ..., Lm, not Lm+1, ..., not Ln 

from K such that {Lk+1, ..., Ll} ⊆ S and {Lm+1, ..., Ln} ∩ S = ∅. Then, S is 
an answer set of K if S is an answer set of K^S. An answer set is consistent if 
it is not Lit. A GEDP is consistent if it has a consistent answer set. An answer 
set S of K is minimal if there is no other answer set S' of K such that S' ⊂ S. 
Every answer set of any EDP is minimal, but the minimality of answer sets 
no longer holds for GEDPs. For example, the program containing only the 
rule 

A ; not A ← 

has two answer sets, {A} and ∅. This type of rule has been used to express the 
class of abductive programs in terms of GEDPs. 

The following definition of abductive programs is a generalization of previous 
ones. An abductive program is a pair (K, A), where K and A are GEDPs. Each 
element of A and any of its instances is called an abducible. When a rule (resp. 
literal) is an abducible, it is also called an abducible rule (resp. abducible literal). 

For an abductive program (K, A), we assume that each abducible in A can 
be associated with its unique name. When an abducible rule H ← B, 
where H is the head and B is the body (or an abducible literal when H is a literal 
and B is empty), has the name R and free variables x, we often write the rule 
as R(x) = (H ← B). Also, for such a rule R(x) and literals L1, ..., Lk, we also 
write 

(R(x) ← L1, ..., Lk) = (H ← B, L1, ..., Lk). 

Now, we give a formal definition of extended abduction, which is a slight 
modification of the earlier one. Let (K, A) be an abductive program. 

1. A pair (P, N) is a scenario for (K, A) if P, N are sets of instances 
of elements from A and (K \ N) ∪ P is a consistent program. 

2. Let G be a ground literal. 

(a) A pair (P, N) is an explanation of G wrt (K, A) if (P, N) is a scenario 
for (K, A) such that (K \ N) ∪ P ⊨ G. 

(b) A pair (P, N) is an anti-explanation of G wrt (K, A) if (P, N) is a 
scenario for (K, A) such that (K \ N) ∪ P ⊭ G. 

(c) An (anti-)explanation (P, N) of G is minimal if for any (anti-)explanation 
(P', N') of G, P' ⊆ P and N' ⊆ N imply P' = P and N' = N. 

Remark 1. There are two remarks on the definition of extended abduction, which 
have not been discussed in previous papers. 

First, the entailment relation ⊨ is used in the definition. There are two 
notions of entailment, credulous and skeptical. A GEDP K skeptically 
entails a literal L if L is included in every answer set of K. On the other hand, 
K credulously entails L if L is included in some answer set of K. Similarly, the 
relation ⊭ can also be defined in either the credulous or the skeptical way. We say (P, N) 
is a credulous (resp. skeptical) (anti-)explanation if in the above definition ⊨ is 
defined credulously (resp. skeptically). In this paper, unless otherwise specified, 
we do not commit ourselves to which definition is used for entailment. In fact, 
the translation proposed in the next section can be used for both definitions. 

Second, when sets S, T of literals/rules contain variables, any set operation ∘ 
is semantically defined on ground programs as S ∘ T = ground(S) ∘ ground(T), 
where ground(S) is the set of ground instances of elements from S. For example, S ⊆ T 
is defined as ground(S) ⊆ ground(T). For another example, when p(x) ∈ K, 
{p(a)} \ K = ∅ and K \ {p(a)} = (K \ {p(x)}) ∪ {p(y) | y ≠ a}. Here, the set 
{p(y) | y ≠ a} can also be written as the rule p(y) ← y ≠ a. In general, a set 
{R(x) | x ≠ t1, ..., x ≠ tk} can be written as a rule R(x) ← x ≠ t1, ..., x ≠ tk, 
where x and ti are tuples of variables and terms, respectively. 

Thus, to explain positive observations and unexplain negative observations, 
extended abduction not only introduces hypotheses into a program but also re- 
moves them from it. On the other hand, traditional abduction only introduces 
hypotheses to explain positive observations. Hence, traditional abduction is a 
specialization of extended abduction, and is called normal abduction hereafter. 
Formally, a set E is a scenario for (K, A) (under normal abduction) iff (E, ∅) 
is a scenario for (K, A) (under extended abduction). Also, E is an explanation 
of G wrt (K, A) (under normal abduction) iff (E, ∅) is an explanation of G wrt 
(K, A) (under extended abduction). 

2.2 Previous Characterization of Extended Abduction 

There is some previous work on the reduction of extended abduction to normal 
abduction. In one approach, transaction programs are produced from an abductive 
program (K, A), in which the background theory K is limited to an acyclic 
NLP and A is a set of abducible atoms. A transaction program is a disjunctive 
logic program, and can provide a declarative specification of update in deductive 
databases. However, for computing extended abduction, a proof procedure for 
transaction programs requires an additional task for rewriting literals. 

In another approach, update programs are produced from an abductive program (K, A), 
in which K is an ELP and A is a set of abducible literals or rules. An update 
program is an ELP, and can be used to compute view update, theory update, 
and inconsistency removal. For computing extended abduction, the only extra 
task is to select the U-minimal answer sets of an update program, where 
U-minimality means that the update is actually done with minimal change. This 
method essentially separates the abducibles from the program K, that is, con- 
siders K \ A, and then reconstructs a consistent theory K' such that (i) K' is 
the closest to the original program K, and (ii) K' can derive (or cannot derive) 
the observation. Such a reconstruction is done by the choice rules of the form: 

A ← not A', 

A' ← not A, 

for every abducible literal A. Here, the choice A' means that the abducible A is not abduced. 
The set of choice rules guarantees that every answer set contains complete in- 
formation on assumed and unassumed hypotheses. The method is then compu- 
tationally weak in that it does not fully take the existence and non-existence 
of abducibles in the program into account: the minimal change is only 
realized by selecting the closest one from all the possible scenarios. 

Sakama and Inoue also consider another translation of extended abduc- 
tion into normal abduction. Let (K, A) be an abductive program, and G an 
observation. For any P ⊆ A \ K and any N ⊆ A ∩ K such that P ∩ N = ∅, it 
holds that (K \ N) ∪ P ⊨ G iff (K \ A) ∪ ((K ∩ A) \ N) ∪ P ⊨ G. Then, G 
has an explanation (P, N) wrt (K, A) (under extended abduction) iff G has an 
explanation H = ((K ∩ A) \ N) ∪ P wrt (K \ A, A) (under normal abduction). 
Here, (P, N) can be extracted from H as P = H ∩ (A \ K) and N = (K ∩ A) \ H. 
Again, this relationship converts (K, A) into (K \ A, A), which separates the 
abducibles from K and reconstructs a consistent theory that is the closest to K. 

In the next section, we show a new translation of extended abduction into 
normal abduction, which solves the above problems in previous methods. 

3 From Extended Abduction to Normal Abduction 

We now show that extended abduction is reduced to normal abduction. The 
proposed reduction method completely embeds extended abduction into normal 
abduction in a very simple and intuitive way. The proposed translation is ap- 
plicable to any class of GEDPs, and therefore the applicability is larger than 
that of any other previous method. We neither separate the abducibles from the back- 
ground theory, nor use the choice rules for abducibles. Then, the translated 
program remains stratified whenever the original background theory is a 
stratified program. Minimal change with abducibles is realized more naturally 
without resorting to a search in the space of all scenarios. 
3.1 Translation of Explanations 

Here, we present a method to translate removal of abducibles from programs into 
addition of abducibles to programs in order to explain positive observations. The 
idea is very simple. We give a name to an abducible, but the name can be given in 
two different ways, according to whether the abducible is to be added or removed. 
For addition of abducibles, we just give a standard name: for 
each rule R(x), its name is add_R(x), where x is the free variables appearing in R. 
For removal of abducibles, we give a name through NAF by not del_R(x). Then, 
deletion of an instance R(t) from the abducibles R(x) is realized by addition of 
del_R(t) to the program. This simple way of naming through NAF was considered 
by Satoh to identify the minimal source of inconsistency in a program, but 
it turns out to be easily accommodated in extended abduction.⁵ 

Let (K, A) be an abductive program. The translation v is defined as a map- 
ping from (K, A) to v(K, A) = (K', A') as follows. 

1. For each R(x) ∈ A \ K, 

R(x) ← add_R(x) 

is in K'; 

2. For each R(x) ∈ K ∩ A, 

R(x) ← not del_R(x) 

is in K'; 

3. For any R ∈ K \ A, R is in K'; 

4. A' is the set of literals of the form add_R(x) and del_R(x). 

The translation v can be simplified in the case of addition of abducible literals. 
In item 1 above, if R(x) is an abducible literal in A \ K and there is no rule whose 
head contains R(x), then we can just put R(x) into A', instead of introducing 
R(x) ← add_R(x) to K' with the new abducible add_R(x) in A'. 

The next theorem establishes a 1-1 correspondence between extended abduc- 
tion and normal abduction wrt the translated program. 

Theorem 1. (P, N) is a minimal explanation of G wrt (K, A) under extended 
abduction iff E is a minimal explanation of G wrt v(K, A) under normal abduc- 
tion, where P = {R(t) | add_R(t) ∈ E} and N = {R(t) | del_R(t) ∈ E}. 

Note that when R has the free variables x, both addition and removal of 
abducibles are performed at the instance level, that is, variables are always in- 
stantiated. In particular, we can remove some set N of instances of a hypothesis. 
Now, let us consider the case that such explanations are assimilated into the 
background theory. In the translated abductive theory for normal abduction, 
suppose that an explanation is obtained as a set: 

E = {del_R(t1), ..., del_R(tk), add_R'(s1), ..., add_R'(sl)}. 

Then, as explained in Remark 1 on the definition of extended abduction in Sec- 
tion 2.1, the original rule can be replaced with a rule with inequalities in the 
body. For example, since N = {R(t1), ..., R(tk)} is removed from K, the ab- 
ducible rule R(x) in K is replaced with R(x) ← x ≠ t1, ..., x ≠ tk. Similarly, 
since P = {R'(s1), ..., R'(sl)} is added to K, a new rule can be represented as 

R'(x) ← (x = s1 ; ... ; x = sl). 

In the previous formulation, removal of abducibles with variables cannot be performed at the 
instance level, but the abducible itself is removed from the program. Using the 
above naming technique through NAF, we can parameterize hypotheses for removal 
as well as addition. This is more suitable in extended abduction. 

⁵ Satoh recently extended his inconsistency removal method to cover the class of NLPs 
using a similar naming technique for both addition and removal of abducibles. 

Example 1. Let (K1, A1) be an abductive program: 

K1 : flies(x) ← bird(x), 
bird(x) ← big_bird(x), 
big_bird(tweety) ← , bird(polly) ← , 

A1 : flies(x) ← bird(x), 

¬flies(x) ← big_bird(x). 

Then, according to the definition of extended abduction, the observation G1 = 
¬flies(tweety) has an explanation (P1, N1): 

({ ¬flies(tweety) ← big_bird(tweety) }, { flies(tweety) ← bird(tweety) }). 

Now, let us translate extended abduction into normal abduction: 

K1' : flies(x) ← bird(x), not del_bf(x), 

¬flies(x) ← big_bird(x), add_bbnf(x), 
bird(x) ← big_bird(x), 
big_bird(tweety) ← , bird(polly) ← , 

A1' : del_bf(x), add_bbnf(x). 

Then, the observation G1 = ¬flies(tweety) has the minimal explanation: 

E1 = { del_bf(tweety), add_bbnf(tweety) }, 

which corresponds to the above explanation (P1, N1) for extended abduction. 

In assimilating this explanation into K1, the new theory becomes 

K1'' : flies(x) ← bird(x), x ≠ tweety, 

¬flies(x) ← big_bird(x), x = tweety, 
bird(x) ← big_bird(x), 
big_bird(tweety) ← , bird(polly) ← . 

On the other hand, in the previous formulation a minimal explanation of G1 is 
(P1', N1') = ({ ¬flies(x) ← big_bird(x) }, { flies(x) ← bird(x) }). Assimilating this 
explanation into K1 results in a theory that does not contain flies(x) ← 
bird(x) any more, so that we lose the information flies(polly). 
3.2 Translation of Anti-explanations 

Next, we convert the problem of finding anti-explanations in extended abduction 
into the problem of finding explanations in normal abduction. To do so, we 
first translate anti-explanations into explanations within extended abduction. 
This can be done for a negative observation G by associating the 
new rule: 

G' ← not G, 

where G' is a new atom. Then, G has an anti-explanation iff G' has an explana- 
tion. Strictly speaking, the entailment relation is given as follows. 

Theorem 2. Let (K, A) be an abductive program, and G a literal. 

1. (P, N) is a credulous anti-explanation of G wrt (K, A) (i.e., there is a con- 
sistent answer set of (K \ N) ∪ P in which G is not true) iff (P, N) is a 
credulous explanation of G' wrt (K ∪ {G' ← not G}, A) (i.e., there is a 
consistent answer set of ((K ∪ {G' ← not G}) \ N) ∪ P in which G' is true). 

2. (P, N) is a skeptical anti-explanation of G wrt (K, A) (i.e., (P, N) is a 
scenario for (K, A) such that G is not true in every consistent answer set 
of (K \ N) ∪ P) iff (P, N) is a skeptical explanation of G' wrt (K ∪ {G' ← 
not G}, A) (i.e., (P, N) is a scenario for (K ∪ {G' ← not G}, A) such that 
G' is true in every consistent answer set of ((K ∪ {G' ← not G}) \ N) ∪ P). 

Translation of anti-explanations into explanations in normal abduction is 
now easy, as we have shown the translation v from extended abduction to normal 
abduction in the previous subsection. 

Example 2. Consider the abductive theory (K1'', A1) from Example 1, where A2 = 
A1. Suppose that we are now unsure about whether or not polly can fly. Then, the 
minimal anti-explanation of G2 = flies(polly) is (P2, N2) = (∅, { flies(polly) ← 
bird(polly) }). In assimilating this anti-explanation into K1'', the corresponding new 
rule becomes 

flies(x) ← bird(x), x ≠ tweety, x ≠ polly. 

Now, considering the abductive theory v(K1'' ∪ {G2' ← not G2}, A1), G2' has 
the minimal explanation E2 = { del_bf(polly) } under normal abduction, which 
corresponds to the anti-explanation (P2, N2) of G2 under extended abduction. 

3.3 Computing Extended Abduction 

We have shown that extended abduction can be reduced to normal abduction. 
Then, computation of extended abduction can be done using any proof proce- 
dure for normal abduction. It is also known that abducibles can be 
represented in either choice rules, disjunctive rules without NAF, 
or disjunctive rules with NAF in heads. Then, according to the class of the re- 
sultant programs, we can also use procedures to compute answer sets of ELPs, 
EDPs, or GEDPs. 

The computational complexity of extended abduction can also be derived 
from results for abductive programs by Eiter et al. and those for GEDPs and 
abductive EDPs by Inoue and Sakama. 
4 Restoring Consistency 

In this section, we formalize a method of restoring consistency when a GEDP is 
inconsistent. Inoue and Sakama consider a general framework for restoring 
consistency in autoepistemic logic. We consider the logic programming fragment 
of this framework, and characterize it in normal abduction. 

A GEDP may not have a consistent answer set. For example, the program 

Kc = { ¬p ← ,  ← not p } 

has no answer set. Historically, Doyle resolved such inconsistency by making 
some disbelieved atoms true through dependency-directed backtracking in the Truth 
Maintenance System. Employing not only expansion but also contraction, a 
stronger method is proposed for restoring consistency in the framework mentioned above. Let K and Γ 
be GEDPs. The theory r(K) = (K \ O) ∪ I, where I, O are sets of instances of 
elements of Γ, is called a most coherent theory of K wrt Γ if 

1. r(K) is consistent, and 

2. for any pair (I', O') such that (K \ O') ∪ I' is consistent, I' ⊆ I and O' ⊆ O 
imply that I' = I and O' = O. 

Notice that r(K) = K if K is consistent. By definition, each most coherent theory 
r(K) restores consistency by minimally introducing or removing appropriate 
rules from Γ. Obviously, most coherent theories can be formalized in extended 
abduction. That is, r(K) = (K \ O) ∪ I is a most coherent theory of K wrt Γ 
iff (I, O) is a scenario for (K, Γ) such that for any scenario (I', O') for (K, Γ), 
I' ⊆ I and O' ⊆ O imply that I' = I and O' = O. 

There are several ways to determine Γ for restoring consistency. In one setting, 
Γ is set to Lit. Then, inconsistency of the above Kc can be removed with the 
scenario (I, O) = ({p}, {¬p}), which provides the most coherent theory r(Kc) = 
{ p ← ,  ← not p }. In another setting, on the other hand, Γ is set to K. In this case, only 
contraction is performed to restore consistency, and no new rule nor literal is 
added. For the above Kc, we then get r(Kc) = { ¬p ← }. Satoh sets Γ as a 
part of K, and again only contraction is allowed. 

In any case, we can translate the framework of restoring consistency into 
normal abduction using the translation v in Section 3.1. 

Theorem 3. Let K and Γ be GEDPs for restoring consistency. Define the ab- 
ductive program (K', A') = v(K, Γ). Then, r(K) = (K \ O) ∪ I is a most 
coherent theory of K wrt Γ iff E is a scenario for (K', A') (under normal ab- 
duction) such that no scenario E' for (K', A') satisfies E' ⊂ E, and 
I = {R(t) | add_R(t) ∈ E} and O = {R(t) | del_R(t) ∈ E}. 

Example 3. (Satoh, originally from Borgida) Suppose K_bs is an ELP: 

father(sr, charlie) ← , age(sr, 14) ← , 

← father(x, y), age(x, z), z < 14, 

← father(x, y), age(x, z1), age(y, z2), z1 < z2. 

Let Γ_bs be the revisable part of K_bs, which consists of the two integrity constraints. 
Then, (K'_bs, A'_bs) = v(K_bs, Γ_bs) is: 

K'_bs : father(sr, charlie) ← , age(sr, 14) ← , 

← father(x, y), age(x, z), z < 14, not del_ic1(x, y, z), 

← father(x, y), age(x, z1), age(y, z2), z1 < z2, not del_ic2(x, y, z1, z2), 

A'_bs : del_ic1(x, y, z), del_ic2(x, y, z1, z2). 

We have the minimal scenario { del_ic1(sr, charlie, 14) }, which corresponds to the 
most coherent theory of K_bs. Assimilating this change into K_bs, the first integrity 
constraint becomes 

← father(x, y), age(x, z), z < 14, ¬(x = sr, y = charlie, z = 14). 
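The following is an added example and not code from the paper: a brute-force Python implementation of the answer set semantics of Section 2.1 for ground extended logic programs, the translation v of Section 3.1, the rule G' ← not G of Section 3.2, and the contraction-only repair of Section 4. It reruns Example 1 and Example 2 with the abducible rules grounded over tweety and polly, and repairs Kc with Γ = Kc. The tuple encoding of rules, the rule names bf, bbnf, c1, c2 and the atom g2_prime standing for G2' are this example's own conventions, not the paper's; the enumeration over guesses and over subsets of A' is exponential, so it is meant only for programs of this size.

```python
"""Extended abduction on ground ELPs via the translation v (added example).
A rule is (head, pos, neg): head is a literal or None (integrity constraint),
pos/neg are tuples of literals, and "-l" is the classical negation of l.
Rule names (bf, bbnf, c1, c2) and the atom g2_prime are this example's choice."""
from itertools import combinations

def complement(lit):
    return lit[1:] if lit.startswith('-') else '-' + lit

def least_model(rules):
    """Least model of a NAF-free program; None if a constraint is violated or a
    complementary pair is derived (the answer set would be Lit)."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, pos, _ in rules:
            if set(pos) <= model and head not in model:
                if head is None:
                    return None
                model.add(head)
                changed = True
    return None if any(complement(l) in model for l in model) else frozenset(model)

def answer_sets(program):
    """Consistent answer sets by the reduct of Section 2.1: guess which literals
    under 'not' are true, reduce, take the least model, and check the guess."""
    naf = sorted({l for _, _, neg in program for l in neg})
    result = set()
    for k in range(len(naf) + 1):
        for guess in combinations(naf, k):
            reduct = [(h, pos, ()) for h, pos, neg in program
                      if not (set(neg) & set(guess))]
            m = least_model(reduct)
            if m is not None and (m & set(naf)) == set(guess):
                result.add(m)
    return result

def translate(K, A):
    """Translation v: (K, A) -> (K', A'). A maps a name to an abducible rule;
    rules in A\\K get add_<name> in the body, rules in K&A get not del_<name>."""
    K2, A2 = [r for r in K if r not in A.values()], []
    for name, (head, pos, neg) in A.items():
        if (head, pos, neg) in K:
            K2.append((head, pos, neg + ('del_' + name,))); A2.append('del_' + name)
        else:
            K2.append((head, pos + ('add_' + name,), neg)); A2.append('add_' + name)
    return K2, A2

def minimal_explanations(K2, A2, G=None):
    """Minimal E <= A' with K' u E consistent and, if G is given, G in some
    answer set (credulous normal abduction); G=None yields minimal scenarios."""
    found = []
    for k in range(len(A2) + 1):          # increasing size, so hits are subset-minimal
        for E in combinations(A2, k):
            if any(set(F) <= set(E) for F in found):
                continue
            sets = answer_sets(K2 + [(e, (), ()) for e in E])
            if any(G is None or G in S for S in sets):
                found.append(E)
    return found

def to_extended(E, A):
    """Read the pair (P, N) of Theorem 1 off a normal explanation E."""
    P = {A[n[4:]] for n in E if n.startswith('add_')}
    N = {A[n[4:]] for n in E if n.startswith('del_')}
    return P, N

# Example 1, grounded over the two birds (constructed instances of the paper's rules)
BIRDS = ('tweety', 'polly')
def bf(x):   return ('flies(%s)' % x, ('bird(%s)' % x,), ())        # flies(x) <- bird(x)
def bbnf(x): return ('-flies(%s)' % x, ('big_bird(%s)' % x,), ())   # -flies(x) <- big_bird(x)
K1 = ([bf(x) for x in BIRDS] + [('bird(%s)' % x, ('big_bird(%s)' % x,), ()) for x in BIRDS]
      + [('big_bird(tweety)', (), ()), ('bird(polly)', (), ())])
A1 = {**{'bf(%s)' % x: bf(x) for x in BIRDS}, **{'bbnf(%s)' % x: bbnf(x) for x in BIRDS}}

def example1():
    """G1 = -flies(tweety): expect E1 = {del_bf(tweety), add_bbnf(tweety)}."""
    return minimal_explanations(*translate(K1, A1), '-flies(tweety)')

def assimilate(K, E, A):
    P, N = to_extended(E, A)
    return [r for r in K if r not in N] + list(P)

def example2():
    """Negative observation flies(polly) against the theory after Example 1:
    expect the anti-explanation (empty set, {flies(polly) <- bird(polly)})."""
    K_after = assimilate(K1, example1()[0], A1)
    K2, A2 = translate(K_after + [('g2_prime', (), ('flies(polly)',))], A1)  # G2' <- not G2
    return [to_extended(E, A1) for E in minimal_explanations(K2, A2, 'g2_prime')]

def example_consistency():
    """Kc = { -p <- ,  <- not p } with Gamma = Kc: expect the scenario {del_c2},
    i.e. r(Kc) = { -p <- } as in Section 4."""
    Kc = [('-p', (), ()), (None, (), ('p',))]
    return minimal_explanations(*translate(Kc, {'c1': Kc[0], 'c2': Kc[1]}))

if __name__ == '__main__':
    print(example1(), example2(), example_consistency())
```

Because v only adds an atom to a body or a NAF literal to a body, the translated program is still an ELP whenever K is, so the plain reduct of Section 2.1 suffices; credulous entailment is used throughout, and the skeptical variant would replace `any(... for S in sets)` by `all` over a non-empty set of answer sets.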



5 Related Work 



Our extended abduction makes an explicit choice of hypotheses that should be 
removed from the theory. On the other hand, removal of formulas from a theory 
is implicitly considered by Lobo and Uzcátegui in their abductive change 
operators, where contraction is done within the standard revision operator. 
When a formula F should be explained from the theory, the revision operator first contracts 
¬F before adding F with abduced hypotheses. Hence, their abductive change 
operators are not defined as normal abduction. 

It is well known that abduction is used for view update in deductive databases. 
There are two major operations in view update, insertion and deletion, which 
are respectively characterized as explanations and anti-explanations in extended 
abduction. This kind of update can be extended to update with programs, 
called theory update, which can again be formalized as extended abduction. 
Kakas and Mancarella characterize view update through normal abduc- 
tion, but deletion is defined rather procedurally. They use a top-down abductive 
procedure for computing view update, which works correctly for locally strati- 
fied NLPs. There are also several approaches to formalize update without using 
abduction. Fernandez et al. realize database update through construction 
of minimal models that satisfy an update request. Alferes et al. propose a 
framework of dynamic logic programming to realize theory update for a subclass 
of GEDPs without disjunctions in heads. 

There is some work on removing inconsistency in ELPs. 
Inoue resolves inconsistency of an ELP by considering a maximally consis- 
tent set of rules from the original program. This is formalized in an abductive 
framework with the notion of extension bases, which corresponds to extensions 
in Poole's default theories rather than abduction. Inoue also considers an 
abductive framework (K, A) which is used to explain observations. His method 
gives a name δ_R(x) to each rule in A, and defines the abducibles as the col- 
lection of δ_R atoms. In this kind of abduction, Inoue considers only expansion 
of a program by formulas. On the other hand, Satoh formalizes a minimal 
revised program with a new rule in the case that the background knowledge 
is represented in a Horn program. This can be done by translating a revisable 
part of Horn clauses into rules with NAF of the form not del_R(x) in an NLP, 
and defining the abducible set as the del_R atoms. Hence, Satoh considers only 
contraction of formulas from a program. In fact, we do not have to consider 
expansion in restoring consistency of an inconsistent Horn theory. As discussed 
in Section 3, the translation method proposed in this paper takes advantage of 
both translation methods. 

Damasio and Pereira remove inconsistency in ELPs with abducible literals
under the three-valued well-founded semantics. Removal of abducibles in our
extended abduction can be simulated in their abductive system by changing
the truth value of literals from true to false or undefined. In this sense, their
abductive framework cannot be defined as normal abduction.

Witteveen and van der Hoek define a logical framework for theory recovery
from inconsistent nonmonotonic theories. In their definition, constructing
a scenario $(P, N)$ for $(K, A)$ in our extended abduction is classified as a mixed
recovery approach, in which both expansion and contraction are necessary at
the same time. They show that under some conditions a mixed recovery can be
replaced with a successful expansion. Although their formalization is different
from ours, their result is related to our transferability of extended abduction
into normal abduction in the case of restoring consistency.

6 Concluding Remark 

In this paper, we have shown a simple reduction of extended abduction to
normal abduction. The new method embeds extended abduction into normal
abduction without introducing an additional source of complexity, and is applicable
to abduction with any class of GEDPs. The simplicity of the new translation also
contributes to fast computation when extended abduction is applied to various
update problems.

Contraction of instances of a rule in our method is based on an associated
unique name through NAF in the body of the rule. In a sense, such a rule is
weakened by adding an extra condition of the form $not\ del_R(x)$. In fact, this
operation is called specialization of rules in machine learning. Inoue and Kudoh
show a framework for learning default rules in ELPs by specializing general
rules with NAF of the form $not\ ab_R(x)$. Hence, there must be a close relationship
between removal of rule instances and identification of exceptions of rules. In
our method, instances of $del_R(x)$ are collected for rule $R$ to unexplain negative
observations or to restore consistency. Then, these removed instances can also be
seen as exceptions to rule $R$. Often, we would like to generalize such instances
and exceptions as

$$ ab_{bf}(x) \leftarrow \mathit{big\_bird}(x), $$

which plays the role of a default cancellation rule. In this case, instead of
assimilating the removed instances into $R$ as

$$ \mathit{flies}(x) \leftarrow \mathit{bird}(x),\; x \neq \mathit{tweety},\; x \neq \mathit{polly},\; \dots, $$

we can just keep the default rule as

$$ \mathit{flies}(x) \leftarrow \mathit{bird}(x),\; not\ ab_{bf}(x), $$

together with default cancellation rules. In this way, knowledge assimilation is
performed using both abduction and induction. Formalization and automation
of this kind of knowledge evolution is important future work.
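The specialization-by-NAF idea above, as an added worked example that is not part of the original paper: a small Python evaluator for stratified normal logic programs over unary predicates (our own code; the program, the predicate names del_R, ab_bf, big_bird and the constants tweety, polly, sam are constructed for illustration) compares the two ways of recording exceptions to the rule flies(x) ← bird(x): contracting instances through abduced del_R atoms, and generalizing those instances into the default cancellation rule ab_bf(x) ← big_bird(x).

```python
from typing import List, Set, Tuple

# Added example, not code from the paper.  A minimal evaluator for stratified
# normal logic programs whose predicates are all unary and whose rules share
# one variable x.  Predicate and constant names below are constructed.

Atom = Tuple[str, str]                    # (predicate, constant), e.g. ("bird", "tweety")
Rule = Tuple[str, List[str], List[str]]   # head <- positive body, NAF body (all applied to x)


def is_stratified(strata: List[List[Rule]]) -> bool:
    """A NAF literal may only mention a predicate that is no longer being
    defined, i.e. not a head of the current or any later stratum."""
    for i, stratum in enumerate(strata):
        pending = {head for later in strata[i:] for head, _, _ in later}
        if any(n in pending for _, _, negs in stratum for n in negs):
            return False
    return True


def evaluate(facts: Set[Atom], strata: List[List[Rule]]) -> Set[Atom]:
    """Perfect model (= the unique stable model) of a stratified program:
    each stratum is computed to a fixpoint before the next one may negate it."""
    if not is_stratified(strata):
        raise ValueError("program is not stratified")
    model = set(facts)
    constants = {c for _, c in facts}
    for stratum in strata:
        changed = True
        while changed:
            changed = False
            for head, pos, neg in stratum:
                for c in constants:
                    if (head, c) in model:
                        continue
                    if all((p, c) in model for p in pos) and not any((n, c) in model for n in neg):
                        model.add((head, c))
                        changed = True
    return model


def flies(model: Set[Atom]) -> List[str]:
    """The constants x for which flies(x) is in the model, sorted."""
    return sorted(c for p, c in model if p == "flies")


BIRDS: Set[Atom] = {("bird", "tweety"), ("bird", "polly"), ("bird", "sam")}


def removed_instances_program(removed: Set[str]) -> List[str]:
    """Rule R: flies(x) <- bird(x), weakened to flies(x) <- bird(x), not del_R(x).
    The abduced del_R atoms name exactly the instances of R that are contracted."""
    facts = BIRDS | {("del_R", c) for c in removed}
    return flies(evaluate(facts, [[("flies", ["bird"], ["del_R"])]]))


def cancellation_program(big_birds: Set[str]) -> List[str]:
    """The same exceptions generalised: flies(x) <- bird(x), not ab_bf(x) is kept
    as the default, plus the default cancellation rule ab_bf(x) <- big_bird(x)."""
    facts = BIRDS | {("big_bird", c) for c in big_birds}
    strata = [[("ab_bf", ["big_bird"], [])],      # stratum 1 defines ab_bf
              [("flies", ["bird"], ["ab_bf"])]]   # stratum 2 may negate it
    return flies(evaluate(facts, strata))


if __name__ == "__main__":
    print(removed_instances_program({"tweety", "polly"}))   # ['sam']
    print(cancellation_program({"tweety", "polly"}))        # ['sam']
```

Both programs agree on the three given birds; the difference shows when a fourth big bird is added: the cancellation program excludes it through big_bird alone, whereas the contracted program needs a further del_R instance to be abduced.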

Acknowledgements. The author would like to thank Chiaki Sakama for com-

Abstract. A new equational foundation is presented for the Fluent Calculus, an
established predicate calculus formalism for reasoning about actions. We discuss
limitations of the existing axiomatizations of both equality of states and what it
means for a fluent to hold in a state. Our new and conceptually even simpler theory
is shown to overcome the restrictions of the existing approach. We prove that the
correctness of the Fluent Calculus as a solution to the Frame Problem still holds
under the new foundation. Furthermore, we extend our theory by an induction
axiom needed for reasoning about integer-valued resources.

Stream: Knowledge Representation and Non-monotonic Reasoning. 



1 Introduction 

Research in Cognitive Robotics aims at explaining and modeling high-level intelligent
agents acting in a complex dynamic world. Among the established predicate
calculus formalisms for reasoning about actions, the Fluent Calculus stands
out in offering a solution not only to the representational but also to the inferential
aspect of the fundamental Frame Problem. The basic solution has proven
its versatility by allowing extensions regarding a variety of aspects, such as
nondeterministic actions, resource-sensitivity, concurrency, ramifications, natural
actions in combination with continuous change, sensing actions, and recursive and
conditional plans. An implementation of the Fluent Calculus by means of binary
decision diagrams is under way.

Central to the Fluent Calculus, which is a many-sorted first-order language, is
the representation technique of reification: Terms are used instead of atomic
formulas as formal denotations for fluents, i.e., the atomic properties of the
world state whose truth values may change in the course of actions. In the Fluent
Calculus these 'atomic' fluent terms are composed to state descriptions by means
of a binary function, written as "$\circ$". More precisely, any term of sort fluent is
also of sort state, and if $z_1$ and $z_2$ are of sort state then so is $z_1 \circ z_2$. For
example, if the term $Occupied(x)$ is of sort fluent, representing the (temporary)
property of a room $x$ to be occupied, and if variable $z$ is of sort state, then
the term

$$ (Occupied(\text{AMT-101}) \circ Occupied(\text{AMT-206})) \circ z \quad (1) $$



J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 733
© Springer-Verlag Berlin Heidelberg 2000

describes a world state in which the two rooms AMT-101 and AMT-206 are
occupied and in which other fluents $z$ hold.¹

Based on the concept of state terms, the fundamental Frame Problem is
solved in the Fluent Calculus by so-called state update axioms, which specify
how the states of the world before and after an action are related. From the
Situation Calculus, we adopt the concept of a situation as a history of the actions
that have been performed. Let the expression $State(s)$ be a denotation of
the world state in situation $s$, let $Do(a, s)$ denote the situation reached after
performing action $a$ in situation $s$, and let the atom $Poss(a, s)$ denote that
action $a$ is possible in situation $s$. Then a state update axiom for an action $A$
with parameters $\bar x$ is of the form

$$ Poss(A(\bar x), s) \supset \big( \Delta(\bar x, s) \supset \Gamma_{\Delta,A}[State(Do(A(\bar x), s)), State(s)] \big) \quad (2) $$

where $\Delta(\bar x, s)$ is a first-order formula which describes the conditions on $\bar x$ and
situation $s$ under which the two states prior to and after the action are related
in the way specified by $\Gamma_{\Delta,A}$. In the simplest case, $\Gamma_{\Delta,A}$ is a mere equational
relation between the states:

$$ (\exists \bar y)\; State(Do(A(\bar x), s)) \circ \vartheta^-(\bar x, \bar y) = State(s) \circ \vartheta^+(\bar x, \bar y) \quad (3) $$

where the sub-terms $\vartheta^-(\bar x, \bar y)$ and $\vartheta^+(\bar x, \bar y)$, which are of sort state, contain, respectively,
the negative and positive effects of action $A$ under condition $\Delta$.

Consider, for example, the action denoted by $Move(x, y)$ of sending everyone
from room $x$ to room $y$. Suppose that this action has the effect of $x$ no longer
being occupied and of room $y$ becoming occupied instead. Suppose further that
the action is possible if $x$ is currently occupied and $y$ is not. The following
two axioms are a suitable encoding of this specification in the Fluent Calculus:

$$ Poss(Move(x, y), s) \supset State(Do(Move(x, y), s)) \circ Occupied(x) = State(s) \circ Occupied(y) \quad (4) $$

$$ Poss(Move(x, y), s) \equiv Holds(Occupied(x), s) \wedge \neg Holds(Occupied(y), s) \quad (5) $$

where $Holds(f, s)$ means that fluent $f$ holds in situation $s$.

In order that axioms like these entail reasonable conclusions, an axiomatic 
account of two properties of states is required: 



¹ A word on the notation: Predicate and function symbols, including constants,
start with a capital letter whereas variables are in lower case, sometimes with
sub- or superscripts. Free variables in formulas are assumed universally quantified.
Throughout the paper, action variables are denoted by the letter $a$, situation
variables by the letter $s$, fluent variables by the letter $f$, and state variables by
the letter $z$, all possibly with sub- or superscript. Multisets, i.e. collections that
can contain elements more than once, are written as $\{f_1, \dots, f_n\}$ with a dot above
the braces, and multiset operations are marked by a dot above the operation symbol
(as in $\dot\cup$ and $\dot\subset$).
1. What makes two states equal, and what makes them unequal?

2. When does a fluent hold in a state associated to a situation, and when does
it not?

An answer to the first question is crucial for solving the representational and
inferential Frame Problem by state update axioms whose consequences are
equations of the form (3): If a fluent is contained in $State(s)$ and is not among
the negative effects $\vartheta^-(\bar x, \bar y)$, then the fluent should be contained in
$State(Do(A(\bar x), s))$; and if a fluent is not contained in $State(s)$, then it should
also not be contained in $State(Do(A(\bar x), s))$ as long as it is not among the
positive effects $\vartheta^+(\bar x, \bar y)$.² An answer to the second question is needed to evaluate
both action preconditions and the condition part of state update axioms, and in
general to draw any interesting conclusions concerning the values of fluents in
situations.

The existing equational foundation of the Fluent Calculus gives an answer to the
two questions based on the equational theory of a commutative monoid along with
the notion of unification completeness. In the following section we show the
limitations of this approach when it comes to incorporating domain-specific
equalities or the definition of functions among domain entities. In Section 3 a new
and conceptually simpler equational foundation is developed, which is shown to
overcome the restrictions of the existing account. In Section 4 we prove some
fundamental properties of the new axiomatization, which in particular ensure that
the Fluent Calculus solution to the Frame Problem is still correct under the new
foundation. In Section 5 a second-order extension of our theory is presented to
enable reasoning about the consumption and production of integer-valued resources.
This extension is proved to axiomatically characterize the sort state as the finite
multisets over the sort fluent. We conclude in Section 6.

2 Unification Completeness and Its Limitations

The Fluent Calculus uses classical logic with equality, that is, where the equality
relation is assumed to be interpreted as real equality among domain elements.
On this basis, the existing equational foundation of the Fluent Calculus consists
of the following axioms:

— Equational theory AC1,

$$ \begin{aligned} (z_1 \circ z_2) \circ z_3 &= z_1 \circ (z_2 \circ z_3) \\ z_1 \circ z_2 &= z_2 \circ z_1 \\ z \circ \emptyset &= z \end{aligned} \quad \text{(AC1)} $$

(where $\emptyset$ is a constant of sort state, denoting the empty collection of
fluents);

— An AC1-unification complete theory AC1* (details given below).

² We assume throughout the paper that $\vartheta^+$ and $\vartheta^-$ are disjoint and do not contain
any fluent more than once.
Theory AC1 essentially says that the order in which the fluent terms occur in
repeated applications of $\circ$ is irrelevant, so that, say, $Occupied(\text{AMT-206}) \circ (z \circ Occupied(\text{AMT-101}))$
and (1) denote the very same state. (Justified by the law
of associativity, we will omit parentheses in nested applications of $\circ$ in the rest
of the paper.) Based on the equational foundation, the notion of fluents holding
in states and situations, resp., is defined via two macros which stand for pure
equality sentences:

$$ \begin{aligned} Holds(f, z) &\equiv (\exists z')\, z = f \circ z' \\ Holds(f, s) &\equiv Holds(f, State(s)) \end{aligned} \quad \text{(Holds)} $$

That is, a fluent holds in a state or a situation, resp., if it is contained in the
respective state term.

Negating the left and right hand sides of definition (Holds), a fluent $f$ does
not hold in a state $z$ if for all $z'$ we have $z \neq f \circ z'$. Deriving inequalities of
this kind requires to axiomatize that states not composed of the same fluents are
unequal. The AC1-unification complete theory AC1* serves this purpose. Its
definition relies on a complete AC1-unification algorithm, and it comprises an
infinite set of axioms which contains the following axiom for any pair of terms
$t_1, t_2$ of sort state and without occurrence of function $State$:

$$ t_1 = t_2 \supset \bigvee_{\theta \in \Theta_{AC1}(t_1, t_2)} \theta_{=} \quad (6) $$

where $\Theta_{AC1}(t_1, t_2)$ is a complete set of AC1-unifiers of $t_1, t_2$ and where $\theta_{=}$
is the equational formula $x_1 = r_1 \wedge \dots \wedge x_n = r_n$ if $\theta = \{x_1/r_1, \dots, x_n/r_n\}$.
In particular, if two terms are not AC1-unifiable, then the disjunction evaluates
to falsity, hence the implication simplifies to $t_1 \neq t_2$. Inequalities of state terms
can thus be derived from their not being AC1-unifiable.

The rigorousness of unification completeness, however, has the important
limitation of making it impossible to add simple domain-specific equalities or to
define functions among domain entities.

Observation 1. Consider a Fluent Calculus signature with the two constants
AMT-101 and MainLectureHall of the domain sort room and with function
$Occupied : room \mapsto fluent$. Then

$$ \text{MainLectureHall} = \text{AMT-101} \quad (7) $$

and AC1* are inconsistent.

Proof. By the standard interpretation of equality and (7) it follows

$$ Occupied(\text{MainLectureHall}) = Occupied(\text{AMT-101}) $$

But the terms $Occupied(\text{MainLectureHall})$ and $Occupied(\text{AMT-101})$ of sort
state are not AC1-unifiable; hence, (6) entails

$$ Occupied(\text{MainLectureHall}) \neq Occupied(\text{AMT-101}) $$

□
Observation 2. Consider a Fluent Calculus signature with constant AMT-206
of domain sort room, constant Peter of domain sort person, and functions
$RoomOf : person \mapsto room$ and $Occupied : room \mapsto fluent$. Then

$$ RoomOf(\text{Peter}) = \text{AMT-206} \quad (8) $$

and AC1* are inconsistent.

Proof. As above. □

The only way of incorporating domain-dependent equalities or definitions of
functions without sacrificing the idea of unification completeness is to use an
E-unification complete theory instead of simply AC1*, where E consists of the
axioms AC1 plus all domain-dependent equations. This approach, however, has
severe drawbacks: First, the foundational axioms on equality of state terms are
domain-dependent, so that they need to be adapted to any additional equation
or inequality. Second, if the equational theory E is not finitary then the
corresponding unification complete theory includes axioms with an infinite number
of disjuncts. Finally and most importantly, the definition of an E-unification
complete theory appeals to complete sets of E-unifiers, so that the existence
of such a set for any two terms needs to be proved for any particular domain
axiomatization in order that the definition is not rendered meaningless.

The equational foundation for the Fluent Calculus is accompanied by the
following foundational axiom, which stipulates non-multiplicity of fluents in state
terms that are associated with a situation:

$$ State(s) \neq f \circ f \circ z \quad \text{(NonMult)} $$

Assuming non-multiplicity instead of stipulating idempotency of $\circ$ is crucial in
order not to annul the solution to the Frame Problem offered by state update
axioms. To see why, suppose $State(s) = f \circ z$ for some $f, s, z$, and consider the
equation $State(Do(a, s)) \circ f = State(s)$, where $f$ is specified as negative effect.
However, neither would idempotency of $\circ$ allow to conclude that $f$ does not
occur in $State(Do(a, s))$, nor would this follow without axiom (NonMult).

3 A New Equational Foundation

The limitations of the existing equational foundation for the Fluent Calculus can
be overcome by a paradigm shift away from the inference-oriented viewpoint of
unification completeness towards a more semantic-oriented view. Intuitively, two
state terms shall be equal only if they contain equal fluents. Indeed, a simple,
finite first-order axiomatization of this intuition is possible under which the
Fluent Calculus solution to the Frame Problem is still valid.³

³ In a later section, we will show that it is moreover possible to give a finite but
second-order extension of these axioms so as to obtain a characterization of equality
of state terms precisely up to the ordering of the fluent sub-terms, in other
words, where in every interpretation the sort state is isomorphic to the finite
multisets over the sort fluent.
Fig. 1. The Levi axiom: If some state (symbolized by a square) can be partitioned
into $z_1, z_2$ as well as into $z_3, z_4$, it can be partitioned into $z_a, z_b, z_c, z_d$ such
that the same areas denote equal (wrt. AC1) parts of the terms.

Definition 1. The new equational foundation for the Fluent Calculus comprises
the following axioms:

— Equational theory AC1;

— an axiom which specifies that a fluent is an irreducible (wrt. $\circ$) element of
state:

$$ z = f \supset z \neq \emptyset \wedge [\, z = z' \circ z'' \supset z' = \emptyset \vee z'' = \emptyset \,] \quad \text{(Irred)} $$

— the so-called Levi axiom,⁴

$$ z_1 \circ z_2 = z_3 \circ z_4 \supset (\exists z_a, z_b, z_c, z_d)\, \big( z_1 = z_a \circ z_b \wedge z_3 = z_a \circ z_c \wedge z_2 = z_c \circ z_d \wedge z_4 = z_b \circ z_d \big) \quad \text{(Levi)} $$

Fig. 1 gives a graphical interpretation of this axiom.⁵

These axioms are domain-independent. By EUNA we denote their union along
with a set of domain-dependent unique names axioms UNA.

To demonstrate the gained expressiveness of the new foundation, recall the
observations made in Section 2. Suppose given the initial state

$$ State(S_0) = Occupied(\text{AMT-206}) \quad (9) $$

⁴ The axiom postulated here is proven as a lemma called Levi's lemma in trace
theory. Since the set of finite multisets with multiset union as an operation is
isomorphic to a trace monoid over the same set where all symbols are independent,
we turn its role around and postulate this property as an axiom characterizing
multisets.

⁵ It should be noted that the picture may be a bit misleading: In case $z_1, z_2, z_3, z_4$
contain multiple occurrences of sub-terms, the states $z_a, z_b, z_c, z_d$ are not necessarily
uniquely determined, as the reader may verify with the example $(a \circ a) \circ (a \circ a) = a \circ (a \circ a \circ a)$.
along with the axioms UNA[Occupied], UNA[AMT-101, AMT-206]⁶ and

$$ \text{MainLectureHall} = \text{AMT-101} \quad (10) $$

Note that this equation does not contradict the axioms of Definition 1, as opposed
to the old foundation of the Fluent Calculus (cf. Observation 1). Suppose further
we want to move the current lecture from room AMT-206 to the main
lecture hall since the former is too small. This action leads from situation $S_0$
to $Do(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)$. By applying (5) and (Holds)
to (9) and (10) it follows that $Poss(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)$. Thus,
from (4) and (9) we conclude that

$$ State(Do(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)) \circ Occupied(\text{AMT-206}) = Occupied(\text{AMT-206}) \circ Occupied(\text{MainLectureHall}) \quad (11) $$

While axioms AC1 and (10) suffice to show that (11) is satisfied by

$$ State(Do(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)) = Occupied(\text{AMT-101}) \quad (12) $$

our new axioms are needed to prove that (12) holds: Applying (10) to (11) we
get

$$ State(Do(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)) \circ Occupied(\text{AMT-206}) = Occupied(\text{AMT-206}) \circ Occupied(\text{AMT-101}) \quad (13) $$

According to (Levi) we find $z_a, z_b, z_c, z_d$ such that

$$ State(Do(Move(\text{AMT-206}, \text{MainLectureHall}), S_0)) = z_a \circ z_b \quad (14) $$

$$ Occupied(\text{AMT-206}) = z_c \circ z_d \quad (15) $$

$$ Occupied(\text{AMT-206}) = z_a \circ z_c \quad (16) $$

$$ Occupied(\text{AMT-101}) = z_b \circ z_d \quad (17) $$

Employing (Irred), we apply case distinction to (15). The case $z_c = \emptyset$ and
$z_d = Occupied(\text{AMT-206})$ contradicts equation (17), UNA[AMT-101, AMT-206], and
(Irred) in view of UNA[Occupied]. In case $z_c = Occupied(\text{AMT-206})$ and
$z_d = \emptyset$, from (17) and AC1 it follows that $z_b = Occupied(\text{AMT-101})$; furthermore,
from (16) we get $z_a = \emptyset$ according to (Irred). Hence, (14) and AC1
entail the desired conclusion (12).

The example derivation shows that the new equational foundation successfully
handles the domain-dependent equality (10). In a similar fashion we can


⁶ For domain-dependent assumptions of unique names we adopt the standard
notation UNA[$h_1, \dots, h_n$] as an abbreviation for the formula

$$ \bigwedge_{i \neq j} h_i(\bar x) \neq h_j(\bar y) \;\wedge\; \bigwedge_i \big( h_i(\bar x) = h_i(\bar y) \supset \bar x = \bar y \big) $$









Hans-Peter Störr and Michael Thielscher



now introduce functions among domain entities by equations like (8) without
producing inconsistency. Admittedly, calculating with pure (Irred) and (Levi)
looks rather cumbersome. However, in the next section we will derive two
computation rules as logical consequences of our axiomatization, which are of great
help when calculating state equations. One of the two rules, for instance, leads
directly from (13) to (12).



4 Results

We have seen that our new foundation for the Fluent Calculus allows the
incorporation of domain-dependent equations and inequalities. In this section, we
prove the crucial result that state update axioms solve the Frame Problem also
under the new axioms. More specifically, we prove that the core of a state update
axiom, an equation of the form

$$ (\exists \bar y)\; State(Do(A(\bar x), s)) \circ \vartheta^-(\bar x, \bar y) = State(s) \circ \vartheta^+(\bar x, \bar y) \quad (18) $$

satisfies the following:

1. All fluents in $\vartheta^+(\bar x, \bar y)$ (the positive effects of the action) do hold in the
successor state $State(Do(A(\bar x), s))$;

2. all fluents in $\vartheta^-(\bar x, \bar y)$ (the negative effects of the action) do not hold in
the successor state $State(Do(A(\bar x), s))$;

3. all fluents not contained in $\vartheta^+$ or $\vartheta^-$ hold in $State(Do(A(\bar x), s))$ if and
only if they hold in $State(s)$;

4. the equation is consistent with foundational axiom (NonMult).

The proof is based on two computation rules, the Cancelation Rule and the
Distribution Rule. Both are logical consequences of our axiomatization, and they
are of great practical value when it comes to calculating with state equations.

Proposition 1. (Cancelation Rule) In all models of EUNA we have

$$ f \circ z = f \circ z' \supset z = z' \quad \text{(Cancel)} $$

Proof. Assume $f \circ z = f \circ z'$. By (Levi) we find $z_a, z_b, z_c, z_d$ such that

$$ f = z_a \circ z_b \;\wedge\; z = z_c \circ z_d \;\wedge\; f = z_a \circ z_c \;\wedge\; z' = z_b \circ z_d $$

By (Irred) we distinguish two cases:

If $z_a = \emptyset$, then AC1 implies $f = z_b = z_c$, thus $z = f \circ z_d$ and $z' = f \circ z_d$,
and hence by symmetry and transitivity of equality, $z = z'$.

If $z_b = \emptyset$, then $f = z_a$ by AC1. Applying (Irred) we conclude $f \neq \emptyset$;
therefore, $f = z_a \circ z_c$ implies $z_c = \emptyset$, again by (Irred). Hence, $z = \emptyset \circ z_d = z'$.
□

The Cancelation Rule allows to cancel out equal fluent terms on both sides
of a state equation. Note, for instance, that by this rule the rather complicated
derivation of (12) from (13) of the preceding section follows directly.
Proposition 2. (Distribution Rule) In all models of EUNA we have

$$ f_1 \neq f_2 \supset \big( f_1 \circ z_1 = f_2 \circ z_2 \supset Holds(f_1, z_2) \big) \quad \text{(Distrib)} $$

Proof. Assume $f_1 \neq f_2$ and $f_1 \circ z_1 = f_2 \circ z_2$. Following (Levi) we find
$z_a, z_b, z_c, z_d$ such that

$$ f_1 = z_a \circ z_b \;\wedge\; z_1 = z_c \circ z_d \;\wedge\; f_2 = z_a \circ z_c \;\wedge\; z_2 = z_b \circ z_d $$

By (Irred) we conclude that either $z_a = \emptyset \wedge z_b = f_1$ or $z_a = f_1 \wedge z_b = \emptyset$.
The latter case would imply $f_2 = f_1 \circ z_c$, which contradicts (Irred) given that
$f_1 \neq f_2$. Thus, $z_a = \emptyset \wedge z_b = f_1$, hence $z_2 = f_1 \circ z_d$, hence $Holds(f_1, z_2)$. □

The Distribution Rule in combination with Cancelation allows to rewrite
state equations so as to project onto a particular sub-term. A typical application
is to rewrite the equation $State(Do(a, s)) \circ f^- = State(s) \circ f^+$ (with $f^- \neq f^+$, as
the Distribution Rule requires) to $(\exists z)\, (State(s) = f^- \circ z \wedge State(Do(a, s)) \circ f^- = f^- \circ z \circ f^+)$,
and then to apply the Cancelation Rule to obtain the projection
$(\exists z)\, (State(Do(a, s)) = z \circ f^+ \wedge State(s) = f^- \circ z)$.
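The Move example of Section 1 and the projection technique just described, as an added example that is not from the paper: a Python encoding (our own code; names such as solve_update, check_theorem3 and state_of are ours) represents state terms as finite multisets of fluent names, implements the Holds macro and the Cancelation and Distribution Rules, and uses them to solve the state update equation (4) for State(Do(Move(AMT-206, MainLectureHall), S0)) under the domain equation (10), then checks items 1 to 4 of Theorem 3 on the result. The consistency assumptions of Section 4 and (NonMult) are enforced explicitly, so a violated precondition surfaces as an unsolvable equation rather than as a silently wrong successor state.

```python
from collections import Counter
from typing import Dict, Iterable

# Added example, not code from the paper.  A state term is a finite multiset of
# fluent names (collections.Counter), i.e. the structure Theorem 5 characterises.
State = Counter


def state_of(*fluents: str) -> State:
    """Build the state term f1 o ... o fn from fluent names."""
    return Counter(fluents)


def compose(*states: State) -> State:
    """z1 o z2 o ... : multiset union, so AC1 holds by construction."""
    out: State = Counter()
    for z in states:
        out.update(z)
    return out


def holds(f: str, z: State) -> bool:
    """Macro (Holds): (exists z') z = f o z', i.e. f occurs in z."""
    return z[f] > 0


def cancel(f: str, lhs: State, rhs: State):
    """Cancelation Rule (Prop. 1): from f o z = f o z' conclude z = z'."""
    if not (holds(f, lhs) and holds(f, rhs)):
        raise ValueError(f"{f} is not on both sides; Cancel does not apply")
    one = Counter({f: 1})
    return lhs - one, rhs - one


# Domain-dependent equation (10): MainLectureHall = AMT-101.  Under EUNA it is
# consistent, so room names can simply be normalised before fluents are built.
ROOM_EQUATIONS: Dict[str, str] = {"MainLectureHall": "AMT-101"}


def occupied(room: str) -> str:
    return f"Occupied({ROOM_EQUATIONS.get(room, room)})"


def solve_update(state_s: State, neg: Iterable[str], pos: Iterable[str]) -> State:
    """Solve the core equation (18), State(Do(A,s)) o theta- = State(s) o theta+,
    for State(Do(A,s)), given State(s) and the negative/positive effects."""
    neg, pos = Counter(neg), Counter(pos)
    # Consistency assumptions of Section 4 plus (NonMult) on State(s).
    if set(neg) & set(pos) or any(k > 1 for k in (neg + pos).values()):
        raise ValueError("theta+ and theta- must be disjoint and repetition-free")
    if any(holds(f, state_s) for f in pos):
        raise ValueError("a positive effect already holds in State(s)")
    if any(k > 1 for k in state_s.values()):
        raise ValueError("State(s) violates (NonMult)")
    # Distribution Rule (Prop. 2): each f- differs from every f+ by unique names,
    # so f- o ... = State(s) o theta+ forces Holds(f-, State(s)).  If that fails
    # the equation has no model at all: the action was not possible.
    for f in neg:
        if not holds(f, state_s):
            raise ValueError(f"{f} is a negative effect but does not hold in State(s)")
    left, right = Counter(neg), compose(state_s, pos)   # the known part of each side
    for f in neg:                       # Cancelation Rule, once per negative effect
        left, right = cancel(f, left, right)
    assert not left                     # everything known on the left is cancelled
    return right                        # what remains is State(Do(A(x), s))


def check_theorem3(z1: State, z2: State, neg: Iterable[str], pos: Iterable[str]) -> bool:
    """Items 1-4 of Theorem 3 for z1 = State(Do(A,s)) and z2 = State(s)."""
    neg, pos = set(neg), set(pos)
    frame = (set(z1) | set(z2)) - neg - pos
    return (all(holds(f, z1) for f in pos)                       # item 1
            and not any(holds(f, z1) for f in neg)               # item 2
            and all(holds(f, z1) == holds(f, z2) for f in frame) # item 3
            and all(k <= 1 for k in z1.values()))                # item 4 (NonMult)


def possible_move(state_s: State, x: str, y: str) -> bool:
    """Precondition axiom (5)."""
    return holds(occupied(x), state_s) and not holds(occupied(y), state_s)


def move(state_s: State, x: str, y: str) -> State:
    """State update axiom (4) for Move(x, y)."""
    if not possible_move(state_s, x, y):
        raise ValueError("Poss(Move(x, y), s) is false")
    return solve_update(state_s, neg=[occupied(x)], pos=[occupied(y)])


if __name__ == "__main__":
    s0 = state_of(occupied("AMT-206"))                 # equation (9)
    s1 = move(s0, "AMT-206", "MainLectureHall")        # conclusion (12)
    print(sorted(s1.elements()))                       # ['Occupied(AMT-101)']
    print(check_theorem3(s1, s0, [occupied("AMT-206")], [occupied("MainLectureHall")]))
```

The multiset representation makes AC1 and (Levi) hold automatically, which is why the code never has to search for the witnesses $z_a, \dots, z_d$ of the derivation of (12) in Section 3; the two computation rules are all that is needed, exactly as the text claims.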

We are now in a position to prove the abovementioned main result. We make
the following assumption of consistency: State update axioms are designed in such
a way that if an equation (18) is entailed, then the positive and negative effects,
$\vartheta^+$ and $\vartheta^-$, do not share a fluent, contain no fluent more than once, and no
fluent is specified as positive effect via (18) if it holds in $State(s)$ itself. From
(NonMult) we furthermore know that no fluent occurs twice in $State(s)$.

Theorem 3. Consider a set UNA of unique names axioms and let the terms
$\vartheta^- = f^-_1 \circ \dots \circ f^-_m$ and $\vartheta^+ = f^+_1 \circ \dots \circ f^+_n$ be finite, possibly empty sequences
of fluent terms joined together with $\circ$ such that $UNA \models f^-_i \neq f^+_j$ for all $i, j$,
and $UNA \models f^-_i \neq f^-_j$ as well as $UNA \models f^+_i \neq f^+_j$ for all $i \neq j$. Then in all
models of EUNA we have that

$$ z_1 \circ \vartheta^- = z_2 \circ \vartheta^+ \;\wedge\; \bigwedge_{j = 1 \dots n} \neg Holds(f^+_j, z_2) \;\wedge\; (\forall f)\, \neg Holds(f \circ f, z_2) $$⁷

implies each of the following.

1. $Holds(f^+_j, z_1)$ (for all $j = 1, \dots, n$);

2. $\neg Holds(f^-_i, z_1)$ (for all $i = 1, \dots, m$);

3. $(\forall f)\, \big( \neg Holds(f, \vartheta^- \circ \vartheta^+) \supset [Holds(f, z_1) \equiv Holds(f, z_2)] \big)$;

4. $(\forall f)\, \neg Holds(f \circ f, z_1)$.

Proof.

1. Follows from $UNA \models f^-_i \neq f^+_j$ for all $f^-_i$ in $\vartheta^-$ by repeated application
of the Distribution Rule.

⁷ where $Holds(z, z') \equiv (\exists z'')\, z' = z \circ z''$
2. If $z_1 = f^-_i \circ z'$ for some $f^-_i$ in $\vartheta^-$ and some $z'$, then

$$ f^-_i \circ z' \circ f^-_1 \circ \dots \circ f^-_i \circ \dots \circ f^-_m = z_2 \circ \vartheta^+ \quad (19) $$

From $UNA \models f^-_i \neq f^+_j$ for all $f^+_j$ in $\vartheta^+$ and by $n$-fold application of the
Distribution Rule it follows that $(\exists z'')\, z_2 = f^-_i \circ z''$; hence, (19) implies,
using the Cancelation Rule,

$$ (\exists z'')\; z' \circ f^-_1 \circ \dots \circ f^-_i \circ \dots \circ f^-_m = z'' \circ \vartheta^+ $$

With a similar argument we conclude that $(\exists z''')\, z'' = f^-_i \circ z'''$; consequently,
$(\exists z''')\, z_2 = f^-_i \circ f^-_i \circ z'''$, which contradicts $(\forall f)\, \neg Holds(f \circ f, z_2)$.

3. Follows by repeated application of the Distribution Rule.

4. Follows from $(\forall f)\, \neg Holds(f \circ f, z_2)$ and $\bigwedge_{j = 1 \dots n} \neg Holds(f^+_j, z_2)$ with a
similar argument as used in the proof of item 2. □



5 An Induction Axiom

While our new equational foundation for the Fluent Calculus does not affect the
solution to the basic Frame Problem, the axiomatization presented so far is
limited when it comes to modeling resources. Generally, the Fluent Calculus offers a
very natural way of reasoning about the production and consumption of integer-valued
resources, namely, by simply not letting foundational axiom (NonMult)
apply to resources. A state may then contain multiple occurrences of a resource.
For example, given that wheels (of a certain diameter) and axles (of a certain
length) are different things, i.e., UNA[Wheel, Axle], axioms EUNA entail that
$Wheel(6'') \circ Wheel(6'') \circ Axle(3.5') \neq Wheel(6'') \circ Axle(3.5') \circ Axle(3.5')$, read:
having available two wheels and one axle is different from holding just one wheel
but two axles. An example for a state update axiom talking about resources is
the following, which specifies the action $Assemble(l, d)$ of assembling a chassis
of length $l$ and with two wheels of diameter $d$:⁸

$$ Holds(Axle(l) \circ Wheel(d) \circ Wheel(d), s) \supset State(Do(Assemble(l, d), s)) \circ Axle(l) \circ Wheel(d) \circ Wheel(d) = State(s) \circ Chassis(l, d) $$

For an adequate treatment of resources, our axiomatization of Section 3 is
insufficient because it admits models in which equations like $z \circ f = z$ are true:

Observation 4. $EUNA \cup \{ z \circ f = z \}$ is satisfiable.

Proof. We construct a model as follows. Let the domain for sort state be the
natural numbers $\mathbb{N}$ (including 0) augmented by the element $\omega$. The only domain
element of sort fluent shall be 1. Let $\emptyset$ be interpreted by 0 and $\circ$ by the
function

$$ \lambda m, n.\; \begin{cases} m + n & \text{if } m \neq \omega \text{ and } n \neq \omega \\ \omega & \text{otherwise} \end{cases} $$

⁸ Below, $Holds(z, s) \equiv (\exists z')\, State(s) = z \circ z'$.
This function is associative, commutative, and has 0 as unit element; hence,
AC1 holds in the model. Furthermore, $1 \neq 0$, and if $1 = m + n$ then either
$m = 0$ or $n = 0$; hence, (Irred) holds. Finally, if $n_1 + n_2 = n_3 + n_4$, then
(Levi) is satisfied by

$$ \begin{aligned} n_a &= \min(n_1, n_3) & n_c &= n_2 - n_d \\ n_b &= n_1 - n_a & n_d &= \min(n_2, n_4) \end{aligned} $$

in case $n_1 + n_2 \neq \omega$. In case $n_1 + n_2 = n_3 + n_4 = \omega$, let us assume without
loss of generality that $n_1 = n_3 = \omega$. If none of $n_2, n_4$ equals $\omega$, then (Levi) is
satisfied by

$$ \begin{aligned} n_a &= \omega & n_c &= n_2 - n_d \\ n_b &= \max(0, n_4 - n_2) & n_d &= \min(n_2, n_4) \end{aligned} $$

else if one and only one of $n_2, n_4$ equals $\omega$, say $n_2$, then (Levi) is satisfied by

$$ n_a = \omega \;\wedge\; n_b = n_4 \;\wedge\; n_c = \omega \;\wedge\; n_d = 0 $$

else if $n_2 = n_4 = \omega$, then (Levi) is satisfied by $n_a = n_b = n_c = n_d = \omega$.

Having proved that we have constructed a model for EUNA, the claim follows
by interpreting $z$ by $\omega$ and $f$ by 1, because $\omega + 1 = \omega$. □

The reader may note that this observation does not contradict the Cancelation
Rule, which allows only fluents to be canceled out. The observation is to be
contrasted with the old foundation of the Fluent Calculus, where the unification
complete theory AC1* includes the axiom $z \circ f \neq z$ since the two terms are not
AC1-unifiable.

Observation 4 is unproblematic in the non-resource case, because the equation
$State(s) \circ f = State(s)$ is unsatisfiable in view of foundational axiom
(NonMult).⁹ But if we remove the non-multiplicity condition in order to deal
with resources, then we need means to prevent such unintended models.

In this section, we introduce two additional axioms through which this problem
is solved. Speaking algebraically, we extend EUNA in such a way that in
every model $\mathcal{M}$ of that extension we have that the sort $state^{\mathcal{M}}$ is isomorphic
to the set of finite multisets over the sort $fluent^{\mathcal{M}}$, where $\emptyset$ represents the
empty multiset and $\circ$ the union of multisets. The additional axioms are, first,
an induction axiom, which says that the sort state contains exactly the terms
which can be constructed by applying $\circ$ to $\emptyset$ and elements of sort fluent; and
second, an axiom which specifies that $\emptyset$ has no proper divisor:

$$ (\forall P)\, \big[ P(\emptyset) \wedge (\forall f, z)\, (P(z) \supset P(f \circ z)) \supset (\forall z)\, P(z) \big] \quad \text{(Ind)} $$

$$ z \circ z' = \emptyset \supset z = \emptyset \quad \text{(ZeroDiv)} $$

EUNA augmented by (Ind) and (ZeroDiv) (we call this theory EUNA⁺) is
consistent:

⁹ Repeated application of the Distribution Rule to $State(s) \circ f = State(s)$ yields
$(\exists z)\, State(s) = f \circ f \circ z$.
Proposition 3. Axioms EUNA⁺ are satisfiable.

Proof. We can construct a model for EUNA⁺ as follows: Let the domain for the
sort fluent be a set of singleton multisets $\{\{a\} : a \in A\}$, and let the domain
for the sort state be the set of finite multisets over $A$. It is easy to verify that
AC1, (Irred) and (ZeroDiv) are true. Furthermore, any instance of (Levi) is
satisfied by setting

$$ \begin{aligned} z_a &= z_1 \,\dot\cap\, z_3 & z_c &= z_2 \,\dot\setminus\, z_d \\ z_b &= z_1 \,\dot\setminus\, z_a & z_d &= z_2 \,\dot\cap\, z_4 \end{aligned} $$

The proof for (Ind) is straightforward by well-founded induction over the set of
finite multisets over fluent with the ordering relation $\dot\subset$. □
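Observation 4 and Proposition 3, as an added executable check that is not part of the paper (our own code; names such as check_levi, omega_levi_witness and ms_levi_witness are ours): both models are built in Python, the witness functions given in the two proofs are implemented literally, and AC1, (Irred) and (Levi) are checked exhaustively over a finite sample of each domain. The block also exhibits the two facts that motivate this section: in the ω model z ∘ f = z is true for z = ω, and (Ind) fails there because ω cannot be reached from ∅ by adding fluents. The proof of Observation 4 fixes n1 = n3 = ω without loss of generality; the two symmetry reductions that bring the other placements of ω into that form are our addition.

```python
from collections import Counter
from itertools import product

# Added example, not from the paper.  Two models of the state sort are checked
# against the EUNA axioms on a finite sample of their domains.  Each model is
# an operation op interpreting "o" plus a witness function for (Levi).

OMEGA = "w"          # the extra state element omega of Observation 4


# ---- Model 1 (Observation 4): states N u {w}, the single fluent 1, empty = 0 ----
def omega_op(m, n):
    """lambda m, n. m + n if neither is w, else w."""
    return OMEGA if OMEGA in (m, n) else m + n


def omega_levi_witness(n1, n2, n3, n4):
    """(za, zb, zc, zd) with n1 = za o zb, n3 = za o zc, n2 = zc o zd, n4 = zb o zd,
    following the case analysis in the proof of Observation 4.  That proof assumes
    n1 = n3 = w in the infinite case; commuting either side of (Levi) reduces the
    remaining placements of w to it (this reduction is our addition)."""
    if omega_op(n1, n2) != OMEGA:                      # finite case
        na, nd = min(n1, n3), min(n2, n4)
        return na, n1 - na, n2 - nd, nd
    if n1 != OMEGA:                                    # then n2 = w: commute left side
        za, zb, zc, zd = omega_levi_witness(n2, n1, n3, n4)
        return zc, zd, za, zb
    if n3 != OMEGA:                                    # then n4 = w: commute right side
        za, zb, zc, zd = omega_levi_witness(n1, n2, n4, n3)
        return zb, za, zd, zc
    if OMEGA not in (n2, n4):                          # n1 = n3 = w, n2 and n4 finite
        nd = min(n2, n4)
        return OMEGA, max(0, n4 - n2), n2 - nd, nd
    if n2 == OMEGA and n4 != OMEGA:
        return OMEGA, n4, OMEGA, 0
    if n4 == OMEGA and n2 != OMEGA:
        return OMEGA, OMEGA, n2, 0
    return OMEGA, OMEGA, OMEGA, OMEGA


OMEGA_SAMPLE = list(range(5)) + [OMEGA]
OMEGA_FLUENTS = [1]


# ---- Model 2 (Proposition 3): finite multisets over A = {a, b}, fluents singletons ----
def ms_op(z1, z2):
    return z1 + z2                                     # multiset union


def ms_levi_witness(z1, z2, z3, z4):
    """Witnesses from the proof of Proposition 3: za = z1 n z3, zb = z1 \\ za,
    zd = z2 n z4, zc = z2 \\ zd  (Counter & is multiset intersection)."""
    za, zd = z1 & z3, z2 & z4
    return za, z1 - za, z2 - zd, zd


MS_SAMPLE = [Counter({k: v for k, v in (("a", i), ("b", j)) if v})
             for i in range(3) for j in range(3)]
MS_FLUENTS = [Counter({"a": 1}), Counter({"b": 1})]
MS_ZERO = Counter()


# ---- Generic checks of the EUNA axioms over a finite sample of the domain ----
def check_ac1(op, zero, sample):
    for x, y, z in product(sample, repeat=3):
        if op(op(x, y), z) != op(x, op(y, z)) or op(x, y) != op(y, x):
            return False
    return all(op(x, zero) == x for x in sample)


def check_irred(op, zero, fluents, sample):
    """(Irred): a fluent is non-empty and admits only trivial decompositions."""
    for f in fluents:
        if f == zero:
            return False
        for x, y in product(sample, repeat=2):
            if op(x, y) == f and x != zero and y != zero:
                return False
    return True


def check_levi(op, witness, sample):
    """Check (Levi) on every sample instance of z1 o z2 = z3 o z4; returns the
    number of instances checked and raises on the first failing witness."""
    count = 0
    for z1, z2, z3, z4 in product(sample, repeat=4):
        if op(z1, z2) != op(z3, z4):
            continue
        za, zb, zc, zd = witness(z1, z2, z3, z4)
        if not (op(za, zb) == z1 and op(za, zc) == z3
                and op(zc, zd) == z2 and op(zb, zd) == z4):
            raise AssertionError(f"(Levi) fails for {(z1, z2, z3, z4)}")
        count += 1
    return count


def omega_absorbs_fluent():
    """The point of Observation 4: z o f = z is satisfiable (z = w, f = 1)."""
    return omega_op(OMEGA, 1) == OMEGA


def ind_fails_in_omega_model(steps=50):
    """(Ind) with P = 'constructible from 0 by adding fluents': P(0) and the
    induction step hold, yet w is never reached, so (forall z) P(z) is false."""
    reachable = {0}
    for _ in range(steps):
        reachable |= {omega_op(z, 1) for z in reachable}
    return OMEGA not in reachable


if __name__ == "__main__":
    print(check_levi(omega_op, omega_levi_witness, OMEGA_SAMPLE), "omega instances ok")
    print(check_levi(ms_op, ms_levi_witness, MS_SAMPLE), "multiset instances ok")
    print(omega_absorbs_fluent(), ind_fails_in_omega_model())
```

The sample bounds (naturals up to 4, multisets with at most two copies of each of two fluents) are a test budget, not a proof; the paper's own proofs cover the full domains. What the check adds is that the witness formulas are exercised on every arrangement of ω, including the ones the proof dispatches by symmetry.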



In the following, we prove stepwise that for each model of EUNA⁺, the
following function $\varrho$ is an isomorphism. The function is a mapping from finite
multisets of fluents onto state terms:

$$ \varrho\Big( \big\{ \underbrace{f_1, \dots, f_1}_{k_1 \text{ times}}, \dots, \underbrace{f_n, \dots, f_n}_{k_n \text{ times}} \big\} \Big) = \underbrace{f_1 \circ \dots \circ f_1}_{k_1 \text{ times}} \circ \dots \circ \underbrace{f_n \circ \dots \circ f_n}_{k_n \text{ times}} \quad (20) $$

Terms which are constructed by applying $\circ$ to $\emptyset$ and terms of sort fluent, like
the one on the right side of this equation, are called constructor state terms.

First, we prove that $\varrho$ is a homomorphism, that is, every equation using
$\dot\emptyset$ and $\dot\cup$ which holds between multisets of fluents also holds after
transforming the operands into the Fluent Calculus via $\varrho$, where $\emptyset$ and $\circ$ replace
$\dot\emptyset$ and $\dot\cup$.

Proposition 4. In every model of EUNA⁺, $\varrho$ is a homomorphism from

$$ (\mathcal{M}_{fin}(fluent);\; \dot\emptyset;\; \dot\cup) $$

into $(state;\; \emptyset;\; \circ)$, where $\mathcal{M}_{fin}(fluent)$ is the set of finite multisets over fluent.

The proof is straightforward using the fact that both $\dot\cup$ and $\circ$ are associative
and commutative and that $\dot\emptyset$ and $\emptyset$ are the respective unit elements.

Splitting a constructor state term with $\circ$ into two parts, the parts are
constructor state terms themselves:

Proposition 5. In every model of $EUNA \cup \{\text{(ZeroDiv)}\}$, for every multiset $\dot z$
of fluents we have

$$ \varrho(\dot z) = z_1 \circ z_2 \supset (\exists \dot z_1, \dot z_2)\, [\, z_1 = \varrho(\dot z_1) \wedge z_2 = \varrho(\dot z_2) \wedge \dot z = \dot z_1 \,\dot\cup\, \dot z_2 \,] \quad (21) $$

Proof. The proof is by induction over the well-founded set of finite multisets with
$\dot\subset$ as ordering relation. If $\dot z = \dot\emptyset$ then (21) is trivially satisfied by
$\dot z_1 = \dot z_2 = \dot\emptyset$ due to (ZeroDiv). If $\dot z \neq \dot\emptyset$ then we can find some $f$ and $\dot z'$
such that $\dot z = \{f\} \,\dot\cup\, \dot z'$. Assume $\varrho(\dot z) = z_1 \circ z_2$, hence $f \circ \varrho(\dot z') = z_1 \circ z_2$.
We can then apply (Levi) and construct $\dot z_1$ and $\dot z_2$ using the induction
hypothesis for $\dot z'$. □
Proposition 5 lays the foundation for proving that $g$ is an injective homomorphism, that is, one which maps different multisets onto different elements of STATE:

Proposition 6. In every model of EUNA$^+$ we have

$$\bar z \neq \bar z' \supset g(\bar z) \neq g(\bar z') \qquad (22)$$

Proof. The proof is by induction over the sum $s = |\bar z| + |\bar z'|$ of the cardinalities of $\bar z$ and $\bar z'$. We distinguish three cases. The case of both $\bar z$ and $\bar z'$ being empty is trivial. If just one of them is empty, say $\bar z' = \emptyset$, we choose $f \in \bar z$ and obtain $g(\bar z) = f \circ g(\bar z \setminus \{f\})$; by and it follows that $g(\bar z) \neq \emptyset = g(\bar z')$, hence (22). In the case $\bar z \neq \emptyset \wedge \bar z' \neq \emptyset$ we find $f, f'$ such that $f \in \bar z$ and $f' \in \bar z'$. Suppose that $g(\bar z) = g(\bar z')$. Then we can apply to $f \circ g(\bar z \setminus \{f\}) = f' \circ g(\bar z' \setminus \{f'\})$ and prove $\bar z = \bar z'$ by case distinction and repeated application of , Proposition 5 and the induction hypothesis. □

We are almost done. What remains to be shown is that every element of STATE corresponds to a finite multiset over FLUENT:

Theorem 5. EUNA$^+$ specifies that the elements of the sort STATE correspond to multisets of elements of sort FLUENT.

Proof. In addition to Proposition we have to prove that $g$ is an isomorphism. Since we know that it is an injective homomorphism (Propositions 4 and 6) it remains to be shown that $g$ is surjective as well, that is, for every element $z$ of STATE there is some $\bar z$ such that $g(\bar z) = z$. Let $P$ be a monadic relation over STATE such that $P(z)$ holds iff there is some $\bar z$ such that $g(\bar z) = z$. Then $P(\emptyset)$, and if $P(z)$ then $P(f \circ z)$ holds as well since $f \circ z = g(\bar z \cup \{f\})$. Thus, by , $P$ holds for all elements of the sort STATE. □

6 Conclusion 

We have presented a new, conceptually simpler equational foundation for the Fluent Calculus which allows for incorporating domain-dependent equations, inequalities, and function definitions. In so doing we have overcome an important limitation of the Fluent Calculus in comparison with the Situation Calculus of [33]. The new axiomatization has already proved invaluable for a case study in which we successfully applied the Fluent Calculus to the Traffic World, a complex dynamic domain which has recently been posed as a challenge to the scientific community [33] and which involves actions with ramifications in nondeterministic, concurrent, and continuous domains.

We have presented two variants of our new equational foundation. The basic axiomatization of Section has been shown sufficient for guaranteeing that the Frame Problem is still solved by state update axioms. In Section we have presented the extended theory EUNA$^+$, which additionally allows for modeling the concept of resources and by which the sort representing states is made isomorphic to the set of finite multisets of fluents. Theory EUNA$^+$ proved useful as the theoretical foundation for the ongoing implementation of planning with resources in the Fluent Calculus by means of BDDs.
Solving the Entailment Problem in the Fluent Calculus Using Binary Decision Diagrams
Abstract. It is rigorously shown how planning problems encoded as a 
class of entailment problems in the fluent calculus can be mapped onto 
satisfiability problems for propositional formulas, which in turn can be 
mapped to the problem of finding models using binary decision diagrams 
(BDDs). The mapping is shown to be sound and complete. First exper- 
imental results of an implementation are presented and discussed. 



1 Introduction 

In recent years propositional methods have seen a surprising revival in the field 
of Intellectics. Greedy satisfiability testing and its variants [17] and the various 
procedures for answer set computing (e.g. [16, 9]) are just two examples. But 
only recently researchers have started to investigate whether BDDs may also 
help to increase the efficiency of algorithms solving typical problems in Intel- 
lectics like, for example, planning problems [5, 6, 8]. This comes to a surprise 
because model checking using BDDs has significantly improved the performance 
of algorithms and enabled the solution of new classes of problems in areas like 
formal verification and logic synthesis (see e.g. [3, 4]). Can we adopt this tech- 
nology for, say, problems occurring in reasoning about situations, actions and 
causality? Can we enrich these techniques by exploiting the experiences made in 
the state of the art implementations of propositional logic calculi and systems 
mentioned at the beginning of this paragraph? 

This paper reports on an attempt to find answers for these and related ques- 
tions in the context of the fluent calculus. The fluent calculus is a formal system 
for reasoning about situations, actions and causality which admits a well-defined 
semantics as given in [11] and [20]. In Section 2 a restricted fragment of the fluent 
calculus is considered, which allows for the specification of planning problems 
as entailment problems in the spirit of [14]. In Section 3 a transformation is for- 
mally defined which maps these entailment problems onto satisfiability problems 
in propositional logic. The mapping is shown to be sound and complete. Thus, 
the decidability of the abovementioned fragment of the fluent calculus is estab- 
lished. In Section 4 it is shown how the shortest plan solving the given planning 
problem can be extracted from the propositional encoding. Finally, in Section 5 
first and promising findings of an implementation using BDDs are presented. In 
Table 1. Notational conventions.

    Symbol        Element of
    $f$           $\Sigma_{Fl}$
    $F, G, \dots$ $\mathcal{L}$
    $\mathcal{F}$ $2^{\mathcal{L}}$
    $n$           $\mathbb{N}_0$
    $z$           $\Sigma_{V,St}$
    $g$           $\Sigma_{V,Fl}$
    $s$           $\Sigma_{V,Sit}$
    $t$           constructor state term



this implementation, the propositional logic formulas are represented by reduced 
and ordered BDDs and techniques from model checking are applied to search for 
models. A discussion of the achieved results in Section 6 concludes the paper. 
Due to lack of space most of the proofs had to be omitted. They can be found 
in detail in [12]. 

2 Foundations 

In this section some notions and notations concerning logics, planning problems, 
the fluent calculus and binary decision diagrams are presented. 



2.1 Logics 

Let $\Sigma_V$, $\Sigma_F$ and $\Sigma_P$ denote disjoint sets of variables, function symbols and predicate symbols respectively. $\Sigma_V$ is countably infinite, whereas $\Sigma_F$ and $\Sigma_P$ are finite. The set of (first order) formulas is denoted by $\mathcal{L}(\Sigma_V \cup \Sigma_F \cup \Sigma_P)$; we abbreviate this set by $\mathcal{L}$ if the sets $\Sigma_V$, $\Sigma_F$ and $\Sigma_P$ can be determined from the context. $\sigma$ denotes a substitution and $X\sigma$ the instance of the syntactic object $X$ under $\sigma$.

Table 1 depicts some notational conventions in the sense that, for example, whenever we use $z$, we implicitly assume $z \in \Sigma_{V,St}$. The sets $\Sigma_{Fl}$, $\Sigma_{V,St}$, $\Sigma_{V,Fl}$, $\Sigma_{V,Sit}$ as well as constructor state terms are defined in Section 2.3. All symbols are possibly indexed.

The entailment problem $\mathcal{F} \models F$ consists of a set $\mathcal{F}$ of formulas and a formula $F$ and is the question whether $\mathcal{F}$ entails $F$.



2.2 Planning 

In this paper we consider planning problems having the following properties: (i) The set of states is characterized by a set of propositional fluents, i.e., a set of propositional variables, which can take values out of the set $\{\top, \bot\}$ of truth values. (ii) The actions are deterministic and their preconditions as well as effects depend only on the state they are executed in. (iii) The goal of the planning problem is a property which depends solely on the reached state. This class of problems corresponds roughly to the problems from tracks 1 and 2 of the planning competition held at the 4th International Conference on Artificial Planning Systems (AIPS98). There, planning problems were formulated within a language called PDDL [10]. Unfortunately, PDDL lacks a formal semantics. As shown in [18] this can be rectified by a translation from PDDL into the fluent calculus.

As an example of such a problem consider the so-called Gripper class: A robot equipped with two grippers $G_1$ and $G_2$ can move between two rooms $A$ and $B$. Initially the robot is in room $A$ together with a number of balls $B_1, \dots, B_n$. The task is to transport these balls into room $B$. The problems differ wrt the number of balls and are then called Gripper-1, Gripper-2, and so on.

2.3 The Fluent Calculus 

The fluent calculus is a calculus for reasoning about situations, actions and causality. It is based on the idea of considering states as multi-sets of fluents and representing such states on the term level. The latter is done with the help of a binary function symbol $\circ$, which is associative, commutative and has a constant $\emptyset$ as unit element [11, 19, 20] but is not idempotent. In this paper we consider a restricted version of the calculus as specified in this section.

Formally, the fluent calculus is an order-sorted calculus with sorts ACTION, SIT, FLUENT, and STATE and ordering constraint FLUENT < STATE. The set $\Sigma_V$ of variables is the union of the disjoint sets $\Sigma_{V,A}$, $\Sigma_{V,Sit}$, $\Sigma_{V,Fl}$ and $\Sigma_{V,St}$, i.e., it consists of a countable set of variables for each sort. The set $\Sigma_F$ of function symbols is the union $\Sigma_A \cup \Sigma_{Sit} \cup \Sigma_{Fl} \cup \Sigma_{St} \cup \Sigma_{\circ}$, where $\Sigma_A$ is a set of function symbols denoting action names, $\Sigma_{Sit} = \{S_0, do\}$ is the set of function symbols denoting situations, $\Sigma_{Fl}$ is a set of constant symbols denoting fluent names, and $\Sigma_{St} = \{\emptyset, state\}$ is the set of function symbols denoting states. All sets are mutually disjoint and finite. The mentioned function symbols are sorted as follows:

$S_0 : \text{SIT}$ $\qquad$ $\circ : \text{STATE} \times \text{STATE} \to \text{STATE}$ $\qquad$ $\emptyset : \text{STATE}$

$do : \text{ACTION} \times \text{SIT} \to \text{SIT}$ $\qquad$ $state : \text{SIT} \to \text{STATE}$

The set $\Sigma_P$ of predicate symbols contains only the equality $=$ with sort STATE × STATE. The macros $holds$ and $set$ with sorts FLUENT × SIT and STATE respectively are often used:

$$holds(f, s) :\equiv (\exists z)\, state(s) = f \circ z \qquad (1)$$

$$set(z) :\equiv \neg(\exists f, z')\, z = f \circ f \circ z'$$

The language $\mathcal{L}_{FC}$ of the fluent calculus is the set of all well-formed and well-sorted first-order formulas over the given alphabet. State terms of the form $\emptyset \circ f_1 \circ \dots \circ f_n$, where $f_1, \dots, f_n$ are of sort FLUENT, $n \geq 0$, and pairwise distinct, are called constructor state terms.

The axioms $\mathcal{F}$ of the fluent calculus considered in this paper are the union

$$\mathcal{F}_{un} \cup \mathcal{F}_{mset} \cup \mathcal{F}_{S_0} \cup \mathcal{F}_{ms} \cup \mathcal{F}_{su}.$$

— $\mathcal{F}_{un}$ is a set of unique name assumptions for fluents combined with a domain closure axiom for fluents:

$$\mathcal{F}_{un} = \{\neg f_1 = f_2 \mid f_1, f_2 \in \Sigma_{Fl} \text{ and } f_1 \neq f_2\} \cup \{(\forall g) \bigvee_{f \in \Sigma_{Fl}} g = f\}.$$

fS^Fl 
— $\mathcal{F}_{mset}$ is a set of axioms ensuring that the sort STATE denotes finite multisets of fluents [19]. It consists of the following formulas:

• the standard axioms of equality

• the axioms AC1 for $\circ$ and $\emptyset$:

$$(\forall z)\, z \circ \emptyset = z$$
$$(\forall z_1, z_2)\, z_1 \circ z_2 = z_2 \circ z_1$$
$$(\forall z_1, z_2, z_3)\, (z_1 \circ z_2) \circ z_3 = z_1 \circ (z_2 \circ z_3)$$

• an axiom that guarantees that fluents and $\emptyset$ are the only irreducible elements of sort STATE wrt. $\circ$:

$$(\forall z)\, [\,(\exists g)\, z = g \vee z = \emptyset \leftrightarrow (\forall z', z'')\, z = z' \circ z'' \to z' = \emptyset \vee z'' = \emptyset\,]$$

• a property called Levi's axiom after a lemma used in the theory of trace monoids:

$$(\forall z_1, z_2, z_3, z_4)\, z_1 \circ z_2 = z_3 \circ z_4 \to (\exists z_a, z_b, z_c, z_d)\,[\,z_1 = z_a \circ z_b \wedge z_2 = z_c \circ z_d \wedge z_3 = z_a \circ z_c \wedge z_4 = z_b \circ z_d\,]$$

• an induction axiom:

$$(\forall P)\, [\,P(\emptyset) \wedge (\forall g, z)\, (P(z) \to P(g \circ z)) \to (\forall z)\, P(z)\,].$$

— $\mathcal{F}_{S_0}$ contains a single axiom $\Phi_I(state(S_0))$ of the form $state(S_0) = t$ describing the initial state, where $t$ is a constructor state term.

— $\mathcal{F}_{ms}$ contains an axiom specifying that in each state each fluent may occur at most once:

$$\mathcal{F}_{ms} = \{(\forall s, z)\, \neg(\exists g)\, state(s) = g \circ g \circ z\}$$

— $\mathcal{F}_{su}$ is a set of state update axioms of the form

$$(\forall)\,\Big[\,\Delta_\Phi(s) \wedge \bigwedge_{g \in \vartheta^-} holds(g, s) \wedge \bigwedge_{g \in \vartheta^+} \neg holds(g, s) \to state(do(a, s)) \circ \vartheta^- = state(s) \circ \vartheta^+\,\Big] \qquad (2)$$

where $\vartheta^-$ and $\vartheta^+$ are constructor state terms denoting the negative and positive direct effects of an action $a$ under condition $\Delta_\Phi(s) \in \mathcal{L}_{FC}$ respectively, $s \in \Sigma_{V,Sit}$ and $(\forall)$ denotes the universal closure. $\Delta_\Phi(s)$ is a boolean combination of formulas of the form $holds(f, s)$. In the following $\Delta(s)$ will be used to denote the antecedent of (2).

To exemplify $\mathcal{F}_{su}$ and $\mathcal{F}_{S_0}$ consider the Gripper class. There are three actions: (i) The robot may move from one room to the other. (ii) The robot may pick up a ball if it is in the same room as the ball and one of its grippers is empty. (iii) The robot may drop a ball if it is carrying one. These actions are specified by the state update axioms:

$$\mathcal{F}_{su} = \{\; holds(at\text{-}robby(r_1), s) \wedge \neg holds(at\text{-}robby(r_2), s)$$
$$\quad \to state(do(move(r_1, r_2), s)) \circ at\text{-}robby(r_1) = state(s) \circ at\text{-}robby(r_2),$$

$$holds(at(b, r), s) \wedge holds(at\text{-}robby(r), s) \wedge holds(free(g), s) \wedge \neg holds(carry(b, g), s)$$
$$\quad \to state(do(pick(b, r, g), s)) \circ at(b, r) \circ free(g) = state(s) \circ carry(b, g),$$

$$holds(carry(b, g), s) \wedge holds(at\text{-}robby(r), s) \wedge \neg holds(at(b, r), s) \wedge \neg holds(free(g), s)$$
$$\quad \to state(do(drop(b, r, g), s)) \circ carry(b, g) = state(s) \circ at(b, r) \circ free(g) \;\}$$

The initial state of a Gripper class problem is specified by

$$\mathcal{F}_{S_0} = \{state(S_0) = at(B_1, A) \circ \dots \circ at(B_n, A) \circ free(G_1) \circ free(G_2) \circ at\text{-}robby(A)\},$$

where $n$ is instantiated to some number, $at(x, y)$ denotes that ball $x$ is in room $y$, $free(x)$ that gripper $x$ is free and $at\text{-}robby(x)$ that the robot is in room $x$.

Reasoning problems themselves are specified as entailment problems in the fluent calculus. For the Gripper class we obtain the entailment problem

$$\mathcal{F} \models (\exists s)\, holds(at(B_1, B), s) \wedge \dots \wedge holds(at(B_n, B), s).$$

Expanding abbreviation (1) this can be reformulated as

$$\mathcal{F} \models (\exists s)\, [\,(\exists z)\, state(s) = at(B_1, B) \circ z \wedge \dots \wedge (\exists z)\, state(s) = at(B_n, B) \circ z\,],$$

which itself is equivalent to

$$\mathcal{F} \models (\exists z)\, [\,(\exists s)\, state(s) = z \wedge (\exists z')\, z = at(B_1, B) \circ z' \wedge \dots \wedge (\exists z')\, z = at(B_n, B) \circ z'\,].$$

In general, reasoning in FC amounts to solving an entailment problem of the form

$$\mathcal{F} \models (\exists z)\, [\,(\exists s)\, z = state(s) \wedge \Phi_G(z)\,], \qquad (3)$$

where $\Phi_G(z)$ is a boolean combination of formulas of the form $(\exists z')\, z = z' \circ f$ for some fluent $f$. In other words, one is looking for a situation in which some boolean combination of fluents holds. One should observe that $\Phi_G(z)$ is independent of $\mathcal{F}_{su} \cup \mathcal{F}_{S_0}$ because it does not contain an expression of sort SIT.

The fluent calculus FC considered in this paper is restricted wrt the general calculus as follows: (i) Only constants are allowed as fluents. (ii) States are effectively sets of fluents due to $\mathcal{F}_{ms}$. (iii) The initial state is completely specified. (iv) The state update axioms specify only deterministic actions without ramifications or other constraints. The first restriction implies that the set of fluents is finite if $\Sigma_{Fl}$ is finite. The second restriction implies that there are only finitely many different states, uniquely characterized by the set of fluents which hold in each state, if $\Sigma_{Fl}$ is finite. As will be shown in this paper these restrictions are sufficient conditions to ensure that the entailment problem (3) in FC is decidable.
2.4 Binary Decision Diagrams 

The idea of BDDs is similar to decision trees: a boolean function is represented as a rooted acyclic directed graph. The difference to decision trees is that there is a fixed order of the occurrences of variables in each branch of the diagram, and that isomorphic substructures of the diagram are represented only once.¹ This can lead to exponential savings in space in comparison to representations like decision trees or disjunctive or conjunctive normal form.

Bryant has shown in [2] that, given a fixed variable order, every boolean func- 
tion is represented by exactly one BDD. Moreover, propositional satisfiability, 
validity and equivalence problems are decidable over BDDs in linear or constant 
time. Of course, the complexity of the mentioned problems does not go away: 
the effort has been moved to the construction of the BDDs. But as Bryant has 
shown as well, there are efficient algorithms for logical operations, substitutions, 
restrictions etc. on BDDs, whose cost is in most cases proportional to the size of their operands. BDDs may be used as a theorem prover, i.e., by constructing 
a BDD corresponding to a logical formula, and checking the BDD for inter- 
esting properties, but more often they are used as an implementation tool for 
algorithms which are semantically based on boolean functions or, equivalently, 
propositional formulas, or, via the characteristic functions, sets. In the imple- 
mentation these formulas or sets are always represented as BDDs. The use of 
BDDs in this paper follows this spirit. 



3 Mapping the Fluent Calculus onto Propositional Logic 

The envisioned implementation will recursively generate sets of states which are reachable from an initial state by applying actions until one of these states satisfies the goal condition. This two-step behavior is already reflected in (3): The first conjunct expresses the fact that we are looking for a state $z$ such that $z$ is obtained from $state(S_0)$ by applying state update axioms, whereas the second conjunct expresses the fact that in $z$ certain fluents should or should not hold. Starting with the first step and aiming at finding a propositional logic characterization of $\mathcal{F} \models (\exists s)\, z = state(s)$, a relation $T(z, z')$ is defined which holds iff the state $z'$ is a successor state of $z$ wrt the state update axioms.² Moreover, this transformation allows for an encoding of the reasoning process into propositional logic.

One should observe that after expanding the macro $holds$ the precondition $\Delta(s)$ of each state update axiom

$$(\forall)\,[\,\Delta(s) \to state(do(a, s)) \circ \vartheta^- = state(s) \circ \vartheta^+\,] \in \mathcal{F}_{su} \qquad (4)$$

effectively depends on $state(s)$, and this term contains the only occurrences of terms of sort SIT occurring in the precondition of (4). To explicitly express this dependence we will write $\Delta(state(s))$ instead of $\Delta(s)$. Making use of this notation the expression $\Delta(z)$ denotes the formula $\Delta$, where each occurrence of $state(s)$ has been replaced by $z$.

¹ Thus, the BDD is ordered and reduced, also called ROBDD. These properties are so useful that they are required in almost all BDD applications, so many authors include these properties into the definition of BDDs.

² This corresponds to the transition relation in finite state systems.

For each state update axiom of the form (4) we define

$$T_{\Phi(a)}(z, z') :\equiv \Delta(z) \wedge z' \circ \vartheta^- = z \circ \vartheta^+, \qquad (5)$$

and for the set $\mathcal{F}_{su}$ of state update axioms we define

$$T(z, z') :\equiv \bigvee_{\Phi(a) \in \mathcal{F}_{su}} T_{\Phi(a)}(z, z'). \qquad (6)$$

This definition is motivated by the following result.

Lemma 1. Let $t$ and $t'$ be two constructor state terms and $\mathcal{F} \models state(s) = t$. Then $\mathcal{F} \models state(do(a, s)) = t'$ iff $\mathcal{F}_{un} \cup \mathcal{F}_{mset} \models T_{\Phi(a)}(t, t')$ for some $\Phi(a)$.

A binding of the form $z/t$, where $t$ is a constructor ground term, is called a constructor state binding. A substitution consisting only of constructor state bindings is called a constructor state substitution. In the sequel, $\sigma$ will always denote a constructor state substitution.

The task of encoding entailment problems in the fluent calculus into satisfiability problems in propositional logic seems impossible at first glance, because there are infinitely many terms of the sorts SIT and STATE, whereas the set of valuations of a finite propositional program is finite. Fortunately, however, one is primarily interested in logical consequences of the form $(\exists s)\, state(s) = z$ in which the only free variable $z$ is of sort STATE. From axiom $\mathcal{F}_{ms}$ one learns that the values for $z$ may contain each fluent at most once. Because there are only finitely many fluents in FC, the set of possible bindings for $z$ is also finite.

More precisely, we want to show that whenever $\sigma$ is an answer substitution binding $z$ for the entailment problem

$$\mathcal{F} \models ((\exists s)\,[\,z = state(s) \wedge \Phi_G(z)\,]),$$

then there exists a propositional valuation $B_S(\sigma)$ such that $B_S(\sigma)$ is a model for an appropriately generated propositional logic formula. This formula is obtained by giving an equivalent representation of the entailed formula in terms of $\Phi_I(z)$, $T(z, z')$ and $\Phi_G(z)$ and specifying a mapping $B$ which maps this representation to a propositional formula.

The basic idea underlying $B_S$ is as follows. Suppose $\Sigma_{Fl} = \{f_1, \dots, f_m\}$. Each variable $z$ occurring in a constructor state substitution $\sigma = \{z/t\}$ is represented by $m$ propositional variables $z_{f_1}, \dots, z_{f_m}$ such that in the propositional valuation $v = B_S(\sigma)$ one obtains $v(z_{f_i}) = \top$ iff $f_i$ occurs in $t$. A formula $F$ is represented by a propositional formula $B(F)$ such that a ground constructor substitution $\sigma$ is an answer substitution for $\mathcal{F}_{un} \cup \mathcal{F}_{mset} \models F$ iff the valuation $B_S(\sigma)$ fulfills $B(F)$. We turn now to a formal definition:
Ground Constructor Substitutions: Let $z/t$ be a binding of a constructor state substitution. Then $B_S(z/t)$ is the valuation $v$ defined by $v(z_f) = \top$ iff $f$ occurs in $t$, for all $f \in \Sigma_{Fl}$. Let $\sigma$ be a constructor state substitution. Then

$$B_S(\sigma) = \bigcup_{z/t \in \sigma} B_S(z/t).$$

Constructor State Terms: Let $\oplus$ denote the exclusive or. For each $f \in \Sigma_{Fl}$ define:³

$$B_f(\emptyset) = \bot, \qquad B_f(z) = z_f,$$
$$B_f(f') = \top \text{ iff } f = f', \qquad B_f(t_1 \circ t_2) = B_f(t_1) \oplus B_f(t_2).$$

Goal Formulas: Recall that each goal formula $\Phi_G(z)$ is a boolean combination of formulas of the form $(\exists z')\, z = z' \circ f$. Define:

$$B_G((\exists z')\, z = z' \circ f) = z_f, \qquad B_G(\neg G) = \neg B_G(G), \qquad B_G(G \wedge H) = B_G(G) \wedge B_G(H).$$

F Formulas: In the proof of Theorem 1, $B$ has to be applied to formulas of the following form. Let $\mathbf{F}$ be the set of formulas defined by (i) $z = t \in \mathbf{F}$ and (ii) if $F(z) \in \mathbf{F}$ and $T(z, z')$ is as defined in (6), then $(\exists z)\,[\,set(z) \wedge F(z) \wedge T(z, z')\,] \in \mathbf{F}$. For this class of formulas define:

$$B_F(z = t) = \bigwedge_{f \in \Sigma_{Fl}} (z_f \leftrightarrow B_f(t)),$$
$$B_F((\exists z)\,[\,set(z) \wedge F(z) \wedge T(z, z')\,]) = (\exists (z_f)_{f \in \Sigma_{Fl}})\,[\,B_F(F(z)) \wedge B_T(T(z, z'))\,],$$

where

$$B_T(T(z, z')) = \bigvee_{\Phi(a) \in \mathcal{F}_{su}} B_T(T_{\Phi(a)}(z, z')),$$
$$B_T(T_{\Phi(a)}(z, z')) = B_G(\Delta(z)) \wedge \bigwedge_{f \in \Sigma_{Fl}} \big(B_f(z' \circ \vartheta^-) \leftrightarrow B_f(z \circ \vartheta^+)\big),$$
$$(\exists (z_f)_{f \in \Sigma_{Fl}})\, F = (\exists z_{f_1}) \dots (\exists z_{f_m})\, F \quad \text{and}$$
$$(\exists z_f)\, F = F[z_f/\top] \vee F[z_f/\bot]$$

assuming that $T_{\Phi(a)}(z, z')$ is defined as in (5) and $\Sigma_{Fl} = \{f_1, \dots, f_m\}$. Furthermore, in the last equation $F$ denotes a propositional logic formula and $F[z_f/\top]$ and $F[z_f/\bot]$ denote the formulas obtained from $F$ by replacing all occurrences of $z_f$ in $F$ by $\top$ and $\bot$ respectively.

Initial State. Recall that the initial state is characterized by a formula $\Phi_I(state(S_0))$ with $\Phi_I(z) = (z = t)$.

$$B_I(z = t) = \bigwedge_{f \text{ occurs in } t} z_f \wedge \bigwedge_{f \text{ does not occur in } t} \neg z_f$$

In the sequel we will omit the index associated with $B$ if it can be determined from the context to which class of syntactic objects $B$ is applied.

³ Thus, $B(\sigma) \models B_f(t\sigma)$ is true iff fluent $f$ occurs an odd number of times in $t\sigma$.
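The following Python code is an added example, not code from the paper or its BDDplan system. It implements a minimal reduced ordered BDD in the sense of Section 2.4 (fixed variable order, every distinct subgraph stored once, so equal functions are equal nodes) and then uses it for the encoding just defined: it builds $B(T(z, z'))$ from the definition of $B_T$ for a constructed one-ball, one-gripper Gripper instance, iterates $B(Z_n)$ with the quantification $(\exists z_f)F = F[z_f/\top] \vee F[z_f/\bot]$, and stops at the first $n$ for which a goal state is in $Z_n$. The fluent list, the interleaved variable order, and all function and variable names are this example's own assumptions.

```python
# Added example, not code from the paper or BDDplan: a minimal reduced ordered
# BDD (Section 2.4: fixed variable order, every distinct subgraph stored once)
# used to build B(T(z,z')) for a constructed one-ball, one-gripper Gripper
# instance and to iterate B(Z_n) by (exists z_f)F = F[z_f/T] v F[z_f/F].
from functools import reduce

OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "xor": lambda a, b: a != b, "iff": lambda a, b: a == b}

class BDD:
    """Nodes are ints, 0/1 the terminals; each non-terminal (var, low, high) is
    stored once, so two equal functions always get the same node number."""
    def __init__(self, variables):
        self.order = {v: i for i, v in enumerate(variables)}
        self.nodes, self.unique, self.memo = [None, None], {}, {}

    def mk(self, var, low, high):
        if low == high:                       # redundant test: drop the node
            return low
        key = (var, low, high)
        if key not in self.unique:            # share isomorphic subgraphs
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def apply(self, op, u, v):
        """Combine u and v with op by Shannon expansion on the earliest top variable."""
        if u < 2 and v < 2:
            return int(OPS[op](bool(u), bool(v)))
        key = (op, u, v)
        if key not in self.memo:
            top = min((self.nodes[x][0] for x in (u, v) if x > 1), key=self.order.get)
            ul, uh = self.nodes[u][1:] if u > 1 and self.nodes[u][0] == top else (u, u)
            vl, vh = self.nodes[v][1:] if v > 1 and self.nodes[v][0] == top else (v, v)
            self.memo[key] = self.mk(top, self.apply(op, ul, vl), self.apply(op, uh, vh))
        return self.memo[key]

    def restrict(self, u, v, value):
        """F[v/value]: replace variable v by the constant value."""
        if u < 2 or self.order[self.nodes[u][0]] > self.order[v]:
            return u
        var, low, high = self.nodes[u]
        if var == v:
            return high if value else low
        return self.mk(var, self.restrict(low, v, value), self.restrict(high, v, value))

    def exists(self, u, v):
        """(exists v)F = F[v/T] or F[v/F], the quantification step of B_F."""
        return self.apply("or", self.restrict(u, v, True), self.restrict(u, v, False))

    def rename(self, u, mapping):
        """Rename variables; sound here because z'_f directly follows z_f in the order."""
        if u < 2:
            return u
        var, low, high = self.nodes[u]
        return self.mk(mapping.get(var, var), self.rename(low, mapping), self.rename(high, mapping))

# Constructed instance. Each axiom is (extra precondition fluents, theta_minus,
# theta_plus) of scheme (2): move(A,B), move(B,A), pick and drop in A and in B.
FLUENTS = ["at(B1,A)", "at(B1,B)", "free(G1)", "carry(B1,G1)", "at-robby(A)", "at-robby(B)"]
AXIOMS = [((), ("at-robby(A)",), ("at-robby(B)",)),
          ((), ("at-robby(B)",), ("at-robby(A)",)),
          (("at-robby(A)",), ("at(B1,A)", "free(G1)"), ("carry(B1,G1)",)),
          (("at-robby(B)",), ("at(B1,B)", "free(G1)"), ("carry(B1,G1)",)),
          (("at-robby(A)",), ("carry(B1,G1)",), ("at(B1,A)", "free(G1)")),
          (("at-robby(B)",), ("carry(B1,G1)",), ("at(B1,B)", "free(G1)"))]
INITIAL = {"at(B1,A)", "free(G1)", "at-robby(A)"}   # state(S0) = at(B1,A) o free(G1) o at-robby(A)
ORDER = [v for f in FLUENTS for v in (f, f + "'")]  # z_f immediately followed by z'_f

def conj(bdd, nodes):
    return reduce(lambda r, n: bdd.apply("and", r, n), nodes, 1)

def transition(bdd):
    """B(T(z,z')): disjunction over the axioms of B_G(Delta(z)) and, for every
    f, B_f(z' o theta-) iff B_f(z o theta+) with B_f(t1 o t2) = B_f(t1) xor B_f(t2)."""
    t = 0
    for cond, minus, plus in AXIOMS:
        parts = [bdd.var(f) for f in cond + minus]                # holds(f, s)
        parts += [bdd.apply("xor", bdd.var(f), 1) for f in plus]  # not holds(f, s)
        for f in FLUENTS:
            lhs = bdd.apply("xor", bdd.var(f + "'"), int(f in minus))
            rhs = bdd.apply("xor", bdd.var(f), int(f in plus))
            parts.append(bdd.apply("iff", lhs, rhs))
        t = bdd.apply("or", t, conj(bdd, parts))
    return t

def shortest_plan_length():
    """Iterate B(Z_n) as in (14)/(15) for n up to 2^m until Z_n meets the goal
    at(B1,B); returns that n, or -1 if no reachable state satisfies the goal."""
    bdd = BDD(ORDER)
    t = transition(bdd)
    z = conj(bdd, [bdd.var(f) if f in INITIAL else bdd.apply("xor", bdd.var(f), 1)
                   for f in FLUENTS])                             # B_I(z = t)
    goal = bdd.var("at(B1,B)")                                    # B_G((exists z') z = z' o at(B1,B))
    for n in range(2 ** len(FLUENTS) + 1):
        if bdd.apply("and", z, goal) != 0:                        # some goal state lies in Z_n
            return n
        img = bdd.apply("and", z, t)
        for f in FLUENTS:                                         # (exists z_f) for every fluent
            img = bdd.exists(img, f)
        z = bdd.rename(img, {f + "'": f for f in FLUENTS})        # Z_n(z') becomes Z_n(z)
    return -1
```

Because the BDD is canonical, the satisfiability test $Z_n \cap G \neq \emptyset$ is the constant-time check that the conjunction is not the node 0.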
Lemma 2. Let $F$ be either $\Phi_I(z)$, $\Phi_G(z)$ or an F formula and $\sigma$ a constructor state substitution such that $F\sigma$ does not contain any free variables. Then $\mathcal{F}_{un} \cup \mathcal{F}_{mset} \models F\sigma$ iff $B(\sigma) \models B(F)$.

Thus, Lemma 2 provides a way to transform a restricted subset of fluent calculus formulas (which includes $T(z, z')$) into satisfiability-equivalent propositional formulas. This is the basis for transforming entailment problems in FC into satisfiability problems in propositional logic. The steps of this transformation are described in the proof of the following theorem.

Theorem 1. Each entailment problem (3) in FC can be mapped onto a propositional satisfiability problem SAT, such that (3) is solvable iff SAT is solvable.

Proof. Consider the entailment problem in the fluent calculus:

$$\mathcal{F} \models (\exists z)\,[\,(\exists s)\, z = state(s) \wedge \Phi_G(z)\,].$$

By $\mathcal{F}_{ms}$ this holds iff there is a constructor state substitution $\sigma$ such that $\mathcal{F} \models (\exists s)\,[\,z\sigma = state(s) \wedge \Phi_G(z\sigma)\,]$, or, equivalently:

$$\{\sigma \mid \mathcal{F} \models (\exists s)\, z\sigma = state(s) \wedge \Phi_G(z\sigma)\} \neq \emptyset. \qquad (7)$$

Because conjunction can be mapped onto set intersection, (7) is equivalent to

$$\{\sigma \mid \mathcal{F} \models (\exists s)\, z\sigma = state(s)\} \cap G \neq \emptyset, \qquad (8)$$

where $G = \{\sigma \mid \mathcal{F}_{mset} \cup \mathcal{F}_{un} \models \Phi_G(z\sigma)\}$. Let $m$ be the number of fluent constants. Because of axiom $\mathcal{F}_{ms}$ there are at most $2^m$ different states and, because preconditions and effects of actions depend only on the current state, the length of the shortest plan can be at most $2^m$ (such that every state is visited once). Thus (8) is equivalent to

$$\{\sigma \mid \mathcal{F} \models \bigvee_{n=0}^{2^m} (\exists (a_i)_{1 \leq i \leq n})\, z\sigma = state(a_n \dots a_1 S_0)\} \cap G \neq \emptyset, \qquad (9)$$

where $(a_i)_{1 \leq i \leq n}$ denotes a sequence of actions of length $n$ and $a_n \dots a_1 S_0$ abbreviates the situation $do(a_n, \dots do(a_1, S_0) \dots)$. Because disjunction can be mapped onto set union, (9) is equivalent to

$$\bigcup_{n=0}^{2^m} Z_n \cap G \neq \emptyset, \qquad (10)$$

where

$$Z_n = \{\sigma \mid \mathcal{F} \models (\exists (a_i)_{1 \leq i \leq n})\, z\sigma = state(a_n \dots a_1 S_0)\}. \qquad (11)$$

Because $state(S_0)$ depends only on $\mathcal{F}_{S_0} = \{\Phi_I(state(S_0))\}$ and by Lemma 1, equation (11) can be computed recursively by

$$Z_0 = \{\sigma \mid \mathcal{F}_{mset} \cup \mathcal{F}_{un} \models \Phi_I(z\sigma)\}, \qquad (12)$$
$$Z_n = \{\sigma \mid \mathcal{F}_{mset} \cup \mathcal{F}_{un} \models T(z\sigma', z\sigma),\ \sigma' \in Z_{n-1}\}, \quad n > 0. \qquad (13)$$

With

$$Z_0(z) = \Phi_I(z), \qquad (14)$$
$$Z_n(z) = (\exists z')\,[\,set(z') \wedge Z_{n-1}(z') \wedge T(z', z)\,], \quad n > 0, \qquad (15)$$

(12) and (13) can be equivalently combined to

$$Z_n = \{\sigma \mid \mathcal{F}_{mset} \cup \mathcal{F}_{un} \models Z_n(z\sigma)\}, \quad n \geq 0. \qquad (16)$$

From Lemma 2 we conclude that (16) is equivalent to

$$Z_n = \{\sigma \mid B(\sigma) \models B(Z_n(z\sigma))\}, \quad n \geq 0. \qquad (17)$$

Finally, an application of Lemma 2 to $G$ guarantees that (10) is equivalent to

$$\bigcup_{n=0}^{2^m} Z_n \cap \{\sigma \mid B(\sigma) \models B(\Phi_G(z\sigma))\} \neq \emptyset, \qquad (18)$$

where $Z_n$ is specified in (17). This, however, is equivalent to the propositional satisfiability problem

$$\{\sigma \mid B(\sigma) \models (\bigvee_{n=0}^{2^m} B(Z_n(z\sigma))) \wedge B(\Phi_G(z\sigma))\} \neq \emptyset,$$

where $Z_n$ is specified in (14) and (15). □

The following corollary is an immediate consequence of Theorem 1 and the 
decidability of propositional logic. 

Corollary 1. The entailment problem (3) in FC is decidable. 

4 Plan Extraction 

In practical applications it is not only relevant whether a sequence of actions (or plan) solving the problem exists, but in most cases one would like to know what such a plan looks like. As it turns out, it is possible to extend the decision procedure presented in the previous section such that a plan can be recovered. Very pleasantly, the extended algorithm always returns the shortest plan.

The main idea for extracting the plan is the following: The sets $Z_i$ constructed in the proof of Theorem 1 characterize the states reachable from the initial state after $i$ actions. Thus, if $Z_i \cap G \neq \emptyset$, i.e., if $Z_i$ contains a goal state, then there must be a plan of length $i$. The plan can now be reconstructed step by step by taking a substitution $\sigma$ (characterizing a state $z\sigma$) from the intersection, computing the intersection of the set of states from which this state may be reached and $Z_{i-1}$, and repeating this process until eventually the initial state is encountered. Thus, we find a sequence $\sigma_0, \dots, \sigma_n$ of substitutions representing the states $z\sigma_0, \dots, z\sigma_n$, where the first one is the initial state specified by $\mathcal{F}_{S_0}$, the last one fulfills the goal $\Phi_G(z\sigma_n)$ and $z\sigma_{i+1}$, $0 \leq i < n$, is reachable from the previous state $z\sigma_i$ by executing an action. The final step is to find actions which transform each $z\sigma_i$ to $z\sigma_{i+1}$ by finding a state update axiom $\Phi(a)$ such that $\mathcal{F}_{un} \cup \mathcal{F}_{mset} \models T_{\Phi(a)}(z\sigma_i, z\sigma_{i+1})$.

In the implementation of the algorithm all sets and formulas are represented by their BDD representation $B$. Please note that it suffices to compute the sets $(Z_i)_{i=0,1,\dots}$ until either a solution is found or it can be determined that all reachable states have been visited (such that the sequence becomes stationary or cyclic).

Algorithm 1. Let $Z_i$, $0 \leq i \leq 2^m$, be the sets computed by equation (17). If (18) is not fulfilled return "unsolvable", else take the smallest $n$ such that

$$Z_n \cap \{\sigma \mid B(\sigma) \models B(\Phi_G(z\sigma))\} \neq \emptyset$$

and choose a sequence $\sigma_0, \dots, \sigma_n$ of substitutions and a sequence $a_1, \dots, a_n$ of actions such that

$$\sigma_n \in Z_n \cap \{\sigma \mid B(\sigma) \models B(\Phi_G(z\sigma))\},$$
$$\sigma_{i-1} \in Z_{i-1} \cap \{\sigma \mid B(\sigma) \models B(T(z, z\sigma_i))\} \quad \text{and}$$
$$a_i \text{ such that } B(T_{\Phi(a_i)}(z\sigma_{i-1}, z\sigma_i)) = \top.$$

Then $s = a_n \dots a_1 S_0$ corresponds to a shortest plan wrt the goal $\Phi_G$.

Theorem 2. Algorithm 1 is correct and complete.

In other words, the algorithm always either proves that there is no plan or returns a shortest plan solving the problem.
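The following Python code is an added example, not code from the paper or its BDDplan system. It instantiates the Gripper state update axioms of Section 2.3, computes the sets $Z_i$ of Theorem 1 explicitly (as sets of fluent sets rather than BDDs, and with the frontier simplification discussed in Section 5, i.e. the states reached after exactly $i$ actions and not fewer), and runs the backward extraction of Algorithm 1 to recover a shortest plan. The function and variable names are this example's own.

```python
# Added example, not code from the paper or its BDDplan system: the Gripper
# state update axioms, the frontier sets Z_i from the proof of Theorem 1
# (states reached after exactly i actions and not fewer, i.e. with the frontier
# simplification of Section 5) and the backward plan extraction of Algorithm 1.
# States are frozensets of fluent constants instead of BDD-encoded valuations.
from typing import Callable, Iterator, Optional

State = frozenset  # a constructor state term: a set of fluents, as F_ms demands
# A state update axiom Phi(a) of scheme (2): (action name, extra precondition
# fluents Delta_Phi, theta_minus, theta_plus). The scheme itself already requires
# every fluent of theta_minus to hold and none of theta_plus to hold.
Axiom = tuple[str, frozenset, frozenset, frozenset]
ROOMS, GRIPPERS = ("A", "B"), ("G1", "G2")

def gripper_axioms(n_balls: int) -> list[Axiom]:
    """Instantiate the move/pick/drop axiom schemes of F_su for n balls."""
    fs = frozenset
    axioms: list[Axiom] = []
    for r1 in ROOMS:
        for r2 in ROOMS:
            if r1 != r2:  # state(do(move,s)) o at-robby(r1) = state(s) o at-robby(r2)
                axioms.append((f"move({r1},{r2})", fs(),
                               fs({f"at-robby({r1})"}), fs({f"at-robby({r2})"})))
    for b in (f"B{i}" for i in range(1, n_balls + 1)):
        for r in ROOMS:
            for g in GRIPPERS:
                # state(do(pick,s)) o at(b,r) o free(g) = state(s) o carry(b,g)
                axioms.append((f"pick({b},{r},{g})", fs({f"at-robby({r})"}),
                               fs({f"at({b},{r})", f"free({g})"}), fs({f"carry({b},{g})"})))
                # state(do(drop,s)) o carry(b,g) = state(s) o at(b,r) o free(g)
                axioms.append((f"drop({b},{r},{g})", fs({f"at-robby({r})"}),
                               fs({f"carry({b},{g})"}), fs({f"at({b},{r})", f"free({g})"})))
    return axioms

def gripper_initial(n_balls: int) -> State:
    """F_S0: every ball and the robot in room A, both grippers free."""
    return frozenset({f"at(B{i},A)" for i in range(1, n_balls + 1)}
                     | {"free(G1)", "free(G2)", "at-robby(A)"})

def gripper_goal(n_balls: int) -> Callable[[State], bool]:
    """Phi_G(z): (exists z') z = at(B_i,B) o z' for every ball B_i."""
    wanted = {f"at(B{i},B)" for i in range(1, n_balls + 1)}
    return lambda z: wanted <= z

def successors(z: State, axioms: list[Axiom]) -> Iterator[tuple[str, State]]:
    """All (a, z') with T_Phi(a)(z, z') true, cf. (5): Delta(z) holds and
    z' o theta_minus = z o theta_plus, i.e. z' = (z \\ theta_minus) u theta_plus."""
    for name, cond, minus, plus in axioms:
        if cond <= z and minus <= z and not (plus & z):
            yield name, (z - minus) | plus

def frontiers(initial: State, axioms: list[Axiom], goal: Callable[[State], bool]):
    """Compute Z_0, Z_1, ... until some Z_n contains a goal state; returns
    (Z_0..Z_n, goal state), or (Z_0..Z_i, None) once Z_i is empty, which
    means every reachable state has been visited without meeting the goal."""
    zs, visited = [{initial}], {initial}
    while True:
        hit = next((z for z in zs[-1] if goal(z)), None)
        if hit is not None or not zs[-1]:
            return zs, hit
        nxt = {z2 for z in zs[-1] for _, z2 in successors(z, axioms)} - visited
        visited |= nxt
        zs.append(nxt)

def extract_plan(zs, axioms: list[Axiom], goal_state: State) -> list[str]:
    """Algorithm 1 run backwards: choose sigma_{i-1} in Z_{i-1} with
    T(z sigma_{i-1}, z sigma_i) and an action a_i witnessing it, down to Z_0."""
    plan, cur = [], goal_state
    for i in range(len(zs) - 1, 0, -1):
        prev, act = next((z, a) for z in zs[i - 1]
                         for a, z2 in successors(z, axioms) if z2 == cur)
        plan.append(act)
        cur = prev
    return plan[::-1]

def plan_gripper(n_balls: int) -> tuple[Optional[list[str]], int]:
    """Shortest plan for Gripper-n as (plan, length); (None, -1) if unsolvable."""
    axioms = gripper_axioms(n_balls)
    zs, hit = frontiers(gripper_initial(n_balls), axioms, gripper_goal(n_balls))
    if hit is None:
        return None, -1
    plan = extract_plan(zs, axioms, hit)
    return plan, len(plan)

def execute(initial: State, plan: list[str], axioms: list[Axiom]) -> State:
    """Replay a plan through the axioms; raises StopIteration if a step is inapplicable."""
    z = initial
    for act in plan:
        z = next(z2 for a, z2 in successors(z, axioms) if a == act)
    return z

if __name__ == "__main__":
    for n in range(1, 5):
        plan, length = plan_gripper(n)
        print(f"Gripper-{n}: shortest plan has {length} actions: {plan}")
```

Because every $Z_i$ excludes states already seen in $Z_0, \dots, Z_{i-1}$, the first $Z_n$ that meets the goal yields a plan of minimal length, and an empty $Z_i$ is the explicit-state counterpart of the stationary sequence mentioned above.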



5 An Implementation Using BDDs — First Results 

The theoretical results presented in the previous two sections can be applied to use a BDD implementation as the inference engine for solving entailment problems (3) in FC and computing plans. The implementation closely follows the structure of the constructions used in the proofs. Starting from a fluent calculus specification of the entailment problem, the inference engine constructs for each action $a$ the BDD representation of $B(T_{\Phi(a)}(z, z'))$, and computes their disjunction $B(T(z, z'))$ by (6). The BDDs of the formulas $B(Z_i(z))$ are computed iteratively by application of (14) and (15) translated by $B$. Thus, BDD representations of the sets $Z_i$ are computed iteratively until either an $i$ is reached such that $Z_i =$ or $Z_i \cap \{\sigma \mid B(\sigma) \models B(\Phi_G(z\sigma))\} \neq \emptyset$. Similarly, Algorithm 1 can be implemented using BDDs.

This approach is an implicit⁴ breadth first search. In each single step the whole breadth of the search tree in depth $i$ is searched. The sets $Z_i$ can get quite complex and their BDDs quite large. Even more so, the size of the BDD for $B(T(z, z'))$ can quickly become too large to be handled in a graceful manner. Thus, a number of techniques were invented to limit a potential explosion in its size. In the sequel some of these techniques and their effects are sketched using examples from [15].

⁴ It is called implicit because the calculated sets of states are never explicitly enumerated, but represented as a whole by a BDD, whose size depends more on the structure of the set than on its actual size.
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Variable Order. It is well known that the variable order used in a BDD has 
a large influence on the size of the BDD. Unfortunately it is still a difficult 
problem to And even an near optimal variable order.® Often, a good variable 
order is found by empiric knowledge and experimentation. In experiments it has 
turned out that fluents, which directly influence each other, should be grouped 
together. We have developed a variable ordering called sort order, which employs 
this idea by grouping fluents by their arguments, since fluents sharing arguments 
are likely to influence each other. In planning problems that use sorts to restrict 
the considered argument values for fluents, arguments belonging to large sorts 
are preferred in this ordering. Due to lack of space a precise definition of this 
heuristic can not be given here. On some problems this ordering lead to im- 
provements of orders of magnitude in the size of the BDDs if compared to a 
simple lexicographical ordering, but this depends on the domain of the problem 
(of course) . 

Partitioning of the Transition Relation. The maximal size of a BDD is expo- 
nential in the number of propositional variables it contains. Thus, the BDD 
representing B(T(z, z')) , which contains twice as many propositional variables 
as the BDDs representing the Zj , is prone to get very large. A way to reduce 
this problem is to divide the disjunction T(z, z') into several parts Ti(z, z') , 
. . . , T„(z, z') , which correspond to subsets of the state update actions. In ex- 
periments, partitioning led to a reduction in the size of the BDDs in most of the 
tested problems. 

On the other hand, such a decrease in the size of the BDDs does not necessar- 
ily lead to a decrease in computation time. In each step, the results of applying 
the parts of the transition relation to the set of states reached so far have to be 
put together, and this takes time. Nevertheless, partitioning may be useful even 
if the computation time increases. In the experiments, one problem (Mprime-x- 
1) could only be solved after a partitioning of the transition relation; otherwise, 
the memory exceeded before a solution was found. 

Frontier Simplification exploits the fact that the algorithm for solving the 
entailment problem in the fluent calculus also works if the following two conditions 
are enforced for all $i > 0$: (i) $Z_i$ represents all states which may be reached by 
executing $i$ actions, but not by executing fewer than $i$ actions; (ii) $Z_i$ does not 
represent any states which cannot be reached by executing at most $i$ actions. 
The sets $Z_i$ can be chosen freely within these limitations. Hence, it is desirable 
that the algorithm chooses the $Z_i$ such that their BDD representations are as 
small as possible. In our experiments, frontier simplification has sometimes led 
to moderate improvements both in computation time and memory requirements. 

At the end of this section the experimental results on the Gripper class are 
discussed. These problems were quite hard for the systems taking part in the 
AIPS98 competition. The difficulty is rooted in the combinatorial explosion of 
alternatives due to the existence of two grippers. In Fig. 1 the runtimes of these 
planners** are compared to our system, BDDplan.*** Only one planner (HSP) was 
able to solve all of the problems of this class, but it generated only suboptimal 
plans by using only one of the two grippers, whereas BDDplan generates the 
shortest possible plan by design. 

* The problem to find the optimal variable order is NP-complete. 

Fig. 1. Runtimes of different planners on Gripper class problems (in milliseconds) with 
different numbers of balls. Planners marked with opt provided optimal (i.e., shortest) 
plans, planners marked with -adl work on the sorted version of the domains, the others 
on the STRIPS-version. 



6 Discussion 

We have formally specified a mapping from entailment problems in a restricted 
fluent calculus to satisfiability problems in propositional logic, which is sound 
and complete, and we have reported some first experimental results of an im- 
plementation using BDDs. We are still in the process of investigating how opti- 
mization techniques well-known in the area of model checking using BDDs can 
be adapted such that they increase the efficiency of the implementation. 

The mapping is tailored to a specific class of fluent calculus formulas. It seems 
likely that there is a more general way to translate the formulas of a larger 
fragment of the fluent calculus while keeping the restriction to propositional 
fluents, such that we could introduce recent work on the fluent calculus like 
ramification [20, 21] into the planner without modifying the translation and the 
proofs. The concept of ramification within the fluent calculus involves a limited 
use of constructs of second order logic, namely a calculation of the transitive 
closure of a relation over states, but this does not seem to pose a difficult problem 
as the set of states is finite and there are algorithms to compute this transitive 
closure using BDDs [7]. 

Although the problems considered in this paper admitted only a single initial 
state (i.e., $Z_0$ is unitary), the algorithm itself is not restricted to this case. If 
the initial situation is incompletely specified then there are several initial states, 
which leads to a set $Z_0$ containing more than one element. 

** See http://ftp.cs.yale.edu/pub/mcdermott/aipscomp-results.html. 

*** The runtime of BDDplan is measured on a different machine, so it is only accurate 
up to a constant factor. 

At present, our algorithm is closely related to model checking algorithms [3] 
which perform symbolic breadth first search in the state space. It generates a 
series $(Z_i)_{i=0,\ldots}$ of propositional formulas represented as BDDs, which represent 
sets of answer substitutions that encode logical consequences of the fluent 
calculus specification describing the set of reachable states. This process is executed 
until a goal state is found or until unsatisfiability of the problem can be 
determined. The approach has the advantage that it always generates shortest 
plans, and is able to prove that there is no plan if there isn't one. Unlike planning 
algorithms based on planning as satisfiability [13] and Graphplan [1] the 
algorithm presented here is not limited to the generation of polynomial length 
plans. On the other hand, each time step may take exponential space, since 
the maximum size of BDDs is $O(2^n)$ for $n$ propositional variables. However, 
the experimental results achieved so far indicate that in practice the BDDs are 
much smaller than the theoretical limit. 

Still, the size of the encountered BDDs is the main problem limiting the scalability 
of the algorithm and is a topic of further research. Since the maximum size 
of BDDs is exponential in the number of propositional variables, the reduction 
of this number is a foremost concern. Unlike the approach taken in [6], which 
explores new possibilities in the generation of plans for non-deterministic domains 
using BDDs, we can avoid the encoding of the actions with propositional 
variables in order to reduce the BDD sizes. 

The encoding we use at present is “naive” in the sense that each fluent 
corresponds to a single propositional variable. We assume that the use of do- 
main dependent properties of fluents provides a large space for improvements, 
as discussed in [8] for the BDD based planning system Mips, which is used to ex- 
plore automated generation of efficient state encodings for STRIPS/ADL/PDDL 
planning problems and the implementation of heuristic search algorithms with 
BDDs. 

To sum up, our BDD based implementation shows some promising initial 
results but it is too early to completely evaluate it yet. 



Acknowledgment 

We benefited from discussions with Sven-Erik Bornscheuer and Enno Sandner. 



References 

[1] Avrim Blum and Merrick Furst. Fast planning through planning graph analysis. 
Artificial Intelligence, 90:281-300, 1997. 

[2] Randal E. Bryant. Graph-based algorithms for boolean function manipulation. 
IEEE Transactions on Computers, C-35(8):677-691, 1986. 

[3] J. Burch, E. Clarke, K. McMillan, and D. Dill. Symbolic model checking: $10^{20}$ 
states and beyond. Information and Computation, 98(2):142-170, 1992. 







[4] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. Symbolic 
model checking for sequential circuit verification. IEEE Transactions on 
Computer-Aided Design of Integrated Circuits, 13(4):401-424, April 1994. 

[5] A. Cimatti, E. Giunchiglia, F. Giunchiglia, and P. Traverso. Planning via model 
checking: A decision procedure for AR. In S. Steel and R. Alami, editors, Proceedings 
of the Fourth European Conference on Planning (ECP97), LNAI 1348, 
pages 130-142, Toulouse, France, Sept. 1997. Springer-Verlag. 

[6] Alessandro Cimatti, Marco Roveri, and Paolo Traverso. Automatic OBDD-based 
generation of universal plans on non-deterministic domains. In Proceedings of 
the Fifteenth National Conference on Artificial Intelligence (AAAI98), Madison, 
Wisconsin, July 26-30 1998. 

[7] E. Clarke, O. Grumberg, and D. Long. Model checking. In Proceedings of the 
International Summer School on Deductive Program Design, Marktoberdorf, 1994. 

[8] Stefan Edelkamp and Malte Helmert. Exhibiting knowledge in planning problems 
to minimize state encoding length. In ECP'99, LNAI, pages 135-147, Durham, 
1999. Springer. 

[9] T. Eiter, N. Leone, C. Mateis, G. Pfeifer, and F. Scarcello. The KR system DLV: 
Progress report, comparisons and benchmarks. In Proceedings of the 6th International 
Conference on Principles of Knowledge Representation and Reasoning, 
pages 406-417. Morgan Kaufmann Publishers, 1998. 

[10] M. Ghallab, A. Howe, C. Knoblock, D. McDermott, A. Ram, M. Veloso, 
D. Weld, and D. Wilkins. The planning domain definition language. 
ftp://ftp.cs.yale.edu/pub/mcdermott/software/pddl.tar.gz, March 1998. 

[11] S. Hölldobler and J. Schneeberger. A new deductive approach to planning. New 
Generation Computing, 8:225-244, 1990. 

[12] S. Hölldobler and H.-P. Störr. Solving the entailment problem in the fluent calculus 
using binary decision diagrams. Technical Report WV-99-05, AI-Institute, 
Computer Science Department, Dresden University of Technology, 1999. 

[13] Henry Kautz and Bart Selman. Pushing the envelope: Planning, propositional 
logic, and stochastic search. In Proceedings of the Thirteenth National Conference 
on Artificial Intelligence (AAAI-96), pages 1194-1201, Portland, Oregon, 1996. 
AAAI-Press. 

[14] J. McCarthy. Situations and actions and causal laws. Stanford Artificial Intelligence 
Project: Memo 2, 1963. 

[15] Drew McDermott. Planning problem repository. 
ftp://ftp.cs.yale.edu/pub/mcdermott/domains/, 1999. 

[16] I. Niemelä and P. Simons. Smodels — an implementation of the well-founded 
and stable model semantics. In Proceedings of the 4th International Conference 
on Logic Programming and Non-monotonic Reasoning, pages 420-429, 1997. 

[17] B. Selman, H. Levesque, and D. Mitchell. A new method for solving hard satisfiability 
problems. In Proceedings of the AAAI National Conference on Artificial 
Intelligence, pages 440-446, 1992. 

[18] H.-P. Störr. Planen mit binären Entscheidungsdiagrammen. PhD thesis, Dresden 
University of Technology, Department of Computer Science, 2000. (in German; 
to appear). 

[19] H.-P. Störr and M. Thielscher. A new equational foundation for the fluent calculus. 
In Proceedings CL 2000. 

[20] Michael Thielscher. Introduction to the Fluent Calculus. Electronic Transactions 
on Artificial Intelligence, 2(3-4):179-192, 1998. 

[21] Michael Thielscher. Reasoning about actions: Steady versus stabilizing state constraints. 
Artificial Intelligence, 104:339-355, 1998. 




Decidability Results for the 
Propositional Fluent Calculus 



Helko Lehmann* and Michael Leuschel 

Department of Electronics and Computer Science 
University of Southampton 
Highfield, Southampton, SO17 1BJ, UK 
{hel99r,mal}@ecs.soton.ac.uk 



Abstract. We investigate a small fragment, $\mathcal{FC}_{PL}$, of the fluent calculus. 
$\mathcal{FC}_{PL}$ can be derived from the fluent calculus by allowing a domain 
description to contain a finite number of actions and fluents, only. Consequently, 
it is just powerful enough for specifying certain resource sensitive 
actions. In this paper, we contribute to the research about the fluent 
calculus (1) by proving that even in this small fragment the entailment 
problem for a fairly restricted class of formulas is undecidable. (2) We 
show decidability of a class of formulas which has interesting applications 
in resource planning. 

We achieve our results by establishing a tight correspondence between 
models of $\mathcal{FC}_{PL}$-theories and Petri nets. Then, many problems concerning 
$\mathcal{FC}_{PL}$-theories can be reduced to problems of the well developed 
Petri net theory. As a consequence of the correspondence on the structural 
level, we also expect strong relationships between more general fluent 
calculus fragments and more general net classes, e.g. coloured Petri 
nets or predicate transition systems. 

Keywords: Reasoning about Action and Change, Fluent Calculus, Decidability, 
Petri Nets, Temporal Logics, Model Checking. 



Introduction 

Arguably, the most widely used computational logic based formalism to reason 
about action and change is the situation calculus (other approaches are, e.g., the 
event calculus, action description languages, the features and fluents approach). 
In the situation calculus a situation of the world is represented by the sequence of 
actions $a_1, a_2, \ldots, a_k$ that have been performed since the initial situation $s_0$. 
Syntactically, a situation is represented by a term $do(a_k, do(a_{k-1}, \ldots, do(a_1, s_0) \ldots))$. 
There is no explicit representation of what properties hold in any particular situation: 
this information has to be derived using rules which define which properties 
are initiated and which ones are terminated by any particular action $a_i$. 

The fluent calculus ($\mathcal{FC}$) "extends" the situation calculus by adding explicit 
state representations: every situation is assigned a multi-set of so called fluents. 
Every action $a$ not only produces a new situation $do(a, \ldots)$ but also modifies 

* The author acknowledges support from the EPSRC under grant no. 99308892 
this multi-set of fluents. The latter is implemented using an extended equational 
theory (EUNA, for extended unique name assumptions [7]) with an associated 
extended unification (AC1). Syntactically, a multi-set of $k$ fluents is represented 
as a term of the form $f_1 \circ \ldots \circ f_k$. This allows for a natural encoding of resources 
(a la linear logic) and it has the advantage that adding and removing fluents to 
a multi-set $M$ can be very easily expressed using AC1 unification: $Add = M \circ f$ 
and $Del \circ f = M$. 

All this enables the fluent calculus to solve the (representational and infer- 
ential) frame problem in a simple and elegant way [6]. The fluent calculus can 
also more easily handle partial state descriptions and provides a solution to the 
explanation problem, both of which are harder to come by in (standard logic 
programming implementations of) the situation calculus. 

As in most areas of computer science, decidability issues are very important 
in the area of reasoning about action and change, but have only recently received 
increased attention (e.g., [11] [14]). Of course, in general the situation as well as 
the fluent calculus are not decidable. However, when restricting oneself in the 
situation calculus to a finite set of propositional fluents [14] situations can be 
seen as finite paths in a finite automaton. For these systems, the validity of 
wide classes of formulas (e.g., characterized as temporal logics such as CTL*) 
are known to be decidable ([13]). One might expect that the same restriction 
to a finite set of propositional fluents applied to the fluent calculus produces a 
decidable fragment $\mathcal{FC}_{PL}$. In this paper we will show that this is not the case! 

To prove our result we will first develop a correspondence of this fragment 
with Petri nets [12], which we prove correct (wrt bisimulation). Based on this, 
we then show that the validity of formulas expressed in a very restricted subset 
($CTL_{EF}$) of the branching time temporal logic CTL [1] is already undecidable. 
As a side effect, since Petri nets are strictly more general than finite automata, it 
follows that $\mathcal{FC}_{PL}$ is strictly more expressive than the restricted situation calculus 
given in [14]. This result also gives us a new insight about the expressiveness 
of the fluent calculus compared to the situation calculus. 

Furthermore, by reduction to the Petri net reachability problem we prove 
that questions of the form "Is there an initial situation with property $\lambda_0$ and is 
there a sequence of actions leading from this situation to some final state with 
property $\lambda_e$?" are actually decidable in $\mathcal{FC}_{PL}$. This is interesting, since decision 
procedures for this type of questions enable automatic planning of resources. 

Finally, the translation of $\mathcal{FC}_{PL}$ to Petri nets also sets the foundation for 
translating more expressive fragments of the fluent calculus to extended Petri 
net formalisms, hopefully producing new insights about decidability issues but 
also pointing at efficient algorithms for certain classes of problems. 

In the following section we present the fluent calculus fragment $\mathcal{FC}_{PL}$. In 
Section 2 we show how certain $\mathcal{FC}_{PL}$-formulas can be characterized by formulas 
of the temporal logic $CTL_{EF}$. In Section 3 we develop the correspondence between 
models of $\mathcal{FC}_{PL}$ theories and Petri nets. We show the undecidability of the 
entailment relation of $\mathcal{FC}_{PL}$ in Section 4 and the decidability of an interesting 
class of $CTL_{EF}$ formulas in Section 5. 
1 Specifying Systems in the Fluent Calculus 

Formally, the propositional fluent calculus $\mathcal{FC}_{PL}$ can be defined as follows (in 
contrast to the full fluent calculus, fluents and actions have no parameters): 



Definition 1. An $\mathcal{FC}_{PL}$ signature $\Sigma = (SORT, FUN, REL)$ is defined as: 

SORT: $S$, $St$, $A$, $F$; $F \leq St$; 

FUN: $1^\circ : St$; $\circ : St \times St \to St$; $state : S \to St$; $s_0 : S$; $do : A \times S \to S$; 
$f_1 : F; \ldots; f_k : F$ ($k \in \mathbb{N}$ and $k \geq 1$); 
$a_1 : A; \ldots; a_l : A$ ($l \in \mathbb{N}$ and $l \geq 1$) 

REL: $< : S \times S$; Equality ($=_S$, $=_{St}$, $=_{Action}$) 



The language of an $\mathcal{FC}_{PL}$ signature $\Sigma$ is defined as the order-sorted^1 first order 
language wrt $\Sigma$ and variable declarations of the form $(x : X)$ where $x$ is a name 
and $X$ a sort of $\Sigma$. By $T_X(Y)$ we denote the terms^2 of sort $X$ wrt $\Sigma$ and variables 
$Y$. $V(t)$ represents the set of variables occurring in a term $t$. 

Objects of sort $F$ are called fluents and represent atomic states of the world. 
They can be combined using the binary function $\circ$ to form more complex states of 
the sort $St$. Objects of type $S$ are called situations; as in the situation calculus 
they are represented by terms of the form $do(a_k, do(a_{k-1}, \ldots, do(a_1, s_0) \ldots))$ 
but they are associated an explicit representation of the state via the function 
$state$. Note that, due to the restriction of fluent terms to finitely many atomic 
propositions $f_1, \ldots, f_k$, it is not possible to specify an arbitrary natural number 
as a fluent. However, it is possible to specify a natural number as a term of sort 
$St$ (e.g., $f \circ (f \circ f)$ might represent 3). 

A domain description $\mathcal{D}$ for an $\mathcal{FC}_{PL}$-signature $\Sigma$ contains a certain set of 
axioms, described in the following. 

$\mathcal{D}$ always contains at least the standard equality axioms (reflexivity, symmetry, 
transitivity, substitutivity) for the sorts of $\Sigma$ and the following equational 
theory which defines a commutative monoid 

$\forall(x, y, z : St).\ (x \circ y) \circ z =_{St} x \circ (y \circ z)$ 
$\forall(x, y : St).\ x \circ y =_{St} y \circ x$ 
$\forall(x : St).\ x \circ 1^\circ =_{St} x$ 

This commutative monoid defines the common basis for all fluent calculi, i.e. the 
way state representations can be combined to form new state representations 
using the function $\circ$. To be able to infer inequality of terms, every domain 
description contains a set of axioms, called Extended Unique Name Assumptions. 
These assumptions ensure (AC1-) unification completeness^3, see [7]. 

For convenience, we introduce the following additional shortcut 

$Holds(g, s) = \exists(z : St).\ g \circ z =_{St} state(s)$ 

^1 The ordering $F \leq St$ states that in all models, the sort $St$ contains the sort $F$. 

^2 We omit $\Sigma$, since it will always be clear from the context. 

^3 This is required since we use inequality in formulas describing temporal properties. 
where $g \in St$ and $s \in S$. $Holds(g, s)$ can be understood as the statement "At 
least the resources described by $g$ are available in situation $s$". 

We associate with every action $a$ in $\mathcal{D}$ three states $St_a^-, St_a^+, St_a^= \in T_{St}(\emptyset)$. 
Intuitively, the fluents in $St_a^-$ will be removed after executing $a$ while the fluents 
in $St_a^+$ will be added. Additionally, to be able to execute the action $a$ in a 
situation $s$, it must contain at least the fluents in $St_a^=$ (as well as those in 
$St_a^-$). To encode the latter requirement, we define $Poss(a, s)$ as the formula 
$Holds(St_a^- \circ St_a^=, s)$. 

Furthermore, each domain description contains axioms defining a causal ordering 
over situations (where $s_1 \leq s_2$ is used as a shortcut for $s_1 < s_2 \vee s_1 =_S s_2$): 

$\forall(s_1, s_2 : S), (a : A).\ (s_1 < do(a, s_2) \to (s_1 \leq s_2 \wedge Poss(a, s_2)))$ 

$\forall(s_1, s_2 : S).\ (s_1 < s_2 \to \neg(s_2 < s_1))$ 

In fluent calculi, the effect of executing an action is completely described by 
so called state update axioms^4. For $\mathcal{FC}_{PL}$ the state update axioms in a domain 
description $\mathcal{D}$ contain exactly one formula of the following form per action $a$: 

$\forall(s : S).\ (Poss(a, s) \to state(do(a, s)) \circ St_a^- =_{St} state(s) \circ St_a^+)$ 

Note, the condition part of a state update axiom cannot depend on a negative 
statement. Hence, tests for zero like $\neg Holds(f, s)$ with $f \in F$, are not expressible^5. 
Also note that the right-hand side may not contain disjunctions, i.e., $\mathcal{FC}_{PL}$ 
is deterministic. 

In the following, we write $f^n$ for a term $f \circ \ldots \circ f$ consisting of $n$ copies of 
fluent $f$. Furthermore, let the mapping $|g, f| : St \times F \to \mathbb{N}$ represent the number 
of occurrences of a fluent $f$ in the state $g$. 

Example 1. ($\mathcal{FC}_{PL}$ domain description) Consider an $\mathcal{FC}_{PL}$ signature $\Sigma_E$ containing 
the fluents $f, g, h$ and the actions $a, b, c$. Let $Poss(a, s) = Holds(h^{\ldots} \circ f^{\ldots}, s)$, 
$Poss(b, s) = Holds(g, s)$, $Poss(c, s) = Holds(f^{\ldots}, s)$ (the exponents are lost in the 
source scan) and let $\mathcal{D}_E$ be a domain description to $\Sigma_E$ that contains the 
following state update axioms: 

$\forall(s : S).\ (Poss(a, s) \to state(do(a, s)) \circ h^{\ldots} \circ f =_{St} state(s) \circ g)$ 

$\forall(s : S).\ (Poss(b, s) \to state(do(b, s)) \circ g =_{St} state(s) \circ f)$ 

$\forall(s : S).\ (Poss(c, s) \to state(do(c, s)) \circ f^{\ldots} =_{St} state(s) \circ g \circ h)$ 

Throughout the paper, we refer to the state update axioms of a domain 
description $\mathcal{D}$ by $SUA_\mathcal{D}$. The state update axiom describing a particular action 
$a \in A$ is denoted by $SUA_a$. 

To give a semantics to an $\mathcal{FC}_{PL}$ domain description we consider (as usual 
in fluent calculi) Herbrand-$E$-models (i.e. Herbrand models where the equality 
relation satisfies the equational theory $E$; see, e.g., [15]). Note that, because 
$\mathcal{FC}_{PL}$ uses classical negation, we do not always have a least Herbrand model; we 
therefore consider them all. A formula $\phi$ of the language of $\Sigma$ is valid (satisfiable) 
in $\mathcal{D}$ iff $\phi$ is true in all Herbrand-$E$-models (in at least one Herbrand-$E$-model) 
of $\mathcal{D}$. In general, a formula $\phi$ is entailed by a set $S'$ of formulas iff $\phi$ is true in all 
models of $S'$. In particular, $\phi$ is entailed by $\mathcal{D}$ iff $\phi$ is true in all Herbrand-$E$-models 
of the axioms of $\mathcal{D}$. 

^4 We do not consider extensions to solve the ramification and qualification problems. 

^5 Consequently, it is impossible to encode full counter machines in state update axioms. 

2 Temporal Properties 

Many properties of dynamic systems are most easily expressed as formulas in 
some temporal logic formalism (such as LTL, CTL, CTL*, or the (modal) $\mu$-calculus). 
In the model checking approach the goal is to verify such temporal 
formulas for particular dynamic systems.^6 The semantics of these formulas is 
given wrt specific classes of dynamic systems - most commonly labelled transition 
systems (graphs where transitions carry action labels), Kripke structures 
(graphs where nodes are labelled by propositions) or a combination of the two. In 
this paper we adopt the latter approach, resulting in the following definition of 
an $L$-valued transition system as a mathematical representation of the possible 
behaviours of a dynamic system. 

Definition 2. A tuple $O = (Z, \to, T, \alpha)$ is called $L$-valued transition system if 
$Z$ is a non-empty set of states, $T$ is a non-empty set of transitions and $\to$ is 
a family of relations such that for each $t \in T$, $\xrightarrow{t} \in \to$ and $\xrightarrow{t} \subseteq Z \times Z$. $\alpha$ is a 
mapping $L \times Z \to \{T, F\}$ where $L$ is a non-empty set called propositions. 

A path in $O$ is defined as a sequence $z_0 z_1 z_2 \ldots$ of states such that $z_i \xrightarrow{t_i} z_{i+1}$ 
and $t_i \in T$ for all $i \in \mathbb{N}$. An $L$-valued transition system is called rooted if there 
is $z_0 \in Z$ such that to every $z \in Z$ exists a path $z_0 z_1 \ldots z \ldots$. Then, $z_0$ is called 
root of $O$. 

The transition system $K(\mathcal{M})$ that is associated with a particular model $\mathcal{M}$ of 
an $\mathcal{FC}_{PL}$ domain description $\mathcal{D}$ can be defined as follows. Let $\to_\mathcal{M}$ be the set of 
relations where $(s, do_\mathcal{M}(a, s)) \in \xrightarrow{a}_\mathcal{M}$ iff $s <_\mathcal{M} do_\mathcal{M}(a, s)$ for $s \in S_\mathcal{M}$.^7 Also, 
for $g \in St_\mathcal{M}$ and $s \in S_\mathcal{M}$ let $\alpha_\mathcal{M}(Holds(g), s) = T$ iff $\mathcal{M} \models Holds(g, s)$. Clearly, 
the structure $K(\mathcal{M}) = (S_\mathcal{M}, \to_\mathcal{M}, A_\mathcal{M}, \alpha_\mathcal{M})$ is an $L_\mathcal{M}$-valued transition system, 
where $L_\mathcal{M} = \{Holds(g) \mid g \in St_\mathcal{M}\}$. 

Example 2. (cont'd) Consider the model $\mathcal{M}_1$ of $\mathcal{D}_E$ with $\mathcal{M}_1 \models state(s_0) =_{St} h^{\ldots} \circ g$. 
We can depict (parts of) the associated $L$-valued transition system as follows: 

(Figure: part of the $L$-valued transition system $K(\mathcal{M}_1)$; the drawing is not reproduced in the scanned text.) 

^6 Another approach considers dynamic systems to be defined by temporal formulas. 

^7 Equally, we can define $(s, do_\mathcal{M}(a, s)) \in \xrightarrow{a}_\mathcal{M}$ iff $\mathcal{M} \models Poss(a, s)$ without considering 
the definition of $<$. 
Having given a transition system semantics to $\mathcal{FC}_{PL}$, we can study the validity 
of temporal logic formulas, e.g., with the purpose of verification using model 
checking. To examine the decidability of checking temporal properties of $\mathcal{FC}_{PL}$, 
we will focus on properties which can be characterized as $CTL_{EF}$-formulas. 
$CTL_{EF}$ is a small fragment^8 of the logic CTL [1] (in [2] a very similar logic 
to $CTL_{EF}$ is called $UB^-$). $CTL_{EF}$ is particularly interesting since all $CTL_{EF}$ 
formulas characterize first order $\mathcal{FC}_{PL}$ formulas^9. Furthermore, as we will show, 
many interesting properties of systems in the area of Reasoning about action 
and change can be easily expressed in $CTL_{EF}$. 

Definition 3 ($CTL_{EF}$). Formulas of $CTL_{EF}$ are built from $T$ and atomic 
propositions of $L$ recursively using the classical connectives $\neg$ and $\wedge$ as well 
as the temporal connectives $X$ and $EF$: if $\varphi$ and $\psi$ are formulas then so are 
$\neg\varphi$, $\varphi \wedge \psi$, $X(a)\varphi$ for all $a$ of some set $A$, and $EF\varphi$. 

The semantics of $CTL_{EF}$ is defined wrt an $L$-valued transition system $K$ and 
a state $z$ of $K$: 

$K, z \models T$ 
$K, z \models l$ iff $\alpha(l, z) = T$ and $l \in L$ 
$K, z \models \neg\varphi$ iff $K, z \not\models \varphi$ 
$K, z \models \varphi \wedge \psi$ iff $K, z \models \varphi$ and $K, z \models \psi$ 
$K, z \models X(a)\varphi$ iff there is some $z'$ such that $z \xrightarrow{a} z'$ and $K, z' \models \varphi$ 
$K, z \models EF\varphi$ iff there is a path $z_1, z_2, \ldots$ with $z = z_1$ and there 
exists $i \geq 1$ on this path such that $K, z_i \models \varphi$ 

$\varphi$ is called valid iff for all $L$-valued transition systems $K$ and all states $z$ of $K$, 
$K, z \models \varphi$ (denoted by $\models \varphi$). $\varphi$ is said to be satisfiable iff for some $L$-valued 
transition system $K$ and for some state $z$ of $K$, $K, z \models \varphi$. 

As we can associate a transition system $K(\mathcal{M})$ with every model of $\mathcal{FC}_{PL}$, the 
semantics of $CTL_{EF}$-formulas for $\mathcal{FC}_{PL}$ descriptions is clear. We can, however, 
also encode $CTL_{EF}$-formulas directly as formulas within $\mathcal{FC}_{PL}$. This ensures 
that all problems stated in $CTL_{EF}$ actually have a counterpart within $\mathcal{FC}_{PL}$ 
and can be assigned a meaning using the semantics of $\mathcal{FC}_{PL}$. The translation 
will also be vital to establish the undecidability result for $\mathcal{FC}_{PL}$ later on. 

Definition 4 (Embedding $CTL_{EF}$ into $\mathcal{FC}_{PL}$). We define $\Phi$, mapping 
$CTL_{EF}$ formulas and terms of sort situation to $\mathcal{FC}_{PL}$ formulas as follows. 
Atomic propositions of $CTL_{EF}$ are translated as follows: 

$\Phi(T, s) = T$ and $\Phi(Holds(g), s) = Holds(g, s)$ for $g \in T_{St}(\emptyset)$. 

The classical logical connectives are translated in a canonical way: 

$\Phi(\neg\lambda, s) = \neg\Phi(\lambda, s)$ and $\Phi(\lambda_1 \wedge \lambda_2, s) = \Phi(\lambda_1, s) \wedge \Phi(\lambda_2, s)$ 

and the temporal operators can be embedded as follows 

$\Phi(X(a)\lambda, s) = Poss(a, s) \wedge \Phi(\lambda, do(a, s))$ 

$\Phi(EF\lambda, s) = \exists(s' : S).\ (s' \geq s \wedge \Phi(\lambda, s'))$ 

^8 In contrast to CTL, it does not support the operators EG, EU. 

^9 Many other temporal logics allow the expression of properties which are not first-order 
definable. 







The following proposition establishes soundness of this translation (wrt the 
semantics of $CTL_{EF}$ on $K(\mathcal{M})$). We do not give a proof here; details can be 
found in [8]. 

Proposition 1. The $CTL_{EF}$-formula $\lambda$ is valid for the set of $L$-valued transition 
systems specified by a domain description to an $\mathcal{FC}_{PL}$-scheme $\Sigma$ iff $\forall(s : S).\ \Phi(\lambda, s)$ 
is valid in the corresponding domain description $\mathcal{D}$. $\lambda$ is satisfiable iff 
$\exists(s : S).\ \Phi(\lambda, s)$ is satisfiable in $\mathcal{D}$. 

For convenience, we define a temporal operator $AG\varphi = \neg EF\neg\varphi$ and the usual 
derived logical connectors $\vee$, $\to$. From the definitions follow the corresponding 
translations to $\mathcal{FC}_{PL}$. 

Planning Problem: Assume an agent knows certain properties ($\lambda_0$) of its 
current situation and it tries to reach a situation with certain goal properties 
($\lambda_e$) by executing certain actions. Then, answering the following question is 
crucial: "Is there an initial situation with property $\lambda_0$ and is there a sequence of 
actions leading from this situation to some situation with property $\lambda_e$?". This 
question can be easily expressed as the $CTL_{EF}$-formula $\lambda_0 \wedge EF\lambda_e$. If this 
formula is not satisfiable, the agent must give up pursuing its goal. In Section 5 
we will prove that this type of question can be decided if $\lambda_0$, $\lambda_e$ are restricted 
to (arbitrary) atomic propositions. Note however, that $CTL_{EF}$ is not powerful 
enough to express questions like "Do all action sequences executed in a situation 
with property $\lambda_0$ eventually lead to a situation with property $\lambda_e$?". 

To compare transition systems we use the notion of strong bisimulation (see, 
e.g. [10]). Strong bisimulation is of particular importance in this paper, since the 
validity of any formula of the modal $\mu$-calculus (and thus CTL and $CTL_{EF}$) 
is invariant under strong bisimulation, i.e. proving a property for one system is 
sufficient to establish it for all strongly bisimilar^10 systems. 

Definition 5 (Bisimulation). Let $O_1 = (Z_1, \{\xrightarrow{t}_1 \mid t \in T_1\}, T_1, \alpha_1)$, 
$O_2 = (Z_2, \{\xrightarrow{t}_2 \mid t \in T_2\}, T_2, \alpha_2)$ be $L_1$-valued and, respectively, $L_2$-valued transition 
systems. Let $\Phi$ be a relation $\Phi \subseteq Z_1 \times Z_2$. $\Phi$ is called bisimulation if there exist 
mappings $\mathcal{F}_1 : L_1 \to L_2$ and $\mathcal{F}_2 : L_2 \to L_1$ such that $(z_1, z_2) \in \Phi$ implies 

1. for all $l \in L_1$, $\alpha_1(l, z_1) = T$ iff $\alpha_2(\mathcal{F}_1(l), z_2) = T$, 

2. for all $l \in L_2$, $\alpha_2(l, z_2) = T$ iff $\alpha_1(\mathcal{F}_2(l), z_1) = T$, 

3. with $z_1 \xrightarrow{t}_1 z_1'$ exists $z_2 \xrightarrow{t}_2 z_2'$ such that $(z_1', z_2') \in \Phi$, 

4. with $z_2 \xrightarrow{t}_2 z_2'$ exists $z_1 \xrightarrow{t}_1 z_1'$ such that $(z_1', z_2') \in \Phi$. 

$z_1 \in Z_1$ and $z_2 \in Z_2$ are called bisimilar, written $z_1 \sim z_2$, if there is a bisimulation 
$\Phi$ such that $(z_1, z_2) \in \Phi$. $O_1$ and $O_2$ are called bisimilar if there is a bisimulation 
such that for all $z_1 \in Z_1$ exists $z_2 \in Z_2$ such that $z_1 \sim z_2$ and for all $z_2 \in Z_2$ 
exists $z_1 \in Z_1$ such that $z_1 \sim z_2$. Note that for rooted transition systems it is 
sufficient to show the existence of a bisimulation for the root states. 

^10 Since all bisimulations considered here are strong, we omit the word "strong". Bisimulations 
which take atomic propositions into account are often called zig-zags. Furthermore, 
we extend the common definition slightly, by allowing also mappings $\mathcal{F}_1$, 
$\mathcal{F}_2$ between atomic propositions. 
3 Fluent Calculi and Petri Nets 

Petri nets are widely used to model concurrent and possibly infinite state systems. 
Here we give a short definition and show how Petri nets are related to 
models of domain descriptions in $\mathcal{FC}_{PL}$. 

Definition 6. A tuple $\mathcal{P} = (P, T, E, W, m_0)$ is called Petri net if 

1. $P$ and $T$ are non-empty finite disjoint sets of vertices, elements of $P$ are 
called places and elements of $T$ are called transitions. $E \subseteq (P \times T) \cup (T \times P)$ 
is a set of edges. 

2. $W : E \to \mathbb{N}$, which is called weight function. 

3. A mapping $m : P \to \mathbb{N}$ is called marking. $m_0$ is a marking and is called initial 
marking. The set $\mathbb{N}^P$ of vectors is understood as the set of all markings. 

For each transition $t \in T$ we define vectors $t^-, t^+, \delta t \in \mathbb{N}^P$, such that $t^-(p) = W(p, t)$, 
$t^+(p) = W(t, p)$ and $\delta t(p) = t^+(p) - t^-(p)$ for all $p \in P$. Let $m_1$ and 
$m_2$ be two markings, then $m_1 \leq m_2 \equiv \forall(p : P).\ m_1(p) \leq m_2(p)$. A transition 
$t \in T$ is called enabled iff $t^- \leq m$. If an enabled transition $t$ is fired, for the new 
marking $m'$ of the Petri net $\mathcal{P}$ holds $m' = m + \delta t$, and this is denoted by $m \xrightarrow{t} m'$. 
The set of all markings which are reachable from $m$ is denoted by $\mathcal{R}(m)$: 

$\mathcal{R}(m) = \{m' \mid m \xrightarrow{t_1} \ldots \xrightarrow{t_n} m' \text{ for some } n \in \mathbb{N} \text{ and } t_i \in T \text{ for all } 0 < i \leq n\}$ 

For all $m, n \in \mathbb{N}^P$ we define $\alpha(m, n) = T$ iff $m \leq n$. Then, it is easy to see that 
the tuple $K(\mathcal{P}) = (\mathcal{R}(m_0), \to, T, \alpha)$, where $\to = \{\xrightarrow{t} \mid t \in T\}$, is an $\mathbb{N}^P$-valued 
transition system. 

Now we are ready to define a mapping from models $\mathcal{M}$ of domain descriptions 
$\mathcal{D}$ to Petri nets. Basically, fluents are mapped to places and actions are mapped 
to transitions. However, the weight function has to reflect both the conditions and 
the (positive and negative) effects of the execution of actions. 

Definition 7 ($\mathcal{FC}_{PL}$ Petri Nets). Let $\mathcal{D}$ be a domain description in $\mathcal{FC}_{PL}$ 
and let $\mathcal{M}$ be a model of $\mathcal{D}$. Then, by $\mathcal{P}(\mathcal{D}, \mathcal{M})$ we define a mapping of $\mathcal{M}$ and 
$\mathcal{D}$ to a Petri net $(P, T, E, W, m_0)$: 

1. $P = F_\mathcal{M}$, $T = \{a \mid SUA_a \in SUA_\mathcal{D} \wedge a \in A_\mathcal{M}\}$, 

2. let $F(g)$ denote the set of all fluents occurring in $g \in St_\mathcal{M}$, and consider each 
$SUA_a \in SUA_\mathcal{D}$, $a \in A_\mathcal{M}$. Then we define with the help of $F_a^- = F(St_a^-)$, 
$F_a^= = F(St_a^=)$, $F_a^+ = F(St_a^+)$ the edges of the Petri net: 

$E = \bigcup_{SUA_a \in SUA_\mathcal{D}} \big((F_a^- \cup F_a^=) \times \{a\}\big) \cup \bigcup_{SUA_a \in SUA_\mathcal{D}} \big(\{a\} \times (F_a^= \cup F_a^+)\big)$ 

3. for each $(f, a) \in E$, $W((f, a)) = |St_a^-, f| + |St_a^=, f|$, and for each $(a, f) \in E$, 
$W((a, f)) = |St_a^+, f| + |St_a^=, f|$. 

For each $g \in St_\mathcal{M}$ a marking $m_\mathcal{M}(g) : F_\mathcal{M} \to \mathbb{N}$ is defined as follows: 

$m_\mathcal{M}(g) = \{f \mapsto n \mid f \in F_\mathcal{M} \wedge n = |g, f|\}$ 

Accordingly, for each $s \in S_\mathcal{M}$ a marking $m_\mathcal{M}(s)$ is defined as 
$m_\mathcal{M}(s) = m_\mathcal{M}(state_\mathcal{M}(s))$. In particular, the initial marking $m_0$ is given by 
$m_\mathcal{M}(s_{0\mathcal{M}})$. 
Example 3 (cont'd). The following Petri net corresponds to … of $\mathcal{D}_e$:

[Figure: the Petri net of Example 3; the drawing is not reproduced in this extraction.]
The following theorem establishes correctness of the above mapping, thereby enabling the reduction of many problems concerning models of $\mathcal{FC}_{PL}$-descriptions to problems of Petri net theory.

Theorem 1. Let $K(\mathcal{M})$ be an $L_{\mathcal{M}}$-valued transition system where $\mathcal{M}$ is a model of a domain description $\mathcal{D}$ in $\mathcal{FC}_{PL}$. Let $\mathcal{V} = (P, T, E, W, m_0) = \mathcal{V}(\mathcal{D}, \mathcal{M})$ be the corresponding Petri net. Then $K(\mathcal{M})$ and $K(\mathcal{V})$ are bisimilar.

Proof. Let us consider the mappings $\psi_{\mathcal{M}} : L_{\mathcal{M}} \to \mathbb{N}^P$ and $\psi_{\mathcal{V}} : \mathbb{N}^P \to L_{\mathcal{M}}$ between propositions of $K(\mathcal{M})$ and $K(\mathcal{V})$:

$\psi_{\mathcal{M}}(Holds(g)) = m_{\mathcal{M}}(g), \qquad \psi_{\mathcal{V}}(m) = Holds(f_1^{m(f_1)} \circ f_2^{m(f_2)} \circ \cdots \circ f_k^{m(f_k)})$

where $\{f_1, f_2, \ldots, f_k\} = P$, $Holds(g) \in L_{\mathcal{M}}$ and $m \in \mathbb{N}^P$. Since we consider Herbrand-$E$-models only, the situation $s0_{\mathcal{M}}$ exists in every $\mathcal{M}$ and is a predecessor (w.r.t. $<_{\mathcal{M}}$) of all other $s \in S_{\mathcal{M}}$; hence $K(\mathcal{M})$ is a rooted transition system. Since $K(\mathcal{V}(\mathcal{D}, \mathcal{M}))$ is rooted as well (in $m_0 = m_{\mathcal{M}}(s0_{\mathcal{M}})$), it suffices to show the existence of a bisimulation $\Phi$ with $(s0_{\mathcal{M}}, m_0) \in \Phi$ and the consistency of the mappings $\psi_{\mathcal{V}}$ and $\psi_{\mathcal{M}}$.

First, we show that for every situation $s \in S_{\mathcal{M}}$, $\alpha_{\mathcal{M}}(Holds(g), s)$ with $g \in St_{\mathcal{M}}$ is true iff $\alpha(\psi_{\mathcal{M}}(Holds(g)), m_{\mathcal{M}}(s))$ is true. From the equational theory for the sort $St_{\mathcal{M}}$, which must be fulfilled in every model of $\mathcal{D}$, it follows that $\mathcal{M} \models Holds(g, s)$ iff, for all $g' \in St_{\mathcal{M}}$ such that $|g', f| = |g, f|$ for all $f \in F_{\mathcal{M}}$, $\mathcal{M} \models Holds(g', s)$. Furthermore, from the definition of $Holds(g, s)$ it follows that $\mathcal{M} \models Holds(g, s)$ iff $|g, f| \le |state_{\mathcal{M}}(s), f|$ for all $f \in F_{\mathcal{M}}$. From the definition of the corresponding Petri net it follows that $(m_{\mathcal{M}}(s))(f) = |state_{\mathcal{M}}(s), f|$ for all $f \in F_{\mathcal{M}}$, and for markings $m'$ with $m' = \psi_{\mathcal{M}}(Holds(g)) = m_{\mathcal{M}}(g)$ we have $m'(f) = |g, f|$ for all $f \in F_{\mathcal{M}}$. Hence, $\mathcal{M} \models Holds(g, s)$ iff $\psi_{\mathcal{M}}(Holds(g)) \le m_{\mathcal{M}}(s)$, i.e. (by the definitions of $\alpha_{\mathcal{M}}$ and $\alpha$) $\alpha_{\mathcal{M}}(Holds(g), s)$ is true iff $\alpha(\psi_{\mathcal{M}}(Holds(g)), m_{\mathcal{M}}(s))$ is true.

Similarly, for every $m \in \mathfrak{R}(m_0)$ and every $m' : P \to \mathbb{N}$, $\alpha(m', m)$ is true iff $\alpha_{\mathcal{M}}(\psi_{\mathcal{V}}(m'), s)$ is true, where $s \in S_{\mathcal{M}}$ and $m = m_{\mathcal{M}}(s)$. This follows from the definition of $\psi_{\mathcal{V}}$ and the fact that every $s \in S_{\mathcal{M}}$ with $m = m_{\mathcal{M}}(s)$ fulfills $|state_{\mathcal{M}}(s), p| = m(p)$ for all $p \in P$: with $\psi_{\mathcal{V}}(m') = Holds(p_1^{m'(p_1)} \circ p_2^{m'(p_2)} \circ \cdots \circ p_k^{m'(p_k)}) = Holds(g)$, $\alpha_{\mathcal{M}}(Holds(g), s)$ is true for $s \in S_{\mathcal{M}}$ iff $|g, p| \le |state_{\mathcal{M}}(s), p|$ for all $p \in F_{\mathcal{M}}$.

Now let $(s, m) \in \Phi \subseteq S_{\mathcal{M}} \times \mathfrak{R}(m_0)$ such that $m_{\mathcal{M}}(s) = m$. We prove that, for every action $a \in A_{\mathcal{M}}$ and $s \xrightarrow{a}_{\mathcal{M}} s'$, there exists a marking $m'$ such that $m_{\mathcal{M}}(s') = m'$ and $m \xrightarrow{a} m'$. From the state update axioms it follows for $s' = do_{\mathcal{M}}(a, s)$ that

$\mathcal{M} \models state(do(a, s)) \circ St_a^- =_{St} state(s) \circ St_a^+$

(since $\mathcal{M} \models Holds(St_a^- \circ St_a^=, s)$ if $s \xrightarrow{a}_{\mathcal{M}} s'$). From the above arguments it follows that $\mathcal{M} \models Holds(St_a^- \circ St_a^=, s)$ iff $|St_a^-, p| + |St_a^=, p| \le m(p)$ for all $p \in P$. From the definition of $\mathcal{V}$ we conclude that there is a transition $a \in T$ such that $W(p, a) = |St_a^-, p| + |St_a^=, p|$. Hence, $a$ is enabled in $m_{\mathcal{M}}(s)$ iff $\mathcal{M} \models Holds(St_a^- \circ St_a^=, s)$. Furthermore, according to the state update axiom for $a \in A$, for all $f \in F_{\mathcal{M}}$: $|state_{\mathcal{M}}(do_{\mathcal{M}}(a, s)), f| = |state_{\mathcal{M}}(s), f| - |St_a^-, f| + |St_a^+, f|$. If the transition $a$ is fired in $\mathcal{V}$, $m \xrightarrow{a} m'$, then for $m'$ and all $f \in F_{\mathcal{M}}$ holds

$m'(f) = m(f) - (|St_a^-, f| + |St_a^=, f|) + |St_a^+, f| + |St_a^=, f| = m(f) - |St_a^-, f| + |St_a^+, f| = |state_{\mathcal{M}}(s'), f|.$

Analogously, for every transition $t \in T$ and $m \xrightarrow{t} m'$, there exist $s' \in S_{\mathcal{M}}$ and $a \in A_{\mathcal{M}}$ such that $m_{\mathcal{M}}(s') = m'$ and $s' = do_{\mathcal{M}}(a, s)$. This follows from the one-to-one mapping of $T_A(\emptyset)$ to $T$ and from the above bidirectional correspondences. Since for $(s0_{\mathcal{M}}, m_0)$ holds $m_{\mathcal{M}}(s0_{\mathcal{M}}) = m_0$ (see definition), it follows by induction that $s0_{\mathcal{M}} \sim m_0$. □

This theorem will be applied in Section 5 to reduce satisfiability of $\Lambda_0 \wedge EF \Lambda_e$ to the (decidable) reachability problem in Petri nets.

However, the question arises whether we can establish a similar correspondence in the opposite direction, i.e. we want to show that for every Petri net there exists a corresponding model of a domain description in $\mathcal{FC}_{PL}$. To this end, we use the following mapping. Note that in this mapping we do not hard-wire the initial marking $m_0$ of a Petri net; this will enable us to examine richer classes of problems later on.

Definition 8 (Petri Nets $\to \mathcal{FC}_{PL}$). Let $\mathcal{V} = (P, T, E, W, m_0)$ be a Petri net. Then by $\mathcal{D}(\mathcal{V})$ a mapping from a Petri net $\mathcal{V}$ to a domain description $\mathcal{D}$ is defined as follows:

1. The signature of $\mathcal{D}$ is given by an $\mathcal{FC}_{PL}$ signature where the constants of sort $A$ and $F$ are given by $FUN$: $\{ (p \mapsto F) \mid p \in P \}$, $\{ (t \mapsto A) \mid t \in T \}$.

2. Let for each transition $t$

$St_t^= = p_1^{\max(0,\, W(t,p_1) - W(p_1,t))} \circ \cdots \circ p_k^{\max(0,\, W(t,p_k) - W(p_k,t))}$

$St_t^+ = p_1^{W(t,p_1) - \max(0,\, W(t,p_1) - W(p_1,t))} \circ \cdots \circ p_k^{W(t,p_k) - \max(0,\, W(t,p_k) - W(p_k,t))}$

$St_t^- = p_1^{W(p_1,t) - \max(0,\, W(t,p_1) - W(p_1,t))} \circ \cdots \circ p_k^{W(p_k,t) - \max(0,\, W(t,p_k) - W(p_k,t))}$

for $\{p_1, \ldots, p_k\} = P$. With $Poss(t, s) = Holds(St_t^- \circ St_t^=, s)$ for every $t \in T$, $SUA_{\mathcal{D}}$ consists of the axioms

$\forall(s : S).\, (Poss(t, s) \to state(do(t, s)) \circ St_t^- =_{St} state(s) \circ St_t^+)$

Furthermore, for every domain description $\mathcal{D}$, we assume the domain independent axioms described in Section 1.
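The net semantics of Definition 6 and the two translations of Definitions 7 and 8, as an added Python illustration rather than code from the paper: the buffer domain description, the net used for the reverse direction and the action trace are constructed here, and check_theorem1 replays the correspondence of Theorem 1 step by step.

```python
"""Petri nets (Definition 6) and the translations of Definitions 7 and 8.
Added illustration, not code from the paper.  Fluents, places, actions and
transitions are strings; a state term g is the multiset {fluent: count}, so
|g, f| is g.get(f, 0)."""
from collections import deque

class PetriNet:
    """V = (P, T, E, W, m0); W maps the edges (p, t) and (t, p) to their weights."""
    def __init__(self, places, transitions, weights, m0):
        self.P, self.T, self.W = frozenset(places), frozenset(transitions), dict(weights)
        self.m0 = {p: m0.get(p, 0) for p in self.P}

    def enabled(self, m, t):   # t^- <= m, where t^-(p) = W(p, t)
        return all(self.W.get((p, t), 0) <= m.get(p, 0) for p in self.P)

    def fire(self, m, t):      # m' = m + delta t, delta t(p) = W(t, p) - W(p, t)
        if not self.enabled(m, t):
            raise ValueError(f"transition {t} is not enabled")
        return {p: m.get(p, 0) - self.W.get((p, t), 0) + self.W.get((t, p), 0)
                for p in self.P}

    def reachable(self, limit=10_000):
        """R(m0) as a set of frozen markings; 'limit' stops the breadth-first
        search on unbounded nets, whose reachability set is infinite."""
        key = lambda m: frozenset(m.items())
        seen, queue = {key(self.m0)}, deque([self.m0])
        while queue and len(seen) < limit:
            m = queue.popleft()
            for t in sorted(self.T):
                m2 = self.fire(m, t) if self.enabled(m, t) else None
                if m2 is not None and key(m2) not in seen:
                    seen.add(key(m2))
                    queue.append(m2)
        return seen

def fc_to_petri(sua, fluents, state0):
    """Definition 7: fluents -> places, actions -> transitions, m0 = fluent counts
    of s0, W(f, a) = |St_a^-, f| + |St_a^=, f|, W(a, f) = |St_a^+, f| + |St_a^=, f|."""
    W = {}
    for a, (minus, same, plus) in sua.items():
        for f in set(minus) | set(same):
            W[(f, a)] = minus.get(f, 0) + same.get(f, 0)
        for f in set(plus) | set(same):
            W[(a, f)] = plus.get(f, 0) + same.get(f, 0)
    return PetriNet(fluents, sua, W, state0)

def poss(sua, a, state):
    """Poss(a, s) = Holds(St_a^- o St_a^=, s): that multiset is contained in state(s)."""
    minus, same, _ = sua[a]
    return all(minus.get(f, 0) + same.get(f, 0) <= state.get(f, 0)
               for f in set(minus) | set(same))

def do(sua, a, state):
    """State update axiom state(do(a, s)) o St_a^- =St state(s) o St_a^+:
    remove St_a^- and add St_a^+ (St_a^= is a pure precondition)."""
    if not poss(sua, a, state):
        raise ValueError(f"action {a} is not possible")
    minus, _, plus = sua[a]
    return {f: state.get(f, 0) - minus.get(f, 0) + plus.get(f, 0)
            for f in set(state) | set(plus) | set(minus)}

def petri_to_fc(net):
    """Definition 8 with the paper's exponents, k = max(0, W(t,p) - W(p,t)):
    St_t^= = p^k, St_t^+ = p^(W(t,p) - k), St_t^- = p^(W(p,t) - k).  The last
    exponent is non-negative only if W(t,p) <= 2 W(p,t); the guard reports that
    case instead of silently producing a negative fluent count."""
    sua = {}
    for t in net.T:
        minus, same, plus = {}, {}, {}
        for p in net.P:
            w_pt, w_tp = net.W.get((p, t), 0), net.W.get((t, p), 0)
            k = max(0, w_tp - w_pt)
            if w_pt - k < 0:
                raise ValueError(f"negative exponent in St^- for ({p}, {t})")
            same[p], plus[p], minus[p] = k, w_tp - k, w_pt - k
        sua[t] = (minus, same, plus)
    return sua

# Constructed domain description (not the paper's Example 3): a one-slot buffer.
# produce consumes 'free' and yields 'full'; consume needs 'full' plus a 'key'
# that persists (St^=) and yields 'free' and an ever-growing count of 'done'.
SUA = {"produce": ({"free": 1}, {}, {"full": 1}),
       "consume": ({"full": 1}, {"key": 1}, {"free": 1, "done": 1})}
FLUENTS = ["free", "full", "key", "done"]
STATE0 = {"free": 1, "key": 1}

def check_theorem1(sua, fluents, state0, trace):
    """Theorem 1 along one action sequence: an action is possible in the model
    iff its image is enabled in the net, and the marking reached equals
    m_M(s') = the fluent counts of the situation reached."""
    net = fc_to_petri(sua, fluents, state0)
    m, s = net.m0, state0
    for a in trace:
        if net.enabled(m, a) != poss(sua, a, s):
            return False
        m, s = net.fire(m, a), do(sua, a, s)
        if any(m[f] != s.get(f, 0) for f in fluents):
            return False
    return True
```

The buffer net is unbounded (the 'done' place grows without limit), so reachable() only returns a prefix of $\mathfrak{R}(m_0)$ up to the given limit.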

The following theorem establishes correctness of the above embedding of Petri nets into $\mathcal{FC}_{PL}$, and it will be the main tool to prove the undecidability of the $\mathcal{FC}_{PL}$ entailment problem in Section 4. (The reason why the theorem does not hold for all models of $\mathcal{D}$ is that the fluent calculus encoding does not contain the initial marking of the Petri net. However, as is evident from the proof, the particular model $\mathcal{M}$ can easily be isolated.)

Theorem 2. For every Petri net $\mathcal{V} = (P, T, E, W, m_0)$, there exists a domain description $\mathcal{D}$ in $\mathcal{FC}_{PL}$ and a model $\mathcal{M}$ of $\mathcal{D}$ such that the $L_{\mathcal{M}}$-valued transition system $K(\mathcal{M})$ and $K(\mathcal{V})$ are bisimilar.
Proof. We consider the Herbrand-$E$-models defined by the marking $m_0$:

$\mathcal{M} \models state(s0) =_{St} p_1^{m_0(p_1)} \circ \cdots \circ p_k^{m_0(p_k)}$, where $P = \{p_1, \ldots, p_k\}$.

Furthermore, the mappings $\psi_{\mathcal{M}}$ and $\psi_{\mathcal{V}}$ describe the mappings between labels of $K(\mathcal{M})$ and $K(\mathcal{V})$. Now let $(s, m) \in \Phi \subseteq S_{\mathcal{M}} \times \mathfrak{R}(m_0)$ such that $s \in S_{\mathcal{M}}(m)$, where $S_{\mathcal{M}}(m)$ denotes the set of all situations $s$ such that $m_{\mathcal{M}}(s) = m$. We prove that for every transition $t \in T$ and $m \xrightarrow{t} m'$, there exists a situation $s'$ such that $m_{\mathcal{M}}(s') = m'$ and $s \xrightarrow{t}_{\mathcal{M}} s'$ for all $s \in S_{\mathcal{M}}(m)$. From the definition of $\mathcal{V}$ it follows for the marking $m'$, if $m \xrightarrow{t} m'$,

$m'(p) = m(p) + t^+(p) - t^-(p) = m(p) + W(t, p) - W(p, t)$

for all $p \in P$, since $t^-(p) = W(p, t) \le m(p)$ for all $p \in P$.

From the definition of $Holds(g, s)$ it follows that $\mathcal{M} \models Holds(g, s)$ with $g \in St_{\mathcal{M}}$ iff $|g, p| \le m_{\mathcal{M}}(s)(p)$ for all $p \in P$. From the definition of $\mathcal{D}$ we conclude that there is a state update axiom $SUA_t$ with $t \in T_A(\emptyset)$:

$\forall(s : S).\, (Holds(St_t^- \circ St_t^=, s) \to state(do(t, s)) \circ St_t^- =_{St} state(s) \circ St_t^+)$

where, in every model of $\mathcal{D}$,

$St_t^- \circ St_t^= =_{St} p_1^{W(p_1,t) - \max(0,\, W(t,p_1) - W(p_1,t))} \circ \cdots \circ p_k^{W(p_k,t) - \max(0,\, W(t,p_k) - W(p_k,t))} \circ p_1^{\max(0,\, W(t,p_1) - W(p_1,t))} \circ \cdots \circ p_k^{\max(0,\, W(t,p_k) - W(p_k,t))} =_{St} p_1^{W(p_1,t)} \circ \cdots \circ p_k^{W(p_k,t)}.$

Hence, $\mathcal{M} \models Holds(p_1^{W(p_1,t)} \circ \cdots \circ p_k^{W(p_k,t)}, s)$ iff $t$ is enabled in $m$.

If $t$ is fired, according to the state update axiom for $t$, for all $p \in F_{\mathcal{M}}$:

$|state_{\mathcal{M}}(do_{\mathcal{M}}(t, s)), p| = |state_{\mathcal{M}}(s), p| - |St_t^-, p| + |St_t^+, p|$

$= |state_{\mathcal{M}}(s), p| - (W(p, t) - \max(0,\, W(t, p) - W(p, t))) + (W(t, p) - \max(0,\, W(t, p) - W(p, t)))$

$= |state_{\mathcal{M}}(s), p| + W(t, p) - W(p, t)$

Analogously, for every action $a \in A_{\mathcal{M}}$ and $s \xrightarrow{a}_{\mathcal{M}} s'$, there exist $m' \in \mathfrak{R}(m_0)$ and $t \in T$ such that $m_{\mathcal{M}}(s') = m'$ and $m \xrightarrow{t} m'$. This follows from the one-to-one mapping of $T$ to $T_A(\emptyset)$ and from the above bidirectional correspondences.

For $(s0_{\mathcal{M}}, m_0)$ holds $m_{\mathcal{M}}(s0_{\mathcal{M}}) = m_0$. By induction follows $s0_{\mathcal{M}} \sim m_0$. □

As a consequence of this theorem, $\mathcal{FC}_{PL}$ is strictly more expressive than the restricted situation calculus in [14], for the class of transition systems defined by finite automata is strictly contained in the class defined by Petri nets.



4 Undecidability of $CTL_{EF}$ in $\mathcal{FC}_{PL}$

It is well known (e.g., [13]) that the modal $\mu$-calculus cannot distinguish between strongly bisimilar transition systems, i.e. all formulas that are valid for one transition system are also valid in all bisimilar systems. This allows us to prove the following theorem with the help of Petri net theory.

Theorem 3. There is a domain description $\mathcal{D}$ in $\mathcal{FC}_{PL}$ and a $CTL_{EF}$-formula such that the question whether this $CTL_{EF}$-formula is satisfiable by $\mathcal{D}$ is undecidable.

Proof. In [3], with a correction in [4], the undecidability of the model checking problem of the following formula has been shown for Petri nets $\mathcal{V} = (P, T, E, W, m_0)$:

$\pi = AG(X(t_{AB})\top \to X(t_{AB})EF\, Dead)$

where $t_{AB} \in T$ and $Dead = \bigwedge_{t \in T} \neg X(t)\top$.
The model checking problem for a Petri net $\mathcal{V} = (P, T, E, W, m_0)$ is defined as the problem to decide whether the associated transition system $K(\mathcal{V})$ with the initial marking $m_0$ satisfies a formula $\phi$. Hence, to prove the claim, it is sufficient to show that there is a domain description $\mathcal{D}$ and a formula $\pi'$ such that a model $\mathcal{M}$ of $\mathcal{D}$ satisfies $\pi'$ iff $K(\mathcal{V})$ satisfies $\pi$ in $m_0$.

It is easy to see that an initial marking $m$ can be completely characterized as the set of all markings $n$ with $m \le n \wedge \neg(\bar m \le n)$, where we define $\bar m$ by $\bar m(p) = m(p) + 1$ for all $p \in P$. I.e., if $\mathcal{V} = (P, T, E, W, m_0)$ and $\mathcal{V}' = (P, T, E, W, m_0')$ are two Petri nets and both associated transition systems satisfy $m \le n \wedge \neg(\bar m \le n)$ in $m_0$ and $m_0'$, respectively, it follows that $m_0 = m_0' = m$ and $\mathcal{V}$ and $\mathcal{V}'$ are equivalent.

Assume that $\mathcal{D}(\mathcal{V})$ is the domain description which corresponds to the Petri net constructed in [4]. Then a model $\mathcal{M}$ satisfies

$\pi' = Holds(g) \wedge \neg Holds(\bar g) \wedge AG(X(t_{AB})\top \to X(t_{AB})EF \bigwedge_{a \in A} \neg Holds(St_a^- \circ St_a^=))$

where $Holds(g) = \psi_{\mathcal{V}}(m)$ and $Holds(\bar g) = \psi_{\mathcal{V}}(\bar m)$ for some $g, \bar g \in T_{St}(\emptyset)$, in situation $s_{\mathcal{M}}$ iff there is a model $\mathcal{M}'$ of $\mathcal{D}(\mathcal{V})$ such that $s0_{\mathcal{M}'}$ satisfies $\pi'$ (note that any two $L$-labelled transition systems for $\mathcal{D}(\mathcal{V})$ rooted in $s_{\mathcal{M}}$ and $s0_{\mathcal{M}'}$, respectively, where $|state_{\mathcal{M}'}(s0_{\mathcal{M}'}), f| = |state_{\mathcal{M}}(s_{\mathcal{M}}), f|$ for all $f \in T_F(\emptyset)$, are isomorphic). The transition system $K(\mathcal{M}')$ is bisimilar to $K(\mathcal{V})$, hence it satisfies $\pi'$ iff $K(\mathcal{V})$ satisfies $\pi$. □

Corollary 1. There is a domain description $\mathcal{D}$ in $\mathcal{FC}_{PL}$ and a first order formula such that the question whether this first order formula is entailed by $\mathcal{D}$ is undecidable.

Proof. This follows easily from the fact that, for the above Petri net,

$\pi'' = (Holds(g) \wedge \neg Holds(\bar g)) \to AG(X(t_{AB})\top \to X(t_{AB})EF \bigwedge_{a \in A} \neg Holds(St_a^- \circ St_a^=))$

is entailed by $\mathcal{D}$ iff $\pi'$ is satisfied by $\mathcal{D}$ (due to the isomorphism mentioned in the previous proof). □

Note that the property described by the formula $\pi''$ in the above proof can be characterized as follows: "Whenever a certain action $a$ is executable, after the execution of $a$ it is possible to reach a terminal state". Such propositions could, e.g., be of interest if the resource management of an operating system has to be verified. Furthermore, we can imagine a train entering a fail-safe mode. We might want to know whether the train, after entering this mode, cannot change certain parameters anymore, e.g. whether increasing the speed is impossible. The undecidability of the entailment problem restricts the possibility of automated verification of such properties.

5 Decidable Properties in $\mathcal{FC}_{PL}$

Despite these undecidable problems, important classes of $CTL_{EF}$-formulas can be decided. To simplify the presentation of the remaining results of this paper we define the set $\Lambda_{Holds}$ containing all formulas of the form $Holds(g') \wedge \neg Holds(g'')$ where $g', g'' \in T_{St}(\emptyset)$.

Theorem 4. Let $\mathcal{D}$ be an arbitrary domain description in $\mathcal{FC}_{PL}$. Then the satisfiability of any formula of the form $\pi = \Lambda_0 \wedge EF \Lambda_e$ where $\Lambda_0, \Lambda_e \in \Lambda_{Holds}$ is decidable.
Proof. We construct $\mathcal{D}'$ and a finite set of formulas $\Pi'$ such that $\mathcal{D}'$ satisfies some formula $\pi' \in \Pi'$ iff $\mathcal{D}$ satisfies $\pi$. Then we show that the question whether $\mathcal{D}'$ satisfies $\pi'$ is decidable by reduction to the Petri net reachability problem, which is known to be decidable ([9]).

Consider $g_0', g_0''$ to be the terms $g', g''$ of $\Lambda_0$ and $g_e', g_e''$ to be the terms $g', g''$ of $\Lambda_e$, respectively.

We define $F_0 = \{ f \mid f \in T_F(\emptyset) \wedge |g_0'', f| = 0 \}$ and $F_e = \{ f \mid f \in T_F(\emptyset) \wedge |g_e'', f| = 0 \}$.

These sets contain those fluents which can appear arbitrarily often in the initial state described by $\Lambda_0$ and in the final state described by $\Lambda_e$. Now we introduce a new signature $\Sigma'$ containing the signature $\Sigma$ of $\mathcal{D}$ and additionally two sets, $A_0 = \{ a_f^0 \mid f \in F_0 \}$ and $A_e = \{ a_f^e \mid f \in F_e \}$, of new constants of sort $A$. We augment the domain description $\mathcal{D}$ by the following state update axioms and call the resulting domain description $\mathcal{D}'$:

$\forall(s : S).\, \top \to state(do(a_f^0, s)) =_{St} state(s) \circ f$ for each $f \in F_0$, and
$\forall(s : S).\, Holds(f, s) \to f \circ state(do(a_f^e, s)) =_{St} state(s)$ for each $f \in F_e$.

We call the first set of state update axioms (those for $F_0$) $SUA_0$ and the second set of state update axioms (those for $F_e$) $SUA_e$. Now let $\Pi'$ be the set of formulas

$Holds(\hat g_0) \wedge \neg Holds(\bar{\hat g}_0) \wedge EF(Holds(\hat g_e) \wedge \neg Holds(\bar{\hat g}_e))$

for all $\hat g_0, \hat g_e \in T_{St}(\emptyset)$ with $|g_0'', f| \ge |\hat g_0, f| \ge |g_0', f|$ for all $f \in T_F(\emptyset)$ with $f \notin F_0$ and $|\hat g_0, f| = |g_0', f|$ for all $f \in F_0$, and $|g_e'', f| \ge |\hat g_e, f| \ge |g_e', f|$ for all $f \in T_F(\emptyset)$ with $f \notin F_e$ and $|\hat g_e, f| = |g_e', f|$ for all $f \in F_e$ (here $\bar g$ is defined as in the proof of Theorem 3).

Since every $\bar g$ contains each fluent at least once (see the definition in the proof of Theorem 3), the set of all $g'$ such that $g' \circ z =_{St} \bar g$ for some $z : St$ is finite; hence $\Pi'$ is finite. Now we show that whenever $\mathcal{D}$ satisfies $\pi$ there is a $\pi' \in \Pi'$ such that $\mathcal{D}'$ satisfies $\pi'$. Assume $\mathcal{D}$ satisfies $\pi$, i.e. there is a model $\mathcal{M}$ and a sequence of situations $s_0 s_1 \ldots s_n$ in $K(\mathcal{M})$ such that $\Lambda_0$ is true in $s_0$ and $\Lambda_e$ is true in $s_n$. Since we did not remove any state update axioms, it suffices to show that there is a $\pi' \in \Pi'$, with the corresponding $\Lambda_0, \Lambda_e$ denoted as $\Lambda_0'$ and $\Lambda_e'$, and a model $\mathcal{M}'$ of $\mathcal{D}'$ such that

1. there is a situation $s_0'$ with $s_{-m}' \xrightarrow{a_{-m}} s_{-m+1}' \xrightarrow{a_{-m+1}} \cdots \xrightarrow{a_{-1}} s_0'$ such that $\Lambda_0'$ holds in $s_{-m}'$ and $|state_{\mathcal{M}}(s_0), f| = |state_{\mathcal{M}'}(s_0'), f|$ for all $f \in T_F(\emptyset)$, and

2. there is a situation $s_{n+k}'$ with $s_n' \xrightarrow{a_n} s_{n+1}' \xrightarrow{a_{n+1}} \cdots \xrightarrow{a_{n+k-1}} s_{n+k}'$ such that $\Lambda_e'$ holds in $s_{n+k}'$ and $|state_{\mathcal{M}}(s_n), f| = |state_{\mathcal{M}'}(s_n'), f|$ for all $f \in T_F(\emptyset)$.

Assume there is a situation $s_0$ fulfilling $\Lambda_0$, and for a situation $s_{-m}' \in S_{\mathcal{M}'}$ of some model $\mathcal{M}'$ of $\mathcal{D}'$ the number $n_f$ of each fluent $f$ occurring in $state(s_{-m}')$ is given by $|g_0', f| \le n_f \le |g_0'', f|$ if $f$ occurs in $g_0''$, and $|g_0', f| \le n_f \le |g_0', f| + 1$ otherwise (clearly, such a model exists if a model $\mathcal{M}$ exists). Then a situation $s_0' \in S_{\mathcal{M}'}$ such that $|state_{\mathcal{M}}(s_0), f| = |state_{\mathcal{M}'}(s_0'), f|$ for all fluents $f$ can be reached by a finite number of transitions defined by axioms of $SUA_0$ (describing the actions $a_{-1}, \ldots, a_{-m}$). Similarly, assume there is a situation $s_n$ fulfilling $\Lambda_e$, and for a situation $s_{n+k}' \in S_{\mathcal{M}'}$ of some model $\mathcal{M}'$ of $\mathcal{D}'$ the number $n_f$ of each fluent $f$ in $state(s_{n+k}')$ is given by $|g_e', f| \le n_f \le |g_e'', f|$ if $f$ occurs in $g_e''$, and $|g_e', f| \le n_f \le |g_e', f| + 1$ otherwise (again, $\mathcal{M}'$ exists if there is a model $\mathcal{M}$). Then a situation $s_n' \in S_{\mathcal{M}'}$ such that $|state_{\mathcal{M}}(s_n), f| = |state_{\mathcal{M}'}(s_n'), f|$ for all fluents $f$ leads by a finite number of transitions defined by axioms of $SUA_e$ (describing the actions $a_n, \ldots, a_{n+k-1}$) to the situation $s_{n+k}'$. According to the construction of $\Pi'$, there is a $\pi' \in \Pi'$ such that $\Lambda_0'$ and $\Lambda_e'$ determine the number of fluents correspondingly.

As a second step, we prove that whenever there is a $\pi' \in \Pi'$ such that $\mathcal{D}'$ satisfies $\pi'$, $\mathcal{D}$ satisfies $\pi$. Suppose that there is a model $\mathcal{M}'$ and a situation $s_{n+k}' = do(a_{n+k-1}, do(a_{n+k-2}, \ldots, do(a_{-m}, s_{-m}') \ldots)) \in S_{\mathcal{M}'}$ such that $\Lambda_0'$ is true in $s_{-m}'$, $\Lambda_e'$ is true in $s_{n+k}'$ and, to determine $state_{\mathcal{M}'}(s_{n+k}')$, $m$ denotes the number of transitions which are described by axioms of $SUA_0$, $k$ denotes the number of transitions which are described by axioms of $SUA_e$ and $n$ denotes the number of transitions which are described by all remaining state update axioms. Then the following propositions hold:

1. There is a situation $s_0'' \in S_{\mathcal{M}'}$ such that $s_{-m}'' \xrightarrow{a_{-m}'} s_{-m+1}'' \xrightarrow{a_{-m+1}'} \cdots \xrightarrow{a_{-1}'} s_0''$, where $a_{-1}', \ldots, a_{-m}'$ represent exactly those actions in $s_{n+k}'$ with descriptions in $SUA_0$ and $\mathcal{M}' \models state(s_{-m}'') =_{St} state(s_{-m}')$. This is due to the fact that an application of an axiom of $SUA_0$ strictly increases the number of some fluent only. Hence, applications of axioms which were possible in situations containing smaller amounts of this fluent are still possible after increasing the number. Furthermore, clearly, $\Lambda_0'$ is true in all such $s_0''$.

2. There is a situation $s_n'' \in S_{\mathcal{M}'}$ such that $s_n'' \xrightarrow{a_n'} s_{n+1}'' \xrightarrow{a_{n+1}'} \cdots \xrightarrow{a_{n+k-1}'} s_{n+k}''$, where $a_n', \ldots, a_{n+k-1}'$ represent exactly those actions in $s_{n+k}'$ with descriptions in $SUA_e$, and $s_0'' \xrightarrow{a_0'} s_1'' \xrightarrow{a_1'} \cdots \xrightarrow{a_{n-1}'} s_n''$, where $a_0', \ldots, a_{n-1}'$ represent exactly those actions in $s_{n+k}'$ with descriptions in $SUA_{\mathcal{D}}$, in the same order as they appear in $s_{n+k}'$. This is due to the fact that an application of an axiom of $SUA_e$ strictly decreases the number of some fluent only. Hence, applications of axioms which were possible in situations containing greater amounts of this fluent are still possible before decreasing the number. Note that $\mathcal{M}' \models state(s_{n+k}'') =_{St} state(s_{n+k}')$ and, clearly, $\Lambda_e'$ is true in all such $s_n''$.

Since $s_0'' \xrightarrow{a_0'} s_1'' \xrightarrow{a_1'} \cdots \xrightarrow{a_{n-1}'} s_n''$ contains only actions of $\mathcal{D}$ and the pair $s_0''$ and $s_n''$ fulfills $\Lambda_0$ and $\Lambda_e$, respectively, there is a model $\mathcal{M}$ of $\mathcal{D}$ and $s_0 \in S_{\mathcal{M}}$ and $s_n \in S_{\mathcal{M}}$ such that $|state_{\mathcal{M}}(s_0), f| = |state_{\mathcal{M}'}(s_0''), f|$ and $|state_{\mathcal{M}}(s_n), f| = |state_{\mathcal{M}'}(s_n''), f|$ for all fluents $f$ and $s_0 \xrightarrow{a_0'} s_1 \xrightarrow{a_1'} \cdots \xrightarrow{a_{n-1}'} s_n$.

Finally, for every model $\mathcal{M}'$ of $\mathcal{D}'$ which satisfies some $\pi' \in \Pi'$ there is a model $\mathcal{M}''$ where $\pi'$ is satisfied in $s0_{\mathcal{M}''}$. Hence, there exists a Petri net $\mathcal{V}(\mathcal{D}', \mathcal{M}'') = (P, T, E, W, m_0)$ such that $\psi_{\mathcal{M}''}(Holds(\hat g_0)) \le m_0 \wedge \neg(\psi_{\mathcal{M}''}(Holds(\bar{\hat g}_0)) \le m_0)$ (i.e. $m_0 = m_{\mathcal{M}''}(\hat g_0)$). The formula $\pi'$ is true in $\mathcal{M}''$ iff there is a sequence of actions $a_0, \ldots, a_{n-1}$ with $n \in \mathbb{N}$ such that $\Lambda_e'$ holds in $s_n \in S_{\mathcal{M}''}$ with $s0_{\mathcal{M}''} \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n$. Due to bisimilarity, such an action sequence exists iff there is a corresponding transition sequence in $\mathcal{V}$ such that $m_0 \xrightarrow{a_0} m_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} m_e$ and $\psi_{\mathcal{M}''}(Holds(\hat g_e)) \le m_e \wedge \neg(\psi_{\mathcal{M}''}(Holds(\bar{\hat g}_e)) \le m_e)$ (i.e. $m_e = m_{\mathcal{M}''}(\hat g_e)$). The latter problem is called the reachability problem for Petri nets and is known to be decidable [9]. □

Note that the algorithm to decide Petri net reachability problems also allows the computation of an appropriate transition sequence.



Conclusions

In this paper we have shown a tight correspondence between models of a restricted fluent calculus, $\mathcal{FC}_{PL}$, and Petri nets. $\mathcal{FC}_{PL}$ is particularly interesting since it can be seen as a minimal "core" of the fluent calculus. With the help of the relation to Petri net theory we were able to prove the undecidability of the entailment relation for a fairly restricted class of formulas of $\mathcal{FC}_{PL}$ characterized by the temporal logic $CTL_{EF}$. This is in contrast to similarly restricted situation calculi, where entailment is decidable for a much larger class of temporal formulas [14]. However, as we have shown, some interesting non-trivial properties of systems specified in $\mathcal{FC}_{PL}$ can be automatically verified as well. Both results illustrate that the approach of applying Petri net theory to investigate properties of fluent calculi is very fruitful. Furthermore, the established relationship enables applications of many efficient Petri net algorithms which exist for particular Petri nets and system properties, e.g. deciding coverability using the minimal coverability graph [5].

In the future, we plan to investigate the relation between other fragments of the fluent calculus and other net classes. E.g., due to the correspondence at the "core" level, we expect relationships between less restrictive fluent calculi than $\mathcal{FC}_{PL}$ and higher-order Petri nets, e.g. coloured Petri nets and Predicate/Transition nets.
Abstract. Features & Fluents is a logical framework proposed by Erik Sandewall for reasoning about action and change by means of a logical language called discrete fluent logic (DFL). In this paper we extend Sandewall's framework for dealing with continuous time, and we introduce a knowledge representation language based on a Horn-like fragment of DFL which we call fluent logic programming (FLP). A meta-logical semantics is described as the proof-theoretical counterpart of FLP, as an alternative to Sandewall's original encapsulated semantics. This semantics makes use of composition operators over general logic programs and can also be considered as an attempt to provide a basis for an effective implementation of a proof system for a meaningful fragment of the Features & Fluents temporal logic.



1 Introduction

We focus on the logical framework Features & Fluents (F&F) for describing and reasoning about action and change. Features & Fluents is essentially a logical framework for doing qualitative temporal reasoning about qualitative scenario descriptions: the chronicles. It also represents a systematic framework in which chronicles have been classified into a taxonomy in which epistemological and ontological assumptions are used to assess the adequacy of proposed computational reasoning techniques.



1.1 Motivations

Our goal is to show how it is possible to use logic programming (LP) to provide a meta-logical semantics to a meaningful fragment of its underlying language, temporal feature logic (TFL), that we call Fluent Logic Programming (FLP).

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 777–…, 2000.
The meta-logical semantics is defined by composing a suitable meta-representation of each FLP-statement with an inference engine which encodes its intended semantics. Another important issue is the treatment of non-determinism by means of parametric composition of partial FLP-theories (i.e. their meta-representations) which have been previously and separately generated. This approach is an alternative to abduction, which has been widely used in the Event Calculus and recently in Features & Fluents […]. From a logical point of view the two methods are equivalent, since they can be shown to be sound and complete with respect to the underlying semantics which provides an operational way for building intended models. The two approaches differ from a computational perspective, since the computational overhead for computing and selecting models by abduction is factorized and performed only once. A proof procedure for abductive logic programming like the one proposed by Eshghi and Kowalski […] would instead require, every time, the generation of the possible models induced by the non-determinism and their successive selection by integrity constraints. We argue that in certain conditions it is possible to perform this step in advance, generating a collection of partial theories corresponding to the non-deterministic part of the chronicle which can be composed with the deterministic part when proving a certain goal. It is almost always the case that integrity constraints will greatly reduce the set of possible models. Furthermore, using this technique, inconsistent chronicles can be statically recognized.



2 Background

In order to keep this paper self-contained, in this preliminary section we informally provide some background on the techniques we will use in the rest of the paper.



2.1 Features and Fluents

This concise and informal introduction aims to give just an intuition of the underlying ideas of Features & Fluents. In the rest of the paper we will make use of the following concepts without directly referring to their original meaning, even if a strong relation may be apparent. F&F makes use of the following syntactic categories for representing scenario descriptions (i.e. chronicles):

Features. A feature $f$ is a first order term which denotes a property of a class of objects that constitute a scenario (e.g. color(traffic_light_#1)), that is, a function from the object domain $O$ to the set of feature values $V$. The features domain is denoted by $\mathcal{F}$ and for each $f \in \mathcal{F}$, $V(f)$ denotes the codomain of $f$. $V(f)$ is thus the set of all possible values for the feature $f$ (e.g. $V(color(X)) = \{red, yellow, green\}$).

Fluents. A fluent $[t]f$ is a first order term which represents a function from time-points to corresponding feature values, and it can be thought of as the trace over time of a particular feature (e.g. [3]color(traffic_light_#1)).

Actions. An action occurrence $[s, t]a$ happens over an interval of time $[s, t]$ through the intervention of an agent, and the action designators domain is denoted by $\mathcal{E}$ (e.g. [s, t]switch(traffic_light_#1)).

At the semantic level, the models of chronicles are represented by histories, which are (possibly partial) functions of type $R : \mathcal{T} \times \mathcal{F} \to V$ where $\mathcal{T}$ is the time domain, $\mathcal{F}$ is the features domain and $V$ is the feature-values domain. The set of histories is denoted by $\mathcal{H}$. If a specific feature $f$ is chosen, then the resulting function of time $R(f) : \mathcal{T} \to V$ is a fluent. Similarly, if a specific time-point $t$ is chosen, then the function obtained $R(t) : \mathcal{F} \to V$ is a state. The set of partial states (i.e. partial functions of type $\mathcal{F} \to V$) is denoted by $\mathcal{R}$.



Underlying Semantics. In order to build the intended models of a chronicle (i.e. the possible histories), Sandewall introduces the notion of underlying semantics as a game between two players: an Ego (i.e. the agent) and a World (i.e. the environment). The Ego-World interaction incrementally updates a structure called finite development which keeps track of all action occurrences and feature changes over an interval of time $[0, s]$. Let $\mathcal{J}$ be the domain of all possible finite developments. Then we can formally define the Ego $K$ and the World $W$ as mappings (or transformations) from $\mathcal{J}$ to $\mathcal{J}$ with the special properties that $K$ preserves the interval $[0, s]$ over which the development is defined, and $W$ extends $[0, s]$ to $[0, s']$ where $s < s'$. Since the finite history $R$ (i.e. a history restricted to the closed interval $[0, s]$) is the main information contained in a finite development $J$, we do not consider here the whole structure $J$ as in Sandewall's original work.¹ The way a finite history $R$ is gradually extended by an Ego-World game is specified by a system of rules coded by a so-called underlying semantics. We propose here an adapted version of Sandewall's encapsulated semantics as our underlying semantics, that is a pair $(Infl, Rstat)$ which specifies how the World has to extend the history when an action is carried out by the Ego. The function $Infl : \mathcal{E} \times \mathcal{R} \to 2^{\mathcal{F}}$ specifies the set of features which are influenced by a particular action executed in a particular state. $Rstat : \mathcal{E} \times \mathcal{R} \to 2^{\mathcal{R}}$ specifies the set of states resulting from the successful execution of an action (i.e. action pre-conditions are fulfilled in the given state). Given a state $R(s)$ where $s \in \mathcal{T}$ and an action instance $[s, t]a$, where $a \in \mathcal{E}$, invoked by the Ego, a resulting state $r_j$ is non-deterministically chosen from $Rstat(a, R(s)) = \{r_1, \ldots, r_n\}$. The new history $R'$ is obtained from the previous one, $R$, in the following way:



¹ Formally a development $J$ is defined as a 5-tuple $(B, M, R, A, C)$ where $B$ is the set of breakpoints (i.e. time-points where persistence is broken), $M$ is an interpretation of constant symbols, $R$ is a finite history, $A$ is the past action set (i.e. actions performed until the last breakpoint) and $C$ is the set of not yet terminated actions. This structure accounts for a more general notion of scenario. For all details refer to …
- $\forall \tau \in [0, s] : R'(\tau) = R(\tau)$

- $f \notin Infl(a, R(s)) \Rightarrow \forall \tau \in (s, t] : R'(f, \tau) = R(f, s)$

- $f \in Infl(a, R(s)) \Rightarrow (R'(f, t) = r_j(f) \wedge \forall \tau \in (s, t) : R'(f, \tau) = \bot)$

Note that the resulting history $R'$ is undefined (i.e. denoted by the symbol $\bot$) for influenced features in $Infl(a, R(s))$ during the interval $(s, t)$. Any Ego-World game is started in a state denoted by $R(0)$ which contains the initial, possibly partial, knowledge about the values of the involved features. The above encapsulated semantics defines the class $\mathcal{K}$-ReA² of scenario descriptions in Sandewall's taxonomy.
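The Ego-World step described above, as an added Python illustration that is not code from the paper: time-points are integers, and the Infl and Rstat functions for the traffic-light example are constructed for the demonstration.

```python
"""One Ego-World step of the encapsulated semantics (Infl, Rstat) of Section 2.1.
Added illustration, not code from the paper.  Time-points are integers so the
open interval (s, t) can be enumerated; a history is a dict tau -> partial state
(dict feature -> value) defined on [0, end]; the traffic-light feature and the
switch action follow the paper's running example with constructed values."""

UNDEFINED = None          # the symbol ⊥: feature value undefined in the history
LIGHT = "color(traffic_light_1)"

def rstat(action, state):
    """Rstat(a, r): constructed result states.  switch is executable when the
    light is red (two alternatives, i.e. non-determinism) or green (one)."""
    if action == "switch(traffic_light_1)" and state.get(LIGHT) == "red":
        return [{LIGHT: "green"}, {LIGHT: "yellow"}]
    if action == "switch(traffic_light_1)" and state.get(LIGHT) == "green":
        return [{LIGHT: "red"}]
    return []             # preconditions not fulfilled: no resulting state

def infl(action, state):
    """Infl(a, r): the features a switch action may change (only the colour)."""
    return {LIGHT} if action.startswith("switch(") else set()

def extend(history, s, t, action, choice=0):
    """The World's extension of R (defined on [0, s]) to R' on [0, t] after the
    Ego invokes [s, t]a, with r_j = Rstat(a, R(s))[choice]:
      - R'(tau) = R(tau) on [0, s];
      - f not in Infl(a, R(s)): R'(f, tau) = R(f, s) on (s, t] (persistence);
      - f in Infl(a, R(s)):     R'(f, tau) = ⊥ on (s, t) and R'(f, t) = r_j(f)."""
    if s != max(history) or t <= s:
        raise ValueError("the action must start where the history ends")
    state_s = history[s]
    results = rstat(action, state_s)
    if not results:
        raise ValueError(f"{action} is not executable in R({s})")
    r_j, influenced = results[choice], infl(action, state_s)
    new = {tau: dict(history[tau]) for tau in history}
    for tau in range(s + 1, t + 1):
        new[tau] = {}
        for f in set(state_s) | influenced:
            if f not in influenced:
                new[tau][f] = state_s[f]
            else:
                new[tau][f] = r_j.get(f, UNDEFINED) if tau == t else UNDEFINED
    return new

def alternatives(history, s, t, action):
    """All histories the World may produce: one per r_j in Rstat(a, R(s))."""
    n = len(rstat(action, history[s]))
    return [extend(history, s, t, action, j) for j in range(n)]

def fluent(history, f):
    """The fluent [tau]f: the trace of feature f over the whole history."""
    return [(tau, history[tau].get(f, UNDEFINED)) for tau in sorted(history)]

# Constructed initial state R(0): the light is red; 'mode' is never influenced.
R0 = {0: {LIGHT: "red", "mode(traffic_light_1)": "auto"}}
```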



2.2 Logic Programming

The language of logic programs with negation (i.e. general logic programs) will be used here as the meta-language for representing FLP-chronicles. FLP is considered the object language, which can be mapped into a meta-representation by means of syntactic transformations. We will show how to exploit an existing standard proof procedure for general logic programs to build a proof system for FLP. We assume the reader to be familiar with the classical theory of logic programming languages (i.e. logical, fix-point and SLD procedural semantics). More details can be found in […].



General Logic Programs. The underlying language of general (or normal) logic programs is a first order language of terms. Constants and functions are denoted by small letters while variables are capital letters. Terms are constructed in the usual way as in the corresponding first order language. Atoms have the form $p(t_1, \ldots, t_n)$, where each $t_i$ is a term and $p$ is a predicate symbol of arity $n$. A rule (or general clause) is a statement of the form $L_0 \leftarrow L_1, \ldots, L_m$ where each $L_i$ is a literal, that is either an atom $A_i$ or its negation $not\ A_i$, for each $i = 1, \ldots, m$ and $m \ge 0$, while $L_0 = A_0$ (i.e. the head of a rule cannot be negated). In the case of $m = 0$ we have unary clauses or facts. A literal of the form $not\ A$ is called negative. A set of rules is called a general logic program. General logic programs without any negative literal are called definite (or positive) logic programs and their rules are called definite Horn clauses. Rules and terms with no variables are called ground. A formula $Q$ of the form $L_1, \ldots, L_n$ with literals $L_i$ is called a query. A query $L_1, \ldots, L_n$ denotes the formula $\exists X : L_1 \wedge \ldots \wedge L_n$ where $X = X_1, \ldots, X_k$ is the set of free variables occurring in the query. The set of all constant, function and predicate symbols used in a program $P$ is referred to as the language of $P$ (i.e. $\mathcal{L}(P)$).

² The class $\mathcal{K}$-ReA is the extension of the $\mathcal{K}$-IeA class treated in F&F for dealing with continuous time. The ontological designator ReA denotes inertial scenarios with sequentially executed actions whose alternatives are completely and uniquely specified by their preconditions and results. The sub-specialty e stands for "encapsulated actions". A larger class $\mathcal{K}$-RAC$_i$ (i.e. with independent concurrent actions) has been formally defined by Brandano in […].
Negation in Logic Programming. In the classical formulation of semantics for negation in logic programming we make use of the Closed World Assumption, where we can assume as false everything that is not a logical consequence of what is explicitly said to be true. This kind of assumption induces a form of non-monotonic reasoning: if the truth of $A$ depends on the absence of information about the truth of $B$, then after adding the knowledge that $B$ is true we cannot infer that $A$ is still true. We will make use of the following concepts:

— Clark's negation as finite failure, where $not\ Q$ is entailed by a program $P$ if every SLD derivation for the query $Q$ finitely fails.

— Clark's completion of a general logic program, $comp(P)$.

We consider here an extension of the SLD decision procedure for dealing with negation as finite failure: the SLDNF procedure. This procedure has been shown to be sound and complete with respect to a 3-valued logical semantics modeled on the Clark completion and suitable for a meaningful subclass of general logic programs (i.e. the allowed programs³). All the background required about negation in logic programming can be found in […].



Composing General Logic Programs. This section briefly summarizes the main results proposed in our earlier work about a compositional semantics for general logic program expressions. Expressions make use of composition operators and they induce an algebra of general logic programs. We focus here only on the union operator. Operators are defined syntactically by the following transformation $\tau$, which maps general logic program expressions into plain general logic programs:

$$\tau(P) = P \quad \text{if } P \text{ is a general logic program}$$
$$\tau(E \cup F) = \{A \leftarrow L \mid (A \leftarrow L) \in \tau(E) \vee (A \leftarrow L) \in \tau(F)\}$$

The union of two logic programs is just the union of their clauses.

The Fitting 3-valued semantics $\Phi_P$ for general logic programs can be extended to general program expressions in the following manner. Writing a 3-valued interpretation $J$ as the pair $(J^+, J^-)$ of the atoms it makes true and false, if $\Phi_P(I) = J$ then let

$$\Phi^+_P(I) = J^+, \qquad \Phi^-_P(I) = J^-.$$

Moreover, if $J$ is an Herbrand interpretation, then the extension of $J$ with respect to $HB_P$ (the Herbrand base of $P$) is given by:

$$Ext(J) = \{p(t) \mid p(t) \in HB_P \wedge \exists u : p(u) \in J\}$$

^ A query $\leftarrow L = \leftarrow L_1, \ldots, L_n$ is allowed if each variable occurs in positive literals. A clause $A \leftarrow L$ is allowed if $\leftarrow (\mathit{not}\ A, L)$ is allowed. A program is allowed if all its clauses are allowed.
Let $E_1, E_2$ be two general logic program expressions and let $I$ be a 3-valued interpretation. Then for the case of the union operator we define $\Phi_{E_1 \cup E_2}(I)$ compositionally from $\Phi_{E_1}(I)$ and $\Phi_{E_2}(I)$.

The above definition gives a compositional semantics for general logic program expressions. Furthermore, the following results have been shown:

— Let $E$ be a general logic program expression; then for any 3-valued Herbrand interpretation $I$: $\Phi_E(I) = \Phi_{\tau(E)}(I)$.

— Let $E$ be a program expression over allowed general logic programs; then $\tau(E)$ is an allowed general logic program.

Combining these results with the soundness and completeness theorems of the SLDNF proof procedure with respect to the 3-valued Fitting semantics and Clark completion, we have that if $E$ is a program expression over allowed general logic programs and $L$ is an allowed query, then:

— $\exists n < \omega : \Phi^n_E \models_3 L \iff \exists m < \omega : \Phi^m_{\tau(E)} \models_3 L \iff comp(\tau(E)) \models_3 L$

— if $\theta$ is a computed answer substitution such that $\tau(E) \vdash_{SLDNF} L\theta$, then $comp(\tau(E)) \models_3 \forall L\theta$

— $\exists n < \omega : \Phi^n_E \models_3 L \implies \exists \theta : \tau(E) \vdash_{SLDNF} L\theta$.

2.3 Event Calculus

The event calculus (EC) is a logic programming based formalism capable of dealing with events occurring within time periods and with properties of objects which can persist or change over time. EC is based on the following ontologies or domains: the temporal domain $\mathcal{T}$, an algebraic structure with a linear order relation $<$ and equality; the properties or features domain $\mathcal{F}$; and the action tokens or events domain $\mathcal{E}$. A scenario description is presented by defining the following predicates: $happens : \mathcal{E} \times \mathcal{T}$ specifies the occurrence of an event at a certain time-point; $initiates : \mathcal{E} \times \mathcal{F}$ and $terminates : \mathcal{E} \times \mathcal{F}$ specify the effects of the successful execution of a certain action; $holdsat : \mathcal{F} \times \mathcal{T}$ specifies the truth value of a property at a given time-point. The core inference engine is based on the definition of the following rules and relies on the interpretation of negation as finite failure:

$$holdsat(F, T) \leftarrow happens(E, T_1),\ initiates(E, F),\ T_1 < T,\ \mathit{not}\ clipped(T_1, F, T).$$
$$clipped(T_1, F, T_2) \leftarrow happens(E, T),\ terminates(E, F),\ T_1 < T,\ T < T_2.$$



In the above definition some epistemological and ontological assumptions are made. In our opinion the most remarkable are the following: (i) only instantaneous actions, (ii) absence of explicit non-determinism, (iii) no partial knowledge and no temporal post-diction. However, there are some successful attempts in the literature to overcome these problems. An extended version of EC will be used as the basis of the meta-logical semantics for FLP that allows the treatment of non-instantaneous actions.
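As an added illustration (not code from the original paper), the two EC rules above can be executed directly as a small Python evaluator over a finite scenario. Negation as finite failure becomes a plain `not` over a finite set of `happens` facts, which makes the closed-world reading explicit: a property holds only if some initiating event is on record and no terminating event can be found in between. The scenario (a light switched on, off and on again) and the event and property names are assumptions of the example.

```python
"""Classical event calculus over a finite scenario (added example, not from the paper).

Facts are plain Python sets; the two rules of the EC core are written as
functions that mirror the clauses one-to-one:

    holdsat(F,T)     <- happens(E,T1), initiates(E,F), T1 < T, not clipped(T1,F,T).
    clipped(T1,F,T2) <- happens(E,T), terminates(E,F), T1 < T, T < T2.
"""

# Constructed scenario (an assumption for the example, not from the paper).
HAPPENS = {("switch_on", 1), ("switch_off", 5), ("switch_on", 8)}   # happens(E, T)
INITIATES = {("switch_on", "light")}                                # initiates(E, F)
TERMINATES = {("switch_off", "light")}                              # terminates(E, F)


def clipped(t1, f, t2, happens=HAPPENS, terminates=TERMINATES):
    """True if some event that terminates f happens strictly inside (t1, t2)."""
    return any(t1 < t < t2 and (e, f) in terminates for (e, t) in happens)


def holds_at(f, t, happens=HAPPENS, initiates=INITIATES, terminates=TERMINATES):
    """True if an initiating event for f happened before t and was not clipped since.

    'not clipped(...)' is negation as finite failure: the search over the finite
    set of happens/terminates facts fails, so the negative literal succeeds.
    """
    return any(
        t1 < t and (e, f) in initiates and not clipped(t1, f, t, happens, terminates)
        for (e, t1) in happens
    )


def timeline(f, times, **facts):
    """Truth value of f at each requested time-point, as a list of booleans."""
    return [holds_at(f, t, **facts) for t in times]


def nonmonotonic_demo():
    """Adding one fact retracts a conclusion: holdsat(light, 3) flips from True to False."""
    before = holds_at("light", 3)
    after = holds_at("light", 3, happens=HAPPENS | {("switch_off", 2)})
    return before, after


if __name__ == "__main__":
    print(timeline("light", range(0, 10)))
    print(nonmonotonic_demo())
```

Because both inequalities are strict, the light is not yet on at the instant of `switch_on` and is still on at the instant of `switch_off`; `nonmonotonic_demo` shows the closed-world effect described in Section 2.2, where a conclusion that depended on the absence of a fact is withdrawn as soon as that fact is added.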



3 Fluent Logic Programming

Fluent logic programming (FLP) is a slightly modified fragment of Sandewall's TFL. Since we want this language to be effectively implemented, a natural choice is to turn the original full first order predicate calculus language into a Horn clause-like one.

Definition 1. An FLP-chronicle $\Upsilon$ is a collection of statements of the following categories:

— Law: action laws are statements of the two possible forms:

• Deterministic action
$$[S,T]a \Rightarrow (f_1 = v_1, \ldots, f_n = v_n \Rightarrow f := v)$$

• Non-deterministic action
$$[S,T]a \Rightarrow (f_1 = v_1, \ldots, f_n = v_n \Rightarrow f := [w_1, \ldots, w_k])$$

— Scd: action occurrences are statements of the form $[s,t]a$

— Obs: observations are statements of the form $[t]f = v$

where $a \in \mathcal{E}$; $f, f_1, \ldots, f_n \in \mathcal{F}$; $v, v_1, \ldots, v_n, w_1, \ldots, w_k \in \mathcal{V}$; $s, t \in \mathcal{T}$; and $S, T$ are variables ranging over $\mathcal{T}$.

We have used the meta-symbols $a$ for denoting an action instance, $f, f_1, f_2, \ldots$ for denoting feature names, $v, v_1, \ldots, v_m$ and $w_1, \ldots, w_k$ for denoting feature values, and $s, t$ for temporal constants in the time structure $\mathcal{T}$. Actions, features and feature values are first order terms, while the time structure $\mathcal{T}$ is essentially

We use the symbol $\mathcal{F}_\Upsilon$ for denoting the set of feature names occurring in the chronicle $\Upsilon$. As usual, capital case is used for logic programming variables. We can partition each FLP-chronicle $\Upsilon$ into three subsets of statements (i.e. $\Upsilon = Law \cup Scd \cup Obs$) according to their syntactical categories. The intuitive reading is that, given an instance of an action $[s,t]a$ in $Scd$, the action $a$ is performed during the time interval $[s,t]$. The action laws in $Law$ represent the pre-conditions and the effects of action occurrences. Pre-conditions are expressed as a conjunction of equalities to be checked at the starting time-point of the action duration interval. Effects are expressed as assignments (using the symbol ":=") of one or more feature values to a feature^. If there exists an action law in $Law$ whose head (on the left of the symbol "$\Rightarrow$") unifies with an

^ We will consider the := operator as a syntactic constructor.
action occurrence, we can simply replace it with the body of the action law (on the right of the symbol "$\Rightarrow$"), substituting the variables with the terms occurring in the action occurrence. This step can be expressed by the following rule:

$$\frac{[s,t]act(t_1, \ldots, t_n) \in Scd \qquad [S,T]act(X_1, \ldots, X_n) \Rightarrow (Pre \Rightarrow Post) \in Law}{(Pre \Rightarrow Post)\theta \in Law[Scd]}$$

where $\theta = \{s/S, t/T, t_1/X_1, \ldots, t_n/X_n\}$ is a set of variable substitutions.

Applying this "unfolding" step to each action in $Scd$ we obtain an expanded version of the original chronicle where $Law$ and $Scd$ are merged in a new set of statements called $Law[Scd]$. Each action instance $[s,t]a$ is then rewritten according to the matching action law in the form:

$$[s,t](f_1 = v_1, \ldots, f_n = v_n) \Rightarrow f := v$$

or in the non-deterministic case:

$$[s,t](f_1 = v_1, \ldots, f_n = v_n) \Rightarrow f := [w_1, \ldots, w_k].$$

According to the encapsulated semantics, the value of the affected feature is undefined during the period of time in which an action is executed. The set of observation statements $Obs$ is used to assert constraints on the scenario description. It is assumed that the dynamical part of the chronicle (i.e. $Law$ and $Scd$) is consistent with the observations (this is the epistemological designator $\mathcal{K}$ in the class $\mathcal{K}$-ReA). Furthermore, a feature cannot be observed having more than one feature value at the same time. Epistemological assumptions provide a general way of defining the well-formedness of chronicles. Using the following definition it is always possible to provide an encapsulated semantics for each FLP-chronicle, thus characterizing the operational behavior of the corresponding Ego-World game.

Definition 2 (FLP Encapsulated Semantics).

Let $\Upsilon = Law \cup Scd \cup Obs$ be an FLP-chronicle. The encapsulated semantics for $\Upsilon$ is characterized by the pair $(Infl, Rstat)$ such that for each action occurrence $[s,t]a \in Scd$ and its corresponding law instance $[s,t](f_1 = v_1, \ldots, f_n = v_n) \Rightarrow f := [w_1, \ldots, w_k] \in Law[Scd]$, if $R$ is a history such that $\forall i \in \{1, \ldots, n\} : R(s, f_i) = v_i$, then $f \in Infl(a, R(s))$ and $\forall j \in \{1, \ldots, k\} : \exists r_j \in Rstat(a, R(s))$ such that $r_j(f) = w_j$.

This definition extends a similar definition of the encapsulated semantics for the class $\mathcal{K}$-IeA proposed in our earlier work. Observe that any initial state $R(0)$ must satisfy the constraint that for each $f \in \mathcal{F}_\Upsilon$ such that $[0]f = v \in Obs$ there exists a unique value $v$ such that $R(0, f) = v$.

3.1 Non-deterministic Chronicles

The set of possible histories for a chronicle $\Upsilon$ represents the set of its intended models and it is denoted by $\Sigma_{\mathcal{K}\text{-ReA}}(\Upsilon)$ if the chronicle $\Upsilon$ belongs to the $\mathcal{K}$-ReA class in Sandewall's taxonomy. A deterministic chronicle has only one


A Meta-logical Semantics 785



intended model (i.e. its complete history), while non-deterministic chronicles may have multiple intended models (i.e. deterministic histories consistent with the observations). Rather than using the encapsulated semantics to generate the set of intended models, we can suitably transform our FLP-chronicle in order to use a simpler deterministic resulting-state function (i.e. $Rstat : \mathcal{E} \times \mathcal{R} \to \mathcal{R}$). The intended model set $\Sigma_{\mathcal{K}\text{-ReA}}(\Upsilon)$ is thus generated by a set of deterministic histories. Each deterministic history is obtained by composing the original FLP-chronicle with a partial deterministic FLP-theory (which contains only action law instances) taken from a set called the hypothetical theories set $Hyp(\Upsilon)$. $Hyp(\Upsilon)$ contains deterministic FLP-theories built as a combination of feature assignments taken from each occurring non-deterministic action. In this fashion, incomplete knowledge about the initial state can be modeled as a special case of non-determinism: a dummy instantaneous non-deterministic action with no pre-conditions is executed at time-point 0, assigning all possible values to each feature for which there is no initial knowledge (i.e. no initial observations). More formally, the hypothetical theories set is characterized by the following definition:

Definition 3 (Hypothetical Theories Set).

Given an FLP-chronicle $\Upsilon = Law \cup Scd \cup Obs$, let

$$InitScd = \{[0,0]initially(f) \mid f \in \mathcal{F}_\Upsilon \wedge [0]f = v \notin Obs\}$$
$$InitLaw = \{[S,T]initially(f) \Rightarrow f := [w_1, \ldots, w_n] \mid f \in \mathcal{F}_\Upsilon \wedge [0]f = v \notin Obs \wedge \{w_1, \ldots, w_n\} = \mathcal{V}(f)\}$$

and let the expansion of the statements in $InitScd$ w.r.t. $InitLaw$ be:

$$InitLaw[InitScd] = \{[0,0]f := [w_1, \ldots, w_n] \mid f \in \mathcal{F}_\Upsilon \wedge [0]f = v \notin Obs \wedge \{w_1, \ldots, w_n\} = \mathcal{V}(f)\}.$$

The hypothetical theories set is defined by:

$$Hyp(\Upsilon) = \{\{[s_1,t_1]Pre_1 \Rightarrow f_1 := w_1, \ldots, [s_n,t_n]Pre_n \Rightarrow f_n := w_n\} \mid \forall i = 1, \ldots, n : [s_i,t_i]Pre_i \Rightarrow f_i := [v_1, \ldots, v_{k_i}] \in Law[Scd] \cup InitLaw[InitScd] \wedge \bigvee_{j=1}^{k_i} w_i = v_j\}$$

where $Pre_i$ denotes an action pre-condition of the form $f_1 = v_1, \ldots, f_k = v_k$.

$Hyp(\Upsilon)$ must be further restricted to those hypotheses which are consistent with the observations made after the initial time-point; the restriction is obtained by keeping only those theories which generate histories containing all the triples $(f, v, t)$ corresponding to each non-initial observation $[t]f = v$ in $Obs$ (i.e. such that $t > 0$):

Definition 4. Let $\bar{\Upsilon}$ be the FLP-chronicle obtained from $\Upsilon$ by removing all non-deterministic action laws from $Law$ and all non-deterministic action occurrences from $Scd$; then

$$Hyp(\Upsilon)|_{Obs} = \{hyp \in Hyp(\Upsilon) \mid \forall f, v, t > 0 : [t]f = v \in Obs \Rightarrow \exists R \in \Sigma_{\mathcal{K}\text{-ReA}}(\bar{\Upsilon} \setminus Obs \cup hyp) : R(f, t) = v\}$$

The intended model set for an FLP-chronicle $\Upsilon$ is defined as:

$$\Sigma_{\mathcal{K}\text{-ReA}}(\Upsilon) = \Sigma_{\mathcal{K}\text{-ReA}}(\bar{\Upsilon}) \cup \bigcup_{hyp \in Hyp(\Upsilon)|_{Obs}} \Sigma_{\mathcal{K}\text{-ReA}}(\bar{\Upsilon} \setminus Obs \cup hyp)$$

As can be easily observed, an implementation of the above approach needs a suitable way of composing logical theories in order to generate systematically exactly all the intended models of a non-deterministic FLP-chronicle. It is worthwhile to remark that this solution may seem like an immensely complex alternative to the way in which open theories are usually dealt with in logic programming: on the open predicates just give an integrity constraint providing all possible hypotheses in disjunction. Even simpler: just define something to be open (e.g. abducible predicates) and let abductive procedures propose some consistent closures of the theory. A solution of this kind has been adopted elsewhere. On the other hand, we argued that equivalent answers can be computed more efficiently using a pre-compiled set of consistent hypotheses rather than computing them every time they are needed in the query processing. However, an abductive semantics for FLP is currently under investigation.



4 Meta-logical Semantics for FLP

In our investigation^ we also provide a transformational meta-logical implementation of FLP, where FLP-theories are transformed into normal logic programs. The meta-representation of $\Upsilon$ is denoted by $\pi(\Upsilon)$. Furthermore, we add a core inference engine $\Lambda$ which can be thought of as an extension of the event calculus inference engine. Instantaneous events have been replaced by extended-duration actions, and properties have been generalized by features, of which they are a particular case (i.e. boolean valued features). The meta-level representation of the chronicle $\Upsilon$, completed by $\Lambda$, is composed with each element of the meta-representation of the hypothetical theory set $\pi(Hyp(\Upsilon)|_{Obs})$. The use of the compositional operator $\cup$ is crucial here, since it allows one to compose one hypothetical theory at a time with the meta-representation of the chronicle.

^ More details in our earlier reports.
4.1 Meta-logical Representation of FLP-Chronicles

We provide here the meta-representation of an FLP-chronicle together with a mapping for each object-level FLP-statement:

Observations

$$\pi([0]f = v) = initially(f, v).$$

Deterministic Action Laws

$$\pi([S,T]action \Rightarrow (f_1 = v_1, \ldots, f_n = v_n \Rightarrow f := v)) =$$
$$\quad change(f, v, T) \leftarrow occurs(S, T, action),\ success(f, S, T, action).$$
$$\quad success(f, S, T, action) \leftarrow holds(f_1, v_1, S), \ldots, holds(f_n, v_n, S).$$

Non-deterministic Action Laws

$$\pi([S,T]action \Rightarrow (f_1 = v_1, \ldots, f_n = v_n \Rightarrow f := [w_1, \ldots, w_k])) =$$
$$\quad success(f, S, T, action) \leftarrow holds(f_1, v_1, S), \ldots, holds(f_n, v_n, S).$$

Action Instance

$$\pi([s,t]action) = occurs(s, t, action).$$

Core Inference Rules

$\Lambda$ consists of the following clauses:

$$change(F, V, 0) \leftarrow initially(F, V).$$
$$holds(F, V, Tau) \leftarrow change(F, V, Tau).$$
$$holds(F, V, Tau) \leftarrow \mathit{not}\ occluded(F, Tau),\ change(F, V, T_1),\ T_1 < Tau,\ \mathit{not}\ clipped(F, T_1, Tau).$$
$$occluded(F, Tau) \leftarrow occurs(S, T, A),\ success(F, S, T, A),\ S < Tau,\ Tau < T.$$
$$clipped(F, S, Tau) \leftarrow occurs(S_1, T_1, A),\ success(F, S_1, T_1, A),\ S < S_1,\ T_1 < Tau.$$




788 Vincenzo Pallotta



The predicate $occluded$^ is true for the feature $f$ at a time-point $\tau$ if there is an action $[s,t]a$ influencing $f$ which occurs in an interval $[s,t]$ that contains $\tau$. The success of its execution depends on its pre-conditions. A feature $f$ is clipped in the sub-interval $[t, \tau]$ if there exists a successfully executed action influencing $f$ during a sub-interval $[s', t') \subset [t, \tau]$. We can check whether an action influences a feature $f$ by verifying that there exists an action instance changing its value at a given time-point. This leads to the definition of the predicate $change$. The four possible situations in which we can ask for deducing a value for a feature $f$ at a certain time-point $\tau$ are graphically represented in the following diagram:



[Figure: four time lines, each showing two actions (action1, action2) and the query point $\tau$; from top to bottom: (1) a change at $t'$ that persists up to $\tau$, (2) a change at $\tau$ itself, (3) $\tau$ occluded by an executing action, (4) the change at $t'$ clipped before $\tau$.]



In the first line (from above) at the time-point $\tau$ the conditions

$$\neg occluded(f, \tau) \wedge change(f, v, t') \wedge \neg clipped(f, t', \tau) \wedge t' < \tau$$

hold. In the remaining lines hold respectively $change(f, v, \tau)$, $occluded(f, \tau)$ and $clipped(f, t', \tau)$.

Hypothetical Theories

$$\pi(Hyp(\Upsilon)) = \{\{change(f_1, w_1, t_1) \leftarrow success(f_1, s_1, t_1, act_1), \ldots, change(f_n, w_n, t_n) \leftarrow success(f_n, s_n, t_n, act_n)\} \mid \{[s_1,t_1]Pre_1 \Rightarrow f_1 := w_1, \ldots, [s_n,t_n]Pre_n \Rightarrow f_n := w_n\} \in Hyp(\Upsilon)\}$$

Constrained Hypothetical Theories

$$\pi(Hyp(\Upsilon)|_{Obs}) = \{hyp \in \pi(Hyp(\Upsilon)) \mid \forall [t]f = v \in Obs : \exists n < \omega : \Phi^n_{\tau(\pi(\bar{\Upsilon}) \cup \Lambda \cup hyp)} \models_3 holds(f, v, t)\}.$$



^ The term occluded has been introduced by Sandewall in the Features & Fluents terminology, meaning that the value of a fluent is unknown at a given time-point (i.e. it is changing during the execution of an action).
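The following Python (an added example, not the paper's SICStus implementation) puts Definitions 3 and 4 of Section 3.1 and the core rules $\Lambda$ of Section 4.1 together: it builds $Hyp(\Upsilon)$ as the product of the alternatives of every non-deterministic occurrence and of every feature unobserved at time 0 (the dummy $initially$ action), evaluates $holds$ under each hypothesis with the $change$/$occluded$/$clipped$ rules for durative actions, and keeps the hypotheses whose history satisfies the later observations, giving $Hyp(\Upsilon)|_{Obs}$. The chronicle (a coin toss followed by a bet on heads), the Python data layout, and one inequality in `clipped` noted in a comment are assumptions of the example.

```python
"""Core inference rules Λ and hypothetical theories for an FLP-chronicle.

Added example, not the paper's implementation. Feature values are strings,
time-points are integers, and every occurrence [s,t]a has s < t.
"""
from functools import lru_cache
from itertools import product
from typing import Dict, List, NamedTuple, Tuple


class Law(NamedTuple):
    pre: Dict[str, str]       # pre-conditions f_i = v_i, checked at the start point S
    feature: str              # the affected feature f
    values: Tuple[str, ...]   # one value (deterministic) or several (non-deterministic)


class Chronicle(NamedTuple):
    laws: Dict[str, Law]                 # Law, keyed by action name
    scd: List[Tuple[int, int, str]]      # Scd: occurrences (s, t, a)
    init: Dict[str, str]                 # Obs at time 0: [0]f = v
    obs: List[Tuple[int, str, str]]      # Obs at t > 0: (t, f, v)
    domains: Dict[str, Tuple[str, ...]]  # V(f)


def make_holds(ch, hyp):
    """holds(f, v, tau) for the chronicle composed with one hypothesis hyp, an
    element of Hyp(Υ): hyp maps ('init', f) or an occurrence (s, t, a) to the
    one value chosen for it; deterministic parts need no entry."""
    initial = dict(ch.init, **{k[1]: v for k, v in hyp.items() if k[0] == "init"})
    change_times = sorted({0} | {t for (_, t, _) in ch.scd})

    def effect_value(occ):
        law = ch.laws[occ[2]]
        return law.values[0] if len(law.values) == 1 else hyp.get(occ)

    @lru_cache(maxsize=None)
    def success(f, s, t, a):
        # success(f,S,T,a) <- holds(f1,v1,S), ..., holds(fn,vn,S)
        law = ch.laws[a]
        return law.feature == f and all(holds(g, w, s) for g, w in law.pre.items())

    @lru_cache(maxsize=None)
    def change(f, v, tau):
        # change(F,V,0) <- initially(F,V).   change(f,v,T) <- occurs(S,T,a), success(f,S,T,a).
        if tau == 0 and initial.get(f) == v:
            return True
        return any(t == tau and effect_value((s, t, a)) == v and success(f, s, t, a)
                   for (s, t, a) in ch.scd)

    def occluded(f, tau):
        # occluded(F,Tau) <- occurs(S,T,A), success(F,S,T,A), S < Tau, Tau < T.
        return any(s < tau < t and success(f, s, t, a) for (s, t, a) in ch.scd)

    def clipped(f, t1, tau):
        # clipped(F,S,Tau) <- occurs(S1,T1,A), success(F,S1,T1,A), S < S1, T1 <= Tau.
        # Assumption: '<=' instead of the clause's '<', following the prose reading
        # [s',t') ⊂ [t,tau], so that exactly one value holds at an action's end-point.
        return any(t1 < s and t <= tau and success(f, s, t, a) for (s, t, a) in ch.scd)

    @lru_cache(maxsize=None)
    def holds(f, v, tau):
        # holds(F,V,Tau) <- change(F,V,Tau).
        # holds(F,V,Tau) <- not occluded(F,Tau), change(F,V,T1), T1 < Tau, not clipped(F,T1,Tau).
        if change(f, v, tau):
            return True
        if occluded(f, tau):
            return False
        return any(change(f, v, t1) and not clipped(f, t1, tau)
                   for t1 in change_times if t1 < tau)

    return holds


def hypotheses(ch):
    """Hyp(Υ) (Definition 3): the product of the alternatives of each feature
    unobserved at 0 (the dummy [0,0]initially(f)) and of each non-deterministic occurrence."""
    slots = [(("init", f), ch.domains[f]) for f in sorted(ch.domains) if f not in ch.init]
    slots += [(occ, ch.laws[occ[2]].values) for occ in ch.scd if len(ch.laws[occ[2]].values) > 1]
    keys = [k for k, _ in slots]
    return [dict(zip(keys, choice)) for choice in product(*[vals for _, vals in slots])]


def consistent_hypotheses(ch):
    """Hyp(Υ)|Obs (Definition 4): keep the hypotheses whose history satisfies every later observation."""
    return [h for h in hypotheses(ch) if all(make_holds(ch, h)(f, v, t) for (t, f, v) in ch.obs)]


def value_at(holds, ch, f, tau):
    """The unique value of f at tau in a history, or None while f is occluded."""
    vals = [v for v in ch.domains[f] if holds(f, v, tau)]
    return vals[0] if len(vals) == 1 else None


# Constructed scenario (an assumption, not from the paper): toss a coin, then bet on heads.
# The wallet is observed poor at 0 and rich at 6; the coin's initial face is unobserved.
COIN = Chronicle(
    laws={"toss": Law(pre={}, feature="coin", values=("heads", "tails")),
          "bet_heads": Law(pre={"coin": "heads"}, feature="wallet", values=("rich",))},
    scd=[(1, 3, "toss"), (4, 5, "bet_heads")],
    init={"wallet": "poor"},
    obs=[(6, "wallet", "rich")],
    domains={"coin": ("heads", "tails"), "wallet": ("poor", "rich")},
)

if __name__ == "__main__":
    for h in consistent_hypotheses(COIN):            # only tosses landing heads survive
        holds = make_holds(COIN, h)
        print(h, [value_at(holds, COIN, "coin", t) for t in range(7)])
```

Of the four hypotheses (two initial faces times two toss outcomes) only the two in which the toss lands heads survive the observation that the wallet is full at time 6, so the intended model set has two histories that differ only in the unobservable initial face of the coin. Each hypothesis is evaluated on its own, which is the meta-level counterpart of composing one hypothetical theory at a time with $\pi(\Upsilon) \cup \Lambda$ through the union operator; `value_at` returns `None` during the toss, where the feature is occluded and no value holds.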
4.2 Soundness and Completeness

In our earlier work we show that using the above meta-representation for FLP-chronicles we obtain proof-theoretically exactly all the intended models (histories) computed by means of Sandewall's encapsulated semantics. In order to prove it, we propose an alternative fix-point semantics which is based on a so-called inertia immediate consequence operator. This operator is defined over a cpo of well-formed histories and produces as its fix-point exactly the same intended models captured operationally by Sandewall's encapsulated semantics. The following theorem provides a sound theoretical foundation for our meta-logical implementation of a proof-procedure for FLP.

Theorem 1. Let $\Upsilon = Law \cup Scd \cup Obs$ be an FLP-chronicle and $\pi(\Upsilon)$ be its meta-level representation; then

$$\exists R \in \Sigma_{\mathcal{K}\text{-ReA}}(\Upsilon) : R(f, t) = v$$
$$\iff \exists n < \omega : \Phi^n_{\tau(\pi(\Upsilon) \cup \Lambda)} \models_3 holds(f, v, t) \ \vee\ \exists hyp \in \pi(Hyp(\Upsilon)|_{Obs}) : \exists n < \omega : \Phi^n_{\tau(\pi(\Upsilon) \cup \Lambda \cup hyp)} \models_3 holds(f, v, t)$$
$$\iff \tau(\pi(\Upsilon) \cup \Lambda) \vdash_{SLDNF} holds(f, v, t) \ \vee\ \exists hyp \in \pi(Hyp(\Upsilon)|_{Obs}) : \tau(\pi(\Upsilon) \cup \Lambda \cup hyp) \vdash_{SLDNF} holds(f, v, t).$$

Proof. It is easy to check that our programs are allowed. Furthermore, the proof uses an intermediate result which is based on a fix-point semantics for FLP. This fix-point semantics has been shown to be equivalent to the encapsulated semantics and it is the model-theoretic counterpart of the above meta-logical semantics. More details about the fix-point semantics can be found in our earlier work.


5 Conclusions

In this paper we presented a meta-logical semantics for FLP-chronicles belonging to the class $\mathcal{K}$-ReA of scenario descriptions in Sandewall's F&F taxonomy. On the one hand, the meta-logical semantics provides the basis for an effective implementation of a proof-system for FLP. On the other hand, it leads to an integration of non-monotonic temporal reasoning and logic programming towards an effective knowledge representation language.

To be more precise, we were dealing only with ground scenarios (i.e. the $\mathcal{K}_g$-ReA class), where we do not allow the use of any global variable or of partially specified action instances where variables appear in the duration interval. However, we proposed an abductive semantics that solves scenarios with non-ground temporal components. Even if we did not provide completeness results, it seems reasonably adequate for treating this kind of problem. We have also implemented an abductive procedure starting from the well-known work of Eshghi and Kowalski and extended it with a restricted and "ad-hoc" tailored form of constructive negation. By combining it with constraint solving capabilities the system will abduce temporal constraints for the duration of a partially specified action instance. Preliminary results are available in our earlier reports. Further extensions will make use of more powerful implementation strategies, like for instance abductive constraint logic programming.

The meta-logical semantics can also be extended to cover the full $\mathcal{K}$ class and to deal with continuous changes (i.e. trajectories) in a way similar to that proposed in the literature. The hypothetical theories method applies also to this case. A first prototype of this system has been successfully implemented in SICStus PROLOG and makes use of a meta-interpreter for general logic program expressions.

Among possible future and related works we envision that reasoning about action and change, and FLP in particular, can be fruitfully applied to computational natural language semantics as an alternative approach to epistemic actions in the context of the View-Finder system for managing reasoning about agents' mutual beliefs. Moreover, we are also investigating the temporal modeling of multimedia applications and reasoning about properties of logical reactive systems. We consider the results obtained so far quite encouraging, and we think this method will provide a sound basis for future developments suitably dealing with these possible applications.
Abstract. We present a new approach to reasoning with specificity which subsumes inheritance reasoning. The new approach differs from
other approaches in the literature in the way priority between defaults is 
handled. Here, it is context sensitive rather than context independent as 
in other approaches. We show that any context independent handling of 
priorities between defaults as advocated in the literature until now is not 
sufficient to capture general defeasible inheritance reasoning. We propose 
a simple and novel argumentation semantics for reasoning with specificity 
taking the context-dependency of the priorities between defaults into ac- 
count. Since the proposed argumentation semantics is a form of stable 
semantics of nonmonotonic reasoning, it inherits a common problem of 
the latter where it is not always defined for every default theory. We 
identify the class of stratified default theories which is large enough to 
accommodate acyclic and consistent inheritance networks and for which 
the argumentation semantics is always defined. We also prove that the 
argumentation semantics satisfies the basic properties of a nonmonotonic 
consequence relation such as deduction, reduction, conditioning, and cu- 
mulativity for stratified default theories. 



1 Introduction 



Reasoning with specificity constitutes an inseparable part of default reasoning, as specificity is an important source for conflict resolution in human commonsense reasoning. In fact, the famous example of whether penguins fly because they are birds in default reasoning is an example of reasoning with specificity. Reasoning with specificity also constitutes a difficult problem which has been studied extensively in the literature.

Formally, a default theory $T$ could be defined as a pair $(E, K)$ where $E$ is a set of evidence or facts representing what we call the concrete context of $T$, and

* This work was carried out while the author was a student at the University of Texas at El Paso.

^ In this paper, we consider the graph based, off-path approach to inheritance reasoning.
$K = (D, B)$ constitutes the domain knowledge consisting of a set of default rules $D$ and a first order theory $B$ representing the background knowledge. In the literature the principle of reasoning with specificity is "enforced" by first determining a set of priority orders between defaults in $D$ using the information given by the domain knowledge $K$. Based on these priorities between defaults and following some sensible and intuitive criteria, the semantics of $T$ is then defined either model-theoretically, by selecting a subset of the set of all models of $E \cup B$ as the set of preferred models of $T$, or proof-theoretically, by selecting certain extensions as preferred extensions. The problem of these approaches is that their obtained semantics is rather weak: they do not capture general defeasible inheritance reasoning. There are many intuitive examples of reasoning with specificity (see below) that cannot be handled in these approaches. The reason is that the priorities between defaults are defined independently of the context.

Priority orders are strict partial orders^ between defaults in $D$. Let $PO_K$ be the set of all these priority orders. For each priority order $\alpha \in PO_K$, where $(d, d') \in \alpha$ means that $d$ is of lower priority than $d'$, a priority order $<_\alpha$ between the sets of defaults in $D$ is defined, where $S <_\alpha S'$ means that $S$ is preferred to $S'$. There are many ways to define $<_\alpha$. But whatever the definition of $<_\alpha$ is, $<_\alpha$ has to satisfy the following property.

Let $d, d'$ be two defaults in $D$ such that $(d, d') \in \alpha$. Then $\{d'\} <_\alpha \{d\}$.

$<_\alpha$ can be extended into a partial order between models of $E \cup B$ as follows:

$$M <_\alpha M' \iff D_M <_\alpha D_{M'}$$

where $D_M$ is the set of all defaults in $D$ which are satisfiable in $M$, whereas a default $p \to q$ is said to be satisfiable in $M$ iff the material implication $p \Rightarrow q$ is satisfiable in $M$.

A model $M$ of $E \cup B$ is defined as a preferred model of $T$ if there exists a partial order $\alpha$ in $PO_K$ such that $M$ is minimal with respect to $<_\alpha$. We then say that a formula $P$ is defeasibly derived from $T$ if $P$ holds in each preferred model of $T$.

In a previous paper we formally proved that any preferential semantics based on $<_\alpha$ cannot account in full for defeasible inheritance reasoning. We include below this proof for the self-containment of the paper.

Example 1. Let us consider the inheritance network representing the normative sentences: (i) "normally, students are not married", (ii) "normally, adults are married", and (iii) "normally, students are young adults", and the subclass relation "young adults are adults."

The inheritance network representing this information is drawn in the following picture^, where the links $s \not\to m$, $a \to m$, and $s \to y$ represent the sentences

^ Strict partial orders are transitive, irreflexive and antisymmetric relations.
^ Throughout the paper, solid lines and dotted lines represent strict rules and default rules, respectively.
(i), (ii), and (iii) respectively, and the strict link $y \Rightarrow a$ represents the subclass relation.

This defeasible inheritance network represents the domain knowledge $(B, D)$ with $B = \{y \Rightarrow a\}$ and $D = \{d_1 : a \to m,\ d_2 : s \to \neg m,\ d_3 : s \to y\}$.

Consider now the marital status of a young adult who is also a student. This problem is represented by the default theory $T = (E, B, D)$ with $E = \{s, y, a\}$. The desirable semantics here is represented by the model $M = \{s, y, a, \neg m\}$. To deliver this semantics, all priority-based approaches in the literature assign default 1 a lower priority than default 2.

Let us consider now the marital status of another student who is an adult but not a young one. Let $T' = (E', B, D)$ with $E' = \{s, \neg y, a\}$. Now, since $y$ does not hold, default 2 cannot be considered more specific than default 1. Hence, it is intuitive to expect that neither $m$ nor $\neg m$ should be concluded in this case. This is also the result sanctioned by all semantics of defeasible inheritance networks. In any priority-based system employing the same priorities between defaults with respect to $E'$ as with respect to $E$, we have $M = \{\neg m, s, \neg y, a\} <_\alpha M' = \{m, s, \neg y, a\}$ since $D_M = \{2\} <_\alpha D_{M'} = \{1\}$ (due to $(1, 2) \in \alpha$). That means priority-based approaches in the literature conclude $\neg m$ given $(E', K)$, which is not the intuitive result we expect.

To produce a correct semantics, 1 should have lower priority than 2 only in the context $\{s, y, a\}$ where the considered student is young (i.e. default 3 can be applied). In other words, the priority order under the context $\{s, \neg y, a\}$ is different from the priority order under the context $\{s, y, a\}$. In general, the example shows that specificity cannot be treated independently from the context in which it is defined. □

Argumentation has been recognized lately as an important and natural approach to nonmonotonic reasoning. It has been shown that many major nonmonotonic logics represent in fact different forms of a simple system of argumentation reasoning. Based on these results, a simple logic-based argumentation system has been developed which captures well-known nonmonotonic logics like autoepistemic logics, Reiter's default logic and logic programming as special cases. Argumentation has also been employed to give a proof procedure for conditional logics. An argumentation system for reasoning with specificity has been developed as well. Like the proposals based on context-independent priorities, this system is rather weak. It cannot deal with many intuitive examples and also fails to capture inheritance reasoning. It does not satisfy many basic properties of defeasible reasoning like cumulativity. But despite these shortcomings, such work suggests that argumentation offers a natural and intuitive framework for dealing with specificity. As we will show in this paper, argumentation indeed provides a simple and intuitive framework for reasoning with specificity.

In this paper, we extend our earlier approach to reasoning with specificity to allow more general propositional default theories, i.e., we consider default theories with non-empty background knowledge. In the process, we simplify the notion of the more specific relation. We propose a simple and novel argumentation semantics for reasoning with specificity taking the context-dependency of the priorities between defaults into account (Section 2). We then identify a large class of stratified default theories for which the argumentation semantics is always defined (Section 3). We prove that the argumentation semantics satisfies the basic properties of a nonmonotonic consequence relation such as deduction, reduction, conditioning, and cumulativity for stratified default theories (Section 3). We conclude with a discussion about reasoning with specificity in Section 4.

2 A General Framework

We assume a first order language $\mathcal{L}$ that is finite but large enough to contain all constants, function and predicate symbols of interest. The set of ground literals of $\mathcal{L}$ is denoted by $lit(\mathcal{L})$. Literals of $\mathcal{L}$ will be called hereafter simply literals (or $\mathcal{L}$-literals) for short. Following the literature, a default theory is defined as follows:

Definition 1. A default theory $T$ is a triple $(E, B, D)$ where

(i) $E$ is a set of ground literals representing the evidence of the theory;

(ii) $B$ is a set of ground clauses;

(iii) $D$ is a set of defaults of the form $l_1 \wedge \ldots \wedge l_k \to l_0$ where the $l_i$'s are ground literals; and

(iv) $E \cup B$ is a consistent first order theory.

Notice that in the above definition we use $\to$ to denote a default implication. The material implication is represented by the $\Rightarrow$ symbol. Intuitively, $a \to b$ means that "typically, if $a$ holds then $b$ holds", while $a \Rightarrow b$ means that "whenever $a$ holds then $b$ holds." It is worth noting that the default theories considered in our earlier work do not contain ground clauses, i.e., $B = \emptyset$.

For a default $d = l_1 \wedge \ldots \wedge l_n \to l_0$, we denote $l_1 \wedge \ldots \wedge l_n$ and $l_0$ by $bd(d)$ and $hd(d)$ respectively.

In the following, we often use clauses and defaults with variables as a shorthand for the sets of their ground instantiations.

Example 2. Consider the famous penguin and bird example:

[Figure: the penguin and bird inheritance network.]

We have that $B = \{p \Rightarrow b\}$ (penguins are birds) and $D$ consists of two defaults $p \to \neg f$ (normally, penguins do not fly) and $b \to f$ (normally, birds fly)^.

The question is to determine whether penguins fly. This problem is represented by the default theory $T = (E, B, D)$ where $E = \{p\}$. □

We next define the notion of defeasible derivation.

Definition 2. Let $T = (E, B, D)$ be a default theory and $l$ be a ground literal.

• A sequence of defaults $d_1, \ldots, d_n$ ($n \geq 0$) is said to be a defeasible derivation of $l$ if the following conditions are satisfied:

1. $n = 0$ and $E \cup B \vdash l$, where the relation $\vdash$ represents the first-order consequence relation, or

2. (a) $E \cup B \vdash bd(d_1)$; and

   (b) for $1 \leq i < n$: $E \cup B \cup \{hd(d_1), \ldots, hd(d_i)\} \vdash bd(d_{i+1})$; and

   (c) $E \cup B \cup \{hd(d_1), \ldots, hd(d_n)\} \vdash l$.

• We say $l$ is a possible consequence of $E$ with respect to $B$ and a set of defaults $K \subseteq D$, denoted by $E \cup B \vdash_K l$, if there exists a defeasible derivation $d_1, \ldots, d_n$ of $l$ such that for all $1 \leq i \leq n$, $d_i \in K$. □

For a set of literals $L$ we write $E \cup B \vdash_K L$ iff $\forall l \in L : E \cup B \vdash_K l$.

We write $E \cup B \vdash_K \bot$ iff there is an atom $a$ such that both $E \cup B \vdash_K a$ and $E \cup B \vdash_K \neg a$ hold.

For the default theory from Example 1 it is easy to check that $E \cup B \vdash_{\{s \to \neg m\}} \neg m$ and $E \cup B \vdash_{\{a \to m\}} m$. Hence $E \cup B \vdash_D \bot$.

A set of defaults $K$ is said to be consistent in $T$ iff $E \cup B \nvdash_K \bot$. $K$ is inconsistent if it is not consistent.

The “More Specific” Relation

We now define the notion of “more specific” between defaults, generalizing the specificity principle of Touretzky in inheritance reasoning. Consider for example the network from Example 1: it is clear that being a student is normally a specific case of being a young adult. Since being a young adult is always a specific case of being an adult, it follows that being a student is a specific case of being an adult if the respective individual is a young adult. This leads us to say that the default $s \to \neg m$ (students are normally not married) is more specific than the default $a \to m$ (adults are normally married) provided that the default $s \to y$ (students are normally young adults) can be applied. Similarly, in Example 2, since being a penguin is always a specific case of being a bird, we can conclude that the default $p \to \neg f$ (penguins don't fly) is always more specific than $b \to f$ (birds fly).

Footnote: On the other hand, we would have to change $p \Rightarrow b$ to $p \to b$ if we were to use the notion of default theories of earlier work.

Footnote: Throughout the paper, we use $\top$ and $\bot$ to denote True and False respectively.

Footnote: If there is no possibility for misunderstanding, we often simply say consistent instead of consistent in T.
Definition 3. Let $d_1, d_2$ be two defaults in D. We say that $d_1$ is more specific than $d_2$ with respect to a set of defaults $K \subseteq D$, denoted by $d_1 \prec_K d_2$, if

1. $B \cup \{hd(d_1), hd(d_2)\}$ is inconsistent;

2. $bd(d_1) \cup B \vdash_K bd(d_2)$; and

3. $bd(d_1) \cup B \nvdash_K \bot$.

In the above definition, condition 1 guarantees that a priority is defined between two defaults only if they are in conflict, condition 2 ensures that being $bd(d_1)$ is a special case of being $bd(d_2)$ provided that the defaults in K can be applied, and condition 3 guarantees that K is a sensible set of defaults. We could say that this is a generalization of Touretzky's specificity principle to general propositional default theories. In previous work, the more specific relation is defined based on the notion of minimal conflict set, which in turn is defined based on the notion of defeasible derivation. As can be seen, the above definition is much simpler than the one proposed there. Besides, it allows us to deal with default theories with nonempty background knowledge.

If $K = \emptyset$ we say that $d_1$ is strictly more specific than $d_2$ and write $d_1 \prec d_2$ instead of $d_1 \prec_\emptyset d_2$.

Example 3. In Example 1, $d_2 \prec_{\{d_3\}} d_1$ holds, i.e. $d_2$ is more specific than $d_1$ if $d_3$ is applied. In the context $E = \{s, y, a\}$, $d_3$ can be applied, and hence $d_2$ is more specific than $d_1$ in the context E. But in the context $E' = \{s, \neg y, a\}$, $d_3$ cannot be applied, and hence, $d_2$ is not more specific than $d_1$ in $E'$.

In Example 2 it is obvious that $d_2 \prec d_1$, i.e. $d_2$ is always more specific than $d_1$. □

We note that in general the more specific relation is not a strict partial order. For example, in the theory $(\emptyset, \emptyset, \{d_1 : p \to b, d_2 : p \to \neg b\})$, we have that $d_1 \prec d_2$ and $d_2 \prec d_1$. Furthermore, it is not always transitive. In the default theory $(\emptyset, \{p \Rightarrow y, y \Rightarrow r\}, \{d_1 : p \to b, d_2 : y \to \neg b, d_3 : r \to b\})$, we have that $d_1 \prec d_2$ and $d_2 \prec d_3$ but $d_1 \not\prec d_3$.

Stable Semantics of Default Reasoning with Specificity

The semantics of a default theory is defined by determining which defaults can be applied to draw new conclusions from the evidences. For example, the semantics of the network in Example 1 is defined by determining that the defaults which could be applied are $d_2$ and $d_3$.

In the following, we will see that an argumentation-theoretic notion of attack between a set of defaults K and a default d lies at the heart of the semantics of reasoning with specificity.

Suppose that $K \subseteq D$ is a set of defaults we can apply. Further let d be a default such that $E \cup B \vdash_K \neg hd(d)$. It is obvious that d should not be applied together with K. In this case, we say that K attacks d by conflict.

For illustration of attack by conflict, consider the default theory T in Example 1. Let $K = \{d_3, d_2\}$. Since $E \cup B \vdash_K \neg m$, K attacks $d_1$ by conflict. Similarly, $K' = \{d_3, d_1\}$ attacks $d_2$ by conflict because $E \cup B \vdash_{K'} m$.

The other case where d should not be applied together with K is where it is less specific than some default with respect to K. Formally, this means that if there exists $d' \in D$ such that $d' \prec_K d$ and $E \cup B \vdash_K bd(d')$ then d should not be applied together with the defaults in K. In this case we say that K attacks d by specificity.

For illustration of attack by specificity, consider again the default theory T in Example 1. Let $K = \{d_3\}$. Because $d_2 \prec_{\{d_3\}} d_1$ and $E \cup B \vdash_{\{d_3\}} bd(d_2)$, K attacks $d_1$ by specificity.

The following definition summarizes what we have just discussed:

Definition 4. Let $T = (E, B, D)$ be a default theory. A set of defaults K is said to attack a default d in T if the following conditions are satisfied:

1. (Attack by Conflict) $E \cup B \vdash_K \neg hd(d)$; or

2. (Attack by Specificity) There exists $d' \in D$ such that $d' \prec_K d$ and $E \cup B \vdash_K bd(d')$.

Note that there is a distinct difference between attack by conflict and inconsistency. It is possible that though K is consistent and $K \cup \{d\}$ is inconsistent, K does not attack d by conflict. It is also possible that K attacks some default d by conflict though $K \cup \{d\}$ is consistent. The “Nixon diamond” example illustrates these points.



[Figure: the Nixon diamond network with nodes a, b, c and d.]

Let $E = \{a\}$, $B = \emptyset$, and $D = \{d_1 : c \to d, d_2 : b \to \neg d, d_3 : a \to c, d_4 : a \to b\}$. Though $K = \{d_1, d_2, d_4\}$ is consistent and $K \cup \{d_3\}$ is inconsistent, K does not attack $d_3$ by conflict. Further, though $K' = \{d_2, d_4\}$ attacks $d_1$ by conflict, $K' \cup \{d_1\}$ is consistent.

It is obvious that if K attacks d then every superset of K attacks d. K is said to attack some set $H \subseteq D$ if K attacks some default in H. K is said to attack itself if K attacks K.

Now we can give a precise definition of what constitutes the semantics of a 
default theory with specificity. 

Definition 5. Let $T = (E, B, D)$ be a default theory. A set of defaults S is called an extension of T if S does not attack itself and attacks every default not belonging to it.

Footnote: If there is no possibility for misunderstanding then T is often not mentioned.
Definition 6. Let $T = (E, B, D)$ be a default theory. Let l be a ground literal. We say T entails l, denoted by $T \mathrel{|\!\sim} l$, if for every extension S of T, $E \cup B \vdash_S l$.

Because the defeasible consequence relation $\vdash_K$ subsumes the first order consequence relation (Definition 2), it is obvious that an inconsistent set of defaults attacks every default. Therefore it is clear that an extension is always consistent.



Example 4. Consider the theory in Example 2. We have that $d_2 \prec d_1$, i.e., $d_2$ is strictly more specific than $d_1$. This can be used to prove that $\{d_2\}$ is the unique extension of T. Therefore $T \mathrel{|\!\sim} \neg f$. □

Example 5. 1. Consider the theory T in Example 1. Let $H = \{d_3, d_2\}$. Because $\{s, y, a\} \cup B \vdash_H \neg m$, H attacks $d_1$ by conflict. Furthermore, since $\{s, y, a\} \cup B \nvdash_H m$ and $\{s, y, a\} \cup B \nvdash_H \neg y$, H does not attack itself by conflict. Because there is no default which is more specific than $d_2$ or $d_3$ with respect to H, H does not attack itself by specificity. Hence H does not attack itself and attacks every default not belonging to it. Therefore H is an extension of T. Let $K = \{d_1, d_3\}$. Because $d_2 \prec_K d_1$ and $\{s, y, a\} \cup B \vdash_K bd(d_2)$, K attacks $d_1$ by specificity. Hence K is not an extension of T. It should be obvious now that H is the only extension of T. Hence, $T \mathrel{|\!\sim} \neg m$.

2. Consider the theory $T'$ in Example 1. Let $H = \{d_2\}$ and $K = \{d_1\}$. Since $\{s, \neg y, a\} \vdash_H \neg m$ and $\{s, \neg y, a\} \vdash_K m$, and $\{s, \neg y, a\} \vdash_\emptyset \neg y$, H attacks $d_1, d_3$ by conflict while K attacks $d_2, d_3$ by conflict. Due to the fact that $d_3$ cannot be applied, there are no defaults $d, d'$ such that $d \prec_H d'$ or $d \prec_K d'$. Hence both H and K do not attack themselves. Thus, both H and K are extensions of $T'$, and so, $T' \not\mathrel{|\!\sim} \neg m$ and $T' \not\mathrel{|\!\sim} m$. □

Definition 5 of an extension of a default theory corresponds to the stable semantics of argumentation, which was introduced and further studied in the argumentation literature. There are also a number of other semantics for argumentation which could be applied to reasoning with specificity. But in this paper we will limit ourselves to the stable semantics.



Existence of Extensions 

A well-known problem of stable semantics in nonmonotonic reasoning is that it is not always defined. As our semantics is a form of stable semantics of argumentation, it is expected that the same problem will be encountered in our framework. The following example, taken from the literature, confirms our expectation.

Example 6. Consider $T = (E, \emptyset, D)$ with $E = \{a, b, c\}$ and D consisting of the following defaults:

$d_1 : a \wedge q \to \neg p$, $d_2 : a \to p$
$d_3 : b \wedge r \to \neg q$, $d_4 : b \to q$
$d_5 : c \wedge p \to \neg r$, $d_6 : c \to r$

It is easy to see that for each $K \subseteq D$, there is no $d \in D$ such that $d \prec_K d_1$ or $d \prec_K d_3$ or $d \prec_K d_5$.

We will prove that T does not have an extension. 

Assume the contrary that T has an extension S. We want to prove that $d_1 \notin S$. Assume the contrary that $d_1 \in S$. Since $E \vdash_{\{d_2\}} p$ and S does not attack itself, we conclude that $d_2 \notin S$. This implies that S attacks $d_2$. There are two cases:

1. S attacks $d_2$ by conflict. This means that $E \vdash_S \neg p$, which implies that $E \vdash_S q$.

2. S attacks $d_2$ by specificity. Since the only default in D that is more specific than $d_2$ is $d_1$, S attacking $d_2$ by specificity implies that $E \vdash_S bd(d_1)$. Thus $E \vdash_S q$.

It follows from the above two cases that $E \vdash_S q$. Therefore S contains $d_4$. Now, consider the two defaults $d_5$ and $d_6$. Since $d_2 \notin S$, $E \nvdash_S bd(d_5)$. Therefore S does not attack $d_6$ by specificity. Further, $E \nvdash_S bd(d_5)$ implies that $E \nvdash_S \neg r$. So, S does not attack $d_6$ by conflict either. Again, because S is an extension, we have that $d_6 \in S$. However, $E \vdash_{\{d_6\}} bd(d_3)$, which implies that S attacks $d_4$ by specificity, i.e., S attacks itself. This contradicts the assumption that S is an extension of T. Thus the assumption that $d_1 \in S$ leads to a contradiction. Therefore $d_1 \notin S$.

Similarly, we can prove that $d_3 \notin S$ and $d_5 \notin S$. Since S is a stable extension of T, S attacks $d_1$. This implies that S must attack $d_1$ by conflict because there is no default in D which is more specific than $d_1$. Thus $d_2 \in S$. Similar arguments lead to $d_4 \in S$ and $d_6 \in S$, i.e., $S = \{d_2, d_4, d_6\}$. However, S attacks $d_2$ by specificity because $d_1 \prec d_2$ and $E \cup B \vdash_S bd(d_1)$. This means that S attacks itself, which contradicts the assumption that S is a stable extension of T. Thus the assumption that there exists an extension leads to a contradiction. Therefore, we can conclude that there exists no extension of T. □
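As an added worked example (my own code, not the paper's or its authors'), the following Python program implements Definitions 2 to 6 for the propositional case by brute force and reproduces the results stated in this section: the unique extension $\{d_2\}$ of the penguin theory (Example 2), the two extensions and the attack-versus-inconsistency observations of the Nixon diamond, and the absence of any extension for Example 6. The encoding ('-' for negation, frozensets for clauses, (name, body, head) tuples for defaults) and the forward-chaining fixpoint used to compute defeasible consequences are my own choices, not the paper's.

```python
"""Stable extensions of a propositional default theory T = (E, B, D).

Added example, not the paper's code: a brute-force implementation of
Definitions 2-6.  Encoding (my own): a literal is a string and '-' prefixes
negation; a clause of B is a frozenset of literals; a default is a
(name, body, head) tuple whose body is a tuple of literals; E is a tuple.
"""
from itertools import combinations


def neg(lit):
    """Complement of a literal: 'p' <-> '-p'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def satisfiable(clauses):
    """Tiny DPLL: prefer a unit clause, otherwise branch on the first literal."""
    clauses = [frozenset(c) for c in clauses]
    if not clauses:
        return True
    if any(not c for c in clauses):
        return False  # an empty clause means refutation
    unit = next((c for c in clauses if len(c) == 1), None)
    lit = next(iter(unit)) if unit is not None else next(iter(clauses[0]))
    for choice in ((lit,) if unit is not None else (lit, neg(lit))):
        reduced = [c - {neg(choice)} for c in clauses if choice not in c]
        if satisfiable(reduced):
            return True
    return False


def entails(facts, B, goal):
    """Classical consequence facts + B |- goal; goal None stands for bottom."""
    clauses = [frozenset([f]) for f in facts] + list(B)
    if goal is not None:
        clauses.append(frozenset([neg(goal)]))
    return not satisfiable(clauses)


def possible_consequences(facts, B, K):
    """facts plus the heads of all defaults of K that have a defeasible
    derivation (Definition 2), as a forward-chaining fixpoint.  This is
    sound because |- is monotone: any derivation embeds in the fixpoint."""
    applied = []
    changed = True
    while changed:
        changed = False
        for d in K:
            known = list(facts) + [hd for _, _, hd in applied]
            if d not in applied and all(entails(known, B, l) for l in d[1]):
                applied.append(d)
                changed = True
    return list(facts) + [hd for _, _, hd in applied]


def derives(facts, B, K, goal):
    """facts + B |-_K goal; with goal None this is |-_K bottom."""
    return entails(possible_consequences(facts, B, K), B, goal)


def more_specific(d1, d2, B, K):
    """d1 <_K d2 (Definition 3): clashing heads, bd(d1) |-_K bd(d2), consistency."""
    clash = not satisfiable(list(B) + [frozenset([d1[2]]), frozenset([d2[2]])])
    return (clash and all(derives(d1[1], B, K, l) for l in d2[1])
            and not derives(d1[1], B, K, None))


def attacks(K, d, T):
    """K attacks d (Definition 4): by conflict, or by specificity."""
    E, B, D = T
    if derives(E, B, K, neg(d[2])):
        return True
    return any(more_specific(d2, d, B, K) and all(derives(E, B, K, l) for l in d2[1])
               for d2 in D)


def extensions(T):
    """All extensions of T (Definition 5), checking every subset of D."""
    E, B, D = T
    return [S for n in range(len(D) + 1) for S in combinations(D, n)
            if not any(attacks(S, d, T) for d in S)
            and all(attacks(S, d, T) for d in D if d not in S)]


def entailed(T, lit):
    """T |~ lit (Definition 6).  Vacuously true when T has no extension,
    which is exactly the weakness Example 6 exposes."""
    return all(derives(T[0], T[1], S, lit) for S in extensions(T))


def names(exts):
    """Readable form of a list of extensions: tuples of default names."""
    return [tuple(d[0] for d in S) for S in exts]


# Constructed inputs, transcribed from the section's own examples.
# Example 2: E = {p}, B = {p => b}, d1: b -> f, d2: p -> -f.
PENGUIN = (("p",), [frozenset(["-p", "b"])],
           [("d1", ("b",), "f"), ("d2", ("p",), "-f")])
# Nixon diamond: E = {a}, B empty, d1: c -> d, d2: b -> -d, d3: a -> c, d4: a -> b.
NIXON = (("a",), [], [("d1", ("c",), "d"), ("d2", ("b",), "-d"),
                     ("d3", ("a",), "c"), ("d4", ("a",), "b")])
# Example 6: E = {a, b, c}, B empty; the paper proves it has no extension.
EXAMPLE6 = (("a", "b", "c"), [],
            [("d1", ("a", "q"), "-p"), ("d2", ("a",), "p"),
             ("d3", ("b", "r"), "-q"), ("d4", ("b",), "q"),
             ("d5", ("c", "p"), "-r"), ("d6", ("c",), "r")])
```

Calling `names(extensions(PENGUIN))`, `names(extensions(NIXON))` and `extensions(EXAMPLE6)` yields `[('d2',)]`, the two Nixon extensions `('d1','d3','d4')` and `('d2','d3','d4')`, and the empty list respectively.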

In the next section we will introduce the class of stratified default theories for 
which extensions always exist. 



3 Stratified Default Theories 

The definition of stratified default theories is based on the notion of a rank function, which is a mapping from the set of ground literals $lit(\mathcal{L}) \cup \{\top, \bot\}$ to the set of nonnegative integers.

Definition 7. A default theory $T = (E, B, D)$ over $\mathcal{L}$ is stratified if there exists a rank function of T, denoted by rank, satisfying the following conditions:

(i) $rank(\top) = rank(\bot) = 0$;

(ii) for each ground atom l, $rank(l) = rank(\neg l)$;

(iii) for all literals l and $l'$ occurring in a clause in B, $rank(l) = rank(l')$;

(iv) for each default $l_1, \dots, l_m \to l$ in D, $rank(l_i) < rank(l)$, $i = 1, \dots, m$;
It is not difficult to see that the default theories in the two inheritance examples above are stratified. We prove that

Theorem 1. Every stratified default theory has at least one extension. □

Notice that stratification does not imply uniqueness of extensions. For example, the default theory $(\{a\}, \emptyset, \{d_1 : c \to d, d_2 : b \to \neg d, d_3 : a \to c, d_4 : a \to b\})$ is stratified and has two extensions $\{d_3, d_4, d_1\}$ and $\{d_3, d_4, d_2\}$.



3.1 General Properties of $\mathrel{|\!\sim}$

There is a large body of work in the literature on what properties characterize a defeasible consequence relation like $\mathrel{|\!\sim}$. In general, it is agreed that such a relation should extend the monotonic logical consequence relation. Further, since the intuition of a default rule d is that $bd(d)$ normally implies $hd(d)$, we expect that in the context $E = \{bd(d)\}$, $T \mathrel{|\!\sim} hd(d)$ holds. Another important property of defeasible consequence relations is related to the adding of proved conclusions to a theory. Intuitively, this means that if $T \mathrel{|\!\sim} a$ then we expect T and $T + a$ to have the same set of conclusions. Formally, the discussed key properties are given below:

— Deduction: $T \mathrel{|\!\sim} l$ if $E \cup B \vdash l$;

— Conditioning: If $E = \{bd(d)\}$ for $d \in D$, then $T \mathrel{|\!\sim} hd(d)$;

— Reduction: If $T \mathrel{|\!\sim} a$ and $T + a \mathrel{|\!\sim} b$ then $T \mathrel{|\!\sim} b$;

— Cumulativity: If $T \mathrel{|\!\sim} a$ and $T \mathrel{|\!\sim} b$ then $T + a \mathrel{|\!\sim} b$.

In the next two theorems, we show that $\mathrel{|\!\sim}$ satisfies deduction and reduction:

Theorem 2 (Deduction). Let $T = (E, B, D)$ be an arbitrary default theory. Then, for every $l \in lit(\mathcal{L})$, $E \cup B \vdash l$ implies $T \mathrel{|\!\sim} l$. □

Theorem 3 (Reduction). Let $T = (E, B, D)$ be an arbitrary default theory and $a, b \in lit(\mathcal{L})$ such that $T \mathrel{|\!\sim} a$ and $T + a \mathrel{|\!\sim} b$. Then, $T \mathrel{|\!\sim} b$. □

In general $\mathrel{|\!\sim}$ does not satisfy cumulativity as the following example shows.

Example 7. Consider the default theory $T = (E, B, D)$

[Figure: network with nodes f, a and c.]

where $E = \{f\}$, $B = \emptyset$, $D = \{d_1 : f \to a, d_2 : a \to c, d_3 : c \to \neg a\}$. Because the only instance of the more-specific relation is $d_1 \prec_{\{d_1, d_2\}} d_3$, T has a unique extension $\{d_1, d_2\}$. Hence, $T \mathrel{|\!\sim} a$ and $T \mathrel{|\!\sim} c$.

Now consider $T + c$. $T + c$ has two extensions: $\{d_1, d_2\}$ and $\{d_2, d_3\}$. Thus, $T + c \not\mathrel{|\!\sim} a$. This implies that $\mathrel{|\!\sim}$ is not cumulative.

Footnote: $T + a$ denotes the default theory $(E \cup \{a\}, B, D)$.

The next theorem proves that stratification is sufficient for cumulativity. 

Theorem 4 (Cumulativity). Let $T = (E, B, D)$ be a stratified default theory and a, b be literals such that $T \mathrel{|\!\sim} a$ and $T \mathrel{|\!\sim} b$. Then $T + a \mathrel{|\!\sim} b$. □

Because stratification does not rule out the coexistence of defaults like $a \to \neg c$, $a \to c$, conditioning does not hold for stratified theories as the next example shows.

Example 8. Let $T = (\{a\}, \emptyset, \{d_1 : a \to \neg c, d_2 : a \to c\})$. It is obvious that T is stratified. Because $d_1 \prec d_2$ and $d_2 \prec d_1$, both $d_1, d_2$ are attacked by specificity by the empty set of defaults. Thus the only extension of T is the empty set. Hence, $T \not\mathrel{|\!\sim} \neg c$ and $T \not\mathrel{|\!\sim} c$. That means that conditioning is not satisfied.

The coexistence of defaults like $a \to \neg c$, $a \to c$ means that a is normally c and normally not c at the same time, which is obviously not sensible. Hence it should not be a surprise that conditioning is not satisfied in such cases. The conditioning property would hold for a default d if, in the context of $bd(d)$, d is the most specific default. The following definition formalizes this intuition. For simplicity, we often write $d \prec d'$ if $d \prec_K d'$ for some K, and we also use the transitive closure of $\prec$.

Definition 8. A default theory $T = (E, B, D)$ is said to be conditioning-sensible if for every default d the following conditions are satisfied:

(i) d does not precede itself in the transitive closure of $\prec$;

(ii) For every set $K \subseteq D$ such that $bd(d) \cup B \vdash_{K \cup \{d\}} \bot$ and $bd(d) \cup B \nvdash_K \bot$, there exists $d' \in K$ such that $d \prec_K d'$.

Theorem 5. Let $T = (E, B, D)$ be a conditioning-sensible default theory, d be a default in D, and $E = bd(d)$. Then $T \mathrel{|\!\sim} hd(d)$. □

It is interesting to note that conditioning-sensibility and stratification are two independent concepts. Default theories like the one in Example 7 are conditioning-sensible but not stratified while default theories like that in Example 8 are stratified but not conditioning-sensible. Further, while Example 8 shows that stratification does not imply conditioning, Example 7 shows that conditioning-sensibility does not imply cumulativity.

In the full version of this paper, we prove that our approach captures off-path inheritance reasoning by transforming each acyclic and consistent inheritance network $\Gamma$ into a default theory $T_\Gamma$ and show that the conclusions sanctioned by the (off-path) credulous semantics of $\Gamma$ are also the conclusions of $\mathrel{|\!\sim}$ with respect to $T_\Gamma$. Furthermore, we prove that $T_\Gamma$ is a stratified default theory. Thus, inheritance entailment based on credulous semantics also satisfies the core properties of a defeasible entailment relation.
4 Discussion and Conclusion

Reiter and Criscuolo are among the first to discuss the importance of specificity (or default interaction, in their terminology) in default reasoning. They discussed various situations in which the interaction between defaults of a normal default theory can be compiled into the original theory to create a new default theory whose semantics yields the intuitive results. It has been recognized relatively early that priorities between defaults can help in dealing with specificity. In prioritized circumscription, first defined by McCarthy, a priority order between predicates is added into each circumscription theory. Lifschitz later proved that prioritized circumscription is a special case of parallel circumscription. A similar approach has been taken by Konolige in using autoepistemic logic to reason with specificity. He defined hierarchical autoepistemic theories in which a preference order between sub-theories and a syntactical condition on the sub-theories ensure that higher priority conclusions will be concluded. Brewka, in defining prioritized default logic, also adds a preference order between defaults into a Reiter default theory and modifies the semantics of default logic in such a way that guarantees that a default of higher priority is preferred. Baader and Hollunder develop prioritized default logic to handle specificity in terminological systems. All of the approaches mentioned above assume that priorities between defaults are given by the users.

Computing specificity is another important issue in approaches to reasoning with specificity. Work by Poole is an early attempt to extract the preference between defaults from the theory. Poole defines a notion of “more specific” between pairs consisting of a conclusion and an argument supporting this conclusion. Moinard pointed out that Poole's definition yields unnecessary priority; for example, it can arise even in consistent default theories. Simari and Loui noted that Poole's definition does not take into consideration the interaction between arguments. To overcome this problem they combined Poole's approach and Pollock's theory to define an approach that unifies various approaches to argument-based defeasible reasoning. We have discussed the shortcoming of Simari and Loui's system in the introduction.

Touretzky's specificity principle in inheritance reasoning is a major step in reasoning with specificity. Although this principle is generally accepted, different intuitions on “what does more specific mean?” lead to numerous approaches to reasoning with specificity. More interestingly, some seem to contradict the others. Detailed discussions about this problem in inheritance reasoning can be found in Touretzky et al. Moinard showed that Touretzky's approach does not work well for general default theories. He proposed several principles for determining a preference relation based on specificity in default logic but does not discuss how this preference would change the semantics of a default theory. Furthermore, like Poole, he does not take into consideration the interaction between arguments either.

Conditional entailment of Geffner and Pearl bridges the extensional and conditional approaches to default reasoning and is the first approach to reasoning with specificity which satisfies the basic properties of a nonmonotonic consequence relation. Because the priority order between assumptions in conditional entailment is context-independent, conditional entailment, however, is too weak (as also noted by Geffner and Pearl) to capture inheritance reasoning. Pearl also discussed how a preference relation between defaults can be established. In System Z, Pearl uses a consistency check to determine the order of a default. The lower the order of a default is, the higher is its priority. As in Poole's approach, sometimes System Z introduces unwanted priorities.

The idea of compiling specificities into a general nonmonotonic framework is also used in earlier work and in this work. Delgrande and Schaub compiled the preference order between defaults (defined using an order similar to a Z-order) into the original theory and created a Reiter default theory whose semantics defines the semantics of the original theory. The compilation of the preference order, however, does not take the context into consideration. As a consequence their approach cannot capture inheritance reasoning. In our approach, the compilation of the more specific relation into the original theory is done in such a way that the context will affect the decision process determining which default can be applied.

Our approach to specificity in this paper is a continuation of our own earlier work. It could be viewed as a kind of hybrid between the above approaches. For an intuitive semantical foundation of reasoning with specificity, we develop a general framework, but for implementation, we translate our framework into Reiter's default logic. Wang, You and Yang have applied our idea to give a semantics for possibly cyclic inheritance networks.

Even though our work is not directly related to the recent works on prioritized default theories or on adding priority into extended logic programming, we believe that there is a mutual benefit between the research done in these works and ours. For example, the more specific relation defined here can be used to specify the priorities between defaults or the preference relation in those frameworks. Thus, these two approaches can be extended to realize two different modes of reasoning: one with explicit priority ordering and the other with implicit priority ordering. On the other hand, the programs developed there can be extended to compute the more specific relation and hence allow a fully automatic translation from a default theory $T = (E, B, D)$ into its corresponding Reiter default theory $R_T$. Earlier results also show that this can be done in polynomial time for defeasible inheritance networks.

Our work also shows that inheritance networks can be modularly translated into an equivalent general nonmonotonic formalism such as Reiter's default theory. We want to note that there are other works on formulating inheritance networks using general nonmonotonic formalisms. To the best of our knowledge, our work is the first general propositional approach to default reasoning with specificity which is capable of capturing inheritance reasoning in full.
Abstract. We propose a new logic-based planning language, called K. Transitions between states of knowledge can be described in K, and the language is well suited for planning under incomplete knowledge. Nonetheless, K also supports the representation of transitions between states of the world (i.e., states of complete knowledge) as a special case, proving to be very flexible. A planning system supporting K is implemented on top of the disjunctive logic programming system DLV. This novel system allows for solving hard planning problems, including secure planning under incomplete initial states, which cannot be solved at all by other logic-based planning systems such as traditional satisfiability planners.



1 Introduction 

The need for modeling the behavior of robots in a formal way led to the definition of 
logic-based languages for reasoning about actions and action planning, such as [24, 8], 
[15, 10,34, 11, 19, 12, 14]. These languages allow us to specify planning problems of 
the form “find a sequence of actions that leads from a given initial state to a given goal 
state.” 

A state is characterized by the truth values of a number of fluents, describing rele- 
vant properties of the domain of discourse. An action is applicable only if some precon- 
dition (formula over the fluents) is true in the current state, and its execution changes the 
current state by modifying the truth values of some fluents. Most of these languages are 
based on extensions of classical logics and describe transitions among possible states of 
the world (where every fluent must necessarily be either true or false). However, robots 
usually don’t have a complete view of the world. Even if their knowledge is incomplete 
(a number of fluents may be unknown, e.g., whether a door in front of the robot is open), 
they must take decisions, execute actions, and reason on the basis of their (incomplete) 
information at hand. For example, if it is not known whether a door is open, the robot 
might do a sensing action, or decide to push back. 

In this paper, we propose a new language, K, for planning under incomplete knowledge. We name it K to emphasize that it describes transitions among states of knowledge rather than among states of the world. Nonetheless, the language is very flexible, and is capable of modeling transitions among states of the world (i.e., states of complete knowledge) and reasoning about them as a particular case (see below). Compared to similar planning languages, K is closer in spirit to answer set semantics [7] than to classical logics. It allows the use of default negation, exploiting the power of answer sets to deal with incomplete knowledge. We have implemented K on top of the dlv system [4, 5], and provide a powerful planning system (available on the web), which is ready-to-use for experiments.



[Figure: two block configurations, labelled initial and goal.]

Fig. 1. A blocks world example.



Overview of K

The main features of the language K (formally defined in Section 2) and our planning system are briefly summarized as follows. We occasionally refer to well-known planning problems in the blocks world, which require turning one configuration of blocks into another (see Figure 1).

Type Declarations. They specify the ranges of the arguments of fluents and actions. For instance,

move(B,L) requires block(B), location(L).

specifies the types for the arguments of action move. The literals after “requires” (block(B), location(L)) must be positive literals of the static background knowledge, given by a normal (or-free) stratified logic program.

Causation Rules. A (causation) rule, which is the main construct of K, is syntactically similar to a rule of the language C [11, 19, 18] and has the form:

caused f if B after A.

Intuitively, the above rule says: if B is known to be true in the current state and A is known to be true in the previous state, then f is known to be true in the current state as well. Both the if part and the after part are allowed to be empty (which means that they are true).

Default Negation. not can appear in the bodies of the rules. It allows for natural modeling of inertial properties, default properties, and dealing with incomplete knowledge in general, like in logic programming with answer set semantics. Strong negation (“¬”, written in programs as -) is allowed as well. Several shortcuts are defined for K, e.g.
inertial on(X,Y).

informally states that on(X,Y) holds at the current state if on(X,Y) held at the previous state unless -on(X,Y) is explicitly known to hold. Furthermore,

default -on(X,Y).

states that -on(X,Y) is assumed, unless on(X,Y) is known to hold (as it has been explicitly entailed by some causation rule).

Executability of Actions. This can be expressed in a direct way: For instance,

executable move(X,Y) if not occupied(X), not occupied(Y), X ≠ Y.

states that (block) X can be moved on (location) Y if both X and Y are clear and X ≠ Y.
Multiple executable statements for the same action are allowed. A statement with empty 
body 



executable move(X,Y).

says that move is always executable, provided that the type restrictions on X and Y are respected (and no inconsistency arises from the execution). Execution of an action A under condition B is forbidden by

nonexecutable A if B.

In case of conflicts, nonexecutable A overrides executable A.

Initial State Constraints. In general, a rule expresses a state constraint that must be fulfilled in all states. An initial state constraint (which is preceded by the keyword initially:) must be satisfied only in the initial state. For example,

initially: caused false if block(B), not supported(B).

enforces the fluent supported to be true on every block at the initial state; the con- 
straint is irrelevant for all subsequent states. Initial state constraints may profitably re- 
duce computation effort: If we are guaranteed that the actions preserve a property, say 
P, then it is sufficient to check the validity of P only on the initial state for ensuring it 
holds in any state. 

Parallel Execution of Actions. Simultaneous execution of a number of actions is allowed in K. This can be prohibited by the statement

noConcurrency.

which enforces the execution of at most one action at a time.

Handling of Complete and Incomplete Knowledge. The language also allows one to represent transitions between possible states of the world (which can be seen as states of complete knowledge). First of all, we can easily check that the knowledge on a fluent, say f, is complete, using a rule

caused false if not f, not -f. 

Moreover, we can “totalize” the knowledge of a fluent by declaring

total f.

which means that, unless a truth value for f can be derived, the cases where f resp. -f is true will both be considered.

Goals and Plans. A goal is a conjunction of ground literals, and a plan for a goal is a sequence of (in general, sets of) actions whose execution leads from an initial state to a state where all literals in the goal are true. In K, the goal is followed by a question mark and by the number of allowed steps in a plan. For instance,

on(c,b), on(b,a) ? (3)

asks to find a plan of length 3 for the goal of Figure 1.

Secure Plans. A key feature of K is the command

securePlan.

by which we ask the system to compute only secure plans (a secure plan is often called conformant in the literature). Informally, a plan is secure if it is applicable starting at any legal initial state, and enforces the goal regardless of how the state evolves. Using this feature, we can also model possible-worlds planning with an incomplete initial state, where the initial world is known only partially, and we look for a plan reaching the desired goal from every possible world according to the initial state.

Contribution of the Work 

The main contributions of the paper are the following: 

- We introduce the planning language K and provide a declarative model theoretic semantics for it.

- We illustrate the knowledge modeling features of the language by encoding some classical planning problems in K.

- We analyze the computational complexity of language K in the propositional case. Deciding the existence of an optimistic plan achieving the goal in a fixed number of steps is NP-complete. If the plan should be secure, the problem is obviously harder, because it allows us to encode also planning under incomplete initial states as in [1]. The problem is then $\Sigma_2^P$-complete in general, but only mildly harder than NP if concurrent actions are not allowed. On the other hand, deciding existence of a secure plan of variable (arbitrary) length is NEXPTIME-complete, and thus not polynomially reducible to planning in STRIPS-like systems [6], which are PSPACE-complete [2].
An implementation of K exists as a frontend to the DLV system [4]. This frontend applies a K evaluator on top of the DLV system, using an efficient translation from K to disjunctive logic programming.

DLV (including the K frontend) can be freely retrieved from http://www.dbai.tuwien.ac.at/proj/dlv/.

To the best of our knowledge, this is the first declarative LP-based planning system which allows to solve $\Sigma_2^P$-hard planning problems, like planning under incomplete initial states.

For space limitations, we omit some technical material here. Further details can be obtained from the web page mentioned above.



2 Language K

2.1 Syntax

Actions, Fluents, and Types. Let $\sigma^{act}$, $\sigma^{fl}$ and $\sigma^{typ}$ be disjoint sets of action, fluent and type names, respectively. These names are effectively predicate symbols with associated arity ($\geq 0$). Here, $\sigma^{act} \cup \sigma^{fl}$ are used to describe dynamic knowledge, whereas $\sigma^{typ}$ is used to describe static background knowledge.

Furthermore, let $\sigma^{con}$ and $\sigma^{var}$ be the disjoint sets of constant and variable symbols, respectively.(1)

Given $p \in \sigma^{act}$ (resp. $\sigma^{fl}$, $\sigma^{typ}$), an action (resp. fluent, type) atom is defined as $p(t_1, \ldots, t_n)$, where $n$ is the arity of $p$ and $t_1, \ldots, t_n \in \sigma^{con} \cup \sigma^{var}$. An action (resp. fluent, type) literal is an action (resp. fluent, type) atom, which is possibly preceded by the true negation symbol $\neg$. A literal (or any other syntactic object) is ground if it does not contain variables.

For any literal $l$, let $\neg.l$ denote its complement, i.e. $\neg a$ if $l$ is an atom $a$, and $a$ if $l = \neg a$. Similarly, for a set $L$ of literals, $\neg.L = \{\neg.l \mid l \in L\}$. A set $L$ of literals is consistent if $L \cap \neg.L = \emptyset$. Furthermore, $L^+$ (resp., $L^-$) denotes the set of positive (resp., negative) literals in $L$.

The set of all action (resp. fluent, type) literals is denoted as $\mathcal{L}_{act}$ (resp. $\mathcal{L}_{fl}$, $\mathcal{L}_{typ}$). Furthermore, let $\mathcal{L}_{fl,typ} = \mathcal{L}_{fl} \cup \mathcal{L}_{typ}$; $\mathcal{L}_{dyn} = \mathcal{L}_{fl} \cup \mathcal{L}_{act}$ ($dyn$ stands for dynamic literals); and $\mathcal{L} = \mathcal{L}_{fl,typ} \cup \mathcal{L}_{act}$.

Action/Fluent Declarations. All actions and fluents have to be declared using an action (resp. fluent) declaration of the form:

$p(X_1, \ldots, X_n)$ requires $t_1, \ldots, t_m$   (1)

where $p \in \sigma^{act}$ (resp. $p \in \sigma^{fl}$), $X_1, \ldots, X_n \in \sigma^{var}$, $t_1, \ldots, t_m \in \mathcal{L}_{typ}$, $n$ is the arity of $p$, all $X_i$ occur also in $t_1, \ldots, t_m$, and $m \geq 0$. If $m = 0$, the requires part may be skipped.

(1) Following logic programming conventions, in this paper constant and variable symbols are denoted as strings starting with a lower or upper case character, respectively.

(2) Note that in this definition only positive action literals are allowed.
Causation Rules. Causation rules are used to define static and dynamic dependencies. Causation rules (rules, for short) are of the form

caused $f$ if $b_1, \ldots, b_k$, not $b_{k+1}, \ldots$, not $b_l$ after $a_1, \ldots, a_m$, not $a_{m+1}, \ldots$, not $a_n$   (2)

where $f \in \mathcal{L} \cup \{\mathit{false}\}$, $b_1, \ldots, b_l \in \mathcal{L}_{fl,typ}$, $a_1, \ldots, a_n \in \mathcal{L}$, $l \geq k \geq 0$, and $n \geq m \geq 0$. Rules where $n = 0$ are referred to as static rules, all other rules as dynamic rules. When $l = 0$, the if part can be omitted; likewise, if $n = 0$, the after part can be skipped. If both $l = n = 0$, also caused is optional. Given a causation rule $r$, let $h(r) = \{f\}$, $post^+(r) = \{b_1, \ldots, b_k\}$, $post^-(r) = \{b_{k+1}, \ldots, b_l\}$, $pre^+(r) = \{a_1, \ldots, a_m\}$, $pre^-(r) = \{a_{m+1}, \ldots, a_n\}$, and $lit(r) = \{f, b_1, \ldots, b_l, a_1, \ldots, a_n\}$.



Initial State Constraints. While the scope of general static rules is over all knowledge states, it is often useful to specify rules only for the initial states. Initial state constraints are static rules of the form (2) preceded by the keyword initially. For an initial state constraint $ic$, $h(ic)$, $post^+(ic)$, $post^-(ic)$, $pre^+(ic)$, and $pre^-(ic)$ are defined as for its rule part.



Conditional Executability. K allows STRIPS-style [6] conditional execution of actions. A difference is that K allows several alternative executability conditions for an action, which are beyond the repertoire of standard STRIPS. An executability condition is an expression of the form

executable $a$ if $b_1, \ldots, b_m$, not $b_{m+1}, \ldots$, not $b_n$   (3)

where $a \in \mathcal{L}_{act}^+$,(2) $b_1, \ldots, b_n \in \mathcal{L}$, and $n \geq m \geq 0$. If $n = 0$, the if part is usually skipped, expressing unconditional executability. Given an executability condition $e$, let $h(e) = \{a\}$, $post^+(e) = post^-(e) = \emptyset$, $pre^+(e) = \{b_1, \ldots, b_m\}$, $pre^-(e) = \{b_{m+1}, \ldots, b_n\}$, and $lit(e) = \{a, b_1, \ldots, b_n\}$.



Safety Restriction. In K, all rules (including initial state constraints) and executability conditions have to satisfy the following syntactic restriction, which is similar to the notion of safety in logic programs [35]. All variables in a default negated type literal must also occur in some literal which is not a default negated type literal.

Thus, safety is required only for variables appearing in default negated type literals, 
while it is not required at all for variables appearing in fluent and action literals. The 
reason is that the range of the latter variables is implicitly restricted by the respective 
type declaration. 



Action Descriptions, Planning Domains, Planning Problems. An action description is a pair $(D, R)$ where $D$ is a finite set of action and fluent declarations and $R$ is a finite set of safe executability conditions, safe causation rules, and safe initial state constraints.

A planning domain is a pair $PD = (\Pi, AD)$, where $\Pi$ is a normal stratified datalog program (referred to as background knowledge) that is safe (in the standard LP sense), and $AD$ is an action description. $PD$ is positive, if no default negation occurs in $AD$. A query is of the form

$g_1, \ldots, g_m$, not $g_{m+1}, \ldots$, not $g_n$ ? $(i)$   (4)

where $g_1, \ldots, g_n \in \mathcal{L}_{fl}$ are variable-free, and $i \geq 0$, $n \geq m \geq 0$.

A planning problem $(PD, q)$ is a pair of a planning domain $PD$ and a query $q$.



2.2 Semantics

First we will define the legal instantiations of a planning problem. This is similar to the grounding of a logic program; the difference is that only correctly typed fluent and action literals are generated.

Instantiation. Let substitutions and their application to syntactic objects be defined as usual (assignments of constants to variables). We first define the notion of legal action (resp. fluent) instantiations:

Let $PD = (\Pi, (D, R))$ be a planning domain, and let $M$ be the (unique) answer set of $\Pi$. Then, $\theta(p(X_1, \ldots, X_n))$ is a legal action (resp. fluent) instantiation for an action (resp. fluent) declaration $d \in D$ of the form (1), if $\theta$ is a substitution defined over all $X_1, \ldots, X_n$ such that $\{\theta(t_1), \ldots, \theta(t_m)\} \subseteq M$. By $\mathcal{L}_{PD}$ we denote the set of all legal action and fluent instantiations.

Based on the above definition of action and fluent instantiations, we define the instantiation of a planning domain, $PD_I$, as follows:

$PD_I = (\Pi, (D, \bigcup_{r \in R} \bigcup_{\theta \in \Theta_r} \theta(r)))$

where $\Theta_r$ is the set of all substitutions $\theta$ defined over all variables in $r$, such that $lit(\theta(r)) \cap \mathcal{L}_{dyn} \subseteq \mathcal{L}_{PD}$ and $(post^+(\theta(r)) \cup pre^+(\theta(r))) \cap \mathcal{L}_{typ} \subseteq M$ hold. In other words, actions and fluents must agree with their declarations and positive type literals must agree with the background knowledge.

$PD_I$ has a ground action description, in which all fluent and action literals agree with their declarations and all type literals agree with the background knowledge.

States and Transitions. In analogy to the definition of stable models and answer sets [7], we will first define the semantics for positive (i.e., default negation-free) planning problems. Subsequently we define a reduction from general planning problems to positive ones.

A consistent set of ground fluent literals is called a state. A tuple $t = (s, A, s')$ where $s, s'$ are states and $A$ is a set of action atoms is called a state transition.

In what follows, let $PD$ be a planning domain, whose instantiation is $PD_I = (\Pi, (D, R))$, and $M$ is the unique answer set of $\Pi$.




814 



Thomas Eiter et al. 



A state $s_0$ is called a legal initial state for a positive $PD$ iff for each initial state constraint $c \in R$, $h(c) \subseteq s_0$ if $post^+(c) \subseteq s_0 \cup M$ holds, and $s_0$ is minimal under this condition.

For a positive $PD$ and a state $s$, a set $A \subseteq \mathcal{L}_{act}$ is called an executable action set w.r.t. $s$ iff for each $a \in A$ there exists an executability condition $e \in R$ such that $h(e) = \{a\}$, $pre^+(e) \cap \mathcal{L}_{fl,typ} \subseteq s \cup M$,  and $pre^+(e) \cap \mathcal{L}_{act} \subseteq A$.(3)

For a positive $PD$, a state transition $t = (s, A, s')$ is called a legal state transition if $A$ is an executable action set w.r.t. $s$ and $s'$ is the minimal consistent set that satisfies all causation rules w.r.t. $s \cup A$, i.e., for every causation rule $r \in R$, if (i) $post^+(r) \cap \mathcal{L}_{fl} \subseteq s'$, (ii) $pre^+(r) \cap \mathcal{L}_{fl} \subseteq s$, and (iii) $pre^+(r) \cap \mathcal{L}_{act} \subseteq A$ all hold, then $h(r) \neq \{\mathit{false}\}$ and $h(r) \subseteq s'$. Note that we need not consider type literals, as they have already been dealt with in the instantiation step.

The above definitions are now generalized to a $PD$ containing default negation by defining a reduction to a positive planning domain.

For an arbitrary $PD$ and a state transition $t = (s, A, s')$, the reduction $PD^t = (\Pi, (D, R^t))$ is a planning domain where $R^t$ is obtained from $R$ by deleting those $r \in R$ for which either $post^-(r) \cap (s' \cup M) \neq \emptyset$ or $pre^-(r) \cap (s \cup A \cup M) \neq \emptyset$ holds, and by deleting all not $L$ ($L \in \mathcal{L}$) from the remaining $r \in R$. Note that $PD^t$ is positive and ground.

For an arbitrary $PD$, a state $s_0$ is called a legal initial state iff $s_0$ is a legal initial state for $PD^t$ with $t = (\emptyset, \emptyset, s_0)$.

$A$ is an executable action set in $PD$ w.r.t. a state $s$ iff $A$ is executable w.r.t. $s$ in $PD^t$ with $t = (s, A, \emptyset)$.

A transition $t = (s, A, s')$ is a legal state transition in $PD$ iff it is a legal transition w.r.t. $PD^t$. A sequence of state transitions $T = ((s_0, A_1, s_1), \ldots, (s_{n-1}, A_n, s_n))$, $n \geq 0$, is a legal transition sequence for $PD$, if $s_0$ is a legal initial state of $PD$ and all $(s_{i-1}, A_i, s_i)$, $1 \leq i \leq n$, are legal state transitions of $PD$. In particular, $T = ()$ is empty if $n = 0$.

We say that an arbitrary planning domain $PD$ is proper if, given a state $s$ and an action set $A$, the existence of a legal state transition $(s, A, s')$ is polynomially decidable (i.e., we can check efficiently the existence of a successor state $s'$). A planning problem $(PD, q)$ is proper if the underlying planning domain $PD$ is proper.



2.3 Plans 

Given a planning problem $PP = (PD, q)$, where $q$ has form (4), a sequence of action sets $(A_1, \ldots, A_i)$, $i \geq 0$, is an optimistic plan for $PP$, if a legal transition sequence $T = ((s_0, A_1, s_1), \ldots, (s_{i-1}, A_i, s_i))$ in $PD$ exists such that $T$ establishes the goal, i.e., $\{g_1, \ldots, g_m\} \subseteq s_i$ and $\{g_{m+1}, \ldots, g_n\} \cap s_i = \emptyset$.

However, the existence of an optimistic plan does not guarantee that executing the plan, due to incomplete information and possible alternative transitions, will always lead to the goal. In case of incomplete initial state specification, we must be sure that the plan is executable and the goal is reached whatever is the legal initial state consistent with the specification.

(3) This is useful to model dependent actions, i.e. actions which depend on the execution of other actions.

An optimistic plan $(A_1, \ldots, A_n)$ for $PP$ as previously is a secure plan, if for every legal initial state $s_0$ and legal transition sequence $T = ((s_0, A_1, s_1), \ldots, (s_{j-1}, A_j, s_j))$ such that $0 \leq j \leq n$, it holds that (i) if $j = n$ then $T$ establishes the goal, and (ii) if $j < n$, then $A_{j+1}$ is executable in $s_j$ w.r.t. $PD$, i.e., some legal transition $(s_j, A_{j+1}, s_{j+1})$ exists.

A plan $(A_1, \ldots, A_n)$ is called sequential (or non-concurrent) if $|A_j| \leq 1$, for all $1 \leq j \leq n$.



3 The Planning System 

We have implemented a fully operational prototype supporting the K language as a frontend on top of the DLV system [4]. This frontend is invoked by the command-line option -FP of DLV. It reads K files, that is, files as described in the following subsection whose names carry the extension .plan, and optionally also background knowledge in the form of stratified datalog, and transforms these into the core language of DLV. The frontend then invokes the DLV kernel and translates possible solutions back into output appropriate for the planning user.



3.1 Programs in DLV^K

A K program, as implemented in DLV^K, consists of various (optional) sections that start with a keyword followed by a colon. The overall structure of a K program is as follows:

fluents:     <fluent declarations>
actions:     <action declarations>
always:      <rules>
initially:   <init rules>
             [noConcurrency.] [securePlan.]
goal:        <query>? (i)

where <fluent declarations> and <action declarations> are sequences of declarations as defined in Section 2, and <rules> (resp., <init rules>) is a sequence of causation rules and executability conditions which apply to any (resp., any initial) state.

By default, DLV^K will look for plans allowing concurrent actions (that is, plans that may contain transitions (s, A, s') with |A| > 1). By specifying noConcurrency. the user can ask for sequential plans. In the presence of securePlan. or the command-line option -FPsec, DLV^K will only compute secure plans, as opposed to the default situation where all (optimistic) plans are computed and the user interactively decides whether to check their security.(4)

(4) In the current implementation, some syntactic conditions, ensuring proper planning domains, are required to allow the security check of the plans. Optimistic plans are computed under no restriction.
3.2 Language Enhancements

In planning it is often useful to declare some fluents as inertial, which means that these fluents keep their truth values in a state transition, unless explicitly affected by an action. In the AI literature this has been studied intensively and is referred to as the frame problem [24, 31].

To allow for an easy representation of this kind of situation, we have enhanced the language by a shortcut inertial f. which is equivalent to the rule caused f if not -f after f. where f is a fluent literal.

For reasoning under incomplete knowledge we introduce total f. which is a shortcut for caused f if not -f. caused -f if not f. where f is a positive fluent literal. Such total statements can be used in the always: and initially: sections of a DLV^K program, where in the latter case only the initial state is completed.

Finally, it may be convenient to explicitly forbid executing an action under specific circumstances. To this end, we introduce nonexecutable a if B. where a is an action atom, as a shortcut for caused false after a, B.



4 Knowledge Representation in K 

4.1 A Simple Blocks World Instance 

Now we are ready to give a short blocks world example. Referring to Figure 1, we want to turn the initial configuration of blocks into the goal state(5) in three steps, where only one move is allowed in each step (i.e., concurrent moves are not permitted).

First of all, the static background knowledge Π consists of the following facts and rules:

block(a). block(b). block(c).
location(table).
location(B) :- block(B).

This program describes the relevant objects in our planning domain.

The action description for the blocks world needs one action move and two fluents, on and occupied. We first assume that the knowledge on the initial state is complete (we know the location of all blocks) and correctly specified. We will then show how to deal with incorrect or incomplete initial state specifications.

fluents:   on(B,L) requires block(B), location(L).
           occupied(B) requires location(B).
actions:   move(B,L) requires block(B), location(L).
always:    executable move(B,L) if not occupied(B), not occupied(L), B <> L.
           inertial on(B,L).

(5) This problem illustrates the well known Sussman anomaly [33].
           caused occupied(B) if on(B1,B), block(B).
           caused on(B,L) after move(B,L).
           caused -on(B,L1) after move(B,L), on(B,L1), L <> L1.
initially: on(a,table). on(b,table). on(c,a).
           noConcurrency.
goal:      on(c,b), on(b,a), on(a,table) ? (3)

Intuitively, the executable rule says that a block B can be moved onto a location L ≠ B if both B and L are clear (note that the table is always clear, as it is not a block). The causation rules for on and -on specify the effect of a move. It is worthwhile noting that the totality of these fluents is not enforced. Both on(x,y) and -on(x,y) may happen to be not true at a given instant of time.

Actually, the rule for -on could be replaced by a rule stating: wherever a block is, it is not anywhere else (caused -on(B,L1) if on(B,L), L <> L1.). This rule would give us a sharper description of the state, making the fluent on total at every instant of time. Nevertheless, the extra knowledge derived for -on from this rule is useless for our goal, as -on does not appear in the body of any rule, and -on(x,y) is used only to override the inertial property of on(x,y) after moving x from y. Thus, we refrain from using the more general rule, which would cause a computational overhead (as more inferences are to be done during the computation) without providing relevant benefits.

The execution of this program on DLV^K computes the following:

PLAN: move(c,table,0), move(b,a,1), move(c,b,2)

Here, the additional argument in a move atom represents the instant of time when the action is executed. Thus, the above plan requires to first move c on the table, then to move b on top of a, and, finally, to move c on b. It is easy to see that this sequence of actions leads to the desired goal.



4.2 Checking Correctness and Completeness of the Initial State 

In the previous example, the knowledge on the block locations in the initial state is complete and correctly specified with respect to domain laws. To ensure that an arbitrary given (partial) knowledge state is not flawed, we should check it properly. We should here verify that every block: (i) is on top of a unique location, (ii) does not have more than one block on top of it, and (iii) is supported by the table (i.e., it is either on the table or on a stack of blocks which is on the table) [20]. To this end, we add the declaration:

supported(B) requires block(B).

And we add the following rules in the initially section:

caused false if on(B,L), on(B,L1), L <> L1.
caused false if on(B1,B), on(B2,B), block(B), B1 <> B2.
caused supported(B) if on(B,table).
caused supported(B) if on(B,B1), supported(B1).
caused false if not supported(B).
The resulting DLV^K program does not compute any plan if the initial state is either incomplete (in the sense that not all block locations are known) or incorrectly specified. Note that, under noConcurrency, the action move preserves the properties (i), (ii), (iii) above; thus, we do not need to check these properties in all states if concurrent actions are forbidden.



4.3 Reasoning under Incomplete Knowledge 

Suppose now that there is a further block d in Figure 1, i.e., block(d) is added to the background knowledge Π. The exact location of d is unknown, but we know that it is not on top of c.

We look for a plan that works on every possible initial state (i.e., no matter whether on(d,b) or on(d,table) holds), and reaches the goal on(a,c), on(c,d), on(d,b), on(b,table) in four steps. We modify the program and the goal q by adding (i) -on(d,c) and total on(X,Y) in the initially section, and (ii) the command securePlan. The execution of this program on DLV^K computes the following:

PLAN: move(d,table,0), move(d,b,1), move(c,d,2), move(a,c,3)

The plan is clearly valid on all possible initial legal states. Since the effects of all actions are determined, this plan is also secure.

Note that an optimistic 2-step plan exists: move(c,d,0), move(a,c,1), as d could initially be on b. However, this plan is not secure.
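The definitions of Sections 2.2 and 2.3 (reduct, least fixpoint, legal initial states, legal transitions, optimistic and secure plans) and the situation of Section 4.3 (an optimistic plan that is not secure because the initial state is only partially known) can be checked by hand on a smaller instance. The following Python program is an added example written for this page; it is not the DLV^K frontend and not code from the paper. It implements the ground semantics by brute force for a constructed two-block world: block a is on the table, block b is either on a or on the table, which is declared by total on(b,a) and total on(b,table) in the initial section. Assumptions beyond the paper: rules of the always section also constrain the initial state (as the program layout of Section 3.1 says), on(B,B) atoms are left out, and the supported check of Section 4.2 is replaced by two ground constraints saying that b is at exactly one location.

```python
"""Ground K semantics (Section 2) on a constructed two-block world; added example."""
from functools import lru_cache
from itertools import product

BLOCKS = ("a", "b")
LOCS = ("table",) + BLOCKS

def neg(l):
    """Complement of a literal under true (classical) negation."""
    return l[1:] if l.startswith("-") else "-" + l

# Ground fluent literals. on(B,B) is omitted: nothing could ever derive it (assumption).
ON = [f"on({b},{l})" for b in BLOCKS for l in LOCS if b != l]
LITERALS = ON + [neg(x) for x in ON] + [f"occupied({b})" for b in BLOCKS]
ACTIONS = [f"move({b},{l})" for b in BLOCKS for l in LOCS if b != l]

def R(head, post_pos=(), post_neg=(), pre_pos=(), pre_neg=()):
    """caused head if post_pos, not post_neg after pre_pos, not pre_neg ("false" = constraint)."""
    return (head, frozenset(post_pos), frozenset(post_neg), frozenset(pre_pos), frozenset(pre_neg))

ALWAYS = []                                     # ground always-section of Section 4.1
for b in BLOCKS:
    for l in (x for x in LOCS if x != b):
        ALWAYS.append(R(f"on({b},{l})", post_neg=[f"-on({b},{l})"], pre_pos=[f"on({b},{l})"]))
        ALWAYS.append(R(f"on({b},{l})", pre_pos=[f"move({b},{l})"]))
        for l1 in (x for x in LOCS if x not in (b, l)):
            ALWAYS.append(R(f"-on({b},{l1})", pre_pos=[f"move({b},{l})", f"on({b},{l1})"]))
    for b1 in (x for x in BLOCKS if x != b):
        ALWAYS.append(R(f"occupied({b})", post_pos=[f"on({b1},{b})"]))
STATIC = [r for r in ALWAYS if not r[3] and not r[4]]
# executable move(B,L) if not occupied(B), not occupied(L): (action, pre_pos, pre_neg).
# occupied(table) is never derivable, so that not-literal is always satisfied.
EXEC = [(f"move({b},{l})", frozenset(), frozenset({f"occupied({b})", f"occupied({l})"}))
        for b in BLOCKS for l in LOCS if b != l]
# initially: on(a,table). total on(b,a). total on(b,table). plus two ground constraints
# standing in for the checks of Section 4.2: b is at exactly one location.
INITIALLY = [R("on(a,table)"),
             R("on(b,a)", post_neg=["-on(b,a)"]), R("-on(b,a)", post_neg=["on(b,a)"]),
             R("on(b,table)", post_neg=["-on(b,table)"]), R("-on(b,table)", post_neg=["on(b,table)"]),
             R("false", post_pos=["on(b,a)", "on(b,table)"]),
             R("false", post_pos=["-on(b,a)", "-on(b,table)"])]

def lfp(rules, s, A, cand):
    """Least set closed under the reduct of `rules` w.r.t. t = (s, A, cand): rules with a
    violated not-literal are dropped, the rest fire positively. None if false is derived."""
    active = [r for r in rules if not (r[2] & cand) and not (r[4] & (s | A)) and r[3] <= (s | A)]
    T, changed = set(), True
    while changed:
        changed = False
        for head, post_pos, *_ in active:
            if post_pos <= T and head not in T:
                if head == "false":
                    return None
                T.add(head)
                changed = True
    return T

# All consistent sets of ground fluent literals (2^10 here; brute force is enough).
CANDIDATES = [c for bits in product((0, 1), repeat=len(LITERALS))
              for c in [frozenset(l for l, bit in zip(LITERALS, bits) if bit)]
              if all(neg(l) not in c for l in c)]

@lru_cache(maxsize=None)
def legal_initial_states():
    return [c for c in CANDIDATES if lfp(INITIALLY + STATIC, frozenset(), frozenset(), c) == c]

def executable(s, A):
    return all(any(a == e and pp <= (s | A) and not (pn & (s | A)) for e, pp, pn in EXEC) for a in A)

@lru_cache(maxsize=None)
def successors(s, A):
    """All s' such that (s, A, s') is a legal state transition."""
    if not executable(s, A):
        return []
    return [c for c in CANDIDATES if lfp(ALWAYS, s, A, c) == c]

def establishes(s, goal_pos, goal_neg):
    return goal_pos <= s and not (goal_neg & s)

def optimistic_plans(goal_pos, goal_neg=frozenset(), steps=1):
    """Sequential (noConcurrency) plans of `steps` action sets for which some legal
    transition sequence from some legal initial state establishes the goal."""
    action_sets = [frozenset()] + [frozenset([a]) for a in ACTIONS]
    plans = []
    for plan in product(action_sets, repeat=steps):
        for s0 in legal_initial_states():
            frontier = [s0]
            for A in plan:
                frontier = [s2 for s in frontier for s2 in successors(s, A)]
            if any(establishes(s, goal_pos, goal_neg) for s in frontier):
                plans.append(plan)
                break
    return plans

def is_secure(plan, goal_pos, goal_neg=frozenset()):
    """Section 2.3: from every legal initial state, along every legal evolution, the next
    action set stays executable (ii) and the final state establishes the goal (i)."""
    frontier = set(legal_initial_states())
    if not frontier:
        return False
    for A in plan:
        nxt = set()
        for s in frontier:
            succ = successors(s, A)
            if not succ:
                return False
            nxt.update(succ)
        frontier = nxt
    return all(establishes(s, goal_pos, goal_neg) for s in frontier)

if __name__ == "__main__":
    goal = frozenset({"on(a,b)"})
    for plan in optimistic_plans(goal, steps=2):
        print([sorted(A) for A in plan], "secure" if is_secure(plan, goal) else "optimistic only")
```

Running it lists the sequential 2-step plans for the goal on(a,b) and marks (move(b,table), move(a,b)) as secure, because it is executable and reaches the goal from both legal initial states. The 1-step plan move(a,b) is optimistic (it works when b happens to be on the table) but not secure, since move(a,b) is not executable when b is on a; this is the same distinction as between the 4-step secure plan and the 2-step optimistic plan above. The candidate-enumeration step is exponential in the number of ground literals, which is exactly why the paper translates to disjunctive logic programming instead.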



5 Complexity of K 

We briefly report some results on the computational complexity of planning in K for the ground (propositional) case (see [1,2] and references therein for related results). In particular, we consider deciding existence of a (secure) optimistic plan for a planning problem $(PD, q)$ and checking whether a given optimistic plan for it is secure.

An optimistic plan can be generated nondeterministically, by guessing the transitions $(s_{i-1}, A_i, s_i)$ one after the other, starting from some (nondeterministically generated) legal initial state. Since this requires only polynomial workspace and NPSPACE = PSPACE, the problem is in PSPACE. On the other hand, STRIPS, which is PSPACE-complete [2], can be easily reduced to K. If the number of steps in $q$ is fixed, the complexity decreases because altogether there is a fixed number of guesses, which have polynomial size.

Theorem 1. Deciding whether a given proper ground planning problem $(PD, q)$ has an optimistic plan is PSPACE-complete, and NP-complete if the number of steps in $q$ is fixed.

Deciding the existence of a secure plan appears to be harder, since it allows us to encode also planning under incomplete initial states. Already recognizing a secure plan is difficult.




Planning under Incomplete Knowledge 819 



Theorem 2. Given an optimistic plan $P$ and a proper ground planning problem $(PD, q)$, deciding whether $P$ is secure is coNP-complete. Hardness holds even if the number of steps in $q$ is fixed.

When looking for a secure plan, these complexities combine, even if the number of steps is bounded.

Theorem 3. Deciding whether a given proper ground planning problem $(PD, q)$ has a secure plan is NEXPTIME-complete in general and $\Sigma_2^P$-complete, if the number of steps in $q$ is fixed.

Intuitively, a secure plan can only be built if we know all states reachable after the steps $A_1, \ldots, A_i$ generated so far when the next step is generated. This requires exponential work space in general. Note that NEXPTIME strictly contains PSPACE, and thus this problem can not be efficiently translated to traditional STRIPS planning. The $\Sigma_2^P$-completeness result implies that even short secure plans can not be efficiently generated by using systems which allow to solve only problems in NP, such as Blackbox [16], CCALC [21], smodels [25], or satisfiability checkers. The hardness relies on the fact that parallel actions are possible. Note that Baral et al. [1] report the related result that deciding in language A [8] the existence of an, in our terminology, secure sequential plan of polynomially bounded length is $\Sigma_2^P$-complete.

Under no concurrency, the complexity remains unaffected in the general case, but is much lower if the plan length is fixed.

Theorem 4. Deciding whether a given proper ground planning problem $(PD, q)$ has a secure sequential plan is NEXPTIME-complete in general and $D^P$-complete, if the number of steps in $q$ is fixed. ($D^P$ is the "conjunction" of NP and coNP.)

Informally, the complexity drops to $D^P$ since in the sequential case only polynomially many candidates for secure plans of fixed length exist, which can be generated in polynomial time. A secure plan exists if (i) some legal initial state exists (which is in NP), and (ii) some of the (polynomially many) candidates has the property that it works on every evolution of every initial state. This check is in coNP for a single candidate and thus, as easily seen, also for all simultaneously. Hence, the problem is in $D^P$. The hardness for $D^P$ implies, however, that the problem is still not efficiently representable in systems with expressiveness limited to NP.

In arbitrary rather than proper planning domains, security checking as in Theorem 2 is $\Pi_2^P$-complete, and deciding the existence of a secure plan of fixed length as in Theorems 3 and 4 is -complete and $\Pi_2^P$-complete, respectively. Intuitively, this is due to an additional nested consistency check. In all other cases, the complexity is the same.

6 Related Work and Conclusion 

Planning under incomplete knowledge has been widely investigated in the AI literature. Most works extend algorithms/systems for classical planning, rather than using deduction techniques for solving planning tasks as proposed in this paper. The systems Buridan [17], UDTPOP [26], Conformant Graphplan [32], CNLP [27] and CASSANDRA [28] fall in this class. In particular, Buridan, UDTPOP, and Conformant Graphplan can solve secure planning (also called conformant planning) like DLV^K. On the other hand, the systems CNLP and CASSANDRA deal with conditional planning (where the sequence of actions to be executed depends on dynamic conditions).

More recent works propose the use of automated reasoning techniques for planning under incomplete knowledge. In [30] a technique for encoding conditional planning problems in terms of 2-QBF formulas is proposed. The work in [29] proposes a technique based on regression for solving secure planning problems in the framework of the Situation Calculus, and presents a Prolog implementation of such a technique. In [23], sufficient syntactic conditions ensuring security of every (optimistic) plan are singled out. While sharing their logic-based nature, our work presented in this paper differs considerably from such proposals, since it is based on a different formalism.

Work similar to ours has been independently reported in [9]. In that paper, the author presents a SAT-based procedure for computing secure plans over planning domains specified in the action language C [11, 19, 18]. The main differences between our paper and [9] are (i) the different action languages used for specifying planning domains (C vs K; the former is closer to classical logic, while the latter is more "logic programming oriented" by the use of default negation); (ii) the different computational engines underlying the two systems (a SAT checker vs a DLP system), which imply completely different translation techniques for the implementation. Other recent studies on secure planning are reported in [3]. Experimental evaluations and a comparison of the performance of the various systems for secure planning are on the agenda for future work.
Abstract. Wire routing is the problem of determining the physical locations of all the wires interconnecting the circuit components on a chip.
Since the wires cannot intersect with each other, they are competing 
for limited spaces, thus making routing a difficult combinatorial opti- 
mization problem. We present a new approach to wire routing that uses 
action languages and satisfiability planning. Its idea is to think of each 
path as the trajectory of a robot, and to understand a routing problem 
as the problem of planning the actions of several robots whose paths 
are required to be disjoint. The new method differs from the algorithms 
implemented in the existing routing systems in that it always correctly 
determines whether a given problem is solvable, and it produces a solu- 
tion whenever one exists. 



1 Introduction 

Very large scale integrated circuits (VLSI), with millions of transistors and wires on a single silicon chip, are too complex to design without the aid of computers. Advances in integrated circuit technology will result in more complex chips in the near future; it is predicted that there will be over 1 billion transistors and wires on a single chip in about 10 years. As a result, research and development in computer-aided design (CAD) software is very active in both industry and academia.

Routing is an important step in CAD for VLSI circuits. It is the problem of determining the physical locations of all the wires interconnecting the circuit components (transistors, gates, functional units, etc.) on a chip. Since the wires cannot intersect with each other (otherwise resulting in short circuits), they are competing for limited spaces, thus making routing a difficult combinatorial optimization problem. In practice, the routing problem for the whole VLSI chip is decomposed into smaller routing problems. The chip is partitioned into an array of rectangular regions. After determining the connections between adjacent regions, the routing of all the regions is carried out independently. But even for an individual region the problem is computationally difficult. VLSI routing has been shown to be NP-complete; there are many heuristic routing algorithms in the literature.

In this paper, we present a new approach to VLSI routing that uses action languages and satisfiability planning. All existing routing systems are

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 822 ff., 2000.
based on variations of the sequential maze routing approach using a shortest path algorithm connecting one wire at a time. A major shortcoming of these algorithms is that they cannot guarantee finding a routing solution even when one exists. The new method differs from them in that it is complete: it always correctly determines whether a given routing problem is solvable, and it produces a routing solution whenever one exists.




Fig. 1. A routing problem with 4 wires. 



Consider, for instance, the routing problem shown in Fig. 1. The wiring space here is a rectangular grid. The goal is to connect 4 pairs of points ("pins"), the two points labeled p0, the two points labeled p1, and so on, without passing through the obstacles, shown in black. A solution, actually the solution found by the method proposed in this paper, is given in Fig. 2. If we try to solve this problem by finding first a shortest path between the points labeled p0, and then a shortest path between the points labeled p1 in the part of the grid that is still available, we will arrive at a partial solution like the one shown in Fig. 3. This partial solution cannot be extended to a complete solution, however, because the points labeled p2 cannot be connected without intersecting the first of the two paths selected earlier.
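The failure mode just described can be reproduced on a small constructed instance. The following Python program is an added example written for this page, not code from the paper: the 5x4 grid, its two nets and their pin positions are constructed, and a plain backtracking search over disjoint simple paths stands in for the satisfiability planner of the paper. The backtracking search is exhaustive, so like the paper's method it fails only when no routing exists; the sequential router commits to the shortest path of the first net and can then be stuck.

```python
"""Sequential shortest-path routing versus a complete search; added example."""
from collections import deque

W, H = 5, 4                                          # grid points (x, y), 0 <= x < W, 0 <= y < H
PINS = {0: ((0, 1), (4, 1)), 1: ((2, 0), (2, 2))}    # constructed instance: net -> its pin pair
OBSTACLES = set()                                    # none in this instance

def neighbours(p):
    """Grid points reachable from p by one move left, right, up or down."""
    x, y = p
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        q = (x + dx, y + dy)
        if 0 <= q[0] < W and 0 <= q[1] < H and q not in OBSTACLES:
            yield q

def shortest_path(src, dst, blocked):
    """BFS from src to dst avoiding `blocked` points (other pins, earlier wires)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        p = queue.popleft()
        if p == dst:
            path = []
            while p is not None:
                path.append(p)
                p = prev[p]
            return path[::-1]
        for q in neighbours(p):
            if q not in prev and (q == dst or q not in blocked):
                prev[q] = p
                queue.append(q)
    return None

def all_pins():
    return {p for pair in PINS.values() for p in pair}

def sequential_maze_routing():
    """Route one net at a time by a shortest path, as existing routers do.
    Returns (routes, failed_net); failed_net is None if every net was routed."""
    used, routes = all_pins(), {}
    for net in sorted(PINS):
        src, dst = PINS[net]
        path = shortest_path(src, dst, used)
        if path is None:
            return routes, net
        routes[net] = path
        used.update(path)
    return routes, None

def complete_routing():
    """Backtracking over all simple paths of every net: returns a routing of all nets
    with pairwise disjoint paths if one exists, else None."""
    nets, used, routes = sorted(PINS), all_pins(), {}

    def grow(i, path):
        head, target = path[-1], PINS[nets[i]][1]
        if head == target:                                   # net i done; try the next net
            routes[nets[i]] = list(path)
            if i + 1 == len(nets) or grow(i + 1, [PINS[nets[i + 1]][0]]):
                return True
            del routes[nets[i]]                              # backtrack into net i's own path
            return False
        for q in neighbours(head):
            if q == target:
                path.append(q)
                if grow(i, path):
                    return True
                path.pop()
            elif q not in used:                              # pins and wires stay reserved
                used.add(q)
                path.append(q)
                if grow(i, path):
                    return True
                path.pop()
                used.discard(q)
        return False

    return dict(routes) if grow(0, [PINS[nets[0]][0]]) else None

def is_valid_routing(routes):
    """Every net joins its pins by adjacent points and no point is used twice."""
    seen = set()
    for net, pair in PINS.items():
        path = routes.get(net)
        if not path or path[0] != pair[0] or path[-1] != pair[1]:
            return False
        if any(b not in set(neighbours(a)) for a, b in zip(path, path[1:])):
            return False
        if seen & set(path):
            return False
        seen.update(path)
    return True

if __name__ == "__main__":
    routes, failed = sequential_maze_routing()
    print("sequential routing stuck on net", failed, "after", routes)
    print("complete search found", complete_routing())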

The idea of the new method is to think of each path as the trajectory of 
a robot moving along the grid lines, and to understand a routing problem as 
the problem of planning the actions of several robots. In the example above, the 
problem involves 4 robots. The initial position of Robot 0 is assumed to be (6,5), 



824 



Esra Erdem, Vladimir Lifschitz, and Martin D.F. Wong 




Fig. 2. A solution to the problem from Fig. 1.




Fig. 3. A partial solution to the problem from Fig. J It cannot be extended to 
a complete solution. 
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and its goal is to reach point (10,6) (or the other way around), and similarly for 
the other robots. The actions that a robot can perform are to move left, right, 
up or down to the closest grid point, or to do nothing. We describe the effects 
of these actions in action language C Q. 

The action language C is based on the theory of causal explanation proposed in [ref]. Therefore, the view of causality adopted in C distinguishes between asserting that a certain fact "holds" and making the stronger assertion that it "is caused" (or "has an explanation").

The language C has propositions of two kinds: static laws of the form 

caused F if G 



and dynamic laws of the form 

caused F if G after H. 

Here F and G are formulas whose atomic components represent fluents. The 
formula F is of a more general kind: in addition to fluents, it is allowed to 
contain the names of actions. Syntactically, action names are treated as atomic 
formulas; an assignment of truth values to action names represents the composite 
action which is executed by performing concurrently all elementary actions whose 
names are assigned the value true. 

In the language C,

(i) an expression of the form

  U causes F if G

where U is a propositional combination of elementary action names and F, G are propositional combinations of fluent names, stands for the dynamic law

  caused F if true after G ∧ U.

(ii) an expression of the form

  nonexecutable U if F

where U is a propositional combination of elementary action names and F is a propositional combination of fluent names, stands for the dynamic law

  caused false if true after F ∧ U.

(iii) an expression of the form

  never F

where F is a propositional combination of fluent names, stands for the static law

  caused false if F.
These and other abbreviations are introduced in [ref].

The semantics of C defines how a set of propositions describes a "transition system" — a directed graph whose vertices are "states" and whose edges are labeled by "actions." A state is characterized by an assignment of truth values to fluent names, and an action is characterized by an assignment of truth values to action names. See [ref] for details.

We use the Causal Calculator[1] (CCALC) to find a plan for the planning problem that corresponds to a wire routing problem. The Causal Calculator uses literal completion [ref] to reduce a planning problem described in C to the problem of finding a satisfying interpretation for a set of propositional formulas, and then passes on these formulas to a satisfiability solver, such as relsat [ref].

In the next two sections we provide a more detailed description of the new method as it applies to the problem above. Then we show that our approach can handle various kinds of additional routing constraints which ensure that a circuit meets its performance specification: constraints on the lengths of the wires, essential because signal delay through a wire is proportional to its length (Sections 4 and 5), and spacing constraints between the wires, related to the problem of avoiding signal interferences (Section 6).



2 Input and Output of CCALC 

As discussed in the introduction, for each pair of points that need to be connected we imagine a robot that travels between these points. The position of Robot N is described by the propositional fluents at_x(N,XC) ("the x-coordinate of N is XC") and at_y(N,YC). We also use the expression at(N,XC,YC) that is expanded into the conjunction of these fluents by the CCALC macro expansion mechanism. The actions affecting the position of Robot N are denoted by expressions of the form move(N,D), where D is one of the directions left, right, down, up.

To express that the robots’ paths don’t loop and don’t intersect each other, 
we use the propositional fluent occupied (N,XC,YC) — “point (XC,YC) has been 
visited by Robot N.” Initially, this fluent is true only if (XC,YC) is the initial 
position of Robot N. The set of true fluents of this form becomes larger as robots 
move to new positions. 

Fig. 4 shows the CCALC input file representing the routing problem from Fig. 1. The include directives in the middle of the file refer to two other files: obstacles0.t, describing the shape of the obstacles in this example, and routing.t, describing the effects and the executability of actions in the routing domain. Parts of file routing.t are discussed in the next section. The number of wires and the size of the grid are represented in that file by the macros k, maxX and maxY. Their numeric values are defined in each particular routing problem.

The description of the planning problem consists of a set of given facts and a goal. The symbol 0: at the beginning of every fact tells CCALC that the fact is assumed to hold at time 0 (that is to say, is an initial condition). The first fact characterizes the initial value of occupied(N,XC,YC).[2] We could have replaced this conditional by an equivalence, but there is no need to do this, because file routing.t declares occupied(N,XC,YC) to be a fluent false by default. The other facts give the initial positions of the robots. The symbol 12..17 in the goal instructs CCALC to try first to find a plan of length 12; if there is no such plan then try length 13, and so on, up to 17. In the case of the routing problem, the length of a plan corresponds to the maximum of the lengths of the wires.

    macros k -> 3;
           maxX -> 10;
           maxY -> 10.

    include 'obstacles0.t'.
    include 'routing.t'.

    :- plan
    facts::
      0: (occupied(N,XC,YC) ->> at(N,XC,YC)),
      0: at(0,6,5),
      0: at(1,3,4),
      0: at(2,3,1),
      0: at(3,0,3);
    goal::
      12..17: (at(0,10,6) && at(1,4,8) && at(2,10,3) && at(3,6,0)).

Fig. 4. Input file for the problem from Fig. 1.

[1] http://www.cs.utexas.edu/users/tag/ccalc/

Given this input file, CCALC reports that there is no solution of length 12, 13 or 14, and then produces a plan:

     0. at_y(0,5) at_y(1,4) at_y(2,1) at_y(3,3)
        at_x(0,6) at_x(1,3) at_x(2,3) at_x(3,0)
    ACTIONS: move(0,left) move(1,left) move(2,right) move(3,down)
     1. at_y(0,5) at_y(1,4) at_y(2,1) at_y(3,2)
        at_x(0,5) at_x(1,2) at_x(2,4) at_x(3,0)
    ACTIONS: move(0,up) move(1,left) move(2,right)
     2. at_y(0,6) at_y(1,4) at_y(2,1) at_y(3,2)
        at_x(0,5) at_x(1,1) at_x(2,5) at_x(3,0)
    ACTIONS: move(0,up) move(1,left) move(2,right) move(3,down)
    ...
    ACTIONS: move(0,down) move(1,down)
    14. at_y(0,7) at_y(1,9) at_y(2,3) at_y(3,0)
        at_x(0,10) at_x(1,4) at_x(2,10) at_x(3,5)
    ACTIONS: move(0,down) move(1,down) move(3,right)
    15. at_y(0,6) at_y(1,8) at_y(2,3) at_y(3,0)
        at_x(0,10) at_x(1,4) at_x(2,10) at_x(3,6)

This is the solution shown in Fig. 2. RELSAT took 59 seconds to find it. (In our experiments, we used an UltraSPARC that has 124 MB main memory, runs SunOS 5.5.1, and has a 167 MHz CPU.)

[2] In CCALC input files, the propositional connectives are denoted by ->> (implication), && (conjunction), ++ (disjunction) and - (negation).



3 The Routing Domain 

In file routing.t[3] the effect of action move(N,right) is described by the proposition

  move(N,right) causes at_x(N,X)
    if at_x(N,XC) && X is XC+1 && XC < maxX.

(the execution of this action when at_x(N,XC) holds for some XC that is not at the right boundary of the grid makes at_x(N,XC+1) true). There is no need to postulate that the y-coordinate of Robot N and the coordinates of the other robots remain the same, because the coordinates of robots are declared to be "inertial" — they don't change their values if there is no evidence that they do. There is no need to say that at_x(N,XC) becomes false: the action affects this fluent indirectly, because the uniqueness of the x-coordinate of a robot is postulated in routing.t in the form

  caused -at_x(N,XC) if at_x(N,XC1) && -(XC=XC1).

(whatever value the x-coordinate of Robot N currently has, there is a cause for it not to have any other value).[4]

When a robot is on the right edge of the grid, it cannot move right:

  nonexecutable move(N,right) if at_x(N,XC) && XC>=maxX.

Similar postulates describe moves in other directions.

We prevent robots from hitting obstacles by postulating

  never at(N,XC,YC) && blocked(XC,YC).

Here blocked(XC,YC) is a macro defining the shape of the obstacles.

Fluent occupied(N,XC,YC) is characterized by the propositions

  caused occupied(N,XC,YC) if at(N,XC,YC).
  caused occupied(N,XC,YC) after occupied(N,XC,YC).

(the set of points visited by Robot N includes its current position and all points it had visited by the previous time instant). Using this fluent, we can say that paths of different robots don't intersect:

  never occupied(N,XC,YC) && occupied(N1,XC,YC) && (N < N1).

and that a robot never visits the same point twice:

  caused false if at(N,XC,YC) after occupied(N,XC,YC) && -at(N,XC,YC).

The last conjunctive term is necessary to allow a robot not to move; without it, all robots would make the same number of moves, and all paths would have equal lengths.

[3] File routing.t and other files related to wire routing are available on-line at http://www.cs.utexas.edu/users/tag/ccalc/ccalc.[version]/examples/routing/

[4] The solution to the frame problem and ramification problem incorporated in C and CCALC is based on the ideas of [ref].
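To make the contrast between sequential maze routing (the introduction) and the complete planning view concrete, and to show how the laws of this section act as a transition system, here is an added Python example; it is not the authors' code and does not use CCALC. The grid, obstacle and pin positions are constructed for the example, and the search is a plain depth-first search over joint actions rather than a SAT solver.

```python
"""Complete search vs. sequential maze routing on a small grid.

Added example, not code from the paper and not using CCALC: it models the
routing domain of Section 3 directly. Robots move concurrently or wait; a robot
may not leave the grid, enter a blocked point or revisit a point, and two paths
may not share a point. The instance at the bottom is constructed.
"""
import itertools
from collections import deque

DIRS = {"left": (-1, 0), "right": (1, 0), "down": (0, -1), "up": (0, 1)}


class Routing:
    def __init__(self, max_x, max_y, blocked, pins):
        self.max_x, self.max_y = max_x, max_y
        self.blocked = set(blocked)
        self.pins = pins                # pins[n] = (start, goal) of Robot n

    def inside(self, p):
        return 0 <= p[0] <= self.max_x and 0 <= p[1] <= self.max_y

    def step(self, pos, occupied, actions):
        """One transition; None if a nonexecutable/never law is violated."""
        new_pos, new_occ = list(pos), set(occupied)
        for n, act in enumerate(actions):
            if act is None:             # do nothing: inertia keeps the position
                continue
            dx, dy = DIRS[act]
            p = (pos[n][0] + dx, pos[n][1] + dy)
            if not self.inside(p) or p in self.blocked or p in new_occ:
                return None             # off grid, obstacle, or point already visited
            new_pos[n] = p
            new_occ.add(p)              # occupied(N,XC,YC) only ever grows
        return tuple(new_pos), frozenset(new_occ)

    def plan(self, max_len):
        """Complete bounded search over joint actions: a plan of length <= max_len,
        or None if no routing with all wires that short exists. A robot waits only
        at its goal; the never-laws depend only on visited points, so nothing is lost."""
        goals = tuple(goal for _, goal in self.pins)
        start = tuple(start for start, _ in self.pins)
        failed = set()                  # (positions, occupied, time) with no plan

        def dfs(pos, occ, t, plan):
            if pos == goals:
                return plan
            if t == max_len or (pos, occ, t) in failed:
                return None
            if any(abs(p[0] - g[0]) + abs(p[1] - g[1]) > max_len - t
                   for p, g in zip(pos, goals)):
                return None             # too far from the goal for the steps left
            options = [[None] if p == g else list(DIRS) for p, g in zip(pos, goals)]
            for actions in itertools.product(*options):
                nxt = self.step(pos, occ, actions)
                found = nxt and dfs(nxt[0], nxt[1], t + 1, plan + [actions])
                if found is not None:
                    return found
            failed.add((pos, occ, t))
            return None

        return dfs(start, frozenset(start), 0, [])

    def sequential(self, order):
        """Maze routing: one wire at a time along a BFS shortest path, treating
        obstacles, earlier wires and the other wires' pins as blocked."""
        used = set(self.blocked) | {p for pair in self.pins for p in pair}
        paths = {}
        for n in order:
            start, goal = self.pins[n]
            prev, queue = {start: None}, deque([start])
            while queue and goal not in prev:
                cur = queue.popleft()
                for dx, dy in DIRS.values():
                    p = (cur[0] + dx, cur[1] + dy)
                    if self.inside(p) and (p == goal or p not in used) and p not in prev:
                        prev[p] = cur
                        queue.append(p)
            if goal not in prev:
                return None             # this wire can no longer be routed
            path, p = [], goal
            while p is not None:
                path.append(p)
                p = prev[p]
            paths[n] = path[::-1]
            used.update(path)
        return paths


def wire_lengths(plan, k):
    """Moves made by each of the k robots, i.e. the length of each wire."""
    return [sum(1 for actions in plan if actions[n] is not None) for n in range(k)]


# Constructed instance: 5 x 3 grid, obstacle at (2,0), Wire 0 from (0,1) to (4,1),
# Wire 1 from (0,0) to (4,0). Routing Wire 0 first leaves Wire 1 stuck at (1,0).
PROBLEM = Routing(max_x=4, max_y=2, blocked=[(2, 0)],
                  pins=[((0, 1), (4, 1)), ((0, 0), (4, 0))])
```

PROBLEM.sequential([0, 1]) returns None, while PROBLEM.plan(6) returns a 6-step plan in which both wires have length 6 and PROBLEM.plan(5) correctly reports that no shorter routing exists.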

4 Bus Routing 

A bus is a set of wires, each connecting a source pin and a sink pin, where the 
source pins are all adjacent and the sink pins are all adjacent. In bus routing, 
given several pairs of points on a rectangular grid, we want to find a configuration 
of a bus such that all wires are of the same length: we want the signal delays 
through all wires to be equal. The need to express the equality of the lengths is 
the main special feature of bus routing problems. 

A bus routing problem, along with its solution found by CCALC, is displayed in Fig. 5. The input file for this program is shown in Fig. 6. The equality of the lengths of all paths is expressed there by the proposition

  caused false if at(N,XC,YC) after at(N,XC,YC).

The run time of relsat in this example is 36 seconds.

In some cases, a bus routing problem has no solution but becomes solvable if we relax the condition on the lengths of wires. For instance, with the configuration of obstacles shown in Fig. 7 it is impossible to connect all pairs of pins by paths of the same length, but there is an "approximate solution" in which the lengths of wires do not differ by more than 2 (Fig. 8).

To find an "approximate solution" for the problem presented in Fig. 7 using CCALC, we add a constraint telling that robots always move until their goals have been achieved. Then we can instruct CCALC to look for paths whose lengths are between 11 and 13 by replacing the goal in Fig. 6 with

  ((11: at(0,8,4) ++ 12: at(0,8,4) ++ 13: at(0,8,4)) &&
   (11: at(1,8,5) ++ 12: at(1,8,5) ++ 13: at(1,8,5)) &&
   (11: at(2,8,6) ++ 12: at(2,8,6) ++ 13: at(2,8,6))).

If the goal is modified in this way (and file obstacles1.t is modified to reflect the configuration of obstacles in Fig. 7) CCALC generates the approximate solution shown in Fig. 8. The run time of relsat is 36 seconds.
Fig. 5. A bus routing problem. The wires are required to have the same length.



    macros k -> 2;
           maxX -> 10;
           maxY -> 10;
           maxLength -> 15.

    include 'obstacles1.t'.
    include 'routing.t'.

    % robots always move
    caused false if at(N,XC,YC) after at(N,XC,YC).

    :- plan
    facts::
      0: (occupied(N,XC,YC) ->> at(N,XC,YC)),
      0: at(0,1,4),
      0: at(1,1,5),
      0: at(2,1,6);
    goal::
      12..maxLength: (at(0,8,4) && at(1,8,5) && at(2,8,6)).

Fig. 6. Input file for the problem from Fig. 5.
Fig. 7. A bus routing problem that has no precise solution.

Fig. 8. An approximate solution to the problem from Fig. 7. The differences between the lengths of wires are limited by 2.
5 Restricting the Lengths of Wires

A wire routing problem may involve constraints on the lengths of some of the 
wires — that is to say, on signal delays through them. The approach to wire 
routing proposed in this paper allows us to express such constraints by simple 
changes in the goal condition of the planning problem. 




Fig. 9. A solution to a routing problem with 2 wires. 



Consider, for instance, the solution to a routing problem with 2 wires shown in Fig. 9. This solution was found by CCALC when the problem was described as in Fig. 10. The length of Wire 1 in this solution is 10. To instruct CCALC to find a solution with the length of this wire limited by 8, we replace the goal in Fig. 10 with

  8: at(1,7,5),
  10: at(0,5,6).

The solution found by CCALC after this change is shown in Fig. 11.

We can also restrict the total length of all wires — a parameter that measures the overall quality of the solution. To this end, we need to introduce auxiliary fluents length(N,L) ("the current length of the path of Robot N equals L"). We assume that initially this length is 0, and postulate that move(N,D) causes it to increase by 1. Then the requirement that the combined length of Wires 0 and 1 be limited by maxTotalLength can be expressed by

  never (\/L0: \/L1: (length(0,L0) && length(1,L1) && L is L0+L1
                      && L >= maxTotalLength)).

The symbol \/ represents the existential quantifier (over a finite domain) and is expanded by CCALC into a finite disjunction.

    macros k -> 1;
           maxX -> 10;
           maxY -> 10;
           maxLength -> 14.

    include 'obstacles2.t'.
    include 'routing.t'.

    :- plan
    facts::
      0: (occupied(N,XC,YC) ->> at(N,XC,YC)),
      0: at(0,1,4),
      0: at(1,2,2);
    goal::
      10: (at(0,5,6) && at(1,7,5)).

Fig. 10. Input file for the problem from Fig. 9.

6 Spacing Constraints 

We say that two wires in a solution to a routing problem are adjacent if a segment of one of them and a segment of the other form two opposite sides of a unit square. In Fig. 2, for instance, Wires 0 and 1 are adjacent, and Wires 2 and 3 are adjacent. In this section we consider the problem of finding a wire routing without adjacent wires. This is a simple spacing constraint, interesting in view of its relation to the problem of avoiding signal interferences.

To describe adjacency, we introduce auxiliary fluents that represent the po- 
sitions of vertical and horizontal unit segments in the trajectory of every robot. 
Fluent in_v(N,XC,YC) holds if the part of the trajectory of Robot N constructed 
so far includes the segment connecting points (XC,YC) and (XC,YC+1). Initially, 
these fluents are identically false. They are affected by actions move (N, up) and 
move (N, down) as follows: 

  move(N,up) causes in_v(N,XC,YC) if at(N,XC,YC).
  move(N,down) causes in_v(N,XC,Y)
    if at(N,XC,YC) && Y is YC-1 && Y >= 0.

Once such a fluent becomes true, it remains true:

  caused in_v(N,XC,YC) after in_v(N,XC,YC).

Fluents in_h(N,XC,YC) describe the positions of horizontal segments in a similar 
way. 

Using these fluents, we can eliminate adjacent wires by postulating

  never in_h(N,XC,YC) && in_h(N1,XC,Y)
    && -(N=N1) && Y is YC+1 && YC < maxY.
  never in_v(N,XC,YC) && in_v(N1,X,YC)
    && -(N=N1) && X is XC+1 && XC < maxX.

Fig. 11. A solution to the problem from Fig. 9 with the length of Wire 1 limited by 8.

Fig. 12. A solution to a routing problem without adjacent wires.

Fig. 12 shows a solution to a routing problem, with adjacent wires prohibited, that was generated by CCALC on the basis of such a formalization. In this example, the run time of relsat was 156 seconds.



7 Discussion 

We showed how satisfiability planning can be applied to wire routing problems of several kinds. Action language C that we use to describe the effects of actions in the routing domain is much more expressive than older action description languages STRIPS and A (see [ref, Sections 3-6] for references and comparisons). Its expressivity is essential for our purposes.

CCALC transforms planning problems in the routing domains into proposi- 
tional satisfiability problems, and relsat serves as the search engine. In some of 
our experiments, propositional solver SATO was used instead of relsat. On 
some routing problems it performed much worse than relsat, and never much 
better. In our first example, for instance, relsat found a solution after about 
1 minute of computation, and SATO did not terminate after 2 hours. 

The new approach to wire routing always correctly determines whether a given problem is solvable, and it always produces a solution if it exists. Its other attractive feature is that some enhancements of the basic problem — in which lengths of wires and distances between them come into play — can be easily represented by modifying goals or by adding auxiliary fluents. The CCALC input files for all examples discussed in this paper include the same file routing.t describing the effects and executability of actions in the routing domain. In this sense, our representation method is similar to the work on elaboration tolerance described in [ref].

On the negative side, the size of the grid used in our examples is much too 
small for serious applications. Investigating the applicability of the new routing 
method to larger problems is a topic for future work. 

There are several other possible future directions that we can take. One is to extend the current approach to perform routing on multiple wiring layers. In this paper we only addressed planar routing (i.e., only one layer is available for wiring). Another direction is to consider more complex spacing constraints where adjacent wires are allowed but the total amount of adjacencies between each pair of wires should be bounded. This more general formulation captures the fact that a small number of adjacencies may not produce enough signal interference to affect circuit performance. Finally, we plan to investigate how to extend our new routing approach to solve the "global routing" problem, which is the problem of determining the connections between adjacent regions after a VLSI chip is decomposed into an array of smaller rectangular regions. The global routing problem resembles the routing problem we studied in this paper except that we would allow more than one wire to be placed on a grid edge.
Abstract. This work presents a new formal model for software config- 
uration. The configuration knowledge is stored in a configuration model 
that is specified using a rule-based language. The language has a com- 
plete declarative semantics analogous to the stable model semantics for 
normal logic programs. In addition, a new method to add diagnostic 
information in configuration models is presented. The main idea is to 
divide the configuration process into two stages. At the first stage the 
user requirements are processed to check whether there exist any suitable 
configurations in the configuration model. In the second stage unsatisfi- 
able requirements are diagnosed using a diagnostic model. The diagnostic 
model is constructed from the configuration model by adding a new set 
of atoms that represent the possible error conditions. The diagnostic out- 
put also explains why each problematic component was included in the 
configuration. As an example, a subset of the configuration problem for 
the Debian GNU/Linux system is formalized using the new rule-based 
language. Both configuration and diagnostic models of the problem are 
presented. The rule-language is implemented using an existing imple- 
mentation of the stable model semantics, the Smodels system. 



1 Introduction 

In a configuration problem, we have a complicated product that consists of 
different components, configuration objects, that may interact in complex ways. 
The collection of objects and relationships between them is called a configuration 
model. A configuration is a set of objects of the configuration model. There may 
also be a set of constraints imposed on the model that restrict the allowed object 
combinations. In a configuration process, we are given a configuration model and 
a set of user requirements and we want to find a configuration that satisfies the 
requirements. According to configurations can be divided into three classes: 

1. A valid configuration satisfies all constraints of the configuration model; 

2. A suitable configuration is a valid configuration that also satisfies all user 
requirements; and 
3. An optimal configuration is a suitable configuration that additionally satis- 
fies some optimality criteria. 

Most work that has been done in the configuration management field has focused on finding valid configurations, and a recent survey on different configuration methods can be found in [ref].

In this work we define a rule-based language RRL that can be used to express configuration knowledge. The RRL language allows the use of variables and it has a declarative semantics that is based on the stable model semantics for normal logic programs [ref]. The main advantage of a declarative semantics is implementation-independence. In a configuration system without a well-defined semantics, configurations are defined by the behavior of the configuration tool, and if the tool is changed the set of valid configurations of the system may also change. In addition, if there are no suitable configurations at all, we have to explain to the user why this is the case. This explanation is difficult to do if the configuration model does not have a well-defined semantics.

One major aim of this work is to closely examine the situation where the 
user requirements cannot be satisfied. In these cases it is not enough to decide 
that a suitable configuration does not exist but we also need to give the user 
a diagnostic explanation that points out the problems. The diagnostic output 
should have at least the following properties: 

1. the diagnosis should identify what components cause the problem; 

2. for each component that is a part of the problem, the diagnosis should include 

an explanation why it was necessary to take it in the configuration; and 

3. the diagnosis should be as concise as possible. 

The reason for the second property is that the end-user may want to include 
a pair of components that are not mutually exclusive by themselves but that 
depend on a pair of conflicting components. If the justification information is 
not added to the diagnostic model, the user may have a difficult time trying to 
find out why the configuration system wants to add some seemingly unrelated 
components in the configuration. 

The third property is important when configurations consist of thousands of 
components. If the diagnosis contains a lot of unessential information, the user 
will again have a difficult time trying to find the actual problem. 

In this work we will take the approach that we will construct two distinct 
models for the configuration system. A configuration model encodes the com- 
ponents and the relationships between them and the diagnostic information is 
stored in a diagnostic model. 

During a configuration task, we first try to find a configuration that satisfies the user requirements. If such a configuration exists, we can configure the system according to it. Otherwise, we know that we cannot choose the components in such a way that the resulting configuration is both valid and satisfies the user requirements, and we have to compute a diagnosis. We can do this by constructing an invalid configuration that satisfies all user requirements and explaining why it violates the constraints of the model. This process is illustrated in Figure 1.

Fig. 1. A conceptual flowchart of a configuration task



The main reason why the two models are separated is simplicity. We find it easier to construct a configuration model when we do not have to worry about adding diagnostic information to it. Similarly, a diagnostic model is easier to construct when we do not have to worry about false alarms that are caused by incompatible optional components. Another reason for separation is efficiency. It seems that the current implementation is more efficient when the models are separated, but the results are not conclusive and it is possible that there exists an efficient way to combine the data in one model.

As a practical example, we consider the configuration management problem of the Debian GNU/Linux system [ref]. Debian is a distribution of the GNU/Linux operating system and currently with version 2.1 it has over 2500 distinct software packages. A package may interact with several other packages in various ways.
A package may depend on functionality provided by another one, two packages 
may conflict with each other, or a package may recommend that another package 
is taken into a configuration whenever it is in it. The Debian distribution is an 
interesting case for configuration management for two main reasons: 

1. The relationships between software packages are explicitly described and 
they are collected in one place. It is possible to generate a configuration 
model of the system automatically from this information. 

2. The large number of software packages makes the configuration management 
of the Debian system a non-trivial task and if a formal method can handle 
it well, it can probably also handle other difficult cases. 

As it is not possible to model the configuration management of the Debian system completely in this work, we formalize only a small subset of it and concentrate on the diagnostic model. The whole system is modeled in [ref] with some preliminary evaluation results.



2 The Rule Language 

In this section, we introduce a declarative rule-based formal language RRL which is a subset of the language RL defined in [ref]. The language RL is based on a configuration rule language presented in [ref].
The basic language component is an atom of the form

  $p(a_1, \ldots, a_n)$   (1)

where p is a predicate symbol and $a_1$ to $a_n$ are all variables or constants. We will use the convention that all variables start with a capital letter and all constants with a lower case letter. A literal is either an atom a or its negation not a. A literal is a ground literal if it does not have any variables.

A truth valuation V is a set of ground atoms. A valuation assigns a truth value to each ground literal. If an atom a is in V, a is true in V, otherwise it is false. For negative literals the conditions are reversed. If an atom a is in V, the literal not a is false in V and vice versa.

We encode the relationships between atoms using inference rules that have two possible forms:

  $h \leftarrow l_1, \ldots, l_n$   (2)

  $\{h_1, \ldots, h_m\} \leftarrow l_1, \ldots, l_n$   (3)

where the atom h is the rule head and the literals $l_1, \ldots, l_n$ form the rule body. The rules of the form (2) are called basic rules and the rules of the form (3) are called choice rules. A basic rule with an empty rule body is called a fact. A ground instance of a rule is obtained by replacing all variables in it with constants. A RRL program is a set of rules.

The intuitive meaning of a basic rule is that if all literals in the rule body are true, the head atom also has to be true. If the body of a choice rule is true, we can include any subset of atoms $h_1, \ldots, h_m$ in our model. Strictly speaking, choice rules are not necessary as they could be replaced by adding a pair of rules of the form

  $h_i \leftarrow l_1, \ldots, l_n, \text{not } h'_i$
  $h'_i \leftarrow \text{not } h_i$   (4)

for each $1 \le i \le m$, where $h'_i$ is a new atom. However, using choice rules makes programs more compact and the syntax is easy to expand to handle cases where a specific number of atoms $h_1, \ldots, h_m$ has to be true when the body is true [ref].

Next we define the formal semantics of RRL. The definition is very similar to the stable model semantics for normal logic programs [ref]. The variables are handled by instantiating the rules with all possible constants that are used in the program and computing the stable models of the resulting program.

Definition 1. The Herbrand instantiation HI(P) of a RRL program P is the set of all ground instances of rules in P that can be constructed using constant symbols in P.

Example 1. Let $P = \{p(X) \leftarrow q(X);\ q(a) \leftarrow;\ q(b) \leftarrow\}$. The program HI(P) is now

  $HI(P) = \{p(a) \leftarrow q(a);\ p(b) \leftarrow q(b);\ q(a) \leftarrow;\ q(b) \leftarrow\}$   (5)
Definition 2. Given a ground RRL program P and a set of atoms M we construct the reduct $P^M$ by

1. replacing all choice rules

  $\{h_1, \ldots, h_m\} \leftarrow l_1, \ldots, l_n$

with the set

  $\{h_i \leftarrow l_1, \ldots, l_n \mid 1 \le i \le m \wedge h_i \in M\}$   (6)

of rules.

2. removing each rule that has a negative literal not a in its body where $a \in M$; and

3. removing all negative literals from the bodies of the remaining rules.

Example 2. Let $P = \{\{a\} \leftarrow \text{not } b,\ \{b\} \leftarrow \text{not } a\}$ and $M_1 = \{a\}$. Now we can construct the reduct

  $P^{M_1} = \{a \leftarrow\}$.

Similarly, if we set $M_2 = \emptyset$, the reduct $P^{M_2} = \emptyset$.

The reduct $P^M$ is a set of Horn clauses so it has a unique minimal model $MM(P^M)$ [ref]. If this minimal model coincides with M, we say that M is a stable model of P.



Definition 3. Given a RRL program P and a set of atoms M, M is a stable model of P if and only if $M = MM(HI(P)^M)$.



Example 3. Let $P = \{\{a\} \leftarrow \text{not } b,\ \{b\} \leftarrow \text{not } a\}$. Now P has three stable models, $M_1 = \{a\}$, $M_2 = \{b\}$, and $M_3 = \emptyset$. As we saw in Example 2, the reduct of P with respect to $M_1$ is $P^{M_1} = \{a \leftarrow\}$, which has the minimal model $\{a\}$ that coincides with $M_1$. On the other hand, $M_4 = \{a, b\}$ is a model of P in a propositional sense but it is not a stable model, as the reduct $P^{M_4} = \emptyset$ has an empty minimal model.



Theorem 1. Given a ground RRL program P the question whether there exists a stable model M of P is NP-complete.

Proof. The NP-hardness follows directly from the fact that the problem of existence of a stable model for a normal logic program is NP-complete [ref] and all normal logic programs are RRL programs.

If we guess the model M we can construct the reduct $P^M$ in linear time with respect to the number of literals in rule bodies, and the minimal model $MM(P^M)$ can be computed in linear time [ref]. This implies that the problem is in NP and thus it is NP-complete.
  {in(P)} ← package(P), justified(P)
  ← in(P1), depends(P1,P2), not in(P2)
  ← conflicts(P1,P2), in(P1), in(P2)
  ← user-include(P), not in(P)
  ← user-exclude(P), in(P)
  justified(P) ← user-include(P)
  justified(P2) ← depends(P1,P2), in(P1)
  justified(P2) ← recommends(P1,P2), in(P1)

Fig. 2. The simplified Debian configuration model CM



3 Configuring a Debian System 

In this section we formalize a small subset of the configuration management 
problem of the Debian GNU/Linux system. In particular, we will formalize only 
dependency, conflict, and recommendation relations of the system. We will leave 
out the package version information but we present the outline how it can be 
included in the model. 

A package A depends on a package B if A cannot be used at all if B is not installed. A package A conflicts with B if A will not operate when B is installed on the system. A package A recommends B if B enhances the functionality of A in a significant way. The recommendation relation brings the concept of optionality to the configuration model. If a package recommends another, we can choose to add the recommended package or we can leave it out. The complete formalization of the Debian configuration system is presented in [ref].

The Debian configuration model CM is constructed using the RRL language 
and it can be divided into two parts: 

1. a database that stores information about the packages and their relations as 
facts; and 

2. a set of inference rules that construct the valid configurations using the facts 
stored in the database. 

The software packages are modeled as constants in the database. For each package P we add a corresponding constant p to the program. The relations are modeled with predicates; for example, if a package P1 depends on P2, the atom depends(P1, P2) is added as a fact to the program. The inference rules that form the core of the configuration model are presented in Figure 2.

As a Debian configuration is essentially a set of packages, we will use the 
predicate in(P) to denote that the package P is chosen to be in the configuration. 
Thus, valid configurations of a configuration model correspond to the stable 
models of the RRL program. 
The user requirements can be modeled using two predicates, user-include(P) and user-exclude(P). A set U of user requirements is a set of facts of the form

user-include(P) ← and
user-exclude(P) ←

where user-include(P) ∈ U if the user explicitly selected P to be in the configuration, and user-exclude(P) ∈ U when the user wants to ensure that P is not in the configuration.

Definition 4. Given a Debian configuration model CM, a set U of user requirements, and a stable model M of CM ∪ U, a Debian configuration C_M is the set of packages

C_M = {P | in(P) ∈ M} . (7)

We want the configurations to be compact. They should contain the user 
selected packages and the packages they depend on and nothing more. Addi- 
tionally, if a package is recommended by some package in the configuration, it 
may be included in the configuration but it may also be left out. We encode this 
principle by using the predicate justified(P) which is true in a stable model if the 
package P has some reason to be in a configuration. 

The basic rule of the configuration model is that a package may be added to 
a configuration if and only if it can be justified: 

{ in(P) } ← justified(P), package(P) . (8)

The predicate package(P) is added to the rule body to ensure that only available 
packages may be added to the configuration. 

It is an error if a package P1 is in a configuration but one of its dependencies is not satisfied:

← in(P1), depends(P1, P2), not in(P2) . (9)

We may not have two conflicting packages in one configuration:

← conflicts(P1, P2), in(P1), in(P2) . (10)

If the user made an explicit choice regarding a package P, the choice must be adhered to:

← user-include(P), not in(P) (11)
← user-exclude(P), in(P) . (12)

A package is justified if either the user selected it, some package that has to be in the configuration depends on it, or some included package recommends it:

justified(P) ← user-include(P) (13)
justified(P2) ← depends(P1, P2), in(P1) (14)
justified(P2) ← recommends(P1, P2), in(P1) . (15)
[Figure 3 (diagram not reproduced): nodes mail-reader1, mail-reader2, mail-extension and mail-transport-agent; edge legend: dependency, conflict, recommendation.]

Fig. 3. The relationships between packages in Example 4



As an example we consider a simple system that consists of four different packages. There are two different mail reader packages (mail-reader1 and mail-reader2) that are mutually exclusive, and both of them need an installed mail transport agent (mail-transport-agent) package to work correctly. In addition, mail-reader1 recommends an extension package mail-extension that does not work without mail-reader1. The relationships between the packages are shown in Figure 3 and the facts that encode the relationships are presented in Table 1.

Example 4. Suppose that the user selects the mail-reader1 package by adding the atom user-include(mail-reader1) as a fact to the program.

We can conclude by rules (13) and (11) that the atoms justified(mail-reader1) and in(mail-reader1) have to be in the stable model of the program. As mail-reader1 has to be in a configuration, we can justify mail-transport-agent by (14) and mail-extension by (15). The last package, mail-reader2, cannot be justified. We now have two justified packages that we can include in the configuration by the rule (8). The rule (9) forces us to add in(mail-transport-agent) to the model. The only choice we have left is whether to add the mail-extension package or not. Thus, we have two suitable configurations C1 and C2:

C1 = { in(mail-reader1), in(mail-transport-agent), in(mail-extension) }
C2 = { in(mail-reader1), in(mail-transport-agent) }

Example 5. Suppose that the user decided to have the mail-extension package and wants to use it with mail-reader2. These requirements are modeled by adding the facts user-include(mail-extension) and user-include(mail-reader2) to the program.



Table 1. The facts used to encode Example 4

package(mail-reader1)            depends(mail-reader1, mail-transport-agent)
package(mail-reader2)            depends(mail-reader2, mail-transport-agent)
package(mail-extension)          depends(mail-extension, mail-reader1)
package(mail-transport-agent)    conflicts(mail-reader1, mail-reader2)
                                 recommends(mail-reader1, mail-extension)
Now, by (11) both in(mail-extension) and in(mail-reader2) have to be in the model, and by (9) the atom in(mail-reader1) has to be in the model as well, since mail-extension depends on it. This leads to a contradiction with in(mail-reader2) by (10). As a consequence, we do not have any suitable configurations.
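As an added example (not code from the paper and not part of smodels), the following Python program implements Definition 3 and the guess-and-check argument of the proof of Theorem 1 for ground programs, and grounds rules (8) to (15) of CM over the facts of Table 1; it reproduces Examples 3, 4 and 5. The tuple encoding of atoms, the hand-written grounder and all function names are assumptions of this example.

```python
"""Stable models of the simplified Debian configuration model CM (Fig. 2).

Added example; not code from the paper or from the smodels system. Ground
rules are built directly from the package facts, and stable models are found
by the guess-and-check scheme of the proof of Theorem 1: guess M, build the
reduct P^M, compute its minimal model and accept M iff the two coincide
(Definition 3) and no constraint is violated.
"""
from itertools import combinations


class Rule:
    """Ground rule head <- pos, not neg. head None is a constraint;
    choice=True encodes a choice rule {head} <- pos, not neg."""

    def __init__(self, head, pos=(), neg=(), choice=False):
        self.head, self.choice = head, choice
        self.pos, self.neg = frozenset(pos), frozenset(neg)


def ground_cm(packages, depends, conflicts, recommends, include, exclude):
    """Hand-grounder for rules (8)-(15) over the given facts; atoms are tuples."""
    facts = ({('package', p) for p in packages}
             | {('depends', a, b) for a, b in depends}
             | {('conflicts', a, b) for a, b in conflicts}
             | {('recommends', a, b) for a, b in recommends}
             | {('user-include', p) for p in include}
             | {('user-exclude', p) for p in exclude})
    rules = [Rule(f) for f in facts]
    for p in packages:
        rules.append(Rule(('in', p), [('package', p), ('justified', p)], choice=True))  # (8)
        rules.append(Rule(None, [('user-include', p)], [('in', p)]))                  # (11)
        rules.append(Rule(None, [('user-exclude', p), ('in', p)]))                    # (12)
        rules.append(Rule(('justified', p), [('user-include', p)]))                   # (13)
    for p1, p2 in depends:
        rules.append(Rule(None, [('in', p1), ('depends', p1, p2)], [('in', p2)]))     # (9)
        rules.append(Rule(('justified', p2), [('depends', p1, p2), ('in', p1)]))      # (14)
    for p1, p2 in conflicts:
        rules.append(Rule(None, [('conflicts', p1, p2), ('in', p1), ('in', p2)]))     # (10)
    for p1, p2 in recommends:
        rules.append(Rule(('justified', p2), [('recommends', p1, p2), ('in', p1)]))   # (15)
    return rules


def reduct(rules, m):
    """P^M: drop rules whose negative body meets M and the 'not' part of the rest;
    a choice rule survives (as a definite rule) only if its head was guessed into M."""
    return [(r.head, r.pos) for r in rules
            if r.head is not None and not (r.neg & m) and (not r.choice or r.head in m)]


def minimal_model(definite):
    """Least fixpoint of T_P for definite rules (head, positive body)."""
    m, changed = set(), True
    while changed:
        changed = False
        for head, pos in definite:
            if head not in m and pos <= m:
                m.add(head)
                changed = True
    return m


def violated(rules, m):
    """A constraint <- pos, not neg is violated by M if pos <= M and neg misses M."""
    return any(r.head is None and r.pos <= m and not (r.neg & m) for r in rules)


def stable_models(rules):
    """All M with M = MM(P^M): guess over the atoms that some non-fact rule derives."""
    facts = {r.head for r in rules if r.head is not None and not (r.pos or r.neg)}
    guessable = sorted({r.head for r in rules if r.head is not None and (r.pos or r.neg)})
    models = []
    for k in range(len(guessable) + 1):
        for guess in combinations(guessable, k):
            m = facts | set(guess)
            if minimal_model(reduct(rules, m)) == m and not violated(rules, m):
                models.append(frozenset(m))
    return models


def configurations(rules):
    """Definition 4: C_M = {P | in(P) in M}, one sorted list per stable model."""
    return sorted(sorted(a[1] for a in m if a[0] == 'in') for m in stable_models(rules))


# Facts of Table 1, the paper's four-package example system.
PACKAGES = ['mail-reader1', 'mail-reader2', 'mail-extension', 'mail-transport-agent']
DEPENDS = [('mail-reader1', 'mail-transport-agent'),
           ('mail-reader2', 'mail-transport-agent'), ('mail-extension', 'mail-reader1')]
CONFLICTS = [('mail-reader1', 'mail-reader2')]
RECOMMENDS = [('mail-reader1', 'mail-extension')]


def example3():
    """Example 3: {a} <- not b, {b} <- not a has the stable models {}, {a}, {b}."""
    rules = [Rule('a', neg=['b'], choice=True), Rule('b', neg=['a'], choice=True)]
    return sorted(sorted(m) for m in stable_models(rules))


def example4():
    """User includes mail-reader1: two configurations, with and without mail-extension."""
    return configurations(ground_cm(PACKAGES, DEPENDS, CONFLICTS, RECOMMENDS,
                                    ['mail-reader1'], []))


def example5():
    """User includes mail-extension and mail-reader2: no configuration at all."""
    return configurations(ground_cm(PACKAGES, DEPENDS, CONFLICTS, RECOMMENDS,
                                    ['mail-extension', 'mail-reader2'], []))
```

The enumeration over all subsets of the derivable atoms is exactly the exponential "guess" of the NP membership argument; only the check (reduct plus least fixpoint) is polynomial, which is why a real system such as smodels replaces the enumeration by search with pruning.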

The main weakness of the configuration model presented above is that it does not model the version information of the system. This would be unacceptable in real applications, so we need a way to extend the model. We present here only a brief outline of the extension; the details can be found elsewhere.

We associate different versions of a package together using the predicate 
available-version(P, V) that is true when a version V of a package P is present in 
the configuration model. The predicate in is divided into two cases: 

1. An atom in(P, V) is true exactly when a version V of P is chosen to be in the 
configuration; and 

2. An atom in(P) is true when any version of P is in the configuration. 

The relationships between packages may be parametrized with version numbers. For example, a package P may depend on Q version V or later. These kinds of dependencies can be modeled using atoms of the form depends(P, Q, Op, V), where Op is the corresponding relational operator. We then add rules that ensure that at least one compatible version of Q is in the configuration when P is in it. These rules may be expressed compactly by extending the language to allow cardinality literals of the form

L ≤ {l1, ..., ln} ≤ U (16)

where L and U are integral lower and upper bounds, respectively, and l1, ..., ln are literals. The intuition is that a cardinality literal is satisfied when the number of satisfied literals among l1, ..., ln is between L and U, inclusive. Using cardinality literals the dependency constraint can be expressed as

← 0 ≤ {in(P2, V) : available-version(P2, V) : V ≥ V2} ≤ 0, depends(P1, P2, ≥, V2), in(P1) (17)

where in(P2, V) : available-version(P2, V) : V ≥ V2 denotes the set of atoms in(P2, V) for the available versions V ≥ V2 of P2, i.e. the versions that may potentially satisfy the dependency. The constraint thus rejects every model in which P1 is in the configuration but none of the compatible versions of P2 is. This set can be computed automatically during instantiation of the logic program.

4 The Diagnostic Model 

We will construct the diagnostic model DM by adding a new set of atoms 
that represent the potential error conditions and explanations. We modify the 
constraints in such way that the diagnostic model will always have at least one 
stable model. The new atoms that are true in a stable model will then identify 
a set of errors in the requirements and give an explanation why this is the case. 
The new atoms can be divided into three classes: 
in(P2) ← in(P1), depends(P1, P2), package(P2)
missing(P2) ← in(P1), depends(P1, P2), not package(P2)
in(P) ← user-include(P), package(P)
missing(P) ← user-include(P), not package(P)
in-conflict(P1, P2) ← conflicts(P1, P2), in(P1), in(P2)
in-conflict(P, user-exclude) ← in(P), user-exclude(P)
needs-reason(P) ← missing(P)
needs-reason(P1) ← in-conflict(P1, P2), package(P1)
needs-reason(P2) ← in-conflict(P1, P2), package(P2)
needs-reason(P1) ← depends(P1, P2), needs-reason(P2), in(P1)
user-selected(P) ← needs-reason(P), user-include(P)
needs(P1, P2) ← needs-reason(P2), depends(P1, P2), in(P1)

Fig. 4. The simplified Debian diagnostic model DM



1. Atoms that denote error conditions. We will use the predicates missing(P) and in-conflict(P1, P2) for this purpose.

2. Atoms that mark the packages that are in some way part of the problem and thus need an explanation. The predicate needs-reason(P) is used for this.

3. Atoms that explain why certain packages were taken into the configuration. The predicates user-selected(P) and needs(P1, P2) are used for this purpose.

Using these predicates we can define a Debian diagnosis formally. 

Definition 5. Given a Debian diagnostic model DM and a set U of user requirements, a diagnosis D is a four-tuple D = (M, E_M, P_M, R_M), where

1. M is a stable model of DM ∪ U;

2. E_M is the error set

E_M = {missing(P) ∈ M} ∪ {in-conflict(P1, P2) ∈ M} ; (18)

3. P_M is the problem set

P_M = {P | needs-reason(P) ∈ M} ; and (19)

4. R_M is the explanation set

R_M = {user-selected(P) ∈ M} ∪ {needs(P1, P2) ∈ M} . (20)

The new program may have more than one diagnosis if there is more than one way to break the constraints. Each diagnosis corresponds to a set of choices that leads to a contradiction. When diagnosing a problem it is often enough to examine only one model: if all possible choices we can make lead to a contradiction, it does not matter much which particular set of choices we examine. However, the diagnosis should prefer conflicts over missing packages. The following example shows why this is necessary.
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Example 6. Consider the situation where the user wants to have packages A and 
B in a configuration. The package A needs to have either C or D to work but 
both C and D conflict with B. 

There are three ways to invalidate the constraints. If we add C in the con- 
figuration, it is in conflict with B. The same thing happens if we add D. If we 
leave both out the dependency relation is not satisfied. 

The first two cases give us more information than the third one. In both of 
them we notice the real problem is that including both packages A and B in 
same configuration leads to a conflict. In the third case we only notice that A 
does not have its dependencies satisfied but we cannot directly see what caused 
the problem. 

The first modification to the configuration model is that we remove the rule (15), because we want the diagnosis to contain only those packages that have to be there, so that it will be as small as possible. In addition, this ensures that no false alarms are caused by adding unnecessary recommended packages to the configuration.



4.1 Missing Packages 

We will use the atom missing(P) to denote that some package in the configuration depends on P but for some reason P is not in the configuration. As we take the approach that we add all necessary packages to a configuration, a package may be missing only if it is not present in the configuration model at all. We replace the rule (9) of the configuration model with the pair of rules

in(P2) ← in(P1), depends(P1, P2), package(P2) (21)
missing(P2) ← in(P1), depends(P1, P2), not package(P2) . (22)

The rule (21) ensures that existing packages are added to the model and the rule (22) marks non-existing packages as missing. In addition, it may be the case that a package the user explicitly included in the configuration is not available. To handle this situation we replace the rule (11) with the rules

in(P) ← user-include(P), package(P) (23)
missing(P) ← user-include(P), not package(P) . (24)



4.2 Conflicts 

We will use the predicate in-conflict to model conflicts. We define the atom in-conflict(P1, P2) to be true exactly when P1 and P2 conflict with each other and they both have to be in the configuration.

In the diagnostic model we replace the rule (10) with

in-conflict(P1, P2) ← conflicts(P1, P2), in(P1), in(P2) . (25)
We must also handle the case where the user wants to leave out a package that some other package needs. We will use a special constant user-exclude and the rule

in-conflict(P, user-exclude) ← in(P), user-exclude(P) (26)

to model these cases.

4.3 Justifications 

When a package is missing from a configuration or two packages are in conflict, 
we would like to know why the problematic packages are necessary. In the base 
case a package is necessary if the user chose it to be in the configuration. A 
package is also necessary if some mandatory package depends on it. 

We will use the predicate needs-reason to mark the atoms that we want to justify. We can find the explanations by first marking the packages that directly cause the problems and then recursively marking all packages that depend on marked packages and are present in the configuration. This can be accomplished with four rules:

needs-reason(P) ← missing(P) (27)
needs-reason(P1) ← in-conflict(P1, P2), package(P1) (28)
needs-reason(P2) ← in-conflict(P1, P2), package(P2) (29)
needs-reason(P1) ← depends(P1, P2), needs-reason(P2), in(P1) . (30)



We model the justifications using two predicates, user-selected and needs. The atom user-selected(P) is true when the user chose P to be in the configuration and the atom needs(P1, P2) is true if P2 was included in the configuration because P1 depends on it. The justifications can be modeled with the following two rules:

user-selected(P) ← needs-reason(P), user-include(P) (31)
needs(P1, P2) ← needs-reason(P2), depends(P1, P2), in(P1) . (32)



Example 7. Reconsider the situation that was presented in Example 5. By the rule (23) we have to include both atoms in(mail-reader2) and in(mail-extension) in the model, and (21) adds the atoms in(mail-reader1) and in(mail-transport-agent). By (25) we include the atom in-conflict(mail-reader1, mail-reader2) in the model.

As we have a conflict, we want to find the reason for it. By rules (28) and (29) we know that needs-reason(mail-reader1) and needs-reason(mail-reader2) are in the model. Using the rule (30) we see that we have to find a reason for mail-extension, also, since it depends on mail-reader1.

By using the rule (31) we get the explanations user-selected(mail-extension) and user-selected(mail-reader2). We get the justification for the last package by using the rule (32) to find that needs(mail-extension, mail-reader1) has to be in the model. Nothing else has to be included in the model, so we now have the full diagnosis:

E = {in-conflict(mail-reader1, mail-reader2)}
P = {mail-reader1, mail-reader2, mail-extension}
R = {user-selected(mail-reader2), user-selected(mail-extension), needs(mail-extension, mail-reader1)} .
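The diagnostic model DM, run as an added example (not the paper's code). Since DM has no choice rules and uses `not` only on the package(P) facts, its stable model is unique and is the least fixpoint of rules (21) to (32); the program below computes it by forward chaining over the facts of Table 1 and returns the triple (E_M, P_M, R_M) of Definition 5. It reproduces Example 7 and, going one step beyond the text, the user-exclude case of rule (26). Function names are assumptions of this example, and any requirement set other than that of Example 5 is constructed input.

```python
"""Diagnosis with the simplified Debian diagnostic model DM (Fig. 4).

Added example, not the paper's code. DM contains no choice rules and uses
'not' only on the package(P) facts, so it has exactly one stable model,
the least fixpoint of rules (21)-(32). We compute it by forward chaining
and read off the diagnosis (E_M, P_M, R_M) of Definition 5.
"""

# Facts of Table 1 (the paper's example system); recommends is not used by DM.
PACKAGES = ['mail-reader1', 'mail-reader2', 'mail-extension', 'mail-transport-agent']
DEPENDS = [('mail-reader1', 'mail-transport-agent'),
           ('mail-reader2', 'mail-transport-agent'), ('mail-extension', 'mail-reader1')]
CONFLICTS = [('mail-reader1', 'mail-reader2')]


def diagnose(packages, depends, conflicts, include, exclude):
    """Return (errors E_M, problem set P_M, explanations R_M) for the requirements."""
    pk, dep, conf = set(packages), set(depends), set(conflicts)
    inc, exc = set(include), set(exclude)
    inset, missing, in_conflict = set(), set(), set()
    needs_reason, user_selected, needs = set(), set(), set()
    sets = (inset, missing, in_conflict, needs_reason, user_selected, needs)

    def step():
        """One round over all rules; True if any atom was newly derived."""
        size = sum(map(len, sets))
        for p in inc:                                   # (23), (24)
            (inset if p in pk else missing).add(p)
        for p1, p2 in dep:                              # (21), (22)
            if p1 in inset:
                (inset if p2 in pk else missing).add(p2)
        for p1, p2 in conf:                             # (25)
            if p1 in inset and p2 in inset:
                in_conflict.add((p1, p2))
        for p in exc & inset:                           # (26), special constant
            in_conflict.add((p, 'user-exclude'))
        needs_reason.update(missing)                    # (27)
        for p1, p2 in in_conflict:                      # (28), (29)
            needs_reason.update(q for q in (p1, p2) if q in pk)
        for p1, p2 in dep:                              # (30), (32)
            if p2 in needs_reason and p1 in inset:
                needs_reason.add(p1)
                needs.add((p1, p2))
        user_selected.update(needs_reason & inc)        # (31)
        return sum(map(len, sets)) != size

    while step():                                       # iterate to the fixpoint
        pass
    errors = ({('missing', p) for p in missing}
              | {('in-conflict',) + c for c in in_conflict})
    explanations = ({('user-selected', p) for p in user_selected}
                    | {('needs',) + n for n in needs})
    return errors, set(needs_reason), explanations


def example7():
    """Requirements of Example 5: include mail-extension and mail-reader2."""
    return diagnose(PACKAGES, DEPENDS, CONFLICTS, ['mail-extension', 'mail-reader2'], [])


def excluded_dependency():
    """Constructed case for rule (26): include mail-reader1, exclude its transport agent."""
    return diagnose(PACKAGES, DEPENDS, CONFLICTS, ['mail-reader1'], ['mail-transport-agent'])
```

Because every rule only adds atoms and the negative literals refer to facts fixed before the iteration starts, the rounds are monotone and terminate after at most as many rounds as there are derivable atoms; the explanation chain of rule (30) is what links a conflict on a low-level package back to the user-selected package that pulled it in.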

5 Implementation 

The configuration and diagnostic models have been implemented as extended logic programs using the Smodels system developed in the Laboratory for Theoretical Computer Science at Helsinki University of Technology. The smodels system is available at

http://www.tcs.hut.fi/pub/smodels

The models described in this work are available at

http://www.tcs.hut.fi/~tssyrjan/configuration/

There have been some preliminary tests on the full Debian configuration model; the results are presented elsewhere. The model was generated using
actual data from Debian version 2.1 with 2260 different packages. The model 
was tested by generating a random set of user requirements and measuring the 
time that was used to either find a suitable configuration or a diagnosis. The 
tests were run on a 233 MHz Intel Pentium II with 128 MB of main memory. 
The compilation of the model took approximately 13 seconds and after that a 
valid configuration could be found in about 2 seconds. The results were similar 
for the diagnostic model. 

The models are not yet incorporated into a concrete configuration tool but 
the test results give hope that it would be possible to use this approach also in 
practice. 

6 Conclusions and Future Work 

We presented a method to add diagnostic information to configuration models 
that are defined using a rule-based language RRL. The approach was to divide 
the configuration task into two phases. In the first phase we try to find a configu- 
ration that satisfies the user requirements. If one is found, the configuration task 
is completed. Otherwise, in the second phase we diagnose the user requirements 
trying to find an explanation why they are unsatisfiable. 

We generate the diagnostic model by adding a new set of atoms to the configuration model to represent the possible error conditions and modify the rules to ensure the diagnostic model has always at least one stable model whatever the user requirements are. The new atoms that are true in the diagnosis identify a set of errors in the requirements. In addition, the diagnosis also contains explanations that tell for each component that is related to an error the reason why it has to be in the configuration.

We modeled a part of the configuration management problem of the Debian 
GNU/Linux system using RRL. Both configuration and diagnostic models were 
constructed. The configuration objects were distinct software packages that may 
depend on, conflict with, or recommend each other. The models were simplified 
and the problem of version management was addressed only briefly. 

There were two possible error types for user requirements in the Debian 
configuration model. The first one was that necessary packages might be missing 
from the configuration. The second one was that two conflicting packages might 
be in a configuration. We defined the diagnostic model in such way that conflicts 
were preferred over missing packages because they give more information to the 
user: if a package is left out because it otherwise would cause a conflict, the user 
would notice only the absence of the package but the real cause would not be 
apparent. 

The explanations are generated by marking all packages that are missing or 
in conflict with another one as problematic packages. In addition, all packages 
that depend on the problematic packages are marked, too. This is done because 
it is possible that the problems arise because some otherwise unrelated packages 
depend on conflicting packages. 

The full configuration model for the Debian system is presented elsewhere. The model has not been incorporated into any existing tool, and the next step of this research is to construct a simple back-end that can be used for further testing in a real environment. If the results are still promising, the model can be integrated with an existing Debian configuration tool.
Abstract. This paper studies the expressive powers of classes of logic programs that are obtained by restricting the number of positive literals (atoms) in the bodies of the rules. Three kinds of restrictions are considered, giving rise to the classes of atomic, unary and binary logic programs. The expressive powers of these classes of logic programs are compared by analyzing the existence of polynomial, faithful, and modular (PFM) translation functions between the classes. This analysis leads to a strict ordering of the classes of logic programs. The main result is that binary and unary rules are strictly more expressive than unary and atomic rules, respectively. This is the case even if we consider normal logic programs where negative literals may appear in the bodies of rules. Practical implications of the results are discussed in the context of a particular implementation technique for the stable model semantics of normal logic programs, namely contrapositive reasoning with rules.



1 Introduction 

In logic programming a simple rule-based language is used for knowledge representation in a declarative fashion. To enhance the knowledge representation capabilities of logic programs, Clark proposed a form of negation, namely negation as failure to prove. Logic programs that involve negation as failure are known as normal logic programs. Unfortunately, it turned out that it is difficult to incorporate the negation as failure principle into resolution theorem provers (c.f. SLDNF-resolution) in a satisfactory way. For example, the order in which rules are considered by the resolution procedure affects the answers to the queries. This feature makes logic programming with negation as failure less declarative and dependent on the implementation of the resolution procedure.

About a decade later, Gelfond and Lifschitz proposed a solution to this problem: the stable model semantics for normal logic programs. In this approach, negative literals in rules are interpreted simultaneously, which restores the declarative nature of programming with rules. Moreover, the emphasis is more on computing complete models (or answer sets) for logic programs rather than using a resolution procedure for query answering. Nowadays, stable model semantics is considered as a constraint programming paradigm of its own.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 852 ff., 2000.

© Springer- Verlag Berlin Heidelberg 2000 



Comparing Expressive Powers 853 



The success of the stable model semantics is much due to implementation techniques that have dramatically improved during the past decade. The basic technique is to use well-founded models as approximations in the branch and bound approach. However, it is possible to refine well-founded models in order to obtain even tighter approximations. For instance, Niemelä and Simons use additional principles in their implementation (known by the name smodels). One such principle uses rules contrapositively: assuming that the atom a in the head of a rule a ← a1, ..., an is false in a stable model (being constructed), then one of the atoms a1, ..., an in the body must also be false in the model. In particular, this principle becomes effective when n = 1 or when a2, ..., an are known to be true in the model, for instance. Then the fact that a1 is false in the model follows immediately and refines the approximation a bit. This suggests that we could facilitate the use of this principle if we could somehow reduce the number of atoms that appear in the bodies of rules. These considerations lead to the fundamental question whether such a reduction is possible in the first place.

This paper answers this question by analyzing the expressive powers of classes of logic programs that are obtained by limiting the number of positive literals (atoms) in the bodies of rules. Comparisons are based on the existence of polynomial, faithful and modular (PFM) translation functions between these classes. We proceed as follows. We begin in Section 2 by presenting the basic notions of logic programs: syntax and semantics. After this, three central properties of translation functions are distinguished in Section 3 and the comparison method of the paper is explained. PFM translation functions are used in Section 4 to compare the relative expressive powers of the classes of logic programs. Section 5 generalizes the results of the previous section to cover normal logic programs, too. Some comparisons with related work are performed in Section 6. Finally, we present our conclusions in Section 7. In particular, the practical implications of our results on contrapositive reasoning with rules are discussed (c.f. the preceding discussion). Guidelines for future work are also sketched.



2 Logic Programs 

A logic program P is a set of rules of the form

a ← a1, ..., an. (1)

The atom a is called the head of the rule while the atoms a1, ..., an form the body of the rule. The informal intuition behind the rule (1) is that the head a can be inferred by the rule whenever the atoms a1, ..., an in the body of the rule have been inferred. The Herbrand base Hb(P) of P is the set of atoms that appear in P. In this paper, we restrict to the propositional case and consider only programs that consist of propositional atoms.¹

¹ Programs with variables are also covered through Herbrand instantiation.
2.1 Syntactic Restrictions

As a preparation for the forthcoming analysis, we distinguish classes of logic programs that are restricted by syntax. A rule of the form (1) is called atomic, unary or binary, if n = 0, n ≤ 1 or n ≤ 2, respectively. Moreover, a rule is strictly unary if n = 1, i.e. it is unary and not atomic. Strictly binary rules are defined analogously, i.e. n = 2. We extend these conditions to cover logic programs in the obvious way: a logic program P satisfies any of these five conditions given that every rule of P satisfies the condition. For instance, a strictly unary logic program contains only rules of the form a ← b. By these definitions, atomic programs are unary ones and unary programs are binary ones. This is how we obtain three classes of logic programs ordered by inclusion: 𝒜 ⊆ 𝒰 ⊆ ℬ. Outside these three classes, there are non-binary logic programs that contain at least one rule (1) with n > 2. Such programs belong to the class of all logic programs 𝒫 which is a superclass of the classes 𝒜, 𝒰 and ℬ.

2.2 Semantics 

We resort to the standard model-theoretic semantics of logic programs that applies to all programs of 𝒫. An interpretation I ⊆ Hb(P) of a logic program P determines which atoms of Hb(P) are true. A rule a ← a1, ..., an of P is satisfied by I if {a1, ..., an} ⊆ I implies a ∈ I. An interpretation M ⊆ Hb(P) is a model of P given that every rule of P is satisfied by M. The semantics of P is determined by the unique minimal model M of P, which is the intersection of all models of P. We let Mm(P) stand for this particular model. This semantics coincides with our intuition on rules, i.e. the minimal model Mm(P) contains exactly those atoms of Hb(P) that can be inferred by using the rules of P recursively. Let us also note the obvious monotonicity property of minimal models: if P ⊆ P', then Mm(P) ⊆ Mm(P').

The minimal model Mm(P) can be constructed iteratively as follows. Define an operator T_P for sets of atoms A ⊆ Hb(P) by setting

T_P(A) = {a ∈ Hb(P) | a ← a1, ..., an ∈ P and {a1, ..., an} ⊆ A}.

The iteration sequence of T_P is defined as follows: T_P^0(A) = A, T_P^{i+1}(A) = T_P(T_P^i(A)) for i ≥ 0, and the limit T_P^ω(A) = ∪_{i<ω} T_P^i(A). It follows that Mm(P) = T_P^ω(∅) = lfp(T_P, ∅). Note that this fixed point is reached with a finite number of iterations if P is finite. Moreover, we use the iterative construction to define the level of an atom a ∈ Mm(P), denoted by l(a), which is the least natural number i such that a ∈ T_P^i(∅).

3 Translations 

The author has analyzed the expressive powers of non-monotonic logics in a systematic fashion, extending previous work by Imielinski and Gottlob.

Roughly speaking, the comparison is performed for any pair of non-monotonic 
logics by analyzing the existence of certain kinds of translation functions between the logics. As a result of such pairwise comparisons, we have gradually constructed the expressive power hierarchy (EPH) of non-monotonic logics.

In this paper, we propose a similar framework to compare the expressive powers of classes C of logic programs. Our basic assumptions on any class C of logic programs are the following. First of all, the class C is supposed to be closed under unions, i.e. given any two programs P and P' from C, then also P ∪ P' belongs to C. On the other hand, it is assumed that C has a semantic operator Sem_C associated with it. The operator Sem_C assigns a set of interpretations I ⊆ Hb(P) to each program P of C. Typically, these interpretations are models of P or partial models of P that can be extended to (total) models of P. It is clear that each of the classes C introduced in Section 2 satisfies these criteria: the semantics assigned by the semantic operator is Sem_C(P) = {Mm(P)}.

Let us then list general requirements for a translation function Tr that transforms logic programs P of a class C into logic programs Tr(P) of another class C'. The latter class is assumed to be a subclass or a superclass of C. We let ||P|| stand for the length of P in symbols.

Definition 1. Given two classes of logic programs C and C' that are closed under unions and the respective semantic operators Sem_C and Sem_C', a translation function Tr : C → C' is

— polynomial if for all logic programs P ∈ C, the time required to compute the translation Tr(P) ∈ C' is polynomial in ||P||,

— faithful if (i) for all logic programs P ∈ C, the base Hb(P) ⊆ Hb(Tr(P)) and (ii) the models/interpretations in Sem_C(P) and Sem_C'(Tr(P)) are in a one-to-one correspondence and coincide up to Hb(P), and

— modular if (i) for all logic programs P1 ∈ C and P2 ∈ C, the translation Tr(P1 ∪ P2) = Tr(P1) ∪ Tr(P2) and (ii) C' ⊆ C implies that the translation Tr(P') = P' for all logic programs P' ∈ C'.

A couple of remarks are worthwhile. The faithfulness requirement implies that a translation function Tr may introduce new atoms, but the number of such atoms is clearly bounded by the polynomiality requirement. This is a crucial option (c.f. the theorems below). Let us also note that if Tr is faithful, then Sem_C(P) = {M ∩ Hb(P) | M ∈ Sem_C'(Tr(P))} holds. The intuition behind the modularity condition is as follows. Part (i) enforces locality of Tr, since the translation of a program P1 ∪ P2 is obtained as the union of the translations of the subprograms P1 and P2. This implies that programs can be translated rule by rule. Part (ii) handles cases where programs of a class C are translated into programs in a proper subclass C' of C. Such a class C' is typically obtained by restricting the syntax of the rules of the programs in C. In this setting, we require that syntactically restricted rules remain intact in the translation. Note that whenever C' ⊆ C holds, the joint effect of (i) and (ii) is that Tr(P' ∪ P) = P' ∪ Tr(P) holds for all logic programs P' ∈ C' and P ∈ C.

We say that a translation function Tr : C → C' is PFM if it satisfies all three criteria. If such a translation function exists, we write C ≤_PFM C' and consider C' at least as expressive as C. In certain cases, we are able to construct a counter-example which shows that a translation function satisfying our criteria does not exist. We use the notation C ≰_PFM C' in such cases, and we may also drop any of the three letters (referring to the three criteria) given that the corresponding criterion is not needed in the counter-example (note that, e.g., C ≰_FM C' implies C ≰_PFM C').

The base relations ≤_PFM and ≰_PFM among classes of logic programs form the cornerstones of our classification method, giving rise to the relations given in Table 1. By these relations, we have accommodated the method proposed for non-monotonic logics to the case of logic programs. The frameworks are analogous, but different. Most importantly, the semantics of a non-monotonic theory is determined by a set of extensions (propositionally closed theories) while the semantics of a logic program is determined by a set of interpretations/models.

Table 1. Relations used by the classification method

Relation        Definition                          Explanation
C <_PFM C'      C ≤_PFM C' and C' ≰_PFM C           C is less expressive than C'
C =_PFM C'      C ≤_PFM C' and C' ≤_PFM C           C and C' are equally expressive
C ≠_PFM C'      C ≰_PFM C' and C' ≰_PFM C           C and C' are mutually incomparable

4 Expressive Power Analysis 

In this paper, we analyze classes of logic programs $\mathcal{C}'$ that are obtained from
other classes $\mathcal{C}$ by restricting the syntax of the rules while the semantics of the
programs remains unchanged. This implies directly $\mathcal{C}' \leq_{\mathrm{PFM}} \mathcal{C}$ by the identity
translation, since programs of $\mathcal{C}'$ are also programs of $\mathcal{C}$. By this observation, we
obtain the relationships $\mathcal{A} \leq_{\mathrm{PFM}} \mathcal{U}$, $\mathcal{U} \leq_{\mathrm{PFM}} \mathcal{B}$ and $\mathcal{B} \leq_{\mathrm{PFM}} \mathcal{P}$ for free. But it remains
open whether these relationships are strict or not.

Let us begin with the relationship of $\mathcal{B}$ and $\mathcal{P}$. Any non-binary rule $a \leftarrow
a_1, \ldots, a_n$ where $n > 2$ can be rewritten to reduce the number of atoms that
appear in the body of the rule. One particular technique is to introduce new
atoms $b_1, \ldots, b_{n-1}$ and the following binary rules¹:

$$a \leftarrow a_1, b_1 \;;\; b_1 \leftarrow a_2, b_2 \;;\; b_2 \leftarrow a_3, b_3 \;;\; \ldots \;;\; b_{n-2} \leftarrow a_{n-1}, b_{n-1} \;;\; b_{n-1} \leftarrow a_n. \qquad (2)$$

Using these binary rules, it is possible to infer $a$ whenever $a_1, \ldots, a_n$ are inferable.
As a result, any non-binary program $P$ gets translated into a binary one
$\mathrm{Tr}_{\mathrm{BIN}}(P)$. Most importantly, this translation satisfies our criteria.

¹ We use semicolons to separate program rules.

Theorem 1. $\mathcal{P} \leq_{\mathrm{PFM}} \mathcal{B}$.

Proof sketch. Polynomiality is obvious, since a rule (1) that has $2n + 1$ symbols
is translated into $n$ rules having a total of $5n - 1$ symbols. This implies even the
linearity of the translation. Modularity also follows easily, since the binary rules
of $P$ remain intact. It remains to establish faithfulness.

Let $Q = \mathrm{Tr}_{\mathrm{BIN}}(P)$ so that $\mathrm{Hb}(P) \subseteq \mathrm{Hb}(Q)$, $M = \mathrm{Mm}(P) \subseteq \mathrm{Hb}(P)$ and
$N = \mathrm{Mm}(Q) \subseteq \mathrm{Hb}(Q)$. It can be shown that $M = N \cap \mathrm{Hb}(P)$ using induction
on $i$ to prove $T_P^{\,i}(\emptyset) \subseteq N$ and $T_Q^{\,i}(\emptyset) \cap \mathrm{Hb}(P) \subseteq M$. □

The next question concerns the strictness of the relationship $\mathcal{U} \leq_{\mathrm{PFM}} \mathcal{B}$. It turns
out in the sequel that binary programs cannot be translated into unary ones such
that our criteria are met. We need a subsidiary result on unary programs $P$: if
an atom $a$ is included in $\mathrm{Mm}(P)$, then there is a single atomic rule $b \leftarrow$ in $P$
that causes the atom $a$ to be inferable by the rules of $P$ (i.e. to be included in
$\mathrm{Mm}(P)$). Note that $\mathrm{Mm}(P) = \emptyset$ for any strictly unary program $P$.

Lemma 1. Let $P = P_0 \cup P_1$ be a unary program where $P_0$ contains the atomic
rules of $P$ and $P_1$ contains the strictly unary rules of $P$.

If $a \in \mathrm{Mm}(P_0 \cup P_1)$ and the atomic rule $a \leftarrow$ does not belong to $P_0$, then
there is an atomic rule $b \leftarrow$ in $P_0$ such that $a \in \mathrm{Mm}(\{b \leftarrow\} \cup P_1)$.

Proof. We use induction on $l(a)$ to prove the claim for an atom $a \in \mathrm{Mm}(P_0 \cup P_1)$
such that $a \leftarrow$ does not belong to $P_0$. Note that the condition that we impose
on $a$ implies that $l(a) > 0$, since $a \notin T_{P_0 \cup P_1}(\emptyset)$, which is exactly the set of atoms
$b$ for which the atomic rule $b \leftarrow$ appears in $P_0$.

For the base case, assume that $l(a) = 1$. Then there is a rule $a \leftarrow b \in P_1$
such that $b \in T_{P_0 \cup P_1}(\emptyset)$. It follows that the atomic rule $b \leftarrow$ appears in $P_0$. It
is therefore clear that $b \in T_{\{b \leftarrow\} \cup P_1}(\emptyset)$ and hence $a \in \mathrm{Mm}(\{b \leftarrow\} \cup P_1)$.

Then consider the case $l(a) = i > 1$. Then there is a rule $a \leftarrow b \in P_1$ such
that $b \in T^{\,i}_{P_0 \cup P_1}(\emptyset)$. Two cases arise. (i) The atomic rule $b \leftarrow$ belongs to $P_0$.
Then $a \in \mathrm{Mm}(\{b \leftarrow\} \cup P_1)$ as in the base case. (ii) Otherwise, the rule $b \leftarrow$ does
not belong to $P_0$. Since $l(b) < l(a)$, it follows by the inductive hypothesis that
there is an atom $c$ such that $b \in \mathrm{Mm}(\{c \leftarrow\} \cup P_1)$. This implies $a \in \mathrm{Mm}(\{c \leftarrow\} \cup
P_1)$, because the rule $a \leftarrow b \in P_1$. Consequently, the atomic rule $c \leftarrow$ fulfills the
claim of the lemma regarding the atom $a$. □

We are ready to establish that $\mathcal{U} <_{\mathrm{PFM}} \mathcal{B}$, i.e. unary programs are strictly less
expressive than binary ones. The proof below demonstrates how it is impossible
to express the conjunctive condition ($b$ and $c$) in the body of a rule $a \leftarrow b, c$
using only unary rules. In fact, if we attempt to capture this condition in terms
of unary rules, the condition turns into a disjunctive one: already $b$ or $c$ alone
is sufficient for inferring $a$ (assuming that $a$ does not follow from our translation
directly). It is also worth pointing out that our counter-example does not depend
on the polynomiality requirement. Consequently, $\mathcal{B} \not\leq_{\mathrm{FM}} \mathcal{U}$ holds even if we
consider arbitrarily large translations of binary programs!
Theorem 2. $\mathcal{B} \not\leq_{\mathrm{FM}} \mathcal{U}$.

Proof. Let us assume that there is a faithful and modular translation function
$\mathrm{Tr}_{\mathrm{UN}}$ from binary programs to unary programs. Then consider a strictly binary
program $P = \{a \leftarrow b, c\}$. Let us partition $Q = \mathrm{Tr}_{\mathrm{UN}}(P)$ into a set of atomic
rules $Q_0$ and a set of strictly unary rules $Q_1$. A case analysis follows.

Consider a set of atomic (and unary) rules $U_1 = \{b \leftarrow \;;\; c \leftarrow\}$. By modularity,
the translation $\mathrm{Tr}_{\mathrm{UN}}(U_1 \cup P) = U_1 \cup Q$. It is clear that $a \in \mathrm{Mm}(U_1 \cup P)$,
which implies that $a \in \mathrm{Mm}(U_1 \cup Q)$ by the faithfulness of the translation. It
follows by Lemma 1 that there is an atom $d$ such that the atomic rule $d \leftarrow$ is
one of the atomic rules in $U_1 \cup Q_0$ and $a \in \mathrm{Mm}(\{d \leftarrow\} \cup Q_1)$. This leaves us
three possibilities: (i) the rule $d \leftarrow$ belongs to $Q_0$, (ii) $d = b$ or (iii) $d = c$.

Then let $U_2 = \{b \leftarrow\}$ so that $\mathrm{Tr}_{\mathrm{UN}}(U_2 \cup P) = U_2 \cup Q$ holds by modularity.
It follows that $a \notin \mathrm{Mm}(U_2 \cup P)$ so that also $a \notin \mathrm{Mm}(U_2 \cup Q)$ holds by the
faithfulness of the translation. This implies that the atomic rule $d \leftarrow$ does not
belong to $Q_0$, since otherwise $a \in \mathrm{Mm}(Q)$ and $a \in \mathrm{Mm}(U_2 \cup Q)$ follow. Quite
similarly, it follows that $d \neq b$, because otherwise $a \in \mathrm{Mm}(\{d \leftarrow\} \cup Q_1)$ implies
$a \in \mathrm{Mm}(U_2 \cup Q)$. Thus $d = c$ is necessarily the case.

Finally, consider $U_3 = \{c \leftarrow\}$ for which $\mathrm{Tr}_{\mathrm{UN}}(U_3 \cup P) = U_3 \cup Q$ holds by
modularity. Then $a \notin \mathrm{Mm}(U_3 \cup P)$ holds and $a \notin \mathrm{Mm}(U_3 \cup Q)$ follows by the
faithfulness of the translation. On the other hand, we know that $a \in \mathrm{Mm}(\{c \leftarrow\} \cup
Q_1)$ holds by the facts that $a \in \mathrm{Mm}(\{d \leftarrow\} \cup Q_1)$ and $d = c$. Since the program
$\{c \leftarrow\} \cup Q_1 \subseteq U_3 \cup Q$, we obtain a contradiction $a \in \mathrm{Mm}(U_3 \cup Q)$. □

Theorem 3. $\mathcal{U} \not\leq_{\mathrm{FM}} \mathcal{A}$.

Proof. Let us assume that there is a faithful and modular translation function
$\mathrm{Tr}_{\mathrm{AT}}$ from unary logic programs to atomic programs. Then consider a strictly
unary program $P = \{a \leftarrow b\}$ and the translation $Q = \mathrm{Tr}_{\mathrm{AT}}(P)$. Let $A = \{b \leftarrow\}$.
Since $a \in \mathrm{Mm}(A \cup P)$, also $a \in \mathrm{Mm}(A \cup Q)$ by the faithfulness and modularity
of $\mathrm{Tr}_{\mathrm{AT}}$. Since $Q$ is atomic, the rule $a \leftarrow$ must appear in $Q$.

Note that $\mathrm{Mm}(P) = \emptyset$ so that $a \notin \mathrm{Mm}(P)$. It follows by the faithfulness and
modularity of $\mathrm{Tr}_{\mathrm{AT}}$ that $a \notin \mathrm{Mm}(Q)$. A contradiction, as $a \leftarrow$ appears in $Q$. □

The last two theorems state that $\mathcal{B} \not\leq_{\mathrm{FM}} \mathcal{U}$ and $\mathcal{U} \not\leq_{\mathrm{FM}} \mathcal{A}$. However, this does
not exclude the possibility that polynomial and faithful but non-modular translation
functions could be devised for these classes. For instance, consider a translation
function $\mathrm{Tr}_{\mathrm{NM}}(P) = \{a \leftarrow \mid a \in \mathrm{Mm}(P)\}$. It is immediately clear that $\mathrm{Tr}_{\mathrm{NM}}$
is faithful, since $\mathrm{Mm}(\mathrm{Tr}_{\mathrm{NM}}(P)) = \mathrm{Mm}(P)$. It is also well known that $\mathrm{Mm}(P)$
can be computed in polynomial time (recall the iterative construction given in
Section 3). Thus $\mathrm{Tr}_{\mathrm{NM}}$ is also polynomial. To show that $\mathrm{Tr}_{\mathrm{NM}}$ is non-modular,
we use the programs $P = \{a \leftarrow b\}$ and $A = \{b \leftarrow\}$ introduced in the proof of
Theorem 3. Now $\mathrm{Tr}_{\mathrm{NM}}(A \cup P) = \{a \leftarrow \;;\; b \leftarrow\}$, but $\mathrm{Tr}_{\mathrm{NM}}(A) = \{b \leftarrow\}$ and
$\mathrm{Tr}_{\mathrm{NM}}(P) = \emptyset$, indicating that $\mathrm{Tr}_{\mathrm{NM}}(A \cup P) \neq \mathrm{Tr}_{\mathrm{NM}}(A) \cup \mathrm{Tr}_{\mathrm{NM}}(P)$. Generally
speaking, a non-modular translation $\mathrm{Tr}(P)$ is often heavily dependent on
particular instances of $P$ so that already slight changes to $P$ may alter $\mathrm{Tr}(P)$
thoroughly. Consequently, a shortcoming of non-modular translations is that
they do not support updates. This is also clear on the basis of the translation
function $\mathrm{Tr}_{\mathrm{NM}}$ above: consider the effects of deleting $A$ from $\mathrm{Tr}_{\mathrm{NM}}(A \cup P)$.

[Figure: $\mathcal{A} \leq_{\mathrm{PFM}} \mathcal{U} \leq_{\mathrm{PFM}} \mathcal{B} \leq_{\mathrm{PFM}} \mathcal{P}$]

Fig. 1. Classes of Logic Programs Ordered by Expressive Power

Theorems 1, 2 and 3 establish a strict ordering among the classes of logic
programs $\mathcal{A}$, $\mathcal{U}$, $\mathcal{B}$ and $\mathcal{P}$ that is summarized in Figure 1.

5 Normal Logic Programs 

The next step is to extend our analysis to cover more general classes of logic
programs: we let negation (i.e. negative literals) appear in the bodies of rules.
Consequently, the resulting rules are of the form

$$a \leftarrow a_1, \ldots, a_n, \sim b_1, \ldots, \sim b_m \qquad (3)$$

where $b_1, \ldots, b_m$ are atoms. In the sequel, $a_1, \ldots, a_n$ and $\sim b_1, \ldots, \sim b_m$ will be
called the positive and negative body literals of the rule (3). Intuitively, this
kind of a rule can be used for inferences like the rule (1) given that none of the
atoms $b_1, \ldots, b_m$ can be inferred. We extend the syntactic restrictions (atomic,
unary and binary rules) introduced in Section 3 to cover normal logic programs:
negative body literals simply do not count, i.e. they are ignored when rules are
classified. For instance, the rule $a \leftarrow b, \sim c$ involving a negative literal is
strictly unary ($n = 1$) as well as binary ($n \leq 2$). To give another example, a
rule $p \leftarrow \sim q_1, \ldots, \sim q_m$ without positive body literals is atomic ($n = 0$). We introduce subscripted symbols $\mathcal{A}_n$, $\mathcal{U}_n$, $\mathcal{B}_n$
and $\mathcal{P}_n$ to denote the respective classes of normal logic programs.

The leading semantics for normal logic programs is the stable model semantics
proposed by Gelfond and Lifschitz. Given a model candidate $M \subseteq \mathrm{Hb}(P)$, a
normal logic program $P$ is reduced to a negation-free logic program

$$P^M = \{a \leftarrow a_1, \ldots, a_n \mid a \leftarrow a_1, \ldots, a_n, \sim b_1, \ldots, \sim b_m \in P \text{ and } M \cap \{b_1, \ldots, b_m\} = \emptyset\}. \qquad (4)$$

This is how the negative body literals of all rules of $P$ are simultaneously
interpreted with respect to $M$. Since the reduct $P^M$ is negation-free, it has a
straightforward semantics determined by the unique minimal model $\mathrm{Mm}(P^M)$.
This suggests that one should accept only stable models $M \subseteq \mathrm{Hb}(P)$ of a normal
logic program $P$ that satisfy the fixed point condition

$$M = \mathrm{Mm}(P^M). \qquad (5)$$

Unfortunately, stable models need not exist for a normal logic program (e.g.,
$P = \{a \leftarrow \sim a\}$) and stable models are not necessarily unique (e.g., the program
$P = \{a \leftarrow \sim b \;;\; b \leftarrow \sim a\}$ has two stable models $\{a\}$ and $\{b\}$). Moreover,
negation leads to non-monotonicity of reasoning such that conclusions
may be retracted (e.g., the programs $P = \{a \leftarrow \sim b\}$ and $P' = P \cup \{b \leftarrow\}$ have
unique stable models $\{a\}$ and $\{b\}$, respectively). We will consider the classes
of normal logic programs $\mathcal{A}_n$, $\mathcal{U}_n$, $\mathcal{B}_n$ and $\mathcal{P}_n$ under the stable semantics, i.e.
$\mathrm{Sem}_{\mathcal{C}_n}(P) = \{M \subseteq \mathrm{Hb}(P) \mid M = \mathrm{Mm}(P^M)\}$ holds for any $\mathcal{C}_n$ and for any $P \in \mathcal{C}_n$.
It is clear that the relations $\mathcal{A}_n \leq_{\mathrm{PFM}} \mathcal{U}_n$, $\mathcal{U}_n \leq_{\mathrm{PFM}} \mathcal{B}_n$ and $\mathcal{B}_n \leq_{\mathrm{PFM}} \mathcal{P}_n$ hold, since
the classes involved are obtained by syntactic restrictions that lead to the inclusion
$\mathcal{A}_n \subseteq \mathcal{U}_n \subseteq \mathcal{B}_n \subseteq \mathcal{P}_n$ in analogy to the monotonic case. From now on, our plan
is to generalize Theorems 1, 2 and 3 to the case of normal logic programs. Let
us start our considerations with non-binary normal logic programs in $\mathcal{P}_n$.

Theorem 4. $\mathcal{P}_n \leq_{\mathrm{PFM}} \mathcal{B}_n$.

Proof sketch. Let $P$ be a non-binary normal logic program. Then there is at least
one rule (3) with $n > 2$. The strategy is to rewrite such rules so that each of
the rules (2) is modified by adding the negative body literals $\sim b_1, \ldots, \sim b_m$. Let
$Q = \mathrm{Tr}_{\mathrm{BIN}}(P)$ be the translation of $P$ obtained by this principle. It is clear that
the function $\mathrm{Tr}_{\mathrm{BIN}}$ is both polynomial and modular.

Then consider any set of atoms $N \subseteq \mathrm{Hb}(Q)$ and $M = N \cap \mathrm{Hb}(P)$. It is
clear that for any binary rule (3) with $n \leq 2$, the rule $a \leftarrow a_1, \ldots, a_n$ belongs
to $P^M$ iff it belongs to $Q^N$. For any non-binary rule (3) with $n > 2$ the rule
$a \leftarrow a_1, \ldots, a_n$ belongs to $P^M$ iff the rules (2) belong to $Q^N$. Thus $\mathrm{Mm}(P^M) =
\mathrm{Mm}(Q^N) \cap \mathrm{Hb}(P)$ follows by the technique used in the proof of Theorem 1.
Then it follows easily that if $N$ is a stable model of $Q$, i.e. $N = \mathrm{Mm}(Q^N)$,
then $M = N \cap \mathrm{Hb}(P)$ is a stable model of $P$, i.e. $M = \mathrm{Mm}(P^M)$. Then consider
the case that $M = \mathrm{Mm}(P^M)$. Define $N$ as $M$ augmented with all new atoms
$b_i$ (where $0 < i \leq n - 1$) involved in (2) for which $P$ has a corresponding
non-binary rule (3) with $n > 2$, the rule $a \leftarrow a_1, \ldots, a_n$ belongs to $P^M$ and
$\{a_{i+1}, \ldots, a_n\} \subseteq M$. It follows by the definition of $N$ and the preceding analysis
that $N = \mathrm{Mm}(Q^N)$ so that $M = N \cap \mathrm{Hb}(P)$. Moreover, $N$ is the unique stable
model of $Q$ satisfying $M = N \cap \mathrm{Hb}(P)$, since the negative literals of $Q$ involve
only atoms of $\mathrm{Hb}(P)$ and this makes $Q^N$ unique with respect to $M$. □

The main result of the paper follows: it is established that binary rules are
not expressible in terms of unary rules even if we allow negative body literals.

Theorem 5. $\mathcal{B}_n \not\leq_{\mathrm{FM}} \mathcal{U}_n$.

Proof. Let us assume that there is a faithful and modular translation function
$\mathrm{Tr}_{\mathrm{UN}}$ from binary normal logic programs to unary ones. Then consider a strictly
binary normal logic program $P = \{a \leftarrow b, c\}$ and the translation $Q = \mathrm{Tr}_{\mathrm{UN}}(P)$
which is a unary normal logic program. Let us partition $Q$ into a set of atomic
rules $Q_0$ and a set of strictly unary rules $Q_1$. Recall that the rules of $Q_0$ and $Q_1$
may contain negative body literals and $\mathrm{Hb}(P) \subseteq \mathrm{Hb}(Q)$.
Then consider the sets of rules

$$A_1 = \{b \leftarrow \;;\; c \leftarrow\},\quad A_2 = \{b \leftarrow\},\quad A_3 = \{c \leftarrow\}\quad \text{and}\quad U = \{b \leftarrow a \;;\; c \leftarrow a\}.$$

It follows by the modularity of $\mathrm{Tr}_{\mathrm{UN}}$ that $\mathrm{Tr}_{\mathrm{UN}}(A_i \cup U \cup P) = A_i \cup U \cup Q$ for
all $i \in \{1, 2, 3\}$. Note that $M = \mathrm{Mm}(A_1 \cup U \cup P) = \{a, b, c\}$ is the unique stable
model of $A_1 \cup U \cup P$, since $A_1 \cup U \cup P$ does not contain negative literals. Because
of the faithfulness of $\mathrm{Tr}_{\mathrm{UN}}$, there is a unique stable model $N$ of $A_1 \cup U \cup Q$
such that $M = N \cap \mathrm{Hb}(A_1 \cup U \cup P) = N \cap \{a, b, c\}$. This implies that $a \in N$.
The reduct $(A_1 \cup U \cup Q)^N = A_1 \cup U \cup Q^N = A_1 \cup U \cup Q_0^N \cup Q_1^N$ and $N =
\mathrm{Mm}(A_1 \cup U \cup Q^N)$. By Lemma 1 there is an atomic rule $d \leftarrow$ in $A_1 \cup Q_0^N$ such
that $a \in \mathrm{Mm}(\{d \leftarrow\} \cup U \cup Q_1^N)$. Three cases arise: $d \leftarrow$ belongs to the atomic
part $Q_0^N$ of the reduct, $d = b$ or $d = c$. It follows that (i) $a \in \mathrm{Mm}(U \cup Q^N)$, (ii)
$a \in \mathrm{Mm}(A_2 \cup U \cup Q^N)$ or (iii) $a \in \mathrm{Mm}(A_3 \cup U \cup Q^N)$. Since (i) implies both (ii)
and (iii), we may conclude that (ii) or (iii) holds.

Recall that $U$ contains the rules $b \leftarrow a$ and $c \leftarrow a$. Since (ii) or (iii) holds,
it follows that $c \in \mathrm{Mm}(A_2 \cup U \cup Q^N)$ or $b \in \mathrm{Mm}(A_3 \cup U \cup Q^N)$. Consequently,
we have that $\mathrm{Mm}(A_2 \cup U \cup Q^N) = \mathrm{Mm}(A_1 \cup U \cup Q^N)$ or $\mathrm{Mm}(A_3 \cup U \cup Q^N) =
\mathrm{Mm}(A_1 \cup U \cup Q^N)$. Thus $N$ is a stable model of $A_2 \cup U \cup Q$ or a stable model
of $A_3 \cup U \cup Q$. Note also that $a \in N$ holds in both cases by (ii) and (iii).

On the other hand, the unique stable models of $A_2 \cup U \cup P$ and $A_3 \cup U \cup P$
are $M_2 = \mathrm{Mm}(A_2 \cup U \cup P) = \{b\}$ and $M_3 = \mathrm{Mm}(A_3 \cup U \cup P) = \{c\}$, respectively.
Then $a \notin M_2$ and $a \notin M_3$ hold, indicating that $\mathrm{Tr}_{\mathrm{UN}}$ is not faithful. □

It remains to explore the strictness of the relationship $\mathcal{A}_n \leq_{\mathrm{PFM}} \mathcal{U}_n$. In the
presence of negation, it is almost possible to obtain a translation from unary
programs to atomic ones. This is demonstrated by the following example.

Example 1. Consider a normal logic program $P = \{a \leftarrow b \;;\; b \leftarrow c\}$ and a
translation of $P$ into an atomic normal logic program

$$\mathrm{Tr}_{\mathrm{AT}}(P) = \{a \leftarrow \sim b' \;;\; b \leftarrow \sim c' \;;\; a' \leftarrow \sim a \;;\; b' \leftarrow \sim b \;;\; c' \leftarrow \sim c\}$$

where the new atoms $a'$, $b'$ and $c'$ mean that $a$, $b$ and $c$ are false, respectively.
The first two rules of $\mathrm{Tr}_{\mathrm{AT}}(P)$ express the rules of $P$ using a kind of double
negation while the last three rules of $\mathrm{Tr}_{\mathrm{AT}}(P)$ encode the standard closed world
assumption. These programs exhibit the following stable models.

  $A$                  Stable models of $A \cup P$     Stable models of $A \cup \mathrm{Tr}_{\mathrm{AT}}(P)$
  $\emptyset$          $\emptyset$                     $\{a', b', c'\}$
  $\{a \leftarrow\}$   $\{a\}$                         $\{a, b', c'\}$
  $\{b \leftarrow\}$   $\{a, b\}$                      $\{a, b, c'\}$
  $\{c \leftarrow\}$   $\{a, b, c\}$                   $\{a, b, c\}$

By the preceding analysis, the translation $\mathrm{Tr}_{\mathrm{AT}}(P)$ seems to capture the
essentials of $P$ in a modular and faithful manner. However, severe problems
arise if $P$ contains a "loop" that lets one infer $a$ from $a$, for instance. The
simplest possible example of this kind is $P' = \{a \leftarrow a\}$ having a minimal model
$\mathrm{Mm}(P') = \emptyset$. Unfortunately, the translation $\mathrm{Tr}_{\mathrm{AT}}(P') = \{a \leftarrow \sim a' \;;\; a' \leftarrow \sim a\}$
has two stable models $\{a'\}$ and $\{a\}$. The former is what we would expect on the
basis of our example, but the latter is an anomalous stable model. It is proved
in the following theorem that such anomalous stable models cannot be avoided.
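The following Python program is added here and is not part of the paper: it implements the least model via $T_P$, the translation $\mathrm{Tr}_{\mathrm{BIN}}$ of Theorems 1 and 4, the translation $\mathrm{Tr}_{\mathrm{NM}}$ of Section 4, the reduct (4) and the stable models (5), and replays the table of Example 1 and the loop anomaly. The names of the new atoms (`_b1`, `_b2`, ...) and the brute-force search over $\mathrm{Hb}$ are choices made here, not the paper's.

```python
"""Added example, not from the paper: least models via T_P, the translation Tr_BIN of
Theorems 1 and 4, the translation Tr_NM of Section 4, the Gelfond-Lifschitz reduct and
stable models, run on the paper's small programs.  A rule is a triple
(head, positive body, negative body).  The new atoms of Tr_BIN are named '_b1', '_b2',
... here, which assumes that no program atom starts with an underscore."""
from itertools import combinations
from typing import FrozenSet, List, Sequence, Tuple

Rule = Tuple[str, Tuple[str, ...], Tuple[str, ...]]


def rule(head: str, pos: Sequence[str] = (), neg: Sequence[str] = ()) -> Rule:
    """head <- pos..., ~neg...  (an atomic rule when both bodies are empty)."""
    return (head, tuple(pos), tuple(neg))


def herbrand_base(program: Sequence[Rule]) -> FrozenSet[str]:
    """Hb(P): every atom occurring in P."""
    return frozenset(a for h, pos, neg in program for a in (h, *pos, *neg))


def least_model(program: Sequence[Rule]) -> FrozenSet[str]:
    """Mm(P) of a negation-free program: iterate T_P from the empty set up to its fixpoint."""
    if any(neg for _, _, neg in program):
        raise ValueError("least_model expects a negation-free program (apply reduct first)")
    model: FrozenSet[str] = frozenset()
    while True:
        step = frozenset(h for h, pos, _ in program if set(pos) <= model)  # T_P(model)
        if step == model:
            return model
        model = step


def tr_bin(program: Sequence[Rule]) -> List[Rule]:
    """Tr_BIN: a rule a <- a1,...,an with n > 2 becomes the chain (2)
    a <- a1,b1 ; b1 <- a2,b2 ; ... ; b_{n-1} <- an  with fresh atoms b1..b_{n-1}.
    Rules with n <= 2 are left intact (modularity).  As in the proof of Theorem 4, the
    negative body literals of the original rule are copied to every rule of the chain."""
    out: List[Rule] = []
    counter = 0
    for head, pos, neg in program:
        if len(pos) <= 2:
            out.append((head, pos, neg))
            continue
        fresh = [f"_b{counter + i}" for i in range(1, len(pos))]
        counter += len(pos) - 1
        prev = head
        for a, b in zip(pos[:-1], fresh):
            out.append((prev, (a, b), neg))
            prev = b
        out.append((prev, (pos[-1],), neg))
    return out


def tr_nm(program: Sequence[Rule]) -> List[Rule]:
    """Tr_NM(P) = {a <- | a in Mm(P)}: faithful and polynomial, but not modular."""
    return [rule(a) for a in sorted(least_model(program))]


def reduct(program: Sequence[Rule], m: FrozenSet[str]) -> List[Rule]:
    """Gelfond-Lifschitz reduct P^M (4): drop every rule having some ~b with b in M and
    delete the negative body literals of the remaining rules."""
    return [(h, pos, ()) for h, pos, neg in program if not (m & frozenset(neg))]


def stable_models(program: Sequence[Rule]) -> List[FrozenSet[str]]:
    """Every M subset of Hb(P) with M = Mm(P^M) (5), found by exhaustive search."""
    atoms = sorted(herbrand_base(program))
    found: List[FrozenSet[str]] = []
    for k in range(len(atoms) + 1):
        for chosen in combinations(atoms, k):
            m = frozenset(chosen)
            if least_model(reduct(program, m)) == m:
                found.append(m)
    return found


def faithful_on(p: Sequence[Rule], q: Sequence[Rule], context: Sequence[Rule] = ()) -> bool:
    """Faithfulness of P -> Q on one context C: the stable models of C u P and of C u Q must
    correspond one-to-one and coincide up to Hb(C u P)."""
    hb = herbrand_base([*context, *p])
    sm_p = sorted(stable_models([*context, *p]), key=sorted)
    sm_q = sorted((n & hb for n in stable_models([*context, *q])), key=sorted)
    return sm_p == sm_q  # a duplicate on the right would break the one-to-one requirement


if __name__ == "__main__":
    # Theorem 1: a non-binary rule with three body atoms plus facts for them (constructed input)
    p = [rule("a", ["a1", "a2", "a3"]), rule("a1"), rule("a2"), rule("a3")]
    print(sorted(least_model(tr_bin(p)) & herbrand_base(p)))  # ['a', 'a1', 'a2', 'a3']
    # Example 1: Tr_AT(P) for P = {a <- b ; b <- c}, checked on the four rows of its table
    p1 = [rule("a", ["b"]), rule("b", ["c"])]
    tr_at_p1 = [rule("a", neg=["b'"]), rule("b", neg=["c'"]), rule("a'", neg=["a"]),
                rule("b'", neg=["b"]), rule("c'", neg=["c"])]
    for ctx in ([], [rule("a")], [rule("b")], [rule("c")]):
        print(stable_models([*ctx, *tr_at_p1]), faithful_on(p1, tr_at_p1, ctx))
    # the anomalous loop P' = {a <- a}: its translation has the two stable models {a'}, {a}
    print(stable_models([rule("a", neg=["a'"]), rule("a'", neg=["a"])]))
```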
Theorem 6. $\mathcal{U}_n \not\leq_{\mathrm{FM}} \mathcal{A}_n$.

Proof. Let us assume that there is a faithful and modular translation function
$\mathrm{Tr}_{\mathrm{AT}}$ from unary normal logic programs to atomic ones. Then consider the unary
(normal) logic program $P = \{a \leftarrow b \;;\; b \leftarrow a\}$ and the translation $Q = \mathrm{Tr}_{\mathrm{AT}}(P)$
which is an atomic normal logic program. We introduce sets of atomic rules $A_1 =
\{a \leftarrow\}$, $A_2 = \{b \leftarrow\}$, $A_3 = \{a \leftarrow \;;\; b \leftarrow\}$. Note that for each $i \in \{1, 2, 3\}$, the
program $A_i \cup P$ has a unique stable model $M = \mathrm{Mm}(A_i \cup P) = \{a, b\}$. In addition,
the modularity of $\mathrm{Tr}_{\mathrm{AT}}$ implies that the translation $\mathrm{Tr}_{\mathrm{AT}}(A_i \cup P) = A_i \cup Q$ for all
$i \in \{1, 2, 3\}$. Note also that the Gelfond-Lifschitz reduction $(A_i \cup Q)^N = A_i \cup Q^N$
for any $i \in \{1, 2, 3\}$ and $N \subseteq \mathrm{Hb}(A_i \cup Q)$.

Since $M$ is the unique stable model of $A_1 \cup P$, it follows by the faithfulness of
$\mathrm{Tr}_{\mathrm{AT}}$ that the translation $A_1 \cup Q$ has a unique stable model $N_1 = \mathrm{Mm}(A_1 \cup Q^{N_1})$
such that $N_1 \cap \{a, b\} = M$. This implies that $b \leftarrow$ must belong to the reduct $Q^{N_1}$,
since $Q^{N_1}$ is atomic. Thus also $N_1 = \mathrm{Mm}(A_3 \cup Q^{N_1})$ holds, i.e. $N_1$ is a
stable model of $A_3 \cup Q$. Due to the symmetry present in the sets of rules $P$, $A_1$, $A_2$
and $A_3$, we may conclude that there is a stable model $N_2 = \mathrm{Mm}(A_2 \cup Q^{N_2})$ of
$A_2 \cup Q$ such that $N_2 \cap \{a, b\} = M$ and the rule $a \leftarrow$ belongs to $Q^{N_2}$. Thus $N_2$
is also a stable model of $A_3 \cup Q$.

Since $M$ is the unique stable model of $A_3 \cup P$, it follows by the faithfulness
of $\mathrm{Tr}_{\mathrm{AT}}$ that $A_3 \cup Q$ has a unique stable model $N_3 = \mathrm{Mm}(A_3 \cup Q^{N_3})$ such
that $N_3 \cap \{a, b\} = M$. The uniqueness of $N_3$ implies that $N_1 = N_2 = N_3$.
Consequently, the reductions satisfy $Q^{N_1} = Q^{N_2} = Q^{N_3}$. Therefore, the rules
$a \leftarrow$ and $b \leftarrow$ belong to $Q^{N_3}$. It follows that $N_3 = \mathrm{Mm}(Q^{N_3})$, i.e. $N_3$ is a stable
model of $Q$. Recall that $N_3$ contains $a$ and $b$. But this contradicts the faithfulness
of $\mathrm{Tr}_{\mathrm{AT}}$, since $Q = \mathrm{Tr}_{\mathrm{AT}}(P)$ and $P$ has a unique stable model $\mathrm{Mm}(P) = \emptyset$. □

To make our view complete, we address the relationships between the classes
of (negation-free) logic programs and normal logic programs in Theorem 7. Note
again that $\mathcal{C} \leq_{\mathrm{PFM}} \mathcal{C}_n$ holds trivially for any of the classes $\mathcal{C}$. The resulting hierarchy
of classes of logic programs is illustrated in Figure 2.

Theorem 7. $\mathcal{C}_n \not\leq_{\mathrm{F}} \mathcal{C}$ holds for any class $\mathcal{C}$ among $\mathcal{A}$, $\mathcal{U}$, $\mathcal{B}$ and $\mathcal{P}$.

Proof. Let us assume that there is a faithful translation function $\mathrm{Tr}$ from $\mathcal{C}_n$ to $\mathcal{C}$.
Consider a logic program $P = \{a \leftarrow \sim a\}$ which serves as a representative of the
class $\mathcal{C}_n$ of normal logic programs. Let $Q$ be the translation $\mathrm{Tr}(P)$ in $\mathcal{C}$. Now $P$
has no stable models, but the translation $Q$ has a unique stable model $\mathrm{Mm}(Q)$,
contradicting the faithfulness of $\mathrm{Tr}$. □

6 Related Work 

Let us comment on related work at first. Partial evaluation techniques have been
introduced to unfold rules of programs in a semantics preserving way. A good
example in this respect is the approach by Brass and Dix. They propose
equivalence transformations for normal and disjunctive logic programs under the
stable semantics. Let us describe these transformations by restricting to the
case of normal logic programs. Two of the transformations eliminate tautologies
(which are rules (3) with $a = a_i$ for some $i$) and inapplicable rules (which are
rules (3) with $a_i = b_j$ for some $i$ and $j$). The third transformation evaluates
partially a rule of a normal logic program $P$ with respect to a positive body
literal $a_i$ in the rule. This means replacing the rule (3) with a rule

$$a \leftarrow a_1, \ldots, a_{i-1}, a'_1, \ldots, a'_{n'}, a_{i+1}, \ldots, a_n, \sim b_1, \ldots, \sim b_m, \sim b'_1, \ldots, \sim b'_{m'}$$

for each rule $a_i \leftarrow a'_1, \ldots, a'_{n'}, \sim b'_1, \ldots, \sim b'_{m'}$ of $P$ having $a_i$ as the head. This is
how the positive occurrences of $a_i$ are replaced by its definition. Compared to
the goals of this paper, partial evaluation has a quite opposite effect, as it tends
to increase the number of positive body literals.

Fig. 2. Classes of Logic Programs Ordered by Expressiveness

It is also worthwhile to relate our framework with propositional logic. Given
a propositional theory $S$, i.e. a set of propositional clauses of the form

$$a_1 \vee \ldots \vee a_n \vee \neg b_1 \vee \ldots \vee \neg b_m, \qquad (6)$$

a model $M \subseteq \mathrm{Hb}(S)$ of $S$ is a set of atoms (considered to be true) such that
all clauses of $S$ evaluate to true. The famous satisfiability problem (SAT)
is about checking whether a given set of clauses has a model. It is possible to
capture the models of a set of clauses $S$ with the stable models of a translation
of $S$ into a normal logic program. In fact, we can do this using only atomic rules.
The idea is as follows. The rules $a \leftarrow \sim a'$ and $a' \leftarrow \sim a$ are needed to select the
truth value of each atom $a \in \mathrm{Hb}(S)$. Here $a'$ denotes that $a$ is false (in analogy
to Example 1). Given just these rules, we obtain all model candidates for $S$ as
stable models of the rules and we have yet to ensure that all clauses of the form
(6) are satisfied. This is easily accomplished by introducing a rule²

$$f \leftarrow \sim f, \sim a_1, \ldots, \sim a_n, \sim b'_1, \ldots, \sim b'_m$$

where $f$ is a new atom, for each clause (6) in $S$. These kinds of rules exclude
model candidates in which some of the clauses is false. On the other hand, it is
impossible to translate an atomic normal logic program $P$ into a propositional
theory in a faithful (one-to-one correspondence of models such that corresponding
models coincide up to $\mathrm{Hb}(P)$) and modular way. To establish this, let us
assume that there is such a faithful and modular translation function $\mathrm{Tr}$. Then
consider atomic normal logic programs $P_1 = \{a \leftarrow \sim a\}$ and $P_2 = \{a \leftarrow\}$. The
program $P_1$ has no stable models while $P_2$ has a unique stable model $M = \{a\}$.
Since $\mathrm{Tr}$ is faithful, the translation $\mathrm{Tr}(P_1)$ must be propositionally inconsistent.
By the modularity of $\mathrm{Tr}$, the translation $\mathrm{Tr}(P_1 \cup P_2) = \mathrm{Tr}(P_1) \cup \mathrm{Tr}(P_2)$, which
is also propositionally inconsistent, i.e. has no models. But this contradicts the
faithfulness of $\mathrm{Tr}$, since $M$ is also the unique stable model of $P_1 \cup P_2$. These
observations indicate that propositional theories are already strictly less expressive
than atomic normal logic programs. By Figure 2 and the transitivity of the
relation $\leq_{\mathrm{PFM}}$, this holds also for unary and binary logic programs.

² It would be more intuitive to use a rule of the form $f \leftarrow \sim f, \sim a_1, \ldots, \sim a_n, b_1, \ldots, b_m$,
which is not atomic, and "double negation" is needed in order to make the rule atomic.

Our remarks on computational complexity follow. Marek and Truszczyński
establish that finding out whether a normal logic program $P$ has a stable
model is an NP-complete problem. By the translation sketched above, the problem
SAT is reducible in polynomial time to the problem of checking whether an
atomic/unary/binary normal logic program has a stable model. This indicates
that the computational complexity of the latter problem remains NP-hard under
the three syntactic restrictions that are imposed on rules in this paper. Thus, in
analogy to our previous experience on classifying non-monotonic logics, the
method based on PFM translation functions yields a more accurate measure of
expressive power than the levels of the polynomial time hierarchy (PH) do.

7 Discussion and Conclusions 

The analysis in Section 4 reveals the main constituents of rule-based reasoning.
In the simplest form, we have just atomic rules $a \leftarrow$ stating that the atom in
the head is true. Unary rules enrich this setting by allowing chained inferences
with rules. In the richest form, we have binary rules that incorporate conjunctive
conditions. Moreover, reasoning with non-binary rules is reducible to these primitive
forms. By the results of Section 5 we know that this setting is not affected
even if normal logic programs are considered. For instance, negation as failure is
not sufficient to compensate for conjunctive conditions nor chained inferences (c.f.
Example 1). Looking back to the hierarchy in Figure 2, the number of positive
body literals seems to be a reasonable criterion for syntactic restrictions, because
strict differences in expressive power result.

By Theorem 5 it is impossible to rewrite normal logic programs (as long as
we expect modularity and faithfulness) such that binary rules are removed. This
provides a quite definite answer to the question posed in the introduction. Given
that the head atom $a$ of a binary rule $a \leftarrow b, c$ is false in a stable model $M$ and
the truth values of $b$ and $c$ are not known, we know that $b$ is false in $M$ or $c$ is
false in $M$. This leads to a case analysis which can be in the worst case at least
as expensive as ordinary branching with respect to $b$ (i.e. analyzing separately
the cases that $b$ is true in $M$ and $b$ is false in $M$) or with respect to $c$. This is
illustrated in our final example.

Example 2. Consider a binary normal logic program $P$
which has four stable models: $M_1 = \{a, b, c\}$, $M_2 = \{b, c_1\}$, $M_3 = \{b_1, c\}$ and
$M_4 = \{b_1, c_1\}$. Suppose we would like to compute the stable models $M$ of $P$ in
which $a$ is false. As suggested by the contrapositive interpretation of $a \leftarrow b, c$,
one possibility is to branch the search using the conditions that (i) $b$ is false in
$M$ and (ii) $c$ is false in $M$. While analyzing the case (i), we find the stable models
$M_3$ and $M_4$. On the other hand, the stable models $M_2$ and $M_4$ are discovered
when (ii) is analyzed. Thus $M_4$ is encountered twice during the search. Another
approach is to branch according to the condition (i) above and the condition
that (iii) $b$ is true in $M$. In the case (iii), the stable model $M_2$ is found directly.

A similar analysis can also be accomplished using the system smodels
for computations. Given $P$ and the command "compute { not a }", the system
finds us the three stable models $M_2$, $M_3$ and $M_4$ of $P$ and informs us that the
search involved 2 choice points. The choice between the cases (i) and (ii) can
be simulated by the commands "compute { not a, not b }" and "compute {
not a, not c }". Both cases yield an additional choice point so that the total
number of choice points becomes 3. The choice between (i) and (iii) is handled
similarly. The command "compute { not a, b }" yields the model $M_2$ without
further choice points. Therefore, only 2 choice points are needed if the search
space is split using (i) and (iii). This is exactly the number of choice points
passed by smodels given the command "compute { not a }". A larger search
tree results if branching is based on the conditions (i) and (ii).

To conclude, binary rules tend to block contrapositive inference in practice.
This is because it is impossible to get rid of binary rules in a faithful and modular
way (Theorem 5) and there is no guarantee that contrapositive reasoning
can be accomplished in polynomial time, if cases arising from binary rules are
thoroughly analyzed (Example 2). However, we do not claim that contrapositive
reasoning is not useful. In particular, it is reasonable to infer that $b$ is false if $a$
is known to be false in the presence of a unary rule $a \leftarrow b$. Nevertheless, binary
rules establish a limit on how far it is practical to apply contrapositive reasoning.

Finally, let us sketch future work. The current hierarchy in Figure 2 was
obtained as a by-product while the possibilities for reducing the number of positive
body literals were analyzed. Consequently, the hierarchy does not cover
many interesting classes of logic programs. Extensions to the hierarchy should
be searched for by analyzing classes of logic programs with richer syntax
and different semantics. Our recent results on the relationship of
partial stable models and total stable models of disjunctive logic programs
provide a promising starting point in this respect.
Abstract. The computational complexity of finding the minimal real change
of a database after an update constrained by a logic program is explored.
A polynomial time algorithm is discovered which solves this problem
for ground IC in partial interpretations. Formulated in a "property"
form, even under the premise of a fixed database scheme, this problem
turns out to be complete in the first three classes of the $\Sigma$ and $\Pi$ polynomial
hierarchies, depending on many factors: type of interpretation
(total or partial), presence of variables, use of negation, arity of predicates,
etc. Meanwhile, we show that under strong restrictions to negative
constraints the problem is solvable in polynomial time. If the database
scheme may vary, the complexity grows exponentially.



1 Introduction 



Database updates whose impact on database states is specified by systems of IF-THEN
rules or by logic programs were in the focus of research until the late 1980s. The
interest in such updates has quickened in the past few years with the emergence
of databases with intelligent update enforcement features (such as triggers), in
particular, of active databases. Initially, the interest in rule
based updates was aroused by the need for generalizations of SQL-like declarative
update definitions. Subsequently, this field was influenced by the
investigation of knowledge base updates. One approach regards the result of a
theory update as the theory of its updated (revised) models. Another approach
follows the line where a propositional update formula transforms an initial
formula into a new formula. In the first order case both the updated theory and
the update itself are represented by logic programs. Model based updates provide
new models (DB states) minimally deviating (in some sense) from the initial ones,
sometimes explicitly, sometimes not. An alternative operational approach to updates


* This work was sponsored by the Russian Fundamental Studies Foundation (Grants
98-01-00204, 99-01-00374, 00-01-00254).

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 867-, 2000.
© Springer-Verlag Berlin Heidelberg 2000

Michael Dekhtyar, Alexander Dikovsky, and Sergey Dudakov



is based on derivations in logic programs. For instance, abduction, sometimes
combined with SLD or SLDNF, is used for view updates.

Still another approach to database updates has been proposed and
developed. It applies to databases with integrity constraints (IC), expressed
in the form of a logic program. Accomplishing updates in the presence of such
IC needs subsequent conflict resolution. This approach departs from the premise
that IC are not intended for data or knowledge definition. Rather, they specify
the conflicts to avoid after updates. So in this approach the use of exclusively
"intended" models of IC may lead to the loss of information or to unjustified
conflict resolution failures, which is illustrated by the following simple example.



Example 1. The IC below expresses a typical case of an exception from a
general rule. It consists of two clauses. The first one expresses the general rule:
"children (proposition $\mathit{children}$) can bathe ($\mathit{bathe}$) when with parents ($\mathit{parents}$)".
The other one expresses an exception from this rule: "children cannot bathe while
the ebb tide (proposition $\mathit{ebb}$)":

$$\mathit{bathe} \leftarrow \mathit{children}, \mathit{parents}$$

$$\neg\mathit{bathe} \leftarrow \mathit{children}, \mathit{ebb}.$$

Let us consider a DB state where children cannot bathe because of the ebb. This
state is materialized differently in classical and partial databases. In classical
databases the absence of a fact means that its negation holds. In a partial database
$S$ a fact $a$ holds if $a \in S$, $\neg a$ holds if $\neg a \in S$ explicitly, otherwise $a$ is unknown.

Let us consider first the classical databases. This means that we have the DB
state $I = \{\mathit{children}, \mathit{ebb}\}$. Suppose that the parents arrive, which is expressed
as the addition of the fact $\mathit{parents}$ to $I$. This positive update causes a conflict
with the first rule. The possible solutions are simple but nontrivial. The first
solution is to replace $\mathit{ebb}$ by $\mathit{bathe}$. The result is the DB state where children's
bathing is allowed: $I_1 = \{\mathit{children}, \mathit{parents}, \mathit{bathe}\}$. The other is just to eliminate
$\mathit{children}$. The resulting DB state is that where no children's bathing is needed:
$I_2 = \{\mathit{parents}, \mathit{ebb}\}$.

Now, let us consider the same update in the case of partial databases. The initial
DB is in this case $I = \{\mathit{children}, \mathit{ebb}, \neg\mathit{bathe}\}$. The first solution is then to replace
$\mathit{ebb}$ and $\neg\mathit{bathe}$ by $\mathit{bathe}$, the resulting DB state being
$I_1 = \{\mathit{children}, \mathit{parents}, \mathit{bathe}\}$. The other solution is again to eliminate $\mathit{children}$,
the resulting DB state being this time $I_2 = \{\mathit{parents}, \mathit{ebb}, \neg\mathit{bathe}\}$.

This is why after an update all models of the IC in which the update is accomplished are considered. However, among these models one should find one minimally deviating from the initial model. A bit more formally, this "enforced update problem (EUP)" is formulated as follows. Given a logic program Φ which formalizes the IC, a correct initial DB state I ⊨ Φ, and an external update Δ which specifies the facts D+ to be added to I and the facts D− to be deleted from it, one should find the minimal real change Ψ(I) of I sufficient to accomplish Δ and to restore Φ if and when it is violated (i.e. to guarantee that D+ ⊆ Ψ(I), Ψ(I) ∩ D− = ∅, and Ψ(I) ⊨ Φ). So we see that the EUP is a "function" and not a "property" problem. The closest "property" problems are those of the existence of EUP-solutions marked by the presence/absence of a given fact (OFIP), and of the presence/absence of a given fact in all EUP-solutions (PFIP). In the papers [ref] these problems were investigated for databases with ground IC and were shown to be intractable in the worst case: namely, complete in the first two classes of the Σ and Π polynomial hierarchies. In contrast with this, in this paper we find a polynomial time algorithm for the EUP itself in the same class of ground IC in partial interpretations. We suspect that there is no such algorithm in total interpretations.

In this paper we investigate the impact of the interpretation type and of the use of variables in clauses of IC on the complexity of OFIP and PFIP. We show that for definite ground IC, and positive updates and initial states, these problems are solvable in polynomial time in both interpretations. The use of variables in this positive case makes the problems complete respectively in NP and co-NP. The possibility of deletions makes them complete respectively in NP and co-NP for ground definite IC, and complete respectively in $\Sigma_2^P$ and $\Pi_2^P$ for definite IC with variables. In general they are respectively $\Sigma_2^P$-complete and $\Pi_2^P$-complete in partial interpretations, and $\Sigma_3^P$-complete and $\Pi_3^P$-complete in total interpretations. In the case where the DB signature may vary, the complexity of these problems grows exponentially.

The paper is organized as follows. The next section contains preliminary notions and notation. The problems we consider are formulated in section 3 (the Enforced Update Problem in terms of conservative update operators) and in section 4 (OFIP and PFIP). Subsection 4.1 contains complexity results for partial interpretations under the premise of a fixed signature. Subsection 4.2 contains the results concerning total interpretations under the same premise. In subsection 4.3 the case of a varying signature is considered.



2 Preliminaries

We assume that the reader is familiar with the basic concepts and terminology of logic programming and complexity theory (see [ref]).

Language. Let S be a first order signature with a set of constants C and no other function symbols. Sometimes in this paper S will be fixed with infinite C, sometimes it will be finite and its size will be considered as a parameter of complexity. A domain is a finite subset D of C. For each domain D, by A(S,D), L(S,D), B(S,D) and LB(S,D) we denote respectively the sets of all atoms, all literals, all ground atoms, and all ground literals in the signature S with constants in D. The literal contrary to a literal l is denoted by ¬.l. We set ¬.M = {¬.l | l ∈ M}.

Logic Programs. Integrity constraints (IC) will be expressed by generalized logic programs in S and D with explicit negation, i.e. finite sets of clauses of the form r = (l ← l1, ..., ln), where n ≥ 0 and l, li ∈ L(S,D) (note that negative literals are possible in the bodies and in the heads of the clauses). For a clause r, head(r) denotes its head and body(r) its body. We will treat body(r) as a set of literals. D being fixed, we consider groundisations of clauses only over D. gr(Φ) will denote the set of all ground instances of clauses in Φ. IC(S,D) will denote the set of all integrity constraints in the signature S with constants in D.

Correct DB States. In this paper we consider both kinds of interpretations of ICs, total and partial, over closed domains. This means that a certain domain D is fixed for each problem. A partial interpretation (DB state) over D is a finite subset of LB(S,D). For such an interpretation I ⊆ LB(S,D) we set I+ = I ∩ B(S,D) and I− = I ∩ ¬.B(S,D). I is consistent if it contains no contrary pair of literals l, ¬.l. Intuitively, in a consistent partial DB state I the atoms in I+ are regarded as true, the atoms in ¬.I− are regarded as false, and all others are regarded as unknown. A partial interpretation I is total if I+ ∪ ¬.I− = B(S,D) and I+ ∩ ¬.I− = ∅. Note that total interpretations are completely defined by their positive parts, so we will identify total interpretations with subsets of B(S,D). Given an IC Φ ∈ IC(S,D) and a DB state I over D, a ground clause r = (l ← l1, ..., ln) in gr(Φ) is valid in I (denoted I ⊨ r) if I ⊨ l whenever I ⊨ li for each 1 ≤ i ≤ n. For a partial DB state I and a ground literal l, I ⊨ l means l ∈ I. For a total DB state I and a ground atom a, I ⊨ a means a ∈ I, and I ⊨ ¬a means a ∉ I. I is a correct DB state or a model of Φ (denoted I ⊨ Φ) if it is consistent (which is always true for total DB states) and every clause in gr(Φ) is valid in I.

Consequence Closure. Let Φ ∈ IC(S,D). For a partial interpretation I we set

$$cl_\Phi(I) = \{\, l \mid \exists\, r = (l \leftarrow l_1, \dots, l_n) \in gr(\Phi) \text{ such that } \textstyle\bigwedge_{i=1}^{n} I \models l_i \,\}.$$

A strong immediate consequence operator is the total operator

$$T_\Phi(I) = \begin{cases} cl_\Phi(I) & \text{if } cl_\Phi(I) \text{ is consistent,}\\ LB(S,D) & \text{if } cl_\Phi(I) \text{ is inconsistent.} \end{cases}$$

Being continuous, T_Φ has the least fixed point

$$lfp(T_\Phi) = \bigcup_{i=0}^{\infty} (T_\Phi)^i(\emptyset).$$

We denote this set by $M^{min}_\Phi$. It is clear that if $M^{min}_\Phi$ is consistent, then it is the least (partial) model of Φ. For any partial DB state I we set $M^{min}_\Phi(I) = M^{min}_{\Phi \cup I}$.

Updates. When partial interpretations over D are considered, an update is a pair Δ = (D+, D−) where D+, D− are subsets of LB(S,D). In the case of total interpretations D+, D− are subsets of B(S,D). In both cases D+ ∩ D− = ∅. Intuitively, the literals of D+ are to be added to the DB state I, and those of D− are to be removed from I. We will denote the components D+ and D− respectively by Δ+ and Δ−. For both kinds of interpretations UP(S,D) will denote the set of all updates in the signature S and with constants in D. We say that Δ is accomplished in I if Δ+ ⊆ I and Δ− ∩ I = ∅.

In the sequel we will omit S, D when it causes no ambiguity. So when S and D are understood, in place of A(S,D), L(S,D), B(S,D), LB(S,D), UP(S,D) we will use the notation A, L, B, LB, UP.



On Complexity of Updates through Integrity Constraints

3 Conservative Rule Based Updates

In general, an update may contradict the constraints. So a reasonable definition of an update operator should either contain a requirement of "compatibility" of the update and the constraints, or specify a part of the update "compatible" with the constraints. The requirement of compatibility is easy to formalize.

Definition 1. For Φ ∈ IC and Δ ∈ UP let us denote by Acc(Φ, Δ) the set of all models I ⊨ Φ in which Δ is accomplished. An update Δ is compatible with an IC Φ if Acc(Φ, Δ) ≠ ∅.

In [ref] we propose the following minimal deviation criterion implementing the intention to keep as many initial facts as possible, and then to add as few new facts as possible:

Definition 2. Let I, I1 be two DB states, and K be a class of DB states. We say that I1 is minimally deviating from I with respect to K if

$$\forall I_2 \in K\ \big( \neg(I \cap I_1 \subset I \cap I_2)\ \&\ ((I \cap I_1 = I \cap I_2) \Rightarrow \neg(I_2 \setminus I \subset I_1 \setminus I)) \big).$$

In terms of this criterion the conservative update operators we consider have been defined in [ref] as follows.

Definition 3. Let Δ be a given update which is compatible with an IC Φ. An operator Ψ on the set of DB states is a conservative update operator if for each DB state I:

• Ψ(I) is a model of Φ,
• Δ is accomplished in Ψ(I),
• Ψ(I) is minimally deviating from I with respect to Acc(Φ, Δ).

4 Computational Complexity of Conservative Updates

The Enforced Update Problem (EUP) discussed in the Introduction is the problem of calculating a conservative update operator Ψ for some given IC, update and input state. So it is a "function" type problem. In order to measure the complexity of conservative updates in a "property" form we use two standard algorithmic problems: the Optimistic and the Pessimistic Fall-Into-Problem (OFIP and respectively PFIP) (cf. [ref]).

OFIP: Given some Δ ∈ UP compatible with Φ ∈ IC, an initial state I, and a literal l ∈ LB, one should check whether there exists a DB state I1 such that:

(a) I1 ∈ Acc(Φ, Δ),
(b) I1 is minimally deviating from I with respect to Acc(Φ, Δ), and
(c) I1 ⊨ l.

PFIP: requires (c) to be true for all models I1 satisfying (a), (b).

We denote respectively by OFIP and PFIP the sets of all solutions (I, Δ, Φ, l) of these problems.

Typical database updates do not change the database scheme. In logical terms this corresponds to the situation where the predicate signature S is fixed. Under this premise we consider the combined complexity of OFIP and PFIP with respect to the problem size evaluated as N = |D| + |I| + |Δ| + |Φ| + |l| (|·| being the size of constant or literal sets, and of programs in some standard encoding). The signature S being fixed, for a given domain D the maximal size of a DB state is bounded by a polynomial of the order O(|D|^a), where a is the maximal arity of predicates in S. When S is not fixed, its size is included in the problem size.

In this paper we use the following multiparameter reduction scheme which serves for most lower bounds below in the case of a fixed one-predicate signature.

Let α = d_1 ∧ ... ∧ d_n be a 3-CNF, where each clause is d_i = (¬)u_{i1} ∨ (¬)u_{i2} ∨ (¬)u_{i3} (1 ≤ i ≤ n) and the u_{ij} are propositional variables.

Given a set R of boolean variables we form the set of constants

$$C(\alpha, R) = \{t, f, t_1, t_2, t_3, f_1, f_2, f_3, 1, 2, 3, p_{000}, p_{001}, \dots, p_{111}, d_1, \dots, d_n\} \cup \{c_x \mid x \in R\}.$$

Informally, d_i encodes the i-th clause, t or f fix its value, 1, 2 or 3 fix j in u_{ij}, t_j or f_j fix the value of u_{ij}, p_{b1b2b3} fixes the boolean values of u_{i1}, u_{i2}, u_{i3}, and c_x is a DB constant for the boolean variable x ∈ R. We construct the following (α, R)-dependent part J(α, R) of initial DB states. J(α, R) = J ∪ J_α ∪ J_R, where:

$$J = \{s(t, t_j), s(f, f_j) \mid 1 \le j \le 3\} \cup \{s(t_j, j), s(f_j, j) \mid 1 \le j \le 3\} \cup \bigcup_{b_1 b_2 b_3} \big(\{s(t_j, p_{b_1 b_2 b_3}) \mid b_j = 1\} \cup \{s(f_j, p_{b_1 b_2 b_3}) \mid b_j = 0\}\big);$$

$$J_\alpha = \bigcup_{b_1 b_2 b_3} \{s(d_i, p_{b_1 b_2 b_3}) \mid \text{clause } d_i \text{ is true on } b_1 b_2 b_3,\ 1 \le i \le n\},\qquad J_R = \{s(t, c_x), s(f, c_x) \mid x \in R\}.$$

Given α and two sets of variables R_1, R_2 with R_1 ∩ R_2 = ∅, we construct the set of atoms

$$\varphi(\alpha, R_1, R_2) = \bigcup_{i=1}^{n} \big(\{s(d_i, P_i)\} \cup P_i^1(u_{i1}) \cup P_i^2(u_{i2}) \cup P_i^3(u_{i3})\big),$$

where

$$P_i^j(x) = \begin{cases} \{s(V_x, c_x),\ s(V_x, W_{ij}),\ s(W_{ij}, j),\ s(W_{ij}, P_i)\} & \text{for } x \in R_1,\\ \{s(V_x, W_{ij}),\ s(W_{ij}, j),\ s(W_{ij}, P_i)\} & \text{for } x \in R_2, \end{cases}$$

P_i, W_ij, V_x being object variables. Intuitively, P_i fixes a triple p_{b1b2b3} which makes d_i true, the value of W_ij fixes a value b_j of u_ij in this triple, and finally V_x fixes a value (t or f) of x. Therefore P_i^j(x) describes the value of the propositional variable x in the j-th literal of the i-th clause. Notice that both J(α, R) and φ(α, R_1, R_2) contain only positive literals.



The following lemma relates the satisfiability of α to the validity of φ on J.

Lemma 1. Let x, y be a partition of the set of variables of a 3-CNF α(x, y). In our construction let C = C(α, x) and

$$I = J(\alpha, \emptyset) \cup \{s(t, c_x) \mid \sigma(x) = 1\} \cup \{s(f, c_x) \mid \sigma(x) = 0\},$$

for some boolean substitution σ : x → {0, 1}. Then α(σx, y) is satisfiable iff I ⊨ φ(α, x, y)∘τ for some object variable substitution τ.

Proof. If α(σx, y) is satisfiable, then there is an extension σ' of σ to y such that α(σ'x, σ'y) is true. Then we set

$$\tau P_i = p_{\sigma'(u_{i1})\,\sigma'(u_{i2})\,\sigma'(u_{i3})},\qquad \tau V_u = \begin{cases} t & \text{if } \sigma'(u) = 1,\\ f & \text{if } \sigma'(u) = 0, \end{cases} \quad \text{for all } u \in x \cup y,$$

$$\tau W_{ij} = \begin{cases} t_j & \text{if } \sigma'(u_{ij}) = 1,\\ f_j & \text{if } \sigma'(u_{ij}) = 0, \end{cases} \quad \text{for } 1 \le i \le n,\ 1 \le j \le 3.$$

It is easy to check that I ⊨ φ(α, x, y)∘τ.

Now, let φ(α, x, y) be valid in I under some object variable substitution τ. Then τP_i ∈ {p_000, p_001, ..., p_111} since I ⊨ s(d_i, P_i)∘τ, τW_ij ∈ {t_j, f_j} since I ⊨ s(W_ij, j)∘τ, and τV_u ∈ {t, f} since I ⊨ s(V_u, W_ij)∘τ. We define σ' from τ as follows: σ'(u) = 1 if τV_u = t and σ'(u) = 0 otherwise. Let us observe that σ' coincides with σ on x. Indeed, φ(α, x, y) contains a fact s(V_x, c_x), valid in I only if σ(x) = σ'(x), for all x ∈ x. As φ(α, x, y) contains the facts s(V_{u_ij}, W_ij), s(W_ij, j) and s(W_ij, P_i), we get τP_i = p_{σ'(u_i1)σ'(u_i2)σ'(u_i3)}. Now, from I ⊨ s(d_i, P_i)∘τ it follows that the clause d_i is true under σ', hence α(σx, σ'y) is true. □

The complexity of the problems we consider depends on many factors: the presence of variables in clauses of IC, the use of negation, the arity of predicates, etc. The main factor is the interpretation type. It turns out that the same problems are simpler in partial interpretations than in classical total interpretations. For example, in partial interpretations the compatibility problem Acc(Φ, Δ) ≠ ∅ for ground IC is resolved in linear time, whereas it is NP-complete in total interpretations [ref] for the same class of IC. As will be shown, in partial interpretations both problems OFIP and PFIP have a wide spectrum of complexity depending on specific factors, such as the presence of negative literals in DB states or in the update. The other important factor is the groundness of IC. Such a basic problem as model checking is resolved in linear time for ground IC in both interpretations. Meanwhile, even for definite IC Φ the problem MC = {⟨I, Φ⟩ | I ⊨ Φ} is co-NP-complete in both interpretations, which follows for example from the respective complexity bounds for conjunctive queries [ref].

4.1 Complexity in Partial Interpretations

We begin with several simple observations.

Proposition 1. For any IC Φ:

(1) if $M^{min}_\Phi(S)$ is consistent for some set of literals S, then $M^{min}_\Phi(S) \models \Phi$;
(2) if I ⊨ Φ and S ⊆ I, then $M^{min}_\Phi(S) \subseteq I$;
(3) if Φ is compatible with some Δ, then $M^{min}_\Phi(\Delta^+)$ is the least model in Acc(Φ, Δ);
(4) if Φ is a definite IC compatible with some positive Δ (i.e. Δ+ ⊆ B and Δ− = ∅), and I ⊆ B, then $M^{min}_\Phi(\Delta^+ \cup I)$ is the only DB state minimally deviating from I with respect to Acc(Φ, Δ).

The premise of a fixed predicate signature provides important polynomial time algorithms.

Proposition 2. Let Φ be an IC and S be a set of literals.

(1) There is an algorithm that constructs $M^{min}_\Phi(S)$ in polynomial time, if Φ is ground.
(2) There is a nondeterministic uniformly (i.e. in all computations) polynomial time algorithm which constructs $M^{min}_\Phi(S)$ in some of its computations, and a subset of $M^{min}_\Phi(S)$ in any of its computations.
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These propositions lead to the following interesting characterization of the EUP 
solutions in partial interpretations. 

Theorem 1. Let and A be compatible. Then Ii is minimally deviating from 
I with respect to Acc{d>, A) iff there is a maximal subset SCI such that 
Ii = U A'^) is consistent and Ii n A~ = 0. 

The proof of this theorem uses a construction from the following lemma, which 
is interesting for itself and provides important consequences for ground IC. 

Lemma 2. There is a polynomial time algorithm constructing some DB state 
Ii G Acc{'P, A) minimally deviating from I with respect to Acc{<P,A), from an 
initial DB state /, any DB state Iq G Acc{d>, A), and ground IC compatible 
with A. 

Proof Scheme: Let I = {li,l 2 , ■ ■ ■ , In}, A, and some DB state Iq G Acc{d>^ A) 
be given. We define the following sequence of sets Si, 0 < i < n. 

( Si, if M™^{Si U {^i+i}) is inconsistent 

So = (/on/)UD+ and 5,+i = or U {/,+i}) n D" ^ 0 

[ Si U {/i+i}, otherwise. 

Let Ii = M^'^^{Sn). By construction and by Proposition 1, I\ G Acc(d>, A). No 
literal I G I\Ii can be added to I\, because is inconsistent or contradicts 

A~ . No literal I G I\ \ I can be removed from Ii, because it is inferred from Sn, 
which contains only literals in / or in D'*'. Hence, I\ minimally deviates from I 
with respect to Acc{T>, A). Note that if Iq minimally deviates from / with respect 
to Acc{<P, A), then Ii = Iq. Clearly, Ii is constructed in polynomial time. □ 
Now we can prove Theorem 1.

Proof Scheme: (⇒) Let S = I1 ∩ I and $I_0 = M^{min}_\Phi(S \cup \Delta^+)$. Being a subset of I1, I0 is consistent. So I0 ⊨ Φ. By monotonicity of $M^{min}_\Phi$, Δ+ ⊆ I0 and Δ− ∩ I0 = ∅, so I0 ∈ Acc(Φ, Δ). For the same reason, I0 ∩ I = I1 ∩ I = S. So if there is some l ∈ I1 \ I0, then I1 is not minimally deviating from I with respect to Acc(Φ, Δ); hence $I_1 = I_0 = M^{min}_\Phi(S \cup \Delta^+)$. Maximality of S follows in the same way: for a larger S' ⊆ I with $M^{min}_\Phi(S' \cup \Delta^+)$ consistent and disjoint from Δ−, this state would be in Acc(Φ, Δ) and keep strictly more of I than I1 does.

(⇐) Being consistent, $I_1 = M^{min}_\Phi(S \cup \Delta^+)$ is a model of Φ. So I1 ∈ Acc(Φ, Δ). Apply the construction of Lemma 2 to the so defined I1 in the role of I0. The result coincides with I1 by construction. Therefore I1 is minimally deviating from I with respect to Acc(Φ, Δ). □

If Φ and Δ are compatible, then by Proposition 1(3) the model $I_0 = M^{min}_\Phi(\Delta^+)$ is in Acc(Φ, Δ). So together with Proposition 2(1) this lemma gives a surprising consequence: for ground IC there is a polynomial time computable conservative update operator, i.e. one can find some solution of the EUP in polynomial time.

Corollary 1. There is a polynomial time algorithm constructing some DB state I1 ∈ Acc(Φ, Δ) minimally deviating from I with respect to Acc(Φ, Δ), from an initial DB state I and a ground IC Φ compatible with Δ.

Surely this doesn't work for OFIP, because the given literal l may not fall into this particular solution. Indeed, as shown in [ref], OFIP is a hard problem even for ground IC.
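As an added illustration that is not part of the paper, the following Python code implements the partial-interpretation machinery used above for ground IC: $M^{min}_\Phi(S)$ as the least fixed point of the strong immediate consequence operator of section 2, the compatibility test behind Proposition 1(3), the construction of Lemma 2, and (for small instances only) the characterization of Theorem 1 obtained by enumerating the subsets of I. Ground literals are strings with a "~" prefix for the contrary literal, a clause is a (head, body) pair, and a closure that becomes inconsistent is returned as None instead of LB; these encodings and all function names are the example's own choices. It is run on Example 1 of the Introduction in its partial reading, where the two scanning orders of I produce the two solutions I1 and I2 given there.

```python
from itertools import combinations

# Ground literals are strings; "~a" is the literal contrary to the atom "a".
# A ground clause is a pair (head, body) with body a tuple of literals.
# These encodings and the function names are this example's own conventions.


def contrary(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def consistent(lits):
    return not any(contrary(l) in lits for l in lits)


def m_min(program, facts):
    """M^min_Phi(facts): least fixed point of the strong immediate consequence
    operator of Phi ∪ facts, iterated from the empty set.  Returns None where
    the paper's operator returns all of LB, i.e. as soon as the closure
    contains a contrary pair."""
    cur = frozenset()
    while True:
        nxt = set(facts)
        nxt.update(head for head, body in program if set(body) <= cur)
        nxt = frozenset(nxt)
        if not consistent(nxt):
            return None
        if nxt == cur:
            return cur
        cur = nxt


def is_model(program, state):
    """I |= Phi: I consistent and every ground clause valid in I."""
    return consistent(state) and all(
        head in state for head, body in program if set(body) <= state)


def accomplished(state, delta):
    """Delta+ ⊆ I and Delta- ∩ I = ∅."""
    plus, minus = delta
    return plus <= state and not (minus & state)


def compatible(program, delta):
    """Acc(Phi, Delta) ≠ ∅ iff M^min(Delta+) is consistent and avoids Delta-:
    every model containing Delta+ contains that least model (Proposition 1)."""
    plus, minus = delta
    m = m_min(program, plus)
    return m is not None and not (m & minus)


def conservative_update(program, state, delta, start=None, order=None):
    """Lemma 2: from I, Delta and any I0 in Acc(Phi, Delta) build I1 minimally
    deviating from I.  I0 defaults to M^min(Delta+); `order` is the order in
    which the literals l_1..l_n of I are tried (sorted order by default)."""
    plus, minus = delta
    if start is None:
        start = m_min(program, plus)
    if start is None or not (is_model(program, start) and accomplished(start, delta)):
        raise ValueError("I0 must be a model of Phi in which Delta is accomplished")
    s = (start & state) | plus                       # S_0
    for lit in (order if order is not None else sorted(state)):
        m = m_min(program, s | {lit})                # M^min(S_i ∪ {l_{i+1}})
        if m is not None and not (m & minus):
            s = s | {lit}                            # keep l_{i+1}
    return m_min(program, s)                         # I1 = M^min(S_n)


def minimal_deviations(program, state, delta):
    """Theorem 1: the minimally deviating states are exactly M^min(S ∪ Delta+)
    for the inclusion-maximal S ⊆ I whose closure is consistent and avoids
    Delta-.  Exponential in |I|; meant only for checking small instances."""
    plus, minus = delta
    lits = sorted(state)
    good = []
    for k in range(len(lits) + 1):
        for s in combinations(lits, k):
            m = m_min(program, frozenset(s) | plus)
            if m is not None and not (m & minus):
                good.append(frozenset(s))
    maximal = [s for s in good if not any(s < t for t in good)]
    return {m_min(program, s | plus) for s in maximal}


# Example 1 of the paper, partial reading: I = {children, ebb, ¬bathe},
# Delta = ({parents}, ∅).  Constructed here from the text of the example.
EXAMPLE_IC = [("bathe", ("children", "parents")),
              ("~bathe", ("children", "ebb"))]
EXAMPLE_I = frozenset({"children", "ebb", "~bathe"})
EXAMPLE_DELTA = (frozenset({"parents"}), frozenset())

if __name__ == "__main__":
    assert is_model(EXAMPLE_IC, EXAMPLE_I) and compatible(EXAMPLE_IC, EXAMPLE_DELTA)
    # Scanning children first keeps it and rejects ebb, ¬bathe: I1 of the paper.
    print(sorted(conservative_update(EXAMPLE_IC, EXAMPLE_I, EXAMPLE_DELTA,
                                     order=["children", "ebb", "~bathe"])))
    # Scanning ebb, ¬bathe first keeps them and rejects children: I2 of the paper.
    print(sorted(conservative_update(EXAMPLE_IC, EXAMPLE_I, EXAMPLE_DELTA,
                                     order=["ebb", "~bathe", "children"])))
    print([sorted(s) for s in minimal_deviations(EXAMPLE_IC, EXAMPLE_I, EXAMPLE_DELTA)])
```

Because the deviation order of Definition 2 compares the kept part of I by inclusion and not by cardinality, the two states are incomparable and Lemma 2 returns whichever one the scanning order favours; this is exactly why Corollary 1 yields some EUP solution but does not settle OFIP.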






Theorem 2. Let the IC Φ be ground. Then:

(1) OFIP and PFIP belong to P in the case where:
  a) Φ is normal (i.e. there are no negations in the heads of clauses),
  b) Δ is positive, i.e. Δ+ ⊆ B and Δ− = ∅, and
  c) there are no negations in I, i.e. I ⊆ B.

(2) If any of the conditions a), b), c) is violated, then OFIP is NP-complete and PFIP is co-NP-complete.

Let us analyze the complexity of OFIP and PFIP for general IC with variables. There is one very special case where these problems are solvable in polynomial time: that of positive DB states and updates and definite monadic IC. In this case one can construct a consequence closure of polynomial size. By Proposition 1(4), OFIP and PFIP are equivalent in this case.

Proposition 3. There is a polynomial time algorithm which decides whether (Δ, Φ, I, l) ∈ OFIP (same for PFIP) for definite Φ containing only unary predicates, and for positive Δ, I, and l.

Even the use of a single binary predicate can increase the complexity of both problems, when Δ is positive and Φ is a definite IC with variables. Interestingly, the complexity depends on the positivity of l.

Theorem 3. In the case where IC are definite and updates are positive:

(1) OFIP is NP-complete if l is positive;
(2) OFIP is co-NP-complete if l is negative;

both lower bounds are valid even for a signature with one binary predicate.

Proof Scheme: Lower Bound. In our reduction scheme for a 3-CNF α with variables V we take some new variable a and set C = C(α, {a}), Δ = (J(α, ∅), ∅), Φ = {s(t, c_a) ← φ(α, ∅, V)}, and I = {¬s(t, c_a)}. Then α is satisfiable iff (I, Δ, Φ, s(t, c_a)) ∈ OFIP, and iff (I, Δ, Φ, ¬s(t, c_a)) ∉ OFIP. □

Corollary 2. In the case where IC are definite, and Δ and I are positive, PFIP is NP-complete.

For the same class of IC and of updates, the emergence of negative literals in initial DB states increases the complexity of PFIP.

Theorem 4. In the case where IC are definite and Δ are positive, PFIP is $\Pi_2^P$-complete.

Proof Scheme: Lower Bound. Let us consider a sentence β = ∀x∃y α(x, y), where α is a 3-CNF. Let a and b be new, different variables. Then we set C = C(α, x ∪ {a, b}), I = J(α, x) ∪ {¬s(t, c_a)}, and define Φ by:

    s(t, c_a) ← s(f, c_a), s(t, c_x), s(f, c_x),   for x ∈ x;
    s(t, c_b) ← s(t, c_a);
    s(t, c_b) ← {s(f, c_a)} ∪ φ(α, x, y);
    s(c1, c2) ←   for all s(c1, c2) ∈ J(α, ∅).

Let Δ = ({s(f, c_a)}, ∅) and l = s(t, c_b). Then one can prove that (I, Δ, Φ, l) ∈ PFIP iff β is true. □
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Discarding the constraint of positivity of updates, we still increase the com- 
plexity of both problems. As it concerns monadic definite IC, their complexity 
is as that of ground IC. 

Proposition 4. In the case, where IC are definite and use only unary predi- 
cates, OFIP is NP-complete, and PFIP is co-NP-complete. 

For definite IC with arbitrary predicates the problems become complete on the 
second level of polynomial S and II hierarchies. 

Theorem 5. In the case, where IC are definite: 

(1) OFIP is S^-complete; 

(2) PFIP is n^-complete; 

both lower hounds are valid even for a one binary predicate signature. 

Proof Scheme: (1) Lower Bound. Let fl = 3xVy^a(x, y) for a 3-CNF a. We 
set C = C{a,xyj {a, b, c, d} U {bx \ x G x}), I = J{a, x) U {s{t, cj), sft, Ca)}, and 
define <P by: 

s{t, Ca) ^ s{t, Cx), s{f, Cx), for X Gx; 

s(i, Ch„) ^ s(t, Cc), s(t, Cx), and s(t, CbJ ^ s{t, Cc), s(/, Cx), for x Gx; 
s{t, Ca) ^ {s{t, Cd)} u ip{a, X, y); 
s{t, Cb) ^ s{t, Cd) U Ua;eT CbJ; 
s(ci,C2)^ for all s(ci, C2) G J(a, 0 ). 

Finally, let A = {{s{t, Cc)}, {s{t, Ca)}), and I = s{t, Cb). 

Note that for any Ii G Acc{(I,A) at most one of facts s{t,Cx), s{f,Cx) can 
belong to fi. If for some x neither s(t,Cx) nor s{f,Cx) is in I\ then I\ doesn’t 
contain s{t, Cb). 

Now, if formula j3 is true, then there is a substitution a such that a(<Ta;, y) is 
false for all y. Let us add s{t, Cx) to Ii if a(x) = true and s(/, Cx) otherwise. Then 
we have to add to I\ also all s{t,Cbfi). As a{ax,y) is false for all y, (p{a,x,y) 
cannot be true. Hence we add s{t,Cd) and therefore, also s{t,Cb) to I\. 

If (3 is false, then for every combination of s(t, Cx) and s(/, Cx) there is a 
substitution such that (p{a,x,y) is true. Hence, we should delete s{t,Cd) from 
Ii. If we don’t delete s{t,Cd), then we must delete some other fact. But we can 
delete only literals of the form s{Z, Cx) where Z G {t, /}. So we remove s{t, Cx) 
and s{f,Cx) for some x, and we cannot obtain s{t,Cbfi) for this x. In any case, 
s{t, Cb) cannot be proven, and does not belong to I\. 

(2) Lower Bound. Let us consider a sentence j3 = Vx3ya(x, y), where a is a 
3-CNF. Let a and b be some new variables. We construct C = C{a,xU {a, 5}), 
/ = J{a, 0), and IC with clauses: 

S{t, Ca) ^ S(/, Ca), s{t, Cx) , s(/, Cx), for X G X; 
s{t, Cb) ^ {s{f, Ca)} u ip{a, X, y); 
s{ci,C2) ^ for all s(ci, C2) G J(a, 0 ). 

We set A = {{s{f, Ca)}, {s{t, Ca)}) and I = s{t, Cb). Then (/, A, <P, 1) G PFIP iff 
fl is true. □ 

Interestingly enough, the general case in partial interpretations is polynomially reduced to that of definite IC.

Lemma 3. OFIP and PFIP for general (ground) IC are polynomial time equivalent to the same problems for definite (ground) IC.

Proof. We consider only the general case. Let (I, Δ, Φ, l) be an instance of OFIP (PFIP). We add to S a new predicate symbol p' for every predicate p ∈ S and replace all occurrences of ¬p in I, Δ, Φ, and l by p'. Then we fix some new ground atom foo and add it to D−. Finally, we add to Φ the rule foo ← p(X), p'(X) for each predicate p ∈ S. Let (I', Δ', Φ', l') be the so constructed instance of OFIP (PFIP). Evidently, all components of this instance except the update Δ' are positive. It is easy to see that (I, Δ, Φ, l) ∈ OFIP (PFIP) iff (I', Δ', Φ', l') ∈ OFIP (PFIP). □

From this lemma and Theorem 5 we get

Corollary 3. In the general case:

(1) OFIP is $\Sigma_2^P$-complete;
(2) PFIP is $\Pi_2^P$-complete.
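The reduction in the proof of Lemma 3, as an added example that is not from the paper: the Python function below renames every contrary literal ~p(...) to an atom of a fresh predicate p'(...), puts a fresh atom foo into Δ−, and adds the clauses foo ← a, a' for the ground atoms of the instance (the groundisation of foo ← p(X), p'(X) restricted to atoms that can occur, since a closure only ever contains given facts and clause heads). The literal syntax ("p" or "p(c1,c2)", "~" for negation), the name foo and the function names are assumptions of the example. It is applied to Example 1 in its partial reading, with ¬bathe as the literal l of the OFIP instance.

```python
def lemma3_reduce(program, state, delta, lit, foo="foo"):
    """Lemma 3: map an instance (I, Delta, Phi, l) over ground literals with
    explicit negation to an instance over positive literals only.  Each
    contrary literal ~p(...) becomes an atom p'(...) of a fresh predicate; the
    fresh atom `foo` is added to Delta-, and a clause foo <- a, a' is added for
    every ground atom a occurring in the instance, so no model of the new
    instance may contain both a and a'.  Literal syntax "p" or "p(c1,c2)" with
    a "~" prefix for negation is this example's own convention.
    Returns (Phi', I', Delta', l')."""
    def prime(atom):                        # p(c1,c2) -> p'(c1,c2)
        name, sep, args = atom.partition("(")
        return name + "'" + sep + args

    def pos(l):                             # ~a -> a'   and   a -> a
        return prime(l[1:]) if l.startswith("~") else l

    plus, minus = delta
    atoms = {l.lstrip("~") for l in state | plus | minus | {lit}}
    for head, body in program:
        atoms.add(head.lstrip("~"))
        atoms.update(b.lstrip("~") for b in body)
    if foo in atoms:
        raise ValueError("foo must be a fresh atom")
    new_program = [(pos(h), tuple(pos(b) for b in body)) for h, body in program]
    new_program += [(foo, (a, prime(a))) for a in sorted(atoms)]
    return (new_program,
            frozenset(pos(l) for l in state),
            (frozenset(pos(l) for l in plus), frozenset(pos(l) for l in minus) | {foo}),
            pos(lit))


def has_negation(program, state, delta, lit):
    """True if any component of the instance still uses explicit negation."""
    plus, minus = delta
    lits = set(state) | plus | minus | {lit}
    lits.update(h for h, _ in program)
    lits.update(b for _, body in program for b in body)
    return any(l.startswith("~") for l in lits)


# Example 1 (partial reading) as an OFIP instance asking for ¬bathe; the
# instance is constructed here from the text of the example.
EX_IC = [("bathe", ("children", "parents")), ("~bathe", ("children", "ebb"))]
EX_I = frozenset({"children", "ebb", "~bathe"})
EX_DELTA = (frozenset({"parents"}), frozenset())

if __name__ == "__main__":
    phi2, i2, delta2, l2 = lemma3_reduce(EX_IC, EX_I, EX_DELTA, "~bathe")
    for clause in phi2:
        print(clause)
    print(sorted(i2), delta2, l2)
```

The result is a definite ground instance whose only negative component is the deletion of foo, which is what allows the lower bounds of Theorem 5 to transfer to general IC in Corollary 3.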

4.2 Complexity in Total Interpretations

As was shown in [ref], in the case of ground IC the complexity of OFIP and PFIP is greater for total interpretations than in partial ones. In fact, OFIP and PFIP are "co-problems" in total interpretations in the sense that (I, Δ, Φ, l) ∈ PFIP iff (I, Δ, Φ, ¬l) ∉ OFIP. So it is enough to establish complexity bounds for one of the problems, e.g. for OFIP, if no constraints are imposed on the literal l.

Theorem 6. In the case where IC are ground:

(1) both OFIP and PFIP belong to P, when IC are definite and updates are positive;
(2) OFIP is NP-complete, when IC are definite;
(3) in the general case OFIP is $\Sigma_2^P$-complete.

Corollary 4. In the case where IC are ground:

(1) PFIP is co-NP-complete, when IC are definite;
(2) PFIP is $\Pi_2^P$-complete in the general case;
(3) OFIP (PFIP) is $\Sigma_2^P$-complete ($\Pi_2^P$-complete) when IC are monadic programs with variables.

As in the case of partial interpretations, for definite IC and positive updates Δ (in total interpretations this means Δ− = ∅) the problems are equivalent and solvable in polynomial time when IC are monadic, and are hard otherwise.

Proposition 5. In the case where IC are definite:

(1) OFIP and PFIP are in P, if IC use only unary predicates and updates are positive;






(2) OFIP and PFIP are NP-complete (co-NP-complete), if updates are positive and l is positive (negative);
(3) OFIP is $\Sigma_2^P$-complete in general.

Corollary 5. PFIP is $\Pi_2^P$-complete when IC are definite.

In the case of general IC, OFIP and PFIP become complete on the third level of the polynomial Σ and Π hierarchies.

Theorem 7.

(1) OFIP (PFIP) is $\Sigma_3^P$-complete ($\Pi_3^P$-complete);
(2) the lower bounds are valid even for a signature consisting of one binary predicate.

Proof Scheme: Lower Bound. Let β = ∃x∀y∃z α(x, y, z), where α is a 3-CNF. We construct C = C(α, x ∪ y ∪ {a, b}), I = J(α, ∅), and the IC Φ with clauses:

    ¬s(t, c_a) ← s(t, c_x), s(f, c_x),   for x ∈ x;
    ¬s(t, c_a) ← ¬s(t, c_x), ¬s(f, c_x),   for x ∈ x;
    s(t, c_b) ← s(t, c_a), s(t, c_y), s(f, c_y),   for y ∈ y;
    s(t, c_b) ← s(t, c_a), ¬s(t, c_y), ¬s(f, c_y),   for y ∈ y;
    s(t, c_y) ← s(t, c_b),  and  s(f, c_y) ← s(t, c_b),   for y ∈ y;
    s(t, c_b) ← {s(t, c_a)} ∪ φ(α, x ∪ y, z).

We set Δ = ({s(t, c_a)}, ∅), and l = s(t, c_b).

Then in every I1 minimally deviating from I with respect to Acc(Φ, Δ) there is exactly one of the facts s(t, c_x), s(f, c_x) for each x ∈ x.

Let β be true. Then there is a substitution σ such that ∀y∃z α(σx, y, z) is true. Let us include s(t, c_x) in I1 if σ(x) = 1 and s(f, c_x) otherwise. Then we also must add at least one of s(t, c_y) and s(f, c_y) for all y ∈ y. If for some y ∈ y both s(t, c_y) and s(f, c_y) are present, then s(t, c_b) and all s(t, c_y), s(f, c_y) must be present too. Let us denote this DB state by I1. In order to obtain some I' which is closer to I than I1 in our deviation order, we should add to I' exactly one of s(t, c_y), s(f, c_y) for each y ∈ y, and we should not add s(t, c_b). This, however, is impossible because ∀y∃z α(σx, y, z) is true.

Let l ∈ I1 for some I1 minimally deviating from I with respect to Acc(Φ, Δ). Then I1 contains s(t, c_y) and s(f, c_y) for all y ∈ y. Hence, it is impossible to select exactly one of s(t, c_y) and s(f, c_y) such that φ(α, x ∪ y, z) would be false for all substitutions. Therefore the formula ∀y∃z α(σx, y, z) is true for the substitution σ(x) = 1 if s(t, c_x) ∈ I1, and σ(x) = 0 otherwise. So the formula β is true. □

4.3 The Case of Varying Signature

It is no wonder that without the premise of a fixed signature the complexity grows exponentially.

Theorem 8. When the signature varies, then

(1) both problems OFIP and PFIP are EXPTIME-complete for the class of definite IC in partial and in total interpretations;
(2) both problems OFIP and PFIP are EXPTIME-complete in partial interpretations;
(3) OFIP is [...]-complete and PFIP is [...]-complete in total interpretations.

In fact, the lower bound in (1) follows from the exponential time complexity of Datalog [ref], and the lower bound in (3) can be derived from the same order lower bound for Disjunctive Datalog [ref]. Point (2) follows from (1) using Lemma 3.

We summarize our main results in the following tables (entries for the classes Σ and Π of the polynomial hierarchy are written Σ_k^P and Π_k^P).

Complexity of OFIP with fixed signature

                    Partial                     Total
                    ground      non-ground      ground      non-ground
    Positive case   P           NP/co-NP        P           NP/co-NP
    Definite IC     NP          Σ_2^P           NP          Σ_2^P
    General case    NP          Σ_2^P           Σ_2^P       Σ_3^P

Complexity of PFIP with fixed signature

                    Partial                     Total
                    ground      non-ground      ground      non-ground
    Positive case   P           NP/co-NP        P           NP/co-NP
    Definite IC     co-NP       Π_2^P           co-NP       Π_2^P
    General case    co-NP       Π_2^P           Π_2^P       Π_3^P

5 Conclusion

Our analysis shows that in the worst case the "property" aspects of the EUP are very hard even under the fixed signature premise. Nevertheless, the case of ground IC in partial interpretations presents a rare and surprising exception, where the EUP itself receives a practical polynomial time solution. As for the EUP-solutions marked by the presence or absence of a given fact, in the quite practical situation of definite IC they can be found in polynomial time in the absence of negation/deletions in updates. In the general situation some special means should be used in order to optimize the complete choice of solutions of the EUP. Some methods of this kind are proposed in [ref].
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Abstract. Planning is a very important AI problem, and it is also a 
very time-consuming AI problem. To get an idea of how complex dif- 
ferent planning problems are, it is useful to describe the computational 
complexity of different general planning problems. This complexity has 
been described for problems in which planning is based on the (complete 
or partial) information about the current state of the system. In real-life 
planning problems, we can often complement the incompleteness of our 
explicit knowledge about the current state by using the implicit knowl- 
edge about this state which is contained in the description of the system’s 
past behavior. For example, the information about the system’s past fail- 
ures is very important in planning diagnostic and repair. To describe 
planning which can use the information about the past, a special lan- 
guage C was developed in 1997 by C. Baral, M. Gelfond and A. Provetti. 
In this paper, we expand the known results about computational com- 
plexity of planning (including our own previous results) to this more 
general class of planning problems. 



1 Introduction 

I. 1 Planning Problems: Towards a More Realistic Formulation 

Planning Problems: Traditional Approach, with Complete Information about the Initial State. Planning is one of the most important AI problems. Traditional AI formulations of this problem mainly cover situations in which we have (complete or partial) information about the current state of the system, and we must find an appropriate plan (sequence of actions) which would enable us to achieve a certain goal.

Such situations are described, e.g., by the language $\mathcal{A}$ which was proposed in .

In this language, we start with a finite set of properties (fluents) $\mathcal{F} = \{f_1, \ldots, f_n\}$ which describe possible properties of a state.

A state is then defined as a finite set of fluents, e.g., $\{\}$ or $\{f_1, f_3\}$. We are assuming that we have complete knowledge about the initial state: e.g., $\{f_1, f_3\}$ means that in the initial state, properties $f_1$ and $f_3$ are true, while all the other properties $f_2, f_4, \ldots$ are false. The properties of the initial state are described by formulas of the type "initially F," where F is a fluent literal, i.e., either a fluent $f_i$ or its negation $\neg f_i$.

There is also a finite set $A$ of possible actions. At each moment of time, an agent can execute an action. The results of different actions $a \in A$ are described by rules of the type "a causes F if $F_1, \ldots, F_m$", where $F, F_1, \ldots, F_m$ are fluent literals. A reasonably straightforward semantics describes how the state changes after an action:

— If before the action a, the literals $F_1, \ldots, F_m$ were true, and the domain description contains a rule according to which a causes F if $F_1, \ldots, F_m$, then this rule is activated, and after the execution of action a, F becomes true. Thus, for some fluents $f_i$ we will conclude that $f_i$ holds in the resulting state, and for some others that $\neg f_i$ holds.

— If for some fluent $f_i$, no activated rule enables us to conclude that $f_i$ is true or false, this means that the execution of action a does not change the truth of this fluent. Therefore, $f_i$ is true in the resulting state if and only if it is true in the old state. (This case represents inertia.)

Formally, a domain description $D$ is a finite set of value propositions of the type "initially f" (which describe the initial state), and a finite set of effect propositions of the type "a causes f if $f_1, \ldots, f_m$" (which describe results of actions). A state s is a finite set of fluents. The initial state $s_0$ consists of all the fluents $f_i$ for which the corresponding value proposition "initially $f_i$" is contained in the domain description. (Here we are assuming that we have complete information about the initial situation.) We say that a fluent $f_i$ holds in s if $f_i \in s$; otherwise, we say that $\neg f_i$ holds in s.

The transition function $res(a, s)$ which describes the effect of an action a on a state s is defined as follows:

— we say that an effect proposition "a causes F if $F_1, \ldots, F_m$" is activated in a state s if all m fluent literals $F_1, \ldots, F_m$ hold in s;

— we define $V^+(a, s)$ as the set of all fluents $f_i$ for which a rule "a causes $f_i$ if $F_1, \ldots, F_m$" is activated in s;

— similarly, we define $V^-(a, s)$ as the set of all fluents $f_i$ for which a rule "a causes $\neg f_i$ if $F_1, \ldots, F_m$" is activated in s;

— if $V^+(a, s) \cap V^-(a, s) \neq \emptyset$, we say that the result of the action a is undefined;

— if the result of the action a is not undefined in a state s (i.e., if $V^+(a, s) \cap V^-(a, s) = \emptyset$), we define $res(a, s) = (s \cup V^+(a, s)) \setminus V^-(a, s)$.

A plan $\alpha$ is a sequence of actions $\alpha = [a_1, \ldots, a_m]$; the result $res(a_m, res(a_{m-1}, \ldots, res(a_1, s) \ldots))$ of applying these actions to the state s is denoted by $res(\alpha, s)$.
To complete the description of deterministic planning, we must formulate possible objectives. In general, as an objective, we can take a complex combination of elementary properties (fluents) which characterize the final state; for example, a typical objective of an assembly robot in manufacturing is to reach the state of the world in which all manufactured items are fully assembled. To simplify the description of the problem, we can always add this combination as a new fluent; thus, without losing generality, it is sufficient to consider only objectives of the type $f \in \mathcal{F}$.

In these terms, the planning problem can be formulated as follows: given a set of fluents $\mathcal{F}$, a goal $f \in \mathcal{F}$, a set of actions A and a set of rules D describing how these actions affect the state of the world, find a sequence of actions $\alpha = [a_1, \ldots, a_k]$ that, when executed from the initial state of the world $s_0$, makes f true. The problem of plan checking is, given $\mathcal{F}$, D, a goal, and a sequence of actions $\alpha$, to check whether the goal becomes true after execution of $\alpha$ in the initial state.

Next Step: Planning in Case of Incomplete Information about the Initial State. The language $\mathcal{A}$ allows planning in situations with complete information, when we know exactly which fluents hold in the initial state and which don't. In real life, we often have only partial information about the initial state: about some fluents, we know that they are true in the initial state; about some other fluents, we know that they are false in the initial state; and it is also possible that about some fluents, we do not know whether they are initially true or false.

For example, when we want a mobile robot to reach a certain point, we often do not have complete information about the state of the world; this is especially true in space applications, when the goal of the robot is to explore new environments whose state is initially unknown. When we plan the diagnostics and repair of a complex object, be it a computer, a car, etc., we do not know which parts are functioning correctly and which parts are not; this is exactly what we are trying to find out. In terms of fluents, this means that we do not know the initial values of the fluents which describe the correct functionality of the system's parts.

Such situations can also be easily described by a simple modification of the above language $\mathcal{A}$. Namely, if for some fluent f, neither the statement "initially f" nor the statement "initially $\neg f$" is given, we assume that two different initial situations are possible: one in which f is initially true, and one in which f is false in the initial state. As a result, instead of a single initial state $s_0$, we may have several different initial states which are consistent with our knowledge about the system.

In this case, the notion of a successful plan becomes slightly more complex: namely, we say that a plan is successful if for every initial state s which is consistent with our knowledge, after we apply the plan $\alpha$, the desired fluent g holds in the resulting state $res(\alpha, s)$.

Adding Sensing Actions. In real-life planning problems like the above-mentioned problems of robotic motion or system diagnostics, a reasonable plan involves using sensors to find the missing information. Even in simple real-life planning situations, it is often necessary to determine the missing information. For example, if we want the door closed, the required action depends on whether the door was initially open (then we close it), or it was already closed (then we do nothing). Therefore, if we do not know whether the door was initially closed or not, we had better somehow find it out, and then, depending on the result of this investigation, perform the corresponding action.

To describe such activities, we must include sensing actions in our list of actions, e.g., an action $check_i$ which checks whether the fluent $f_i$ holds in a given state, and allow conditional plans, i.e., plans in which the next action depends on the result of the previous sensing action.

To describe such actions, the language $\mathcal{A}$ was enriched by rules of the type "a determines f", meaning that after the action a is performed, we know whether f is true or not. At any given moment of time, we have the actual state s of the system (which may not be completely known to the agent), plus a set $\Sigma$ of all possible states which are consistent with the agent's knowledge; the pair $(s, \Sigma)$ is called a k-state. A sensing action does not change the actual state s, but it does decrease the set $\Sigma$.

Since we will now be dealing with incompleteness of information about the real world, we will need to reason with the agent's knowledge about the world. A k-state is defined as a pair $(s, \Sigma)$, where s is the actual state, and $\Sigma$ is the set of all possible states in which the agent thinks it may be. Initially, the set $\Sigma_0$ consists of all the states s for which:

— a fluent $f_i$ is true ($f_i \in s$) if the domain description D contains the proposition "initially $f_i$";

— a fluent $f_i$ is false ($f_i \notin s$) if the domain description D contains the proposition "initially $\neg f_i$".

If neither the proposition "initially $f_i$" nor the proposition "initially $\neg f_i$" is in the domain description, then $\Sigma_0$ contains some states with $f_i$ true and others with $f_i$ false. The actual initial state $s_0$ can be any state from the set $\Sigma_0$. The transition function due to action execution is defined as follows:
transition function due to action execution is defined as follows: 

— for proper (non-sensing) actions, $(s, \Sigma)$ is mapped into $(res(a, s), res(a, \Sigma))$, where:

• $res(a, s)$ is defined as in the case of complete information, and

• $res(a, \Sigma) = \{res(a, s') \mid s' \in \Sigma\}$.

— for a sensing action a which senses fluents $f_1, \ldots, f_k$, i.e., for which the sensing propositions "a determines $f_i$" belong to the domain D, the actual state s remains unchanged while $\Sigma$ is narrowed down to only those states which have the same values of $f_i$ as s: $(s, \Sigma) \mapsto (s, \Sigma')$, where

$\Sigma' = \{s' \in \Sigma \mid \forall i\,(1 \le i \le k \rightarrow (f_i \in s' \leftrightarrow f_i \in s))\}$.

In the presence of sensing, an action plan may no longer be a pre-determined sequence of actions: if one of these actions is sensing, then the next action may depend on the result of that sensing. In general, the choice of the next action may depend on the results of all previous sensing actions. Such an action plan is called a conditional plan.

Possibility of Knowledge about the Past. In situations when we only have partial information about the current (present) state, additional information can be deduced from knowing the history of the system's behavior. This additional information about the past is extremely important in diagnostic problems: if we know what types of faulty behavior the system exhibited in the past, it helps in diagnostics (sometimes this information about the past is even sufficient for a successful repair, and no additional sensing is necessary). Similarly, when a medical doctor plans a cure, information about past diseases is as important as (and sometimes even more important than) the results of different tests ("sensing actions").

Since this additional information is very important in many practical planning problems, it is desirable to include this information in the corresponding AI formalisms.

To describe the use of knowledge about the past in planning problems, the language $\mathcal{A}$ was extended in to a new language $\mathcal{L}$. In this new language, to describe the history of the system, first of all, the current state $s_N$ is separated from the initial state $s_0$, so we may have statements about what is true at $s_0$ ("F at $s_0$") and statements about what is true at $s_N$ ("F at $s_N$"). In addition, we may have information about other states in the past; to describe this information, language $\mathcal{L}$ allows the use of several constants $s_i$ to describe past moments of time, and allows:

— statements of the type "$s_1$ precedes $s_2$" which order past moments of time;

— statements of the type "F at $s_i$" which describe the properties of the system at the past moments of time, and

— statements which describe past actions:

• "$\alpha$ between $s_1, s_2$" means that a sequence of actions $\alpha$ was performed at some point between the moments $s_1$ and $s_2$, and

• "$\alpha$ occurs_at s" means that the sequence of actions $\alpha$ was implemented at s.

The semantics of this history description is as follows:

— a history is defined as a triple consisting of an initial state $s_0$, a sequence of actions $\alpha = [a_1, \ldots, a_m]$, and a mapping t which maps each constant $s_i$ from the history description into an integer $t(s_i) \le m$ (meaning the moment of time when this constant actually happened, so $t(s_0) = 0$ and $t(s_N) = m$); for this history, we have, at moments of time $0, 1, \ldots, m$, the states $s(0) = s_0$, $s(1) = res(a_1, s(0))$, $s(2) = res(a_2, s(1))$, etc., and $s_i$ is identified with $s(t(s_i))$;

— we say that the history is consistent with the given knowledge if all the statements from this knowledge become true under this interpretation;

— we say that the history is possible if it is consistent and minimal in the sense that no history with a proper subsequence of $\alpha$ is consistent.
In this more realistic situation, we can also ask about the existence of a plan, i.e., a sequence (or tree) of actions with a feasible execution time which guarantees that for all possible current states, after this plan, the objective $g \in \mathcal{F}$ will be satisfied.

Let us give an example of such a situation. If a lamp is not broken, then, when we switch it on, the light bulb should go on. If in the past we applied the action switch_on but the lamp did not go on, this means that the lamp was broken at that time, and, if we know of no repair actions performed in the past, we can therefore conclude that the lamp is still broken. This narrative can be described by the following rules: "switch_on causes lamp_on if $\neg$broken", "switch_on occurs_at $s_1$", "$s_1$ precedes $s_2$", "$\neg$lamp_on at $s_2$". From these rules, we can conclude that the lamp is currently broken.
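The transition function $res(a, s)$, plan checking over all initial states consistent with incomplete knowledge, and the consistent/possible history semantics above, as an added Python example that is not code from the paper or from the authors of language $\mathcal{L}$; it is run on the lamp narrative. The tuple encoding of statements and the bound max_len on the number of past actions enumerated are assumptions of this example.

```python
from itertools import product

# Added example, not code from the paper: a small interpreter for the
# semantics of language A (res, plans, plan checking with an incompletely
# known initial state) and for the history statements of language L.
# A literal is (fluent, True) for f or (fluent, False) for "not f"; a state is
# a frozenset of the fluents that hold; "a causes F if F1..Fm" is (a, F, [F1..Fm]).

def holds(lit, s):
    f, positive = lit
    return (f in s) == positive

def res(a, s, effects):
    """res(a, s): activated rules give V+(a, s) and V-(a, s); the result is
    (s + V+) - V-, or None (undefined) when the sets overlap (inertia otherwise)."""
    v_plus, v_minus = set(), set()
    for act, (f, positive), conds in effects:
        if act == a and all(holds(c, s) for c in conds):
            (v_plus if positive else v_minus).add(f)
    if v_plus & v_minus:
        return None
    return frozenset((s | v_plus) - v_minus)

def run(plan, s, effects):
    """res(alpha, s) for a sequence alpha; None if any step is undefined."""
    for a in plan:
        if s is None:
            break
        s = res(a, s, effects)
    return s

def initial_states(fluents, init):
    """All initial states consistent with the "initially F" literals in init;
    a fluent that no such proposition mentions may be either true or false."""
    free = [f for f in fluents if f not in {g for g, _ in init}]
    base = {f for f, positive in init if positive}
    for bits in product((False, True), repeat=len(free)):
        yield frozenset(base | {f for f, b in zip(free, bits) if b})

def check_plan(plan, goal, fluents, init, effects):
    """Plan checking: the goal must hold after plan in every consistent s0."""
    for s0 in initial_states(fluents, init):
        s = run(plan, s0, effects)
        if s is None or goal not in s:
            return False
    return True

def consistent(history, knowledge, effects):
    """History (s0, alpha, t) is consistent if every statement holds in it.
    Forms: ('at', lit, c), ('precedes', c1, c2), ('occurs_at', seq, c);
    t maps each constant c to a moment 0..len(alpha), with t(s0)=0, t(sN)=m."""
    s0, alpha, t = history
    states = [s0]
    for a in alpha:
        nxt = res(a, states[-1], effects)
        if nxt is None:
            return False
        states.append(nxt)
    for stmt in knowledge:
        if stmt[0] == 'at' and not holds(stmt[1], states[t[stmt[2]]]):
            return False
        if stmt[0] == 'precedes' and not t[stmt[1]] < t[stmt[2]]:
            return False
        if stmt[0] == 'occurs_at':
            seq, i = list(stmt[1]), t[stmt[2]]
            if alpha[i:i + len(seq)] != seq:
                return False
    return True

def is_subsequence(sub, seq):
    it = iter(seq)
    return all(any(x == y for y in it) for x in sub)

def possible_histories(fluents, actions, init, effects, knowledge, consts, max_len):
    """Consistent histories with at most max_len actions, keeping only the
    minimal ones (no consistent history uses a proper subsequence of alpha)."""
    found = []
    for m in range(max_len + 1):
        for alpha in product(actions, repeat=m):
            for s0 in initial_states(fluents, init):
                for times in product(range(m + 1), repeat=len(consts)):
                    t = dict(zip(consts, times), s0=0, sN=m)
                    if consistent((s0, list(alpha), t), knowledge, effects):
                        found.append((s0, list(alpha), t))
    seqs = {tuple(h[1]) for h in found}
    return [h for h in found
            if not any(len(q) < len(h[1]) and is_subsequence(q, h[1]) for q in seqs)]

def holds_now(lit, **domain):
    """Does lit hold in the current state s(m) of every possible history?"""
    hs = possible_histories(**domain)
    return bool(hs) and all(holds(lit, run(a, s0, domain['effects'])) for s0, a, _ in hs)

# The lamp narrative from the text: "switch_on causes lamp_on if not broken",
# "switch_on occurs_at s1", "s1 precedes s2", "not lamp_on at s2".
LAMP = dict(
    fluents=['lamp_on', 'broken'], actions=['switch_on'], init=[],
    effects=[('switch_on', ('lamp_on', True), [('broken', False)])],
    knowledge=[('occurs_at', ['switch_on'], 's1'), ('precedes', 's1', 's2'),
               ('at', ('lamp_on', False), 's2')],
    consts=['s1', 's2'], max_len=2)
```

`holds_now(('broken', True), **LAMP)` returns True: the only possible history is a single switch_on from the initial state {broken}, so the lamp is still broken now.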



1.2 Computational Complexity of the Planning Problem: Why It Is Important, What Is Known, and What We Are Planning to Do

It Is Important to Analyze Computational Complexity of Planning 
Problems. Planning is one of the most important AI problems, but it is also 
known to be one of the most difficult ones. While often in practical applications, 
we need the planning problems to be solved within a reasonable time, the actual 
application of planning algorithms may take an extremely long time. It is there- 
fore desirable to estimate the potential computation time which is necessary 
to solve different planning problems, i.e., to estimate the computational com- 
plexity of different classes of planning problems. Even “negative” results, which 
show that the problem belongs to one of the high-level complexity classes (e.g., 
that it is PSPACE-hard) are potentially useful: first, they prevent researchers 
from wasting their time on trying to design a general efficient algorithm; second, 
they enable the researchers to concentrate on either finding a feasible sub-class 
of the original class of planning problems, or on finding (and/or justifying) an 
approximate planning algorithm. 

Known Computational Complexity Results: In Brief. There have been several results on the computational complexity of planning problems. These results mainly cover the situations in which we have (complete or partial) information about the current state of the system, and we must find an appropriate plan (sequence of actions) which would enable us to achieve a certain goal. As we have mentioned earlier, such situations are described, e.g., by the language $\mathcal{A}$ which was proposed in . The complexity of planning in $\mathcal{A}$ was analyzed in our earlier paper .

Ideally, we want to find cases in which the planning problem can be solved by a feasible algorithm, i.e., by an algorithm $\mathcal{U}$ whose computational time $t_{\mathcal{U}}(w)$ on each input w is bounded by a polynomial $p(|w|)$ of the length $|w|$ of the input w: $t_{\mathcal{U}}(w) \le p(|w|)$ (this length can be measured bit-wise or symbol-wise). Since, in practice, we are operating in a time-bounded environment, we should worry not only about the time for computing the plan, but also about the time that it takes to actually implement the plan. If an action plan consists of a
sequence of $2^n$ actions, then this plan is not feasible. It is therefore reasonable to restrict ourselves to feasible plans, i.e., to plans $\alpha$ whose length m (= number of actions in it) is bounded by a given polynomial $p(|w|)$ of the length $|w|$ of the input w. For each such polynomial p, we can formulate the following planning problem: given a domain description D (i.e., the description of the initial state and of possible consequences of different actions) and a goal g (i.e., a fluent which we want to be true), determine whether it is possible to feasibly achieve this goal, i.e., whether there exists a feasible plan $\alpha$ (with $m \le p(|D|)$) which achieves this goal.

By solving this problem, we do not yet get the desired plan; we only check whether a plan exists. However, intuitively, the complexity of this problem also represents the complexity of actually finding a plan, in the following sense: if we have an algorithm which solves the above planning problem in reasonable time, then we can also find this plan. Indeed, suppose that we are looking for a plan of length $m \le P_0$, and an algorithm has told us that such a plan exists. Then, to find the first action of the desired plan, we check (by applying the same algorithm), for each action $a \in A$, whether from the corresponding state $res(a, s)$ the desired goal g can be achieved in $\le P_0 - 1$ steps. Since a plan of length $\le P_0$ does exist, there is such an action, and we can take this action as $a_1$. After this, we repeat the same procedure to find $a_2$, etc. As a result, we will be able to find a plan of length $\le P_0$ by applying the algorithm which checks the existence of the plan $\le P_0 = p(|D|)$ times; so, if the existence-checking algorithm is feasible, the resulting plan-construction algorithm is feasible as well.

General results on the computational complexity of planning are given, e.g., in . For the language $\mathcal{A}$, the computational complexity of planning was first studied in ; the results about the computational complexity of different planning problems in $\mathcal{A}$ are overviewed in .

When sensing is allowed, a plan is not a sequence, but rather a tree: every sensing action means that we branch into two possible branches (depending on whether the sensed fluent is true or false), and we execute different actions on different branches. Similarly to the case of the linear plan, we are only interested in plans whose execution time is (guaranteed to be) bounded by a given polynomial $p(|D|)$ of the length of the input. (In other words, we require that for every possible branch, the total number of actions on this branch is bounded by $p(|D|)$.)

For such planning situations, the computational complexity was also surveyed in .



What We Are Planning to Do. We have mentioned that a more realistic description of a planning problem involves the use of history (information about the past) in planning. In this paper, we answer the following natural question: How does the addition of history change the computational complexity of different planning problems?

Comment. In addition to the possibility of describing history, the language $\mathcal{A}$ can also be extended by adding static causal laws, which can make the results of an action non-deterministic. This non-determinism may further increase the complexity of the corresponding planning problem; we are planning to analyze this increase in our future work.

Useful Complexity Notions. Most papers on the computational complexity of planning problems classify these problems into different levels of the polynomial hierarchy. For precise definitions of the polynomial hierarchy, see, e.g., . Crudely speaking, a decision problem is a problem of deciding whether a given input w satisfies a certain property P (i.e., in set-theoretic terms, whether it belongs to the corresponding set $S = \{w \mid P(w)\}$).

A decision problem belongs to the class P if there is a feasible (polynomial- 
time) algorithm for solving this problem. 

A problem belongs to the class NP if the checked formula $w \in S$ (equivalently, $P(w)$) can be represented as $\exists u\, P(u, w)$, where $P(u, w)$ is a feasible property, and the quantifier runs over words of feasible length (i.e., of length limited by some given polynomial of the length of the input). The class NP is also denoted by $\Sigma_1 P$ to indicate that formulas from this class can be defined by adding 1 existential quantifier (hence $\Sigma$ and 1) to a polynomial predicate (hence P).

A problem belongs to the class coNP if the checked formula $w \in S$ (equivalently, $P(w)$) can be represented as $\forall u\, P(u, w)$, where $P(u, w)$ is a feasible property, and the quantifier runs over words of feasible length (i.e., of length limited by some given polynomial of the length of the input). The class coNP is also denoted by $\Pi_1 P$ to indicate that formulas from this class can be defined by adding 1 universal quantifier (hence $\Pi$ and 1) to a polynomial predicate (hence P).

For every positive integer k, a problem belongs to the class $\Sigma_k P$ if the checked formula $w \in S$ (equivalently, $P(w)$) can be represented as $\exists u_1 \forall u_2 \ldots P(u_1, u_2, \ldots, u_k, w)$, where $P(u_1, \ldots, u_k, w)$ is a feasible property, and all k quantifiers run over words of feasible length (i.e., of length limited by some given polynomial of the length of the input).

Similarly, for every positive integer k, a problem belongs to the class $\Pi_k P$ if the checked formula $w \in S$ (equivalently, $P(w)$) can be represented as $\forall u_1 \exists u_2 \ldots P(u_1, u_2, \ldots, u_k, w)$, where $P(u_1, \ldots, u_k, w)$ is a feasible property, and all k quantifiers run over words of feasible length (i.e., of length limited by some given polynomial of the length of the input).

All these classes $\Sigma_k P$ and $\Pi_k P$ are subclasses of a larger class PSPACE formed by problems which can be solved by a polynomial-space algorithm. It is known (see, e.g., ) that this class can be equivalently reformulated as the class of problems for which the checked formula $w \in S$ (equivalently, $P(w)$) can be represented as $\forall u_1 \exists u_2 \ldots P(u_1, u_2, \ldots, u_k, w)$, where the number of quantifiers k is bounded by a polynomial of the length of the input, $P(u_1, \ldots, u_k, w)$ is a feasible property, and all k quantifiers run over words of feasible length (i.e., of length limited by some given polynomial of the length of the input).

A problem is called complete in a certain class if, crudely speaking, this is 
the toughest problem in this class (so that any other general problem from this 
class can be reduced to it by a feasible-time reduction). 

It is still not known (2000) whether we can solve any problem from the class NP in polynomial time (i.e., in precise terms, whether NP = P). However, it is widely believed that we cannot, i.e., that NP $\neq$ P. It is also believed that to solve an NP-complete or a coNP-complete problem, we need exponential time $\approx 2^n$, and that solving a complete problem from one of the second-level classes $\Sigma_2 P$ or $\Pi_2 P$ requires more computation time than solving NP-complete problems (and solving complete problems from the class PSPACE takes even longer).

2 Results 

In accordance with the above text and with , we will consider the following four main groups of planning situations:

— complete information about the initial state, no sensing actions allowed; 

— possibly incomplete information about the initial state, no sensing actions 
allowed; 

— possibly incomplete information about the initial state, sensing actions al- 
lowed; 

— possibly incomplete information about the initial state, full sensing (i.e., 
every fluent can be sensed). 

For comparison, we will also mention the results corresponding to the language 
A, when neither history nor static causal laws are allowed. 

2.1 Complexity of Plan Checking 

Before we describe the computational complexity of checking the existence of a 
plan, let us consider a simpler problem: if, through some heuristic method, we 
have a plan, how can we check that this plan works? 

This plan checking problem makes perfect sense only for the case of no sensing: indeed, if sensing actions are possible, then we can have a branching at every step; as a result, the size of the tree can grow exponentially with the plan's execution time, and even if we can check this tree plan in time polynomial in its size, it will still take unrealistically long.

For the language A, the complexity of this problem depends on whether we 
have complete information of the initial state or not: 

Theorem 1. (Language $\mathcal{A}$, No Sensing)

— For situations with complete information, the plan checking problem is feasible.

— For situations with incomplete information, the plan checking problem is coNP-complete.

Comment. For readers’ convenience, all the proofs are placed in the special (last) 
section. 
Theorem 2. (Language $\mathcal{L}$, No Sensing)

— For situations with complete information about the initial state, the plan checking problem is $\Pi_2 P$-complete.

— For situations with incomplete information about the initial state, the plan checking problem is $\Pi_2 P$-complete.

Comment. The problem remains $\Pi_2 P$-complete even if we only consider situations with two possible actions. If we only have one action, then for complete information, plan checking is feasible; for incomplete information, it is coNP-hard.

2.2 Complexity of Planning 

Now, we are ready to describe the complexity of planning. In the framework of the language $\mathcal{A}$ (i.e., without history), most planning problems turn out to be complete in one of the classes of the polynomial hierarchy; see, e.g., . However, it turns out that when we allow history, i.e., when we move from language $\mathcal{A}$ to the language $\mathcal{L}$, we get a planning problem that does not seem to be complete within any of the classes from the polynomial hierarchy. To describe the complexity of this problem, we therefore had to search for appropriate intermediate classes.

In this search, we were guided by the example of intermediate classes which have already been analyzed in complexity theory: namely, the classes belonging to the so-called Boolean hierarchy (see, e.g., ). This hierarchy started with the discovery of the first such class, the class DP . The original description of these classes uses a language which is slightly different from the language that we used to describe the polynomial hierarchy: namely, we described these classes in terms of the corresponding logical formulas, while the standard description of the Boolean hierarchy uses oracles or sets. Therefore, before we explain the new intermediate complexity class which turned out to be just right for planning, let us first reformulate the notion of the Boolean hierarchy in terms of the corresponding logical formulas.

After NP = $\Sigma_1 P$ and coNP = $\Pi_1 P$, the next classes in the polynomial hierarchy are $\Sigma_2 P$ and $\Pi_2 P$. In particular, $\Sigma_2 P$ is the class of problems for which the checked formula $P(w)$ can be represented as $\exists u_1 \forall u_2\, P(u_1, u_2, w)$ for some feasible property $P(u_1, u_2, w)$. For each given w, to check whether w satisfies the desired property, we must therefore check whether the following formula holds: $\exists u_1 \forall u_2\, Q(u_1, u_2)$, where by $Q(u_1, u_2)$ we denote $P(u_1, u_2, w)$. In the general definition of this class, for each w, $Q(u_1, u_2)$ can be an arbitrary (feasible) binary predicate. Therefore, in order to find a subclass of this general class $\Sigma_2 P$ for which the decision problem is easier than in the general case, we must look for predicates which are simpler than general binary predicates.

Which predicates are simpler than binary? A natural answer is: unary predicates. It is therefore natural to consider the formulas in which $Q(u_1, u_2)$ is actually a unary predicate, i.e., formulas in which $Q(u_1, u_2)$ depends only on one of its variables. In other words, we have either $Q(u_1, u_2) = Q_2(u_1)$ (here, the subscript 2 in $Q_2$ means that the predicate does not depend on $u_2$), or $Q(u_1, u_2) = Q_1(u_2)$. Both these classes of "simpler" binary predicates do lead to simpler complexity classes, but these classes are still within the polynomial hierarchy. Indeed:

— the formula $\exists u_1 \forall u_2\, Q_2(u_1)$ is equivalent to $\exists u_1\, Q_2(u_1)$ and therefore, the corresponding complexity class is exactly $\Sigma_1 P$ (= NP);

— the formula $\exists u_1 \forall u_2\, Q_1(u_2)$ is equivalent to $\forall u_2\, Q_1(u_2)$ and therefore, the corresponding complexity class is exactly $\Pi_1 P$ (= coNP).

We get non-trivial intermediate classes if we slightly modify the above idea: 
namely, if instead of restricting ourselves to binary predicates Q(ui, U2) which are 
actually unary, we consider binary predicates which are Boolean combinations 
of unary predicates. 

For example, we can consider the case when $Q(u_1, u_2)$ is a conjunction of two unary predicates, i.e., when $Q(u_1, u_2)$ is equivalent to $Q_1(u_2) \,\&\, Q_2(u_1)$. In this case, the formula $\exists u_1 \forall u_2\, (Q_1(u_2) \,\&\, Q_2(u_1))$ is equivalent to $\exists u_1\, Q_2(u_1) \,\&\, \forall u_2\, Q_1(u_2)$. If we explicitly mention the variable w, we conclude that $w \in S$ is equivalent to $\exists u_1\, P_2(u_1, w) \,\&\, \forall u_2\, P_1(u_2, w)$, i.e., that the set S is equal to the intersection of a set $S_1 = \{w \mid \exists u_1\, P_2(u_1, w)\}$ from the class NP and a set $S_2 = \{w \mid \forall u_2\, P_1(u_2, w)\}$ from the class coNP, i.e., equivalently, to the difference $S_1 - (-S_2)$ between two sets $S_1$ and $-S_2$ (the complement of $S_2$) from the class NP. Such sets form the difference class DP, the first complexity class from the Boolean hierarchy. If we allow more complex Boolean combinations of unary predicates, we get other complexity classes from this hierarchy.

For planning, we need a simpler subclass within the class $\Sigma_3 P$ of all formulas $P(w)$ of the type $\exists u_1 \forall u_2 \exists u_3\, P(u_1, u_2, u_3, w)$. Similarly to the above description of the Boolean hierarchy, it is natural to consider the cases when, for every w, the corresponding ternary predicate $P(u_1, u_2, u_3, w)$ (for fixed w) can be represented as a Boolean combination of binary predicates $P_1(u_2, u_3, w)$, $P_2(u_1, u_3, w)$, and $P_3(u_1, u_2, w)$. Let us give a formal definition of such classes.

Definition. Let $k \ge 1$ be an integer. By a k-marked propositional variable, we mean an expression of the type $v^{(j)}$, where v is a variable and j is an integer from 1 to k. By a k-Boolean expression B, we mean a propositional formula $B(v_1^{(j_1)}, \ldots, v_m^{(j_m)})$ in which all variables are k-marked.

— For every k-Boolean expression B, by the class $\Sigma_k(B)P$ we mean the class of all problems for which the checked formula $P(w)$ can be represented as $\exists u_1 \forall u_2 \ldots P(u_1, u_2, \ldots, u_k, w)$, where $P(u_1, \ldots, u_k, w)$ is equal to the result $B(P_1, \ldots, P_m)$ of substituting, into the Boolean expression $B(v_1^{(j_1)}, \ldots, v_m^{(j_m)})$, instead of each variable $v_i^{(j_i)}$ a feasible predicate $P_i$ which does not depend on the variable $u_{j_i}$.

— For every k-Boolean expression B, by the class $\Pi_k(B)P$ we mean the class of all problems for which the checked formula $P(w)$ can be represented as $\forall u_1 \exists u_2 \ldots P(u_1, u_2, \ldots, u_k, w)$, where $P(u_1, \ldots, u_k, w) = B(P_1, \ldots, P_m)$ and for each i, the corresponding predicate $P_i$ is feasible and does not depend on the variable $u_{j_i}$.




Complexity of Planning: Partial Info about the Past 893 



For example, the above class DP can be represented as 

Theorem 3. (Language $\mathcal{L}$, No Sensing) For situations with complete information about the initial state and with no sensing, the computational complexity of planning is $\Sigma_3(v^{(1)} \vee v^{(3)})P$-complete.

Comments. 

— In other words, the corresponding planning problem is complete for the class of all problems in which $P(w)$ is equivalent to $\exists u_1 \forall u_2 \exists u_3\, (P_1(u_2, u_3) \vee P_3(u_1, u_2))$.

— The fact that the planning problem is complete for an intermediate complexity class is not surprising: e.g., in it is shown that several planning problems are indeed complete in some classes intermediate between the standard classes of the polynomial hierarchy.

— The problem remains V f^)P-complete even if we only consider situa- 

tions with two possible actions. If we only have one action, then for complete 
information, planning is feasible; for incomplete information, it is coNP- 
hard. 

— For A, the corresponding planning problem is NP-complete. 

Theorem 4. (Language C, No Sensing) For situations with incomplete information
about the initial state and with no sensing, the computational complexity of
planning is $\Sigma_3(v_1^{(1)} \vee v_3^{(3)})P$-complete.

For A, this problem is $\Sigma_2P$-complete.

Theorem 5. (Language C, With Sensing) For situations with incomplete information
about the initial state and with sensing, the computational complexity of
planning is PSPACE-complete.

For A, this problem is also PSPACE-complete.

Theorem 6. (Language C, Full Sensing) For situations with incomplete information
about the initial state and with full sensing, the computational complexity
of planning is $\Pi_2P$-complete.

For A, this problem is also $\Pi_2P$-complete.

What do these complexity results mean in practical terms? At first glance,
they may sound gloomy: even NP-complete problems are extremely difficult to
solve, and the most realistic formulations of the planning problem (with sensing)
lead to PSPACE-complete problems, i.e., problems at least as hard as any problem
of the polynomial hierarchy. However, they do not sound so gloomy if we take into
consideration that these results are about the worst-case complexity, and a
high worst-case complexity of a problem does not mean that we cannot have
good algorithms for many (or even for most) practical instances of this problem.

In plain words, no matter how good a feasible planning algorithm may be,
there will always be cases when this algorithm fails. Our goal is therefore
to design feasible algorithms which succeed on as many practical planning
problems as possible.

Even the traditional planning problem, with no sensing and complete information
about the initial state, is known to be NP-hard; this complexity result
does not prevent us from having successful planners which help in solving many
practical planning problems. For situations with incomplete information about
the initial state, several ideas of approximate planning were proposed in [?];
the corresponding simplified algorithms are much faster than the algorithms for
solving the original planning problem (and the complexity of the corresponding
approximate planning problem is indeed smaller; see, e.g., [?]), the downside
being, of course, that sometimes these approximate algorithms fail to find a
plan.

It is desirable to extend these (and other) heuristic planning algorithms to
situations when some information about the current state comes in the form of
knowledge about the system's past behavior.

3 Proofs

Proof of Theorem 1. Theorem 1 is, in effect, proven in [?].

Proof of Theorem 2: Main Idea. Let us first show that the plan checking
problem belongs to the class $\Pi_2P$. Indeed, a given plan $w$ is successful if
it succeeds for every possible history $u_1$. For every given history $u_1$, checking
whether a given plan $w$ succeeds is feasible; we will denote the corresponding
predicate by $S(u_1,w)$. The condition that the history $u_1$ is possible means that
it is consistent and that none of its sub-histories $u_2$ is consistent. Checking
consistency is feasible (we will denote the corresponding predicate by $C(u)$), and
checking whether $u_2$ is a consistent sub-history of the history $u_1$ is also feasible;
we will denote this other predicate by $H(u_1,u_2)$. So, the possibility of a
history $u_1$ can be expressed as $C(u_1)\,\&\,\neg\exists u_2\,H(u_1,u_2)$, which is equivalent to
$\forall u_2\,(C(u_1)\,\&\,\neg H(u_1,u_2))$. Hence, the success of the plan $w$ can be expressed as
$\forall u_1\,(\forall u_2\,(C(u_1)\,\&\,\neg H(u_1,u_2)) \rightarrow S(u_1,w))$, i.e., as a formula
$\forall u_1\,\exists u_2\,(\neg C(u_1) \vee H(u_1,u_2) \vee S(u_1,w))$ from the class $\Pi_2P$. So, the plan checking
problem indeed belongs to the class $\Pi_2P$.

To complete the proof, we must prove that the plan checking problem is
$\Pi_2P$-complete. To show it, we prove that the known $\Pi_2P$-complete problem,
namely, the problem of checking, for a given propositional formula $F$, whether
the formula $\forall x_1 \ldots \forall x_m\,\exists x_{m+1} \ldots \exists x_n\,F(x_1,\ldots,x_n)$ is true, can be reduced to
plan checking. It is sufficient to do this reduction for the case when we have
complete information about the initial state; then it will automatically follow
that the more general problem (corresponding to the case when we may only
have partial information about the initial state) is also $\Pi_2P$-complete. This
reduction is done similarly to the proofs from [?] (a detailed proof is posted at
: / /www. cs .urep . eau/ viaaiij/.<iuuu/pruu-ip .ps . g: I.

Proof of Theorems 3 and 4. Let us first show that the corresponding planning
problem indeed belongs to the desired class. The existence of a plan means that
there exists a plan $u_1$ such that for every possible history $u_2$, either the history
$u_2$ is consistent with our knowledge and the plan $u_1$ succeeds on the current
state corresponding to $u_2$ (we will denote this by $S(u_1,u_2)$), or the history $u_2$
is not minimal, i.e., there exists a different history $u_3$ for which the sequence of
actions is a subsequence of the sequence of actions corresponding to $u_2$, and $u_3$ is
also consistent with our knowledge (we will denote this property by $M(u_2,u_3)$).

Both binary predicates $S(u_1,u_2)$ and $M(u_2,u_3)$ are feasible to check. Therefore,
the existence of a plan is equivalent to the formula $\exists u_1\,\forall u_2\,(S(u_1,u_2) \vee \exists u_3\,M(u_2,u_3))$
with feasible predicates $S$ and $M$, i.e., to the formula
$\exists u_1\,\forall u_2\,\exists u_3\,(S(u_1,u_2) \vee M(u_2,u_3))$ of the desired type.

The fact that the planning problem is complete in this class can be shown
by a reduction from the quantified propositional formula problem, similar to the
one from the proofs in [?] and the proof of Theorem 2; the only difference
is that, in addition to the above reduction (which, crudely speaking, simulates,
during the period between the initial and the current state, the computation of
the propositional expression corresponding to $M(u_2,u_3)$), we must also, after
the current state, simulate the computation of the expression corresponding to
the formula $S(u_1,u_2)$.

Proof of Theorem 5. Let us first show that the corresponding planning problem
belongs to the class PSPACE. Indeed, the existence of a plan means that
there exists an action $u_1$ such that for every possible sensing result (if any) $u_2$ of
this action, there exists a second action $u_3$, etc., such that for every history $h_1$
which is consistent with our initial knowledge and with the follow-up measurements,
either we get success, or there exists a “sub”-history $h_2$. Both success and
“sub-history”-ness are feasible to check; thus, the existence of a plan is equivalent
to a formula of the type $\exists u_1\,\forall u_2 \ldots$, i.e., to a formula from the class PSPACE.

As we have shown in [?], this problem is PSPACE-complete even for A,
i.e., when no history is allowed. Thus, the more general problem from this class
PSPACE should also be PSPACE-hard.

Proof of Theorem 6. Let us first show that the corresponding planning problem
belongs to the class $\Pi_2P$. Since we have unlimited sensing abilities, we do
not change our planning abilities if, before we start any planning actions, we
first sense the values of all the fluents. We may waste some time on unnecessary
sensing, but the total execution time of a plan remains feasible if it was originally
feasible; therefore, the existence of a feasible plan is equivalent to the existence of
a feasible plan which starts with full sensing. The existence of such a plan means
that for every consistent history $u_1$, either there is a plan $u_2$ which succeeds
for the current state corresponding to $u_1$, or there exists a sub-history $u_3$ which
is also consistent (which makes $u_1$ impossible). Checking whether a given plan
succeeds for a given history is feasible, and checking whether $u_3$ is a consistent
sub-history is also feasible, so the existence of a plan is equivalent to the formula
$\forall u_1\,(\exists u_2\,P_1(u_1,u_2) \vee \exists u_3\,P_2(u_1,u_3))$ for some feasible predicates $P_1$ and $P_2$.
This formula can be reformulated as $\forall u_1\,\exists u_2\,P(u_1,u_2)$ with $P(u_1,u_2)$ denoting
$P_1(u_1,u_2) \vee P_2(u_1,u_2)$. Therefore, the problem belongs to the class $\Pi_2P$.

As we have shown in [?], this problem is $\Pi_2P$-complete even for A, i.e., when
no history is allowed. Thus, the more general problem from this class $\Pi_2P$ should
also be $\Pi_2P$-hard.
Abstract. Circumscription uses classical logic in order to model rules with exceptions
and implicit knowledge. Formula circumscription is known to be easier
to use in order to model a situation. We describe when two sets of formulas
give the same result when circumscribed. Two kinds of such equivalence are interesting:
the ordinary one (two sets give the same circumscription) and the strong
one (when completed by any arbitrary set, the two sets give the same circumscription),
which corresponds to having the same closure for logical “and” and “or”. In
this paper, we consider only the finite case, focusing on looking for the smallest
possible sets equivalent to a given set, for the two kinds of equivalence. We need
to revisit a characterization result of formula circumscription. Then, we are able
to describe a way to get all the sets equivalent to a given set, and also a way to
get the smallest such sets. These results should help the automatic computation,
and also the translation in terms of circumscription of complex situations.



1 Introduction 

Circumscription uses classical logic for representing rules with exceptions. It is often
better to use the formula version. An important aspect of formula circumscription has
almost not been studied: what exactly are the sets of formulas which give rise to the
same circumscription. Answering this question should have important consequences
for the automatization of circumscription, and on the knowledge representation side. A
possible explanation for the lack of studies on the subject is the complexity of the
predicate versions of circumscription. We answer this problem in the finite propositional
case, providing a way to obtain all the sets which give the same circumscription as a
given set. We describe also a way to get the smallest sets, in terms of cardinality. The
method given is only semi-constructive but, to our knowledge, no previous study exists.

Section 2 introduces ordinary and formula propositional circumscriptions. Section 3
gives two kinds of equivalence between sets of formulas; the strongest of these equivalences
corresponds simply to having the same closure for logical “and” and “or”. Section 4
gives a few preliminary technical results, including a new study of a known characterization
of formula circumscription. Section 5 gives useful indications in order to find
the sets of formulas with as few elements as possible which are “strongly equivalent”,
as defined in Section 3, to a given set of formulas $\Phi$. Section 6 uses the results of
Sections 4 and 5 in order to get the sets of formulas with as few elements as possible which
are simply “equivalent” to a given set $\Phi$, meaning which give the same circumscription
as $\Phi$. Section 7 provides a few examples. In particular, the case where we start from an
ordinary circumscription $f$ and where we look for the smallest sets of formulas giving
a formula circumscription equal to $f$ is considered there.

2 Propositional Circumscription

$L$ being a propositional logic, $V(L)$ is the set of its propositional symbols. We suppose
$V(L)$ finite in this text. As usual, $L$ denotes also the set of all the formulas. We allow
empty sets in partitions of $V(L)$. $Th(T) = \{\varphi \,/\, T \models \varphi\}$; the set of theories is
$\mathcal{T} = \{Th(T) \,/\, T \subseteq L\}$. Letters $\varphi, \psi$ denote formulas in $L$. Letters $T$, and also $\Phi, \Psi$, or $X, Y$
denote subsets of $L$. $\neg Q = \{\neg q \,/\, q \in Q\}$. Letters $\mu$ and $\nu$ denote interpretations for
$L$. We denote the interpretations by the subset of $V(L)$ that they satisfy: if $V(L) =
\{P, Q, Z\}$ and $\mu = \{P, Z\}$, then $Th(\mu) = Th(P \wedge \neg Q \wedge Z)$. $\mathbf{M} = \mathcal{P}(V(L))$ denotes
the set of all the interpretations for $L$. For any subset $\mathbf{M}'$ of $\mathbf{M}$, we note $Th(\mathbf{M}')$ for the
set $\{\varphi \in L \,/\, \mu \models \varphi$ for any $\mu \in \mathbf{M}'\}$. This ambiguous meaning of $\models$ and $Th$ is usual
in logic. $\mathbf{M}(T)$ denotes the set of the models of $T$. The term formula will also be used
for the quotient of this notion by logical equivalence: $\varphi = \psi$ iff $\mathbf{M}(\varphi) = \mathbf{M}(\psi)$.

Definition 2.1. [?] A preference relation in $L$ is a binary relation $\prec$ over $\mathbf{M}$. $\mathbf{M}_\prec(T)$
is the set of the elements $\mu$ of $\mathbf{M}(T)$ minimal for $\prec$: $\mu \in \mathbf{M}(T)$ and no $\nu \in \mathbf{M}(T)$ is
such that $\nu \prec \mu$. The preferential entailment $f_\prec$ is defined by
$f_\prec(T) = Th(\mathbf{M}_\prec(T))$, i.e., as $V(L)$ is finite, $\mathbf{M}(f_\prec(T)) = \mathbf{M}_\prec(T)$. □

Lemma 2.1. [immediate] If $\prec$ is irreflexive, then $f_\prec = f_{\prec'}$ iff $\prec = \prec'$. □

Definition 2.2. $(P, Q, Z)$ is a partition of $V(L)$. $P$ is the set of the circumscribed
propositional symbols, $Z$ of the variable ones, $Q$ of the fixed ones.

A circumscription is a preferential entailment $CIRC(P, Q, Z) = f_{\prec_{(P,Q,Z)}}$ where
$\prec_{(P,Q,Z)}$ is defined by: $\mu \prec_{(P,Q,Z)} \nu$ if $P \cap \mu \subset P \cap \nu$ and $Q \cap \mu = Q \cap \nu$.

We define also $\mu \preceq_{(P,Q,Z)} \nu$ by $P \cap \mu \subseteq P \cap \nu$ and $Q \cap \mu = Q \cap \nu$. □

Instead of using a propositional circumscription, it is often more natural and easier to
use formula circumscription [?]. Here is the propositional version.

Definition 2.3. $\Phi, T$ are subsets of $L$, and $(Q, Z)$ is a partition of $V(L)$. The formula
circumscription $CIRCF(\Phi; Q, Z)$ of the formulas of $\Phi$, with $Q$ fixed, is as follows: we introduce
the set $P = \{P_\varphi\}_{\varphi \in \Phi}$ of new propositional symbols.

$CIRCF(\Phi; Q, Z)(T) = CIRC(P, Q, Z)(T \cup \{\varphi \Leftrightarrow P_\varphi\}_{\varphi \in \Phi}) \cap L.$

If $Q$ is empty, we write $CIRCF(\Phi)$ for $CIRCF(\Phi; \emptyset, V(L))$. □

Remark 2.1. Any ordinary circumscription is a formula circumscription:
$CIRC(P, Q, Z) = CIRCF(P; Q, Z \cup P)$. □

We may generally consider only the case where $Q = \emptyset$:

Proposition 2.1. [?] $CIRCF(\Phi; Q, Z) = CIRCF(\Phi \cup Q \cup \neg Q)$.

Thus, $CIRC(P, Q, Z) = CIRCF(P \cup Q \cup \neg Q)$. □
Definition 2.4. Let $\mu$ be in $\mathbf{M}$ and $\Phi$ be a subset of $L$.

(a) We define the set of formulas $\Phi_\mu = \{\varphi \in \Phi \,/\, \mu \models \varphi\} = Th(\mu) \cap \Phi$.

(b) We define two relations in $\mathbf{M}$: $\mu \preceq_\Phi \nu$ if $\Phi_\mu \subseteq \Phi_\nu$ and $\mu \prec_\Phi \nu$ if $\Phi_\mu \subset \Phi_\nu$.

(b') If $(Q, Z)$ is a partition of $V(L)$, we define two relations in $\mathbf{M}$: $\mu \preceq_{(\Phi;Q,Z)} \nu$ if
$\Phi_\mu \subseteq \Phi_\nu$ and $Q_\mu = Q_\nu$, and $\mu \prec_{(\Phi;Q,Z)} \nu$ if $\Phi_\mu \subset \Phi_\nu$ and $Q_\mu = Q_\nu$. □

Lemma 2.2. [immediate] 0. $\prec_{(\Phi;Q,Z)} = \prec_{\Phi \cup Q \cup \neg Q}$ and $\preceq_{(\Phi;Q,Z)} = \preceq_{\Phi \cup Q \cup \neg Q}$.

1a. $\mu \prec_\Phi \nu$ iff $\mu \preceq_\Phi \nu$ and $\nu \not\preceq_\Phi \mu$.

1b. $\mu \preceq_\Phi \nu$ iff for any $\varphi \in \Phi$, if $\mu \models \varphi$ then $\nu \models \varphi$.

2. For a single formula $\varphi$: ($\mu \preceq_{\{\varphi\}} \nu$ or $\nu \preceq_{\{\varphi\}} \mu$) and not ($\mu_1 \prec_{\{\varphi\}} \mu_2$ and $\mu_2 \prec_{\{\varphi\}} \mu_3$).

3a. $\mu \preceq_\Phi \nu$ iff for any $\varphi \in \Phi$, $\mu \preceq_{\{\varphi\}} \nu$.

3b. $\mu \prec_\Phi \nu$ iff for any $\varphi \in \Phi$, $\mu \preceq_{\{\varphi\}} \nu$, and there exists $\varphi \in \Phi$ such that $\mu \prec_{\{\varphi\}} \nu$.

4. $\prec_\Phi$ and $\preceq_\Phi$ are transitive; $\prec_\Phi$ is irreflexive while $\preceq_\Phi$ is reflexive. □

Thus, to know the “useful relation” $\prec_\Phi$ (see Proposition 2.2) we need more than each
$\prec_{\{\varphi\}}$: we must know all the $\preceq_{\{\varphi\}}$'s, a more precise information.

Proposition 2.2. [folklore] $CIRCF(\Phi) = f_{\prec_\Phi}$, $CIRCF(\Phi; Q, Z) = f_{\prec_{(\Phi;Q,Z)}}$. □

3 Equivalences between Sets of Circumscribed Formulas

We examine when two sets $\Phi$ and $\Psi$ give the same formula circumscription.

Definition 3.1. $\Phi$ and $\Psi$ are c-equivalent, written $\Phi \equiv_c \Psi$, if $CIRCF(\Phi) =
CIRCF(\Psi)$. $\Phi$ and $\Psi$ are strongly equivalent, written $\Phi \equiv_{sc} \Psi$, if, for any set
$\Phi'$ of formulas, $CIRCF(\Phi \cup \Phi') = CIRCF(\Psi \cup \Phi')$. □

If $\Phi \equiv_{sc} \Psi$ then $\Phi \equiv_c \Psi$. The strong version is useful because, when another rule,
or even, as we are in the propositional case, another “individual”, is added, this corresponds
to an addition of formula(s): e.g. a new bird $B_k$, when we know that birds $B_i$
generally fly $F_i$, provokes the addition of a new formula $B_k \wedge \neg F_k$ to be circumscribed.
If we have only the standard equivalence, we may then lose this equivalence.

Definition 3.2. The $\wedge$-closure of $\Phi$ is the set $\Phi^\wedge = \{\bigwedge_{\varphi \in \Psi} \varphi \,/\, \Psi$ finite, $\Psi \subseteq \Phi\}$.
The $\vee$-closure $\Phi^\vee$ is defined similarly. The $\wedge\vee$-closure of $\Phi$ is the set $\Phi^{\wedge\vee} = (\Phi^\wedge)^\vee$.
$\Phi^\wedge$ (resp. $\Phi^\vee$, or $\Phi^{\wedge\vee}$) is called a set closed for $\wedge$ (resp. for $\vee$, for $\wedge$ and $\vee$). □

We get always $\top \in \Phi^\wedge$, $\bot \in \Phi^\vee$ ($\Psi = \emptyset$) and $\Phi^{\wedge\vee} = \Phi^{\vee\wedge}$ from distribution.

Definition 3.3. 1. $\varphi$ is accessible for $f = f_\prec$ if $\varphi \in f(T) - T$ for some theory $T$.
The set of the formulas inaccessible for $f_\prec$ is $I_\prec = L - \bigcup_{T \in \mathcal{T}} (f(T) - T)$.

2. The set of the formulas positive for $\prec$ is the set $Pos(\prec)$ of the formulas $\varphi$ such
that, if $\mu \models \varphi$ and $\mu \prec \nu$, then $\nu \models \varphi$.

If $\prec = \prec_\Phi$ of Definition 2.4, we write $Pos_e(\Phi)$ for the set $Pos(\prec_\Phi)$, called the set
of the formulas positive in $\Phi$, in the extended acception.

If $\preceq = \preceq_\Phi$, we write $Pos_m(\Phi)$ for the set $Pos(\preceq_\Phi)$ of the formulas positive in $\Phi$,
in the minimal acception. □

One technical role of the inaccessible formulas for circumscriptions is developed in
[?]. Also, $I_{\prec_\Phi}$ is the greatest set $\Psi$ such that $f = CIRCF(\Phi) = CIRCF(\Psi)$ (Theorem
3.3 below). $Pos(\prec)$ is closed for $\wedge$ and $\vee$ (next proposition; this gives a justification
for the name of this set). We need now to remember a few results which are proved
elsewhere (see also [?] for details and examples; these results are restricted here to the
finite case).

Proposition 3.1. [?, Proposition 3.1]

1. If $\Phi \subseteq L$, then $\Phi \subseteq Pos_m(\Phi) \subseteq Pos_e(\Phi)$, $\Phi^{\wedge\vee} = Pos_m(\Phi)$ and $Pos_e(\Phi) = I_{\prec_\Phi}$.
2. If $\prec$ is a binary relation in $\mathbf{M}$, then $Pos(\prec)$ is closed for $\wedge$ and $\vee$. □

It is natural to call the formulas in $\Phi^{\wedge\vee}$ “positive in $\Phi$”, thus our notation $Pos_m(\Phi)$.
There are also good reasons to call the formulas in the generally greater set $Pos_e(\Phi)$
“positive in $\Phi$”, in an extended acception.

Lemma 3.1. [?, Lemma 3.6] If $\Phi \subseteq \Psi \subseteq \Phi^{\wedge\vee}$, we have $\preceq_\Phi = \preceq_\Psi$, thus a fortiori
$\prec_\Phi = \prec_\Psi$, i.e. $CIRCF(\Phi) = CIRCF(\Psi)$. □

Lemma 3.2. [?, Lemma 3.7] $CIRCF(\Phi) = CIRCF(I_{\prec_\Phi}) = CIRCF(Pos_e(\Phi))$. □

Theorem 3.3. [?, Theorem 3.8] 1. $\Phi \equiv_c \Psi$ iff $\prec_\Phi = \prec_\Psi$ iff $Pos_e(\Phi) = Pos_e(\Psi)$.
$\prec_\Phi = \prec_{Pos_e(\Phi)} = \prec_{Pos_m(\Phi)}$ and $Pos_e(\Phi)$ is the greatest (for $\subseteq$) set $\Psi$ satisfying $\Psi \equiv_c \Phi$.

2a. $\Phi \equiv_{sc} \Psi$ iff $\preceq_\Phi = \preceq_\Psi$ iff $\Phi^{\wedge\vee} = \Psi^{\wedge\vee}$. Also, thus, $\prec_\Phi = \prec_{\Phi^{\wedge\vee}}$.

2b. $Pos_m(\Phi) = \Phi^{\wedge\vee}$ is the greatest set $\Psi$ satisfying $\Psi \equiv_{sc} \Phi$ (cf. Lemma 3.1).

3. $\Phi \cup \{\varphi\} \equiv_c \Phi$ iff $\Phi \cup \{\varphi\} \equiv_{sc} \Phi$. □

Point 1 provides necessary and sufficient conditions for two sets of formulas to give
the same circumscription. Point 2 provides necessary and sufficient conditions for two
sets of formulas to give the same circumscription even when they are augmented in
the same way. One of these conditions is simply having the same $\wedge\vee$-closure. Point
3 provides a case where c-equivalence is identical to strong equivalence: informally,
from point 2 and Lemma 3.1, when there is c-equivalence and not strong equivalence
between a set and one of its subsets, the added formulas oppose each other. This mutual
cancellation is impossible when the two sets differ by one formula only.
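As an added illustration of Definitions 2.1 to 2.4, Proposition 2.2, Definition 3.1 and Theorem 3.3 (this is example code written for this page, not the authors' own): interpretations are the subsets of $V(L)$ they satisfy, a formula is identified with its model set, and $CIRCF(\Phi)(T)$ is computed as the set of models of $T$ minimal for $\prec_\Phi$. The bird example of this section and a second pair of sets, c-equivalent but not strongly equivalent, are constructed for the demo; every symbol name and sample theory is an assumption of the example.

```python
from itertools import product

# Added example, not the paper's own code. Interpretations are the subsets of
# V(L) they satisfy (Section 2); a formula is identified with its model set, a
# frozenset of interpretations, i.e. with its class modulo logical equivalence.
# The symbol names and sample theories below are constructed for the demo.


def interpretations(symbols):
    """M = P(V(L)): every subset of the finite symbol set, as frozensets."""
    syms = sorted(symbols)
    return [frozenset(s for s, bit in zip(syms, bits) if bit)
            for bits in product((0, 1), repeat=len(syms))]


def formula(M, predicate):
    """The (class of the) formula whose models are the mu in M with predicate(mu)."""
    return frozenset(mu for mu in M if predicate(mu))


def phi_sub(Phi, mu):
    """Definition 2.4(a): Phi_mu, the formulas of Phi satisfied by mu."""
    return frozenset(phi for phi in Phi if mu in phi)


def preceq(Phi, mu, nu):
    """Definition 2.4(b): mu <=_Phi nu  iff  Phi_mu is a subset of Phi_nu."""
    return phi_sub(Phi, mu) <= phi_sub(Phi, nu)


def prec(Phi, mu, nu):
    """Definition 2.4(b): mu <_Phi nu  iff  Phi_mu is a strict subset of Phi_nu."""
    return phi_sub(Phi, mu) < phi_sub(Phi, nu)


def circf(Phi, MT):
    """Proposition 2.2: CIRCF(Phi)(T) = f_{<_Phi}(T).  MT is the model set of T;
    the result is M_{<_Phi}(T), the models of T with no <_Phi-smaller model of T
    (Definition 2.1)."""
    return frozenset(mu for mu in MT
                     if not any(prec(Phi, nu, mu) for nu in MT))


def same_relation(rel, Phi, Psi, M):
    return all(rel(Phi, mu, nu) == rel(Psi, mu, nu) for mu in M for nu in M)


def c_equivalent(Phi, Psi, M):
    """Theorem 3.3(1): Phi =_c Psi  iff  <_Phi = <_Psi."""
    return same_relation(prec, Phi, Psi, M)


def strongly_equivalent(Phi, Psi, M):
    """Theorem 3.3(2a): Phi =_sc Psi  iff  <=_Phi = <=_Psi."""
    return same_relation(preceq, Phi, Psi, M)


def c_equivalent_by_definition(Phi, Psi, M):
    """Definition 3.1 checked directly: same CIRCF on every theory T.  As V(L)
    is finite, a theory is any model set, so all 2^|M| subsets of M are tried."""
    theories = (frozenset(mu for mu, bit in zip(M, bits) if bit)
                for bits in product((0, 1), repeat=len(M)))
    return all(circf(Phi, MT) == circf(Psi, MT) for MT in theories)


# Constructed sample 1: the bird of Section 3 (B: is a bird, F: flies).
M_BIRD = interpretations({"B", "F"})
BIRD = formula(M_BIRD, lambda mu: "B" in mu)
ABNORMAL = formula(M_BIRD, lambda mu: "B" in mu and "F" not in mu)  # B and not F


def bird_flies():
    """Circumscribe {B and not F} under T = {B}: only the model with F survives."""
    return circf([ABNORMAL], BIRD)


# Constructed sample 2: c-equivalent sets that are not strongly equivalent.
M_AB = interpretations({"a", "b"})
A = formula(M_AB, lambda mu: "a" in mu)
NOT_A = formula(M_AB, lambda mu: "a" not in mu)
B_ = formula(M_AB, lambda mu: "b" in mu)
PHI_EMPTY, PSI = [], [A, NOT_A]   # <_Phi is empty for both: CIRCF is the identity


def equivalence_report():
    """(c-equivalent via Thm 3.3, c-equivalent via Def 3.1, strongly equivalent)."""
    return (c_equivalent(PHI_EMPTY, PSI, M_AB),
            c_equivalent_by_definition(PHI_EMPTY, PSI, M_AB),
            strongly_equivalent(PHI_EMPTY, PSI, M_AB))


def witness_after_adding_b():
    """Add Phi' = {b} to both sets and circumscribe the T whose models are {a}
    and {b}: the two circumscriptions differ, so =_c did not survive the addition."""
    MT = frozenset({frozenset({"a"}), frozenset({"b"})})
    return circf(PHI_EMPTY + [B_], MT), circf(PSI + [B_], MT)


if __name__ == "__main__":
    print(bird_flies())            # frozenset({frozenset({'B', 'F'})})
    print(equivalence_report())    # (True, True, False)
    print(witness_after_adding_b())
```

The second sample is the phenomenon behind point 3 of Theorem 3.3: $\{a, \neg a\}$ differs from the empty set by two formulas that “oppose each other”, so $\prec$ is the same (both empty) while $\preceq$ is not, and adding the single formula $b$ separates the two circumscriptions.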

4 About the Characterization of Formula Circumscription

From Theorem 3.3 (2a), we know that the smallest sets strongly equivalent to a set $\Psi$ are
the smallest sets $\Phi$ such that $\Phi^{\wedge\vee} = \Psi^{\wedge\vee}$. We also know that all the elements of the set
of all the sets of formulas strongly equivalent to a given set $\Psi$ correspond to the same
pre-order relation $\preceq_\Psi$. We will study this set, focusing on the smallest sets of formulas
belonging to this set. From Theorem 3.3 (1) (or directly from Lemmas 3.1 and 3.2 and
from the definitions of $CIRCF$ and $\prec_\Phi$), we know that the set of all the sets of formulas
which are c-equivalent to $\Psi$ correspond to the same strict order relation $\prec_\Psi$. From the
definitions of $\preceq_\Phi$ and $\prec_\Phi$, we get that various large relations $\preceq$ can be associated to a
given strict relation $\prec_\Phi$, which is the relation defining a given formula circumscription
$CIRCF(\Phi)$. This leads us, firstly to make precise the connections between $\prec_\Phi$ and $\preceq_\Phi$,
then to revisit the characterization of finite formula circumscription.
Definition 4.1. Let $\prec$ be some binary relation on a set $E$. We denote by $s_\prec(e)$ and
$p_\prec(e)$ respectively the sets $s_\prec(e) = \{e' \in E \,/\, e \prec e'\}$ and $p_\prec(e) = \{e' \in E \,/\, e' \prec e\}$.

We suppose now that $\prec$ is a strict order (irreflexive and transitive relation). We call
associated with $\prec$ any pre-order (reflexive and transitive) relation $\preceq$ on $E$ such that
we have, for any $e_1, e_2$ in $E$: $e_1 \prec e_2$ iff $e_1 \preceq e_2$ and $e_2 \not\preceq e_1$. (Assoc)

We define the following two relations $\preceq_0$ and $\preceq_1$ on $E$: $e_1 \preceq_0 e_2$ if $e_1 \prec e_2$ or
$e_1 = e_2$, and $e_1 \preceq_1 e_2$ if $e_1 \prec e_2$ or ($s_\prec(e_1) = s_\prec(e_2)$ and $p_\prec(e_1) = p_\prec(e_2)$). □

Lemma 4.1. 1. $\preceq_0$ and $\preceq_1$ are associated with $\prec$ and, if $\preceq$ is associated with $\prec$, we
have, for any $e_1, e_2$ in $E$: (1) if $e_1 \preceq_0 e_2$ then $e_1 \preceq e_2$, (2) if $e_1 \preceq e_2$ then $e_1 \preceq_1 e_2$.

2. $\preceq_0$ is the only order relation $\preceq$ satisfying (Assoc).

3. A pre-order $\preceq$ “between $\preceq_0$ and $\preceq_1$” is not necessarily associated with $\prec$. $\preceq$ is
associated with $\prec$ iff its graph is the union of the graph of $\preceq_0$ and of some
universal relations restricted to pairwise disjoint subsets of $E$ over which $\preceq_1$ is the
universal relation.

Proof: Point 1. It is obvious that $\preceq_0$ is associated with $\prec$, that each pre-order $\preceq$
associated with $\prec$ satisfies implication (1), and that $\preceq_1$ is reflexive and satisfies (Assoc).

$\preceq_1$ is transitive: we suppose $e_1 \preceq_1 e_2$ and $e_2 \preceq_1 e_3$. If ($e_1 \prec e_2$ and $e_2 \prec e_3$), or
($e_1 \prec e_2$ and $p_\prec(e_2) = p_\prec(e_3)$), or ($s_\prec(e_1) = s_\prec(e_2)$ and $e_2 \prec e_3$), then $e_1 \prec e_3$.
If $s_\prec(e_1) = s_\prec(e_2)$, $p_\prec(e_1) = p_\prec(e_2)$, $s_\prec(e_2) = s_\prec(e_3)$ and $p_\prec(e_2) = p_\prec(e_3)$, then
$s_\prec(e_1) = s_\prec(e_3)$ and $p_\prec(e_1) = p_\prec(e_3)$. In any case $e_1 \preceq_1 e_3$.

Implication (2). We suppose $e_1 \preceq e_2$. By (Assoc), $e_1 \prec e_2$ or $e_2 \preceq e_1$. If $e_1 \prec e_2$,
then $e_1 \preceq_1 e_2$, thus we suppose $e_2 \preceq e_1$. If $e \in p_\prec(e_1)$, then $e \preceq e_1$ by (Assoc) and
$e \preceq e_2$ by transitivity. Thus we get $e \prec e_2$ or $e_2 \preceq e$ by (Assoc). If $e_2 \preceq e$, we get
$e_1 \preceq e$ by transitivity, thus $e \not\prec e_1$ by (Assoc), a contradiction: we get $e \prec e_2$. Thus
$p_\prec(e_1) \subseteq p_\prec(e_2)$. By similar arguments, we get $s_\prec(e_2) \subseteq s_\prec(e_1)$. As our hypothesis
is symmetrical in $(e_1, e_2)$, we get $p_\prec(e_1) = p_\prec(e_2)$ and $s_\prec(e_1) = s_\prec(e_2)$: $e_1 \preceq_1 e_2$.

Point 2. Immediate.

Point 3, “only if”: $\preceq$ is associated with $\prec$. We suppose $e_1 \preceq e_2$, $e_2 \preceq e_3$, …,
$e_{n-1} \preceq e_n$, $e_1 \not\preceq_0 e_2$, $e_2 \not\preceq_0 e_3$, …, $e_{n-1} \not\preceq_0 e_n$. Then $e_i \not\prec e_{i+1}$ and, by (Assoc),
$e_{i+1} \preceq e_i$. $\preceq$ is universal on the set $\{e_1, e_2, \ldots, e_n\}$. By implication (2), $\preceq_1$ is also
universal on this set. The result is then immediate.

“if”: $\prec$ is a strict order and the graph of $\preceq$ is the union of the graph of $\preceq_0$ and of the
graphs of the universal relation on some pairwise disjoint subsets of $E$ over which the
restriction of $\preceq_1$ is universal. (1) $\preceq$ is reflexive (obvious) and transitive: let $e_1, e_2, e_3$ be
distinct in $E$ such that $e_1 \preceq e_2$ and $e_2 \preceq e_3$. If $e_1 \preceq_0 e_2$ and $e_2 \preceq_0 e_3$, then $e_1 \preceq_0 e_3$.
If $e_1 \preceq_0 e_2$ and $e_2 \not\preceq_0 e_3$, then $e_2 \preceq_1 e_3$ and $e_3 \preceq_1 e_2$, thus $p_\prec(e_2) = p_\prec(e_3)$ and
$e_1 \prec e_3$. Similarly, if $e_1 \not\preceq_0 e_2$ and $e_2 \preceq_0 e_3$, then $s_\prec(e_1) = s_\prec(e_2)$ and $e_1 \prec e_3$. If
$e_1 \not\preceq_0 e_2$ and $e_2 \not\preceq_0 e_3$, the three elements belong to the same of the disjoint subsets,
on which $\preceq$ is universal, and $e_1 \preceq e_3$. (2) $\preceq$ satisfies (Assoc): if $e \preceq e'$ and $e' \not\preceq e$,
$\preceq$ is not universal on $\{e, e'\}$, thus $e \preceq_0 e'$ and $e \ne e'$, thus $e \prec e'$. Conversely, we suppose
$e \prec e'$. Then $e \preceq e'$ and, if $e' \preceq e$, then $\preceq$, thus $\preceq_1$, is universal on $\{e, e'\}$. As $\prec$ is a
strict order, $e' \not\prec e$. Thus, from $e \prec e'$ we get $e' \in s_\prec(e) - s_\prec(e')$, i.e. $s_\prec(e) \ne s_\prec(e')$,
a contradiction. Thus, we get $e \preceq e'$ and $e' \not\preceq e$.

The number of all the pre-orders $\preceq$ associated with a given strict order $\prec$ is then
$\prod_{C \in \mathcal{C}} B_{card(C)}$, where $B_k$ is the Bell (or exponential) number of index $k$ and $\mathcal{C}$ is the
set of all the maximal subsets $C$ of $E$ (with $card(C) > 1$) on which $\preceq_1$ is universal. □

* The first author thanks Eric Badouel for this proof.
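To make Lemma 4.1 concrete, here is an added Python example (not code from the paper) that, for a strict order $\prec$ given as a set of pairs on a small set $E$, builds $s_\prec$, $p_\prec$, $\preceq_0$ and $\preceq_1$ of Definition 4.1, enumerates by brute force every relation between $\preceq_0$ and $\preceq_1$ that is a pre-order satisfying (Assoc), and compares the count with the Bell-number product of the lemma. The two sample orders on $E = \{1,2,3,4\}$ are constructed for the demo.

```python
from itertools import product
from math import comb

# Added example, not the paper's own code.  A strict order on a finite set E is
# given as a set of pairs (e1, e2) meaning e1 < e2.  The functions follow
# Definition 4.1 and Lemma 4.1; the two sample orders are constructed for the demo.


def succ(strict, E, e):
    """s_<(e) = {e' in E : e < e'}."""
    return frozenset(x for x in E if (e, x) in strict)


def pred(strict, E, e):
    """p_<(e) = {e' in E : e' < e}."""
    return frozenset(x for x in E if (x, e) in strict)


def preorder0(strict, E):
    """<=_0: e1 < e2 or e1 = e2 (the only order associated with <)."""
    return frozenset(strict) | frozenset((e, e) for e in E)


def preorder1(strict, E):
    """<=_1: e1 < e2 or (same successors and same predecessors)."""
    same = frozenset((e1, e2) for e1 in E for e2 in E
                     if succ(strict, E, e1) == succ(strict, E, e2)
                     and pred(strict, E, e1) == pred(strict, E, e2))
    return frozenset(strict) | same


def is_preorder(rel, E):
    reflexive = all((e, e) in rel for e in E)
    transitive = all((x, z) in rel
                     for (x, y) in rel for (y2, z) in rel if y == y2)
    return reflexive and transitive


def is_associated(rel, strict, E):
    """(Assoc): e1 < e2  iff  e1 <= e2 and not e2 <= e1."""
    return all(((e1, e2) in strict) == ((e1, e2) in rel and (e2, e1) not in rel)
               for e1 in E for e2 in E)


def associated_preorders(strict, E):
    """Brute force over the relations lying between <=_0 and <=_1 (the only
    candidates, by Lemma 4.1(1)); keep those that are pre-orders satisfying (Assoc)."""
    low, high = preorder0(strict, E), preorder1(strict, E)
    extra = sorted(high - low)
    found = []
    for bits in product((0, 1), repeat=len(extra)):
        rel = low | frozenset(p for p, bit in zip(extra, bits) if bit)
        if is_preorder(rel, E) and is_associated(rel, strict, E):
            found.append(rel)
    return found


def universal_classes(strict, E):
    """Maximal subsets of E (size > 1) on which <=_1 is universal: the elements
    sharing both their successor set and their predecessor set."""
    groups = {}
    for e in E:
        groups.setdefault((succ(strict, E, e), pred(strict, E, e)), set()).add(e)
    return [frozenset(g) for g in groups.values() if len(g) > 1]


def bell(k):
    """Bell numbers B_0, B_1, ... via B_{n+1} = sum_j C(n, j) B_j."""
    B = [1]
    for n in range(k):
        B.append(sum(comb(n, j) * B[j] for j in range(n + 1)))
    return B[k]


def predicted_count(strict, E):
    """Lemma 4.1: the number of associated pre-orders is the product, over the
    maximal universal classes C, of the Bell number B_card(C)."""
    total = 1
    for C in universal_classes(strict, E):
        total *= bell(len(C))
    return total


def count_orders(strict, E):
    """Lemma 4.1(2): among the associated pre-orders, exactly one is antisymmetric."""
    return sum(1 for rel in associated_preorders(strict, E)
               if all((y, x) not in rel or x == y for (x, y) in rel))


# Constructed samples on E = {1, 2, 3, 4}.
E4 = frozenset({1, 2, 3, 4})
ORDER_2x2 = frozenset({(1, 3), (1, 4), (2, 3), (2, 4)})   # classes {1,2}, {3,4}
ORDER_3x1 = frozenset({(1, 4), (2, 4), (3, 4)})           # class {1,2,3}

if __name__ == "__main__":
    for strict in (ORDER_2x2, ORDER_3x1):
        print(len(associated_preorders(strict, E4)), predicted_count(strict, E4))
    # prints "4 4" then "5 5"
```

The brute force only needs to look between $\preceq_0$ and $\preceq_1$ because of implications (1) and (2) of the lemma; on the second sample the five survivors are exactly the five ways of partitioning the class $\{1,2,3\}$ into blocks on which $\preceq$ is universal, which is what $B_3 = 5$ counts.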
Theorem 4.2. A pre-circumscription $f$ is a formula circumscription iff it is a
preferential entailment $f_\prec$ associated with a strict order $\prec$.

Proof: Theorem 4.2 has independently appeared at least three times, as [?, Theorems 13-
14], [?, Theorem 7] and [?, Proposition 5.24-1]. However, in [?] the proof relies on
the strict relation (i.e. in fact on the large relation $\preceq_0$), and [?] uses any large relation,
but without constructive definition. For our purpose, we need to consider large relations
and constructive definitions, which is why we provide a new proof.

“only if”: Lemma 2.2 (4) and Proposition 2.2.

“if”: The proof is built on an old result ([?, Lemma 11.8, Theorems 11.6 and 11.9]):
any pre-order $\preceq$ on a set $E$ can be put in correspondence with the relation $\supseteq$ on a subset
of $\mathcal{P}(E)$: for any $e_1, e_2$ in $E$, we have $e_1 \preceq e_2$ iff $s_\preceq(e_2) \subseteq s_\preceq(e_1)$. (MN)

Step 0: Let $\prec$ be a strict order on $\mathbf{M}$ and $\preceq$ be any pre-order associated with $\prec$.
Step 1, first application of (MN): Let us define the formula $\varphi_\preceq(\mu)$, for any $\mu \in \mathbf{M}$,
and the set of formulas $\Phi_\preceq$ by: $\mathbf{M}(\varphi_\preceq(\mu)) = s_\preceq(\mu)$ and $\Phi_\preceq = \{\varphi_\preceq(\mu) \,/\, \mu \in \mathbf{M}\}$.

From (MN) we get $\mu \preceq \nu$ iff $\varphi_\preceq(\nu) \models \varphi_\preceq(\mu)$. (MN1)

Step 2, second application of (MN): Starting from the set $\Phi_\preceq$ pre-ordered by $\models$, we
define the set of formulas $s_\models(\psi) = \{\varphi \in \Phi_\preceq \,/\, \psi \models \varphi\}$. From (MN) we get, for any $\mu, \nu$
in $\mathbf{M}$: $\varphi_\preceq(\mu) \models \varphi_\preceq(\nu)$ iff $s_\models(\varphi_\preceq(\nu)) \subseteq s_\models(\varphi_\preceq(\mu))$. (MN2)

We get $\varphi_\preceq(\nu) \in s_\models(\varphi_\preceq(\mu))$ iff $\varphi_\preceq(\mu) \models \varphi_\preceq(\nu)$, $\varphi_\preceq(\mu) \models \varphi_\preceq(\nu)$ iff $\nu \preceq \mu$ from
(MN1), and $\nu \preceq \mu$ iff $\mu \in s_\preceq(\nu)$ iff $\mu \models \varphi_\preceq(\nu)$. Thus, we get $\varphi_\preceq(\nu) \in s_\models(\varphi_\preceq(\mu))$
iff $\varphi_\preceq(\nu) \in Th(\mu)$. This means, for any $\mu \in \mathbf{M}$: $s_\models(\varphi_\preceq(\mu)) = Th(\mu) \cap \Phi_\preceq$. From
(MN1) and (MN2) we get then $\mu \preceq \nu$ iff $Th(\mu) \cap \Phi_\preceq \subseteq Th(\nu) \cap \Phi_\preceq$, thus $\mu \prec \nu$ iff
$Th(\mu) \cap \Phi_\preceq \subset Th(\nu) \cap \Phi_\preceq$. Thus, from Proposition 2.2, $f = f_\prec = CIRCF(\Phi_\preceq)$. □

Step 0 allows many possibilities. If we want to reduce the size of the set of
formulas to circumscribe, obtained in step 1, we will see why it is good to choose $\preceq_1$
and why the worst possibility is $\preceq_0$, as done in [?]. In step 1, with each pre-order $\preceq$
we associate naturally a set of formulas $\Phi_\preceq$. In step 2, with each set $\Phi$ of formulas, we
associate naturally a pre-order $\preceq_\Phi$, and we get $\preceq_{\Phi_\preceq} = \preceq$. Remember that Theorem 3.3
allows to reduce the size of the set of formulas to circumscribe.



5 The Smallest Sets Strongly Equivalent to a Given Set

We need a few definitions, often given in two forms: in terms of subsets of a set $E$, and
in terms of formulas, where $E = \mathbf{M}$ and a formula can be associated with each subset.
This is to relate these results to familiar general results about finite sets.

Definition 5.1. 1. (a) The $\cup$-closure of a set $\mathcal{E}$ of subsets of some given set $E$ is the set
$\mathcal{E}^\cup$ of the subsets of $E$ which are unions of elements in $\mathcal{E}$: $\mathcal{E}^\cup = \{\bigcup \mathcal{E}' \,/\, \mathcal{E}' \subseteq \mathcal{E}\}$.
The $\cap$-closure of $\mathcal{E}$ is defined similarly and the $\cup\cap$-closure of $\mathcal{E}$ is $\mathcal{E}^{\cup\cap} = (\mathcal{E}^\cup)^\cap =
(\mathcal{E}^\cap)^\cup$. (b) We define the sets $\mathcal{E}_\cup = \{E' \in \mathcal{E} \,/\, E' \notin (\mathcal{E} - \{E'\})^\cup\}$ and similarly $\mathcal{E}_\cap$.
(c) For any set $\mathcal{E}$ of subsets of $E$, we define a $\cup$-basis of $\mathcal{E}$ as any set $\mathcal{E}'$ of subsets
of $E$ having the same $\cup$-closure as $\mathcal{E}$ and which has a cardinal minimal with this
property. A $\cap$-basis of $\mathcal{E}$ and a $\cup\cap$-basis of $\mathcal{E}$ are defined similarly.

2. Replacing “subset” by “formula”, $\cup$ by $\vee$ and $\cap$ by $\wedge$, gives respectively: (a) Definition
3.2, (b) the sets $\Phi_\wedge = \{\varphi \in \Phi \,/\, \varphi \notin (\Phi - \{\varphi\})^\wedge\}$ and $\Phi_\vee$,
and (c) the notions of $\wedge$-basis, $\vee$-basis and $\wedge\vee$-basis of a set of formulas. □

Proposition 5.1. [Obvious] If $E$ is finite, then any set $\mathcal{E}$ of subsets of $E$ has exactly
one $\cup$-basis, which is $\mathcal{E}_\cup$, and one $\cap$-basis, which is $\mathcal{E}_\cap$. Since $\mathbf{M}$ is finite, any set $\Sigma$ of
formulas in $L$ has exactly one $\wedge$-basis, which is $\Sigma_\wedge$, and one $\vee$-basis, which is $\Sigma_\vee$. □

Definition 5.2. 1. Let $\mathcal{E}$ be a set of subsets of $E$ and $\preceq$ be a pre-order in $E$. We define:

(a) For each $e \in E$, the set $\mathcal{E}_e$ of subsets of $\mathcal{E}$ by $\mathcal{E}_e = \{E_i \in \mathcal{E} \,/\, e \in E_i\}$.

(b) Three relations on $E$: $e_1 \preceq_\mathcal{E} e_2$ if $\mathcal{E}_{e_1} \subseteq \mathcal{E}_{e_2}$, $e_1 \prec_\mathcal{E} e_2$ if $\mathcal{E}_{e_1} \subset \mathcal{E}_{e_2}$, and
$e_1 \approx_\mathcal{E} e_2$ if $\mathcal{E}_{e_1} = \mathcal{E}_{e_2}$.

(c) The subsets $E_\preceq = \{s_\preceq(e) \,/\, e \in E\}$ and $E_\mathcal{E} = E_{\preceq_\mathcal{E}}$ of $\mathcal{P}(E)$.

(d) A subset $E_1$ of $E$ is a filter (or $\preceq$-filter) if for any $e_1 \in E_1$, $e \in E$ such that $e_1 \preceq e$,
we have $e \in E_1$. We denote by $F_\preceq$ the set of all the filters for $\preceq$ and by $F_\mathcal{E}$ the
set of the filters for $\preceq_\mathcal{E}$.

2. Let $X$ be a set of formulas in $L$ and $\preceq$ be a pre-order in $\mathbf{M}$. We define:

(a), (b) Definition 2.4 (a) and (b) respectively.

(c) The sets of formulas $\Phi_\preceq$ as in “step 1” in the proof of Theorem 4.2 and $\Phi_X =
\Phi_{\preceq_X} = \{\varphi_X(\mu) \,/\, \mu \in \mathbf{M}\}$, where $\varphi_X(\mu) = \varphi_{\preceq_X}(\mu)$.

(d) The sets of formulas $F_\preceq = \{\varphi \in L \,/\,$ if $\mu \in \mathbf{M}(\varphi)$, $\nu \in \mathbf{M}$ and $\mu \preceq \nu$, then
$\nu \in \mathbf{M}(\varphi)\}$, and $F_X = F_{\preceq_X}$.

By definition, $\bot \notin \Phi_\preceq$, thus $\bot \notin \Phi_X$. We get $CIRCF(\Phi_X) = CIRCF(X)$ from Proposition
2.2 and the proof of Theorem 4.2. Also, $\preceq_\mathcal{E}$ is associated with $\prec_\mathcal{E}$, and $\preceq_X$ with $\prec_X$.
We get then:

Lemma 5.1. 1. Let $E$ be some finite set, and $\mathcal{E}, \mathcal{E}_1, \mathcal{E}_2$ be any sets of subsets of $E$.

(a) $\preceq_{\mathcal{E}_1} = \preceq_{\mathcal{E}_2}$ iff $\mathcal{E}_1^{\cup\cap} = \mathcal{E}_2^{\cup\cap}$.

(b) The set $E_\mathcal{E}$ is the $\cup$-basis of the set $F_\mathcal{E} = \mathcal{E}^{\cup\cap}$: $E_\mathcal{E} = (\mathcal{E}^{\cup\cap})_\cup$.

(c) For any pre-order $\preceq$ on $E$, we get $\preceq_{F_\preceq} = \preceq$ and $\preceq_{F_\mathcal{E}} = \preceq_{E_\mathcal{E}} = \preceq_\mathcal{E}$.

2. In terms of formulas, $X$ and $Y$ being sets of formulas in $L$, we get:

(a) $\preceq_X = \preceq_Y$ iff $X^{\wedge\vee} = Y^{\wedge\vee}$.

(b) The set $\Phi_X$ is the $\vee$-basis of the set $F_X = X^{\wedge\vee}$. The elements of $\Phi_X$ are $\vee$-
irreducible in $F_X$: for any $\varphi \in \Phi_X$, there does not exist any non-trivial (without
any term equal to the result) disjunction of elements of $F_X$ which is equal to $\varphi$.

(c) For any pre-order $\preceq$ in $\mathbf{M}$ we get $\preceq_{F_\preceq} = \preceq_{\Phi_\preceq} = \preceq$. Thus, $\preceq_{F_X} = \preceq_{\Phi_X} = \preceq_X$. □

These results are known in finite set theory and distributive lattice theory (see e.g. [?]).
Point 2a is Theorem 3.3 (2a), given here again in order to make precise the correspondence
with the “set versions” of point 1a. The leftmost equalities in point 2c
come from point 2b, the rightmost equalities being step 2 in the proof of Theorem 4.2.
Thus, only point 1b (or equivalently 2b) remains, and the proof is straightforward.

Here is an immediate consequence of this lemma (given in terms of formulas only):
Proposition 5.2. The two operations $X \mapsto \preceq_X$ and $\preceq \mapsto F_\preceq$ define two reciprocal one-to-one
mappings between the set of all the sets $X$ of formulas of $L$ which are closed for $\wedge$
and $\vee$ and the set of all the pre-orders $\preceq$ defined on $\mathbf{M}$.

The set of all the sets $X$ of formulas of $L$ which are closed for $\wedge$ and $\vee$ is the
set of all the distributive lattices (with $\top$ and $\bot$) which are sublattices of $L$, where the
operations of the lattices are $\wedge$ (meet) and $\vee$ (join). □

This result can also be extracted from the classical literature about distributive lattices
(see e.g. [?, Theorem 3 and Corollary 1, p. 59] or more precisely [?, Theorem 8.19 and
Subsection 8.20]). However, this literature uses only orders, and not pre-orders ([?] is a
notable exception). The formulation given here makes precise the exact correspondence
between having the same pre-order relation on $\mathbf{M}$ and being “strongly equivalent” with
respect to formula circumscription in $L$. Let us give here another useful auxiliary result:

Definition 5.3. A chain of strict entailment in a set $X$ of formulas is a sequence
$(\varphi_i)_{i \in \{0,1,2,\ldots,n\}}$ of elements of $X$ such that $\varphi_i \models \varphi_{i+1}$ and $\varphi_{i+1} \not\models \varphi_i$ for $i \in
\{0, 1, 2, \ldots, n-1\}$. The length of this chain is $n$, and the length $l(X)$ of $X$ is the
length of the longest chains of strict entailment in $X$. □

Lemma 5.2. For any set of formulas $X$, $l(F_X)$ is equal to $card(\Phi_X)$.

Notice that $card(\Phi_X)$ is the number of equivalence classes for $\approx_X$ in $\mathbf{M}$. Thus,
$card(\Phi_X) \le card(\mathbf{M}) = 2^{card(V(L))}$. One possible easy proof of this lemma uses
the fact that $\Phi_X$ constitutes a $\vee$-basis of $F_X$. Also, it is a consequence of the representation
theorem ([?, Theorem 3, p. 59], or e.g., [?, Theorem 8.17]) for finite distributive
lattices ($F_X$ is a distributive lattice). □

Definition 5.4. 1. If $\preceq$ is a pre-order in a finite set $E$, $Fir_\preceq = \{s_\preceq(e) \,/\, e \in E,\ s_\preceq(e) \notin
(E_\preceq - \{s_\preceq(e)\})^\cap\}$ denotes the set of the elements of $E_\preceq$ which are $\cap$-irreducible
in $E_\preceq$. If $\mathcal{E} \subseteq \mathcal{P}(E)$, we define $Fir_\mathcal{E} = Fir_{\preceq_\mathcal{E}}$.

2. If $\preceq$ is a pre-order in $\mathbf{M}$, $\Phi ir_\preceq = \{\varphi \in \Phi_\preceq \,/\, \varphi \notin (\Phi_\preceq - \{\varphi\})^\wedge\}$ denotes the set of
the formulas of $\Phi_\preceq$ which are $\wedge$-irreducible in $\Phi_\preceq$.
If $X \subseteq L$, we define $\Phi ir_X = \Phi ir_{\preceq_X}$. □

Notice that $\bot \notin \Phi ir_\preceq$ and $\top \notin \Phi ir_\preceq$. The following result is immediate:

Proposition 5.3. 1. For any set $\mathcal{E}$ of subsets of a finite set $E$, we have $\mathcal{E}^{\cup\cap} = Fir_\mathcal{E}^{\cup\cap}$.
Thus, a set $\mathcal{B}$ of subsets of a finite set $E$ is a $\cup\cap$-basis of $\mathcal{E}$ iff we have: $\mathcal{B} \subseteq F_\mathcal{E}$,
$Fir_\mathcal{E} \subseteq \mathcal{B}^\cap$ and $\mathcal{B}$ has the smallest possible cardinal.
2. For any set of formulas $X$, $X^{\wedge\vee} = (\Phi ir_X)^{\wedge\vee}$. Thus, $Y$ is an $\wedge\vee$-basis of $X$ iff we
have: $Y \subseteq F_X$, $\Phi ir_X \subseteq Y^\wedge$ and $Y$ has the smallest possible cardinal. □

This result provides a semi-constructive way for getting an $\wedge\vee$-basis of a given set $X$
of formulas (i.e. one of the smallest sets strongly equivalent to $X$) by splitting this task
in two steps. The first step is constructive: getting the set $\Phi ir_X$. The second step is
much easier than the direct search for an $\wedge\vee$-basis because we need only to search for
what could be called an $\wedge$-basis with respect to $F_X$ of a given set $\Phi ir_X$. This non-
trivial problem concerns in particular a famous result by Sperner (it is, e.g., “Sperner's
theorem” in [?, Part 1.2] and “Sperner's lemma” in [?, p. 98-99]).
Definition 5.5. Let $E$ be some finite set with $card(E) = n$. An antichain in $E$ is a set of subsets of $E$ incomparable for $\subseteq$. A weak antichain $\mathcal{E}$ in $E$ is a set of subsets of $E$ which is equal to its $\cup$-basis $\mathcal{E}_{\cup}$ (i.e., no set in $\mathcal{E}$ is the union of some other sets in $\mathcal{E}$). $A(n)$ and $WA(n)$ denote respectively the maximal number of elements in an antichain and in a weak antichain in $E$. □

As any antichain is a weak antichain, we get $WA(n) \geq A(n)$. Sperner's theorem states that $A(n)$ is the central binomial coefficient $(n, \lfloor n/2 \rfloor)$. This result gives, in some cases (case 2 in the next proposition), a fully constructive way for getting an $\wedge\vee$-basis $Y$ of a set $X$ of formulas in $L$. It does not seem that the exact value of $WA(n)$, not given in [ref], is known. It is easy to realize that we get $WA(n) \geq WA1(n) = \sum_i (i, \lfloor i/2 \rfloor)$. Kleitman [ref] has shown that a better lower bound for $WA(n)$ is $WA2(n)$ defined by $(n, n/2) + (n, n/2 - 1)/n$ for even $n$ and $2(n-1, (n-1)/2) + (n-1, (n-3)/2)/n$ for odd $n$. $WA2(n)$ is approached by $(1 + 3/(2n))A(n)$ for odd $n$ and by $(1 + 1/(n+2))A(n)$ for even $n$ [ref]. For $n < 12$, we have $WA2(n) < WA1(n)$ (and maybe $WA(n) = WA1(n)$) but for any $n > 12$ we have $WA2(n) > WA1(n)$.

Proposition 5.4. Let $X$ be some finite set of formulas in $L$. We are looking for an $\wedge\vee$-basis $Y$ of $X$ (i.e., some set $Y$ with the minimal cardinality $k$ such that $Y =_{sc} X$). Let $\Phi ir_X = \{\varphi_1, \ldots, \varphi_n\}$ be the set introduced in Definition 5.4, with $n = card(\Phi ir_X)$.

1. In any case, $k = card(Y)$ must satisfy $WA(k) \geq n$.

2. If $\Phi ir_X$ is made of mutually exclusive formulas ($\varphi \models \neg\psi$ for any distinct $\varphi, \psi$ in $\Phi ir_X$), $card(Y)$ is the smallest $k$ satisfying $A(k) \geq n$ and there exists a constructive way for finding $Y$. This case is particular (it means that $\preceq_X$ is an equivalence relation, thus $\prec_X$ is empty), but it may help to solve more general cases. Applying this result to subsets of $\Phi ir_X$ may help to find $Y$ (see Section 7 below).

3. If $\Phi ir_X$ is made of a single chain of strict entailment, then $card(Y) = card(\Phi ir_X)$.

Proof: 1. From Proposition 5.3 we know that we want a subset $Y = \{\varphi'_1, \ldots, \varphi'_k\}$ of $F_X$ such that each $\varphi_i \in \Phi ir_X$ is a conjunction of elements of $Y$: there exists an injective mapping $l$ from $\Phi ir_X$ to a set of subsets of $\{1, \ldots, k\}$ such that we have

$$\varphi_i = \bigwedge_{j \in l(\varphi_i)} \varphi'_j, \quad \text{where } l(\varphi_i) \subseteq \{1, \ldots, k\} \text{ for any } i \in \{1, \ldots, n\}. \qquad (1)$$

Since the formulas in $\Phi ir_X$ are $\wedge$-irreducible in $F_X$, thus in $\Phi ir_X$, $l(\Phi ir_X)$ must be a weak antichain in $\{1, \ldots, k\}$ and $k$ satisfies $WA(k) \geq n$. We will see below (condition (C) in Example 7.1) how to improve this lower bound for $k$.

2. Let $l$ be an injective mapping from $\Phi ir_X$ to a set of subsets of $\{1, \ldots, k\}$ and $\{\varphi'_j\}_{j \in \{1, \ldots, k\}}$ be some set of formulas satisfying (1). As the formulas in $\Phi ir_X$ are mutually exclusive, we get $\varphi_i \not\models \varphi_j$ for any $i, j$ distinct in $\{1, \ldots, n\}$. Thus the set $l(\Phi ir_X) = \{l(\varphi_i)\}_{i \in \{1, \ldots, n\}}$ must be an antichain in $\{1, \ldots, k\}$ and $A(k) \geq n$. For any $k$ such that $A(k) \geq n$, there exists an injective mapping $l$ from $\Phi ir_X$ to an antichain in $\{1, \ldots, k\}$. Let us choose one such $l$, and define the formulas $\varphi'_j$ as follows:

$$\varphi'_j = \bigvee_{i \,:\, j \in l(\varphi_i)} \varphi_i \quad \text{for any } j \in \{1, \ldots, k\}. \qquad (2)$$

Clearly, $\varphi'_j \in (\Phi ir_X)^{\vee} \subseteq F_X$; as the formulas $\varphi_i$ are mutually exclusive, we get (1).

This shows that the smallest $k$ such that $A(k) \geq n$ is the smallest possible $k$ in this case. Moreover, this gives a fully constructive way for finding a set $Y = \{\varphi'_j\}_{j \in \{1, \ldots, k\}}$.

3. $\Phi ir_X$ is then a possible $Y$ (obvious, also a consequence of Proposition 5.5 below).

□

Example 7.1 below shows that we can sometimes do a slightly better job with weak antichains than with antichains. Case 3 shows that in some cases, we can be much above the best possibility given in 1. The preceding propositions provide useful tricks which considerably help the search for an $\wedge\vee$-basis (see also the examples given in Section 7 below). Here is another indication about the size of an $\wedge\vee$-basis of $X$:

Proposition 5.5. For any set of formulas $X$, the cardinal of an $\wedge\vee$-basis $Y$ of $X$ is such that we have: $l(\Phi_X) \leq card(Y) \leq card(\Phi ir_X)$.

Proof: From Proposition 5.3 we know that we have $card(Y) \leq card(\Phi ir_X)$: indeed, in the worst case, we can take $\Phi ir_X$ as our $\wedge\vee$-generator of $X$. $l(\Phi_X) \leq card(Y)$ is straightforward; we get even $l(\Phi_X) < card(Y)$ if $\top \notin \Phi_X$. □

6 The Smallest Sets c-Equivalent to a Given Set 

We consider now a given $CIRCF(X)$, and we look for the smallest (in terms of cardinality) sets $Y$ such that $CIRCF(Y) = CIRCF(X)$.

Lemma 6.1. Let $\mathcal{E}$ be a set of subsets of some finite set $E$, closed for $\cup$ and $\cap$ (i.e. such that $\mathcal{E} = F_{\mathcal{E}}$), and let us consider the relations $\prec = \prec_{\mathcal{E}}$ and $\preceq = \preceq_{\mathcal{E}}$ (Definition [ref]). Let us call $\cup\cap$-generator of $\mathcal{E}$ any subset $\mathcal{G}$ of $\mathcal{E}$ such that $\mathcal{G}^{\cup\cap} = \mathcal{E}$. Let $e_1$ and $e_2$ be two elements in $E$ not equivalent for $\preceq$ and satisfying $p_{\prec}(e_1) = p_{\prec}(e_2)$ and $s_{\prec}(e_1) = s_{\prec}(e_2)$ (Definition [ref]). Let us define the relation $\preceq'$ in $E$ as follows: $e \preceq' e'$ if $e \preceq e'$ or ($e \preceq e_1$ and $e' = e_2$). Then $\preceq'$ is a pre-order in $E$ associated with $\prec$ and we define the set $\mathcal{E}' = F_{\preceq'}$ of all the filters for $\preceq'$ (clearly $\mathcal{E}' \subseteq \mathcal{E}$).

1. Let $\mathcal{G}$ be a $\cup\cap$-generator of $\mathcal{E}$. Let us denote by $\mathcal{G}'$ the set of all the subsets $G'$ of $E$ defined as follows: For any $G \in \mathcal{G}$,

$G' = G \cup \{e \in E \,/\, e \simeq e_2\}$ if $\{e_1, e_2\} \cap G = \{e_1\}$;

$G' = G - \{e \in G \,/\, e \simeq e_2\}$ if $\{e_1, e_2\} \cap G = \{e_2\}$;

$G' = G$ otherwise, i.e. if $\{e_1, e_2\} \cap G$ is $\emptyset$ or $\{e_1, e_2\}$.

Then $\mathcal{G}'$ is a $\cup\cap$-generator of $\mathcal{E}'$ and $card(\mathcal{G}') \leq card(\mathcal{G})$.

2. Any $\cup\cap$-basis of $\mathcal{E}'$ has at most as many elements as a $\cup\cap$-basis of $\mathcal{E}$.

Notice that if we start from $\mathcal{G} = F_{\mathcal{E}}$, which is a $\cup\cap$-generator of $\mathcal{E}$, we get as our set $\mathcal{G}'$ the set $\mathcal{G}' = \mathcal{G} - \{s_{\preceq}(e_1), s_{\preceq}(e_2)\} \cup \{(s_{\preceq}(e_1))', (s_{\preceq}(e_2))'\}$ where $(s_{\preceq}(e_1))' = s_{\preceq'}(e_1) = s_{\preceq'}(e_2) = s_{\preceq}(e_1) \cup s_{\preceq}(e_2)$ and $(s_{\preceq}(e_2))' = s_{\preceq}(e_1) \cap s_{\preceq}(e_2)$.

Proof: Point 1: If we define $\preceq_0$ and $\preceq_1$ from $\prec$ as in Definition [ref], we know, from Lemma [ref] (points 1 and 3), that $\preceq'$ is associated with $\prec$ and that we have, assimilating a relation to its graph: $\preceq_0 \subseteq \preceq \subseteq \preceq' \subseteq \preceq_1$. Let $\mathcal{G}$ and $\mathcal{G}'$ be as above, and let $H$ be some element of $\mathcal{E}'$. Clearly $card(\mathcal{G}') \leq card(\mathcal{G})$. Let us define the set $H''$ as follows:

$H'' = H \cup \{e \,/\, e \simeq e_2\}$ if $s_{\prec}(e_1) \subseteq H$ and $\{e_1, e_2\} \cap H = \emptyset$;

$H'' = H - \{e \,/\, e \simeq e_2\}$ if $\{e_1, e_2\} \subseteq H$;

$H'' = H$ otherwise, i.e. if $s_{\prec}(e_1) \not\subseteq H$.

It is immediate that if $e \in H''$, then $s_{\preceq}(e) \subseteq H''$. Thus, $H'' \in \mathcal{E}$. From $\mathcal{G}^{\cup\cap} = \mathcal{E}$, we get $H'' = \bigcup_i \bigcap_j G_{ij}$ where each $G_{ij}$ is in $\mathcal{G}$. Now, it is straightforward to check that we get $H = \bigcup_i \bigcap_j G'_{ij}$, which establishes $H \in \mathcal{G}'^{\cup\cap}$.

Point 2: The first sentence is an immediate consequence of point 1. The particular case where $\mathcal{G} = F_{\mathcal{E}}$ is a mere application of the definitions involved. □

Proposition 6.1. (See Definition [ref].) If two pre-orders $\preceq$ and $\preceq'$ on $E$ are associated with the same strict order $\prec$ and if the graph of $\preceq$ is included in the graph of $\preceq'$, then a $\cup\cap$-basis of $F_{\preceq'}$ has at most as many elements as a $\cup\cap$-basis of $F_{\preceq}$. In particular, any $\cup\cap$-basis of $F_{\preceq_1}$ has at most as many elements as a $\cup\cap$-basis of $F_{\preceq}$, which has itself at most as many elements as a $\cup\cap$-basis of $F_{\preceq_0}$.

Proof: From Lemma [ref] there exist pre-orders $\preceq^i$ with $\preceq' = \preceq^p$ and, for any $i \in \{1, \ldots, p\}$, there exist two distinct $e_1, e_2$ in $E$ such that $e_1 \preceq^i e_2$ and the graph of $\preceq^i$ is the graph of $\preceq^{i-1}$ plus $\{(e, e_2) \,/\, e \preceq^{i-1} e_1\}$. Then, Lemma 6.1 gives the general result, and $(\preceq, \preceq') = (\preceq_0, \preceq)$ or $(\preceq, \preceq_1)$ give the results for $\preceq_0$ and $\preceq_1$. □

Theorem 6.2. Let $\Phi$ be a set of formulas and $\preceq_1$ and $\preceq_0$ be respectively the greatest and the smallest pre-orders associated with $\prec = \prec_{\Phi}$ (see Lemma [ref]).

1. Any $\wedge\vee$-basis $\Phi_1$ of the set of formulas $F_{\preceq_1}$ is a set of formulas having the smallest possible number of elements such that $CIRCF(\Phi) = CIRCF(\Phi_1)$.

2. The set $F_{\preceq_0}$ (see Definition [ref]) is the greatest (for $\subseteq$) set of formulas $\Phi'$ such that $CIRCF(\Phi) = CIRCF(\Phi')$. The set of all the sets $\Phi'$ which are c-equivalent to $\Phi$ is the set of the sets $\Phi'$ such that $\preceq_{\Phi'^{\wedge\vee}}$ (i.e. $\preceq_{\Phi'}$) is associated with $\prec$.

Proof: 1: Lemma 6.1 and Proposition 6.1. 2: Rewritten from Theorem [ref] and Proposition [ref]; indeed, $PoSe(\Phi) = I_{CIRCF}(\Phi)$. □

Thus, $F_{\preceq_1}$ is the “simplest” set $\Phi'$ of formulas closed for $\wedge\vee$ such that $\Phi =_c \Phi'$, for at least three respects: (1) It has the minimal cardinal possible (Lemma [ref]). (2) It has the smallest maximal chain of strict entailment (Lemma [ref]). (3) Any $\wedge\vee$-basis $\Phi_1$ of $F_{\preceq_1}$ (i.e. of $\Phi_{\preceq_1}$) is a set with the smallest possible cardinal such that $\Phi =_c \Phi_1$.



7 A Few Examples

When looking for an $\wedge\vee$-basis $Y$ of a set $X$ of formulas as explained in Section 5, we may get a $k = card(Y)$ smaller than the one given by $A(k) \geq n$ (see Proposition 5.4, case 2).

Example 7.1. $V(L) = \{A, B, C\}$, $X = \{A, B, A \wedge C, B \wedge C\}$. We get $\preceq_X$ (Definition [ref]) described as follows: $\mu \preceq_X \nu$ iff $\mu = \nu$ or $\{\mu, \nu\} = \{\emptyset, \{C\}\}$ or $\mu \prec_X \nu$, with $\mu \prec_X \nu$ iff (($\mu \neq \{C\}$, $\nu \neq \{C\}$ and $\mu \subset \nu$) or ($\mu = \{C\}$ and $\nu \notin \{\emptyset, \{C\}\}$)).

We get then the following set $\Phi_X = \{\varphi(\mu)\}_{\mu \in \mathcal{P}(V(L)) - \{C\}}$ (Definition [ref]) with: $\varphi(\mu) = \bigwedge_{p \in \mu} p$ ($\varphi(\emptyset) = \top$). Thus, $\Phi ir_X = X$ (Definition 5.4).

The smallest $k$ such that $A(k) \geq 4 = card(\Phi ir_X)$ is $k = 4$, but we can choose $k = 3$. Here is an injective mapping $l$ from $\Phi ir_X$ to a weak antichain in $\{1, 2, 3\}$: $l(A) = \{1\}$, $l(B) = \{2\}$, $l(A \wedge C) = \{1, 3\}$, $l(B \wedge C) = \{2, 3\}$. As we want to get (1), $l$ must satisfy, for any $\varphi, \psi$ in $\Phi ir_X$: $\varphi \models \psi$ if $l(\psi) \subseteq l(\varphi)$. Let us call (C) this condition. We define $Y = \{\varphi'_i\}_{i \in \{1, 2, 3\}}$ as in (2), getting $\varphi'_1 = A$, $\varphi'_2 = B$ and $\varphi'_3 = C \wedge (A \vee B)$. Even if $l$ respects (C), defining $\varphi'_j$ by (2) does not always imply that we get (1). However, here (1) is satisfied, thus $CIRCF(X) = CIRCF(Y)$. As $card(Y) = 3$, $Y$ is one of the sets with the smallest cardinality satisfying $Y =_{sc} X$ from Proposition 5.4. As $\preceq_X = \preceq_1$ is the greatest relation of Definition [ref], we get that $Y$ is even one of the smallest sets satisfying $Y =_c X$ from Theorem 6.2. □

The next example shows how the results given in Sections 5 and 6 allow us to find the various sets of formulas describing a given formula circumscription:

Example 7.2. $V(L) = \{A, B, C\}$. We consider the set $X = \{A \vee B,\ C \vee (A \wedge B),\ \neg(\neg A \wedge \neg B),\ (A \vee B) \wedge \neg C,\ A \wedge B \wedge \neg C,\ A \wedge \neg B \wedge C,\ \neg A \wedge B \wedge C,\ A \wedge B \wedge C\}$ and $\mathcal{I} = CIRCF(X)$. Here are the relations $\prec_X$ and $\preceq_X$:

$\emptyset \prec_X \mu$ if $\mu \in \mathcal{M} - \{\emptyset\}$, $\{A\} \prec_X \{A, B\}$, $\{B\} \prec_X \{A, B\}$, $\{C\} \prec_X \{A, B\}$.

$\mu \preceq_X \nu$ if $\mu \prec_X \nu$ or $\mu = \nu$ or $\{\mu, \nu\} = \{\{A\}, \{B\}\}$.

Thus, $\Phi_X = \{\varphi_X(\mu)\}_{\mu \in \mathcal{P}(V(L)) - \{\{B\}\}}$ with $\varphi_X(\emptyset) = \top$, $\varphi_X(\{A\}) = (A \vee B) \wedge \neg C$, $\varphi_X(\{C\}) = (A \wedge B \wedge \neg C) \vee (\neg A \wedge \neg B \wedge C)$, $\varphi_X(\{A, B\}) = A \wedge B \wedge \neg C$, $\varphi_X(\{A, C\}) = A \wedge \neg B \wedge C$, $\varphi_X(\{B, C\}) = \neg A \wedge B \wedge C$, $\varphi_X(\{A, B, C\}) = A \wedge B \wedge C$.
Then, $\Phi ir_X = \{\varphi_X(\{A\}), \varphi_X(\{C\}), \varphi_X(\{A, C\}), \varphi_X(\{B, C\}), \varphi_X(\{A, B, C\})\}$.

Even if we are not in case 2 of Proposition 5.4, we are “close enough” to this case and we can apply the constructive method described there. We are looking for a subset $Y$ of $F_X$, minimal such that $\Phi ir_X \subseteq Y^{\wedge}$. We must use four elements in $F_X$: $WA(3) = 4 < 5 = card(\Phi ir_X) \leq 7 = WA(4)$. As we have also $A(3) = 3 < 5 \leq 6 = A(4)$, we can start from an antichain without bothering with weak antichains. Let us choose the following injective mapping $l$ from $\Phi ir_X$ into an antichain of $\{1, 2, 3, 4\}$: $l(\varphi_X(\{A\})) = \{1, 2\}$, $l(\varphi_X(\{C\})) = \{1, 3\}$, $l(\varphi_X(\{A, C\})) = \{1, 4\}$, $l(\varphi_X(\{B, C\})) = \{2, 3\}$, $l(\varphi_X(\{A, B, C\})) = \{2, 4\}$, which gives, by (2), $Y_a = \{\varphi'_1, \ldots, \varphi'_4\}$ with

$\varphi'_1 = \varphi_X(\{A\}) \vee \varphi_X(\{C\}) \vee \varphi_X(\{A, C\}) = (A \vee B \vee C) \wedge (\neg B \vee \neg C)$,

$\varphi'_2 = \varphi_X(\{A\}) \vee \varphi_X(\{B, C\}) \vee \varphi_X(\{A, B, C\}) = (A \wedge \neg C) \vee B$,

$\varphi'_3 = \varphi_X(\{C\}) \vee \varphi_X(\{B, C\}) = (A \wedge B \wedge \neg C) \vee (\neg A \wedge \neg B \wedge C) \vee (\neg A \wedge B \wedge C)$,

$\varphi'_4 = \varphi_X(\{A, C\}) \vee \varphi_X(\{A, B, C\}) = A \wedge C$.

We get a set $Y_a$ of four formulas with $Y_a =_{sc} X$ (thus $\mathcal{I} = CIRCF(X) = CIRCF(Y_a)$) and Proposition 5.4 gives that no set with fewer elements exists with $Y =_{sc} X$.

Let us consider now the greatest pre-order $\preceq_1$ associated with $\prec_X$ (Definition [ref]). We get $\mu \preceq_1 \nu$ iff $\mu \prec_X \nu$ or $\mu = \nu$ or $\{\mu, \nu\} \subseteq \{\{A\}, \{B\}, \{C\}\}$ or $\{\mu, \nu\} \subseteq \{\{A, C\}, \{B, C\}, \{A, B, C\}\}$. We get $\Phi_{\preceq_1} = \{\varphi_{\preceq_1}(\emptyset), \varphi_{\preceq_1}(\{A\}), \varphi_{\preceq_1}(\{A, B\}), \varphi_{\preceq_1}(\{A, C\})\}$ where $\varphi_{\preceq_1}(\emptyset) = \top$, $\varphi_{\preceq_1}(\{A\}) = ((A \vee B) \wedge \neg C) \vee (\neg A \wedge \neg B \wedge C)$, $\varphi_{\preceq_1}(\{A, B\}) = A \wedge B \wedge \neg C$, $\varphi_{\preceq_1}(\{A, C\}) = (A \vee B) \wedge C$. The set $\Phi ir_{\preceq_1}$ is then $Y_b = \Phi_{\preceq_1} - \{\varphi_{\preceq_1}(\emptyset)\}$.

As $WA(2) = 2 < 3 = card(Y_b) \leq WA(3) = 4$, Propositions 5.3 and 5.4 state that we need three elements in any subset $X'$ of $F_{\preceq_1} = Y_b^{\wedge\vee}$ such that $Y_b \subseteq (X')^{\wedge}$. Then, $Y_b$ gives an optimal solution. $Y_b$ is thus one of the sets of formulas $X'$ with as few elements as possible such that $\mathcal{I} = CIRCF(X) = CIRCF(X')$. This example shows that choosing the relation $\preceq_1$ instead of $\preceq_X$ (thus a fortiori of $\preceq_0$) allows us to get a smaller set of formulas.

From Lemma [ref], we get here $25 = B_3 \times B_3$ pre-orders $\preceq$ associated with $\prec$. □
As a last example, let us apply our results to ordinary circumscription $CIRC(P, Q, Z) = CIRCF(P; Q, Z \cup P) = CIRCF(P \cup Q \cup \neg Q)$. We want to find one of the smallest sets of formulas $\Phi$ where $CIRC(P, Q, Z) = CIRCF(\Phi; Q, Z \cup P)$ and we ask the same question for $CIRC(P, Q, Z) = CIRCF(\Phi)$.

For the first problem, we cannot do better than the set $P$:

Theorem 7.1. 1. $P$ is one of the sets $\Phi$ with fewer elements such that we have $CIRC(P, \emptyset, Z) = CIRCF(\Phi; \emptyset, Z \cup P) = CIRCF(\Phi)$.

2. $P$ is one of the sets $\Phi$ with fewer elements such that we have $CIRC(P, Q, Z) = CIRCF(\Phi; Q, Z \cup P)$ (and it is the simplest such set).

Sketch of the proof: 1. It is straightforward (not immediate, but automatic) to see that we have, if $X = P$ is a set of propositional symbols: $l(\Phi_X) = card(\Phi ir_X) = card(X)$. This is an important case where Proposition 5.5 is very precise. Moreover, if we define $\prec = \prec_{(P, \emptyset, Z)}$ (Definition [ref]) and $\preceq_1$ as in Definition [ref], we get $\Phi_{\preceq_1} = \{\bigwedge_{p \in P'} p\}_{P' \subseteq P}$ (and …). Then use Theorem 6.2.

2. Immediate extension of point 1. □

The second problem is tougher and partially left to any interested reader:

Proposition 7.1. There exists a set $\Phi$ such that we have $CIRC(P, Q, Z) = CIRCF(\Phi)$ satisfying $card(\Phi) = card(P) + k_Q$ where $k_Q$ is the smallest integer $k$ such that the central binomial coefficient $A(k) = (k, \lfloor k/2 \rfloor)$ satisfies $A(k) \geq 2^{card(Q)}$.

Proof: Let $P, Q, Z$ be a partition of $V(L)$ and $\Phi$ be the set of formulas $\Phi = P \cup Q \cup \neg Q$. We know that we have $CIRC(P, Q, Z) = CIRCF(\Phi)$. The set of the formulas $\Phi ir_{\Phi}$ contains a subset composed of formulas involving only the symbols of $Q$. Let us call $\Phi ir(Q)$ this set. This set is the set of the conjunctions of literals involving all the elements of $Q$. Thus, this set is made of mutually exclusive formulas. The subset $F(Q)$ of the formulas of $F_{\Phi}$ composed of formulas involving only the symbols of $Q$ is obviously the set $(Q \cup \neg Q)^{\wedge\vee}$ of all the formulas made in this vocabulary. We use the method of Proposition 5.4 (case 2) for this subset $\Phi ir(Q)$ of $\Phi ir_{\Phi}$. We choose a set $I$ with $k_Q$ elements and an injective mapping $l$ from $\Phi ir(Q)$ to the set of subsets of $I$ having $\lfloor k/2 \rfloor$ elements. As with (2) above, we define the set $B(Q) = \{\varphi'(i)\}_{i \in I}$ where $\varphi'(i) = \bigvee_{i \in l(\varphi),\ \varphi \in \Phi ir(Q)} \varphi$. Then, we get (1) above, thus $B(Q)^{\wedge\vee} = F(Q)$. As in the proof of case 2 in Proposition 5.4, we cannot do better: $B(Q)$ is an $\wedge\vee$-basis of $F(Q)$. Thus, the set $\Phi' = P \cup B(Q)$ is such that $\Phi'^{\wedge\vee} = (P \cup Q \cup \neg Q)^{\wedge\vee}$ and we get $CIRC(P, Q, Z) = CIRCF(\Phi')$. □

This proof can easily be extended to prove that this set $\Phi$ is minimal (in cardinality) among the sets $\Phi$ which are unions of subsets of $P^{\wedge\vee}$ and of subsets of $(Q \cup \neg Q)^{\wedge\vee}$ and such that we have $CIRC(P, Q, Z) = CIRCF(\Phi)$. However, this does not prove that $\Phi$ is minimal without this condition: we could imagine some tricky subset of $(P \cup Q \cup \neg Q)^{\wedge\vee}$ with fewer elements. We tend to think that this choice is optimal:

Conjecture 7.2. Any set $\Phi$ such that $CIRC(P, Q, Z) = CIRCF(\Phi)$ has at least $card(P) + k_Q$ elements. □
Example 7.3. $P = \{P\}$, $Q = \{Q_1, Q_2, Q_3\}$, $Z = \emptyset$.

We get $card(\Phi ir(Q)) = 2^3 = 8$, $card(Q \cup \neg Q) = 2 \times 3 = 6$ and $A(5) = (5, 2) = 10 \geq 8$. Thus, the set $B(Q)$ has 5 elements, which is better than $Q \cup \neg Q$. The difference is not negligible, as when $q = card(Q)$ tends to infinity, $Q \cup \neg Q$ has $2 \times q$ elements while $k_Q = card(B(Q))$ is approximated by $q + \ln(q)$. Here is a possible mapping $l$, from $\Phi ir(Q)$ to $\mathcal{I}$, a set of subsets of $I = \{1, \ldots, 5\}$ with two elements:

$l(Q_1 \wedge Q_2 \wedge Q_3) = \{1, 2\}$, $l(Q_1 \wedge Q_2 \wedge \neg Q_3) = \{1, 3\}$, $l(Q_1 \wedge \neg Q_2 \wedge Q_3) = \{1, 4\}$, $l(Q_1 \wedge \neg Q_2 \wedge \neg Q_3) = \{1, 5\}$, $l(\neg Q_1 \wedge Q_2 \wedge Q_3) = \{2, 3\}$, $l(\neg Q_1 \wedge Q_2 \wedge \neg Q_3) = \{2, 4\}$, $l(\neg Q_1 \wedge \neg Q_2 \wedge Q_3) = \{2, 5\}$, $l(\neg Q_1 \wedge \neg Q_2 \wedge \neg Q_3) = \{3, 4\}$.

We get then $B(Q) = \{\varphi'(i)\}_{i \in \{1, \ldots, 5\}}$ with:

$\varphi'(1) = Q_1$ $[= (Q_1 \wedge Q_2 \wedge Q_3) \vee (Q_1 \wedge Q_2 \wedge \neg Q_3) \vee (Q_1 \wedge \neg Q_2 \wedge Q_3) \vee (Q_1 \wedge \neg Q_2 \wedge \neg Q_3)]$,

$\varphi'(2) = (\neg Q_1 \wedge (Q_2 \vee Q_3)) \vee (Q_1 \wedge Q_2 \wedge Q_3)$ $[= l^{-1}(\{1, 2\}) \vee l^{-1}(\{2, 3\}) \vee l^{-1}(\{2, 4\}) \vee l^{-1}(\{2, 5\})]$,

$\varphi'(3) = (Q_1 \wedge Q_2 \wedge \neg Q_3) \vee (\neg Q_1 \wedge Q_2 \wedge Q_3) \vee (\neg Q_1 \wedge \neg Q_2 \wedge \neg Q_3)$,

$\varphi'(4) = (Q_1 \wedge \neg Q_2 \wedge Q_3) \vee (\neg Q_1 \wedge Q_2 \wedge \neg Q_3) \vee (\neg Q_1 \wedge \neg Q_2 \wedge \neg Q_3)$,

$\varphi'(5) = \neg Q_2 \wedge \neg(Q_1 \leftrightarrow Q_3)$ $[= (Q_1 \wedge \neg Q_2 \wedge \neg Q_3) \vee (\neg Q_1 \wedge \neg Q_2 \wedge Q_3)]$.

Thus, we get as our set (which in this simple case can be proved to have as few elements as possible) the set $\Phi' = \{P\} \cup B(Q)$ with $CIRC(P, Q, Z) = CIRCF(\Phi')$. □
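The construction of Proposition 7.1 and of Example 7.3 can be checked mechanically. The following Python program is an added example and not part of the paper: it computes $k_Q$, enumerates the $2^q$ conjunctions of literals over $Q$ (the set $\Phi ir(Q)$), assigns them distinct $\lfloor k/2 \rfloor$-subsets of $I = \{1, \ldots, k\}$ as the mapping $l$, builds the disjunctions $\varphi'(i)$ of (2), and verifies (1), i.e. that every conjunction is recovered as $\bigwedge_{i \in l(\varphi)} \varphi'(i)$. Formulas are represented by their sets of models (tuples of truth values for $Q_1, \ldots, Q_q$), a representation chosen here for convenience; with $q = 3$ the enumeration order reproduces exactly the mapping and the five formulas of Example 7.3. The function names are my own.

```python
from itertools import combinations, product
from math import comb


def k_Q(q):
    """Smallest k such that the central binomial coefficient A(k) = C(k, floor(k/2))
    is at least 2**q = card(Phi_ir(Q)) (Proposition 7.1)."""
    k = 1
    while comb(k, k // 2) < 2 ** q:
        k += 1
    return k


def full_conjunctions(q):
    """Phi_ir(Q): the 2**q conjunctions of literals mentioning every Q_i, each encoded
    as its unique model, a tuple of truth values for (Q_1, ..., Q_q).  The order
    (all True first, all False last) is the order of the mapping l in Example 7.3."""
    return list(product((True, False), repeat=q))


def build_basis(q):
    """Return (k, l, basis): l maps each conjunction to a distinct floor(k/2)-subset
    of {1..k} (these subsets form an antichain, as required by case 2 of
    Proposition 5.4) and basis[i] is the model set of phi'(i), the disjunction of
    the conjunctions c with i in l(c), i.e. equation (2)."""
    k = k_Q(q)
    conj = full_conjunctions(q)
    subsets = list(combinations(range(1, k + 1), k // 2))
    l = {c: frozenset(subsets[idx]) for idx, c in enumerate(conj)}
    basis = {i: frozenset(c for c in conj if i in l[c]) for i in range(1, k + 1)}
    return k, l, basis


def reconstructs(q):
    """Check equation (1): each conjunction c equals the conjunction (intersection of
    model sets) of the phi'(i) with i in l(c).  This is what makes B(Q) an
    AND/OR-basis of F(Q) with only k_Q elements instead of 2*q."""
    k, l, basis = build_basis(q)
    for c in full_conjunctions(q):
        meet = frozenset.intersection(*(basis[i] for i in l[c]))
        if meet != frozenset({c}):
            return False
    return True


def render(models):
    """Write a model set as a disjunction of full conjunctions, e.g.
    (Q1 ∧ ¬Q2 ∧ ¬Q3) ∨ (¬Q1 ∧ ¬Q2 ∧ Q3)."""
    def lit(i, v):
        return f"Q{i + 1}" if v else f"¬Q{i + 1}"
    terms = ["(" + " ∧ ".join(lit(i, v) for i, v in enumerate(m)) + ")"
             for m in sorted(models, reverse=True)]
    return " ∨ ".join(terms)


if __name__ == "__main__":
    q = 3
    k, l, basis = build_basis(q)
    print(f"q = {q}: k_Q = {k}, card(Q ∪ ¬Q) = {2 * q}, (1) holds = {reconstructs(q)}")
    for i in range(1, k + 1):
        print(f"phi'({i}) = {render(basis[i])}")
```

Running it for $q = 3$ prints $k_Q = 5$ and the five formulas of Example 7.3 in their unsimplified disjunctive form; `reconstructs` returns True for every $q$, which is the content of equation (1) for this antichain choice of $l$.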

Even if we gain a significant number of formulas with respect to the obvious set $\Phi' = P \cup Q \cup \neg Q$ when $Q$ is big enough, the formulas involved are more complicated. However, it is interesting to know that the set $P \cup Q \cup \neg Q$ is not optimal in cardinality, when we allow the set $Q \cup \neg Q$ to be replaced by another subset of $(Q \cup \neg Q)^{\wedge\vee}$. Conjecture 7.2 (not absolutely certain...) states that even if we allow to “break” the set $(Q \cup \neg Q)^{\wedge\vee}$, i.e. to forget the information that $Q$ must be fixed, we cannot do better.



8 Conclusion and Perspective 

We have described all the sets of formulas $\Phi$ which, when circumscribed, give rise to the same result as a given set $\Psi$. Also, we have described all the sets which, when completed by any arbitrary set $\Phi'$, give rise to the same result as a given set $\Psi$, when completed by $\Phi'$. Our description is syntactical and very simple in the second case (“strong equivalence”). In the first case (“ordinary equivalence”), we have described a method to get all the possible sets. The method is fully constructive if we consider only sets of formulas which are closed for $\wedge$ and $\vee$ (or for $\wedge$ alone, or $\vee$ alone, thanks to the constructive definitions of the $\wedge$-basis and $\vee$-basis). In particular, we have described the unique greatest and the unique smallest (for set inclusion) such sets which are equivalent to a given set. Also, we have described the greatest (unique, it is the same one as the preceding greatest set) set of formulas which is equivalent to a given set, without other condition. The problem of finding the smallest sets (in terms of cardinality, there is no longer uniqueness here) involves the search for one of the smallest sets having the same closure for $\wedge$ and $\vee$ as a given set of formulas. We have described a semi-constructive method for finding these sets in all the cases. The method is fully constructive in two particular but instructive cases, which help finding the solution for more general cases. One of these cases is when we start from an ordinary circumscription $CIRC(P, Q, Z)$ where the propositional symbols of $P$ are circumscribed and those of $Q$ fixed. In this case, we have proved that the natural and well known set of formulas $P \cup Q \cup \neg Q$ is one of the smallest possible sets of formulas $\Psi$ which keeps unchanged the set $Q \cup \neg Q$ of the fixed literals. More surprisingly, we have shown that we can do better if we allow modifications inside the set of the fixed propositions, and conjectured that our proposition is still the best one, if we “forget the fixed propositions” altogether.

As future work, we should extend these results to the infinite propositional case, 
then to the predicate case. 

Let us add a few words about the importance of such a study. Firstly, this is one of the most fundamental questions to ask: when are sets of formulas equivalent for what we do with them? Secondly, this could help automatic computation, as we could choose the “easiest” equivalent sets in order to compute a given circumscription. Clearly, a lot of work remains in that direction. Thirdly, this could help the modelling by circumscriptions of complex situations. The idea is to associate with each rule a set of formulas to be circumscribed. Then, in order to combine rules, we would combine the sets. For defining such combinations, it is important to know precisely what these “sets” are, and the notions of equivalence give the answers.
Abstract. This paper defines a minimal change semantics for PDL, that is based on minimization over a change ordering of labeled Kripke models. The definition of the change ordering has some striking resemblances with the notion of bisimulation. The minimal change semantics for PDL is shown to behave correctly in case of the notorious Yale shooting and stolen car example scenarios.



1 Introduction 

Propositional dynamic logic (PDL) is designed to reason about pre- and postcondition properties of actions exhibiting choice ($\cup$), sequence (;), iteration (*), and test ($\phi?$). The formalism has applications in many areas, for instance in normative reasoning, agent-performed reasoning about action and epistemic updates, and planning. In many of the application areas of PDL, the frame problem is encountered. In our formulation the problem reads as follows.

The Frame Problem: when specifying actions declaratively, we do not want to involve ourselves in describing explicitly and exhaustively for each individual action what conditions do not change as the result of it.

Solutions to the frame problem require that somehow a concept of ‘minimal change’ is imposed. Surprisingly, many existing approaches that try to deal with the frame problem in modal action logics such as PDL mostly focus on the representational problem, that is, on the problem of how to extend the language such that persistency can be expressed in an easy, intuitive, and economic way. This

* This work is sponsored by VU-USF as part of the SINS project, and partially sup- 
ported by the Esprit Working group Aspire, contract nr. 22704 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 912^^ 2000. 
is even more surprising if we realize that the emphasis in most first-order based approaches is on the semantics, that is, on the selection of the intuitively intended first-order models of action descriptions. In this paper we aim to fill this gap, and focus on the semantics of minimal change for PDL. The semantics is based on a minimal change ordering of labeled Kripke structures, the structures that interpret PDL. The change ordering is achieved by turning the notion of semantical equivalence for PDL, bisimulation, into an inequivalence by incorporating a subset criterion of changes between states. The main virtues of the resulting non-monotonic semantics for PDL are (1) its generality, dealing with non-determinism, sequence, iteration and test, (2) the simplicity of its definition, and (3) its intuitive appeal, exemplified by its correct behavior in case of the Yale shooting and stolen car scenarios.

In Section 2 we first formally introduce PDL. Section 3 discusses some axiomatic approaches to reasoning about persistency, in PDL and in modal action logics in general. In Section 4 we present our semantic definition of persistency in full PDL with choice, sequence, iteration and test. We will start with a reformulation of the notion of bisimulation, and proceed by turning this semantical equivalence into an inequivalence that expresses a change ordering over Kripke models. In Section 5 we will test our theory against the Yale shooting and the stolen car scenarios. Section 6 concludes with a discussion.

2 Propositional Dynamic Logic 

Given a set $A$ of action symbols with $a \in A$, and a set $\mathcal{P}$ of proposition symbols with $p \in \mathcal{P}$, a well-formed formula $\phi$ of the language $\mathcal{L}(PDL)$ is defined through the following BNF:

$$\phi ::= p \mid \neg\phi \mid \phi \vee \phi \mid \langle\alpha\rangle\phi$$

$$\alpha ::= a \mid \alpha \cup \alpha' \mid \alpha;\alpha' \mid \alpha^* \mid \phi?$$

We will usually refer to propositions $p \in \mathcal{P}$ as fluents, emphasizing that the non-monotonic minimal change semantics for PDL we define in Section 4 focuses on the influence of actions on the values of these propositions. We will call $\alpha$'s (regular) actions or sometimes programs. The intended meaning of a PDL formula $\langle\alpha\rangle\phi$ is that it is possible to execute program $\alpha$ and reach a state where $\phi$ holds. The following definitional extensions are applied: $\phi \wedge \psi =_{def} \neg(\neg\phi \vee \neg\psi)$, $[\alpha]\phi =_{def} \neg\langle\alpha\rangle\neg\phi$, $\phi \rightarrow \psi =_{def} \neg\phi \vee \psi$, $\phi \leftrightarrow \psi =_{def} (\phi \rightarrow \psi) \wedge (\psi \rightarrow \phi)$, $\top =_{def} \phi \vee \neg\phi$ and $\bot =_{def} \neg\top$.

To interpret PDL, we use standard Kripke models whose transitions are parameterized with respect to actions $a \in A$. We call these labeled Kripke structures (LKSs).

Definition 1. Given a set $A$ of action symbols and a set $\mathcal{P}$ of proposition symbols, a structure $\mathcal{S} = (S, \pi, R_A)$ is defined as:

— $S$ is a nonempty set of possible states

— $R_A$ is a set of reachability relations $R_a \subseteq S \times S$ with $a \in A$

— $\pi$ is a valuation function $\pi : S \rightarrow 2^{\mathcal{P}}$ that assigns to each state $s$ a subset of valid propositions

We use the notation $s \xrightarrow{a} s'$ for an $a$-transition from state $s$ to $s'$ in a structure $\mathcal{S} = (S, \pi, R_A)$. This notation is extensively used in the definitions of orderings of labeled Kripke structures in Section 4.

The semantics of PDL is defined by relating the modality $\langle\cdot\rangle\cdot$ to the reachability relation $R_\alpha$ for regular actions $\alpha$, which in turn is an extension of the reachability relation $R_a$ for atomic actions $a$.

Definition 2. Validity $\mathcal{S}, s \models \phi$ of a well-formed formula $\phi$ in a state $s$ of a structure $\mathcal{S}$ is defined by:

$R_\alpha = R_a$, for $\alpha = a$, $a \in A$ and $R_a \in R_A$

$R_{\alpha \cup \alpha'} = R_\alpha \cup R_{\alpha'}$

$R_{\alpha;\alpha'} = R_\alpha \circ R_{\alpha'}$

$R_{\alpha^*} = (R_\alpha)^*$

$R_{\phi?} = \{(s, s) \mid \mathcal{S}, s \models \phi\}$

$\mathcal{S}, s \models p$ iff $p \in \pi(s)$

$\mathcal{S}, s \models \neg\phi$ iff not $\mathcal{S}, s \models \phi$

$\mathcal{S}, s \models \phi \wedge \psi$ iff $\mathcal{S}, s \models \phi$ and $\mathcal{S}, s \models \psi$

$\mathcal{S}, s \models \langle\alpha\rangle\phi$ iff $\exists s' \in S$ such that $(s, s') \in R_\alpha$ and $\mathcal{S}, s' \models \phi$

Validity on a structure $\mathcal{S}$ is defined as validity in all states of the structure. If $\phi$ is valid on a structure $\mathcal{S}$, we say that $\mathcal{S}$ is a model for $\phi$¹. General validity of a formula $\phi$ is defined as validity on all possible structures. A formula $\phi$ entails a formula $\psi$ (notation: $\phi \models \psi$) if and only if all models for $\phi$ are also models for $\psi$.

Alternatively, the semantics of PDL can be defined by using a trace semantics for programs: atomic actions are primitive traces, $\alpha \cup \alpha'$ is defined as the union of the traces that interpret $\alpha$ and $\alpha'$, $\alpha;\alpha'$ is defined as concatenation of the traces of $\alpha$ and $\alpha'$, and finally, $\alpha^*$ is defined as the union of all finitely repeated self-concatenations of the traces that interpret $\alpha$. Then $\langle\alpha\rangle\phi$ is defined as the existence of a trace from the current state to a state where $\phi$ holds.

The constructs $\alpha;\alpha'$, $\alpha \cup \alpha'$ and $\phi?$ can also be introduced as definitional extensions of PDL [ref]: $[\alpha;\alpha']\phi =_{def} [\alpha][\alpha']\phi$, $[\alpha \cup \alpha']\phi =_{def} [\alpha]\phi \wedge [\alpha']\phi$ and $[\phi?]\psi =_{def} \phi \rightarrow \psi$. The iteration cannot be introduced as a definitional extension, which shows that the iteration is responsible for the surplus of expressive power of PDL with respect to the multi-modal variant of the basic modal logic K, where modalities are just parameterized with respect to atomic actions $a$.

In PDL, the intended meaning of formulas of the form $\phi \rightarrow [\alpha]\psi$ (which is equivalent to $[\phi?;\alpha]\psi$) is that all executions of $\alpha$ from states where $\phi$ holds lead

¹ Note that we have a clear distinction between structures and models: a model is a structure that is valid for a certain formula.
to states where $\psi$ holds. Formulas of this type appear frequently in applications of dynamic logic, for instance when PDL is used for action domain descriptions in planning. The PDL formula $\phi \rightarrow [\alpha]\psi$ is typically used to describe what changes as the result of the execution of $\alpha$ in the context $\phi$. The formula states that it is not possible that if $\psi$ does not hold in the context $\phi$, it still does not hold after execution of $\alpha$. But the formula does not say anything about properties that are independent of $\psi$; these properties may vary freely over the execution. This is usually not what is intended when formulas $\phi \rightarrow [\alpha]\psi$ are written down. Usually the formula is intended to mean:

$\phi$ is a condition under which performing $\alpha$ brings about $\psi$, and nothing else.

To express the ‘and nothing else’ part of this intended meaning, we need to be able to express that properties are persistent. In the next section we will shortly discuss some approaches.

3 Axiomatic Approaches to Persistency in Modal Action Logics

We discuss three types of approaches: (1) non-monotonic approaches that aim at 
the definition of intended extensions of modal action logic formulas, as in default 
logic, (2) monotonic approaches that involve a notion of dependency of fluents 
on action occurrences, and (3) approaches that only focus on representational 
aspects. 

Of course it is possible to express persistency in PDL by defining completions with the help of formulas of the type $l \rightarrow [a]l$, with $l$ a positive or negated propositional constant, and $a$ an atomic action. But since in more general PDL formulas $\phi \rightarrow [\alpha]\psi$ neither the actions nor the properties that change value are required to be atomic, the question of how to define such completions intuitively and systematically is far from trivial. Furthermore, the number of frame formulas of the form $l \rightarrow [a]l$ that is needed to complement a general action domain description in PDL to impose the intended meaning is unacceptably high. One approach that attempts to define completions with formulas of the form $l \rightarrow [a]l$ is that by Giordano, Martelli and Schwind [ref]. Their method only applies to the fragment of PDL that contains no iteration. But on the other hand they deal with concurrency. Their basic idea is to define extensions of action descriptions by adding formulas $l \rightarrow [a]l$ in such a way that it is not derivable from the resulting completed description that action $a$ does change the value of the literal $l$. This defines extensions of action theories as in default logic. Weaknesses of the approach are the appearance of multiple extensions, and the absence of iteration.

A second type of approach that might be transposable to the PDL context is that of the ‘monotonic’ solutions as proposed by Reiter [ref]. The main idea of this approach is to first take stock of all actions in an action description that may influence a certain atomic property. This way the dependency of value changes of fluents on execution of actions is described explicitly. After this process is completed, formulas (successor state axioms) saying that certain formulas are exclusively influenced by certain actions can be added to impose the intended semantics. A PDL approach based on the same principles was proposed by De Giacomo [ref]. If the intended meaning of the formula $\psi \rightarrow [a]l$ is that $a$ exclusively changes $l$, the formulas $\psi \rightarrow [\sim a]l$ and $\psi \wedge \neg l \rightarrow [\sim a]\neg l$ can be used to express that performance of other actions than $a$ leaves the value of $l$ unchanged. A crucial element in this representation of persistency properties is the notion of action negation $\sim a$, that is interpreted as ‘union of all actions other than $a$’. De Giacomo does not define a general procedure for addition of formulas of the form $\psi \wedge \neg l \rightarrow [\sim a]\neg l$. Furthermore, it is not clear how persistency of fluents during execution of $\alpha$ is dealt with. This relates to the stolen car scenario that we discuss in Section 5. Castilho, Gasquet and Herzig [ref] also make use of an explicitation of the dependency of fluents on action occurrences, and use this explicitation to define how formulas of the form $l \rightarrow [a]l$ should be added to action descriptions to obtain the intended semantics. Weaknesses of their approach are that they do not consider iteration, and that frame properties are not really economically expressed by using formulas of the form $l \rightarrow [a]l$. This relates to the representational frame problem that we discuss next.

The representational frame problem is the problem of how to express persistency properties in an easy, intuitive and economic way. For PDL this was studied by Prendinger [ ]. His main contributions are the addition of the following operators to PDL: (1) terminal preservation, expressed by $tpres(\phi, a)$, whose meaning is that $\phi$ holds before and after execution of $a$; (2) chronological preservation, expressed by $cpres(\phi, a)$, whose meaning is that $\phi$ is preserved throughout the execution of $a$. Prendinger defines the semantics of these constructs together with their axiomatization, and gives soundness and completeness results. But the notions of terminal and chronological preservation as proposed by Prendinger can also be given as definitional extensions.

Definition 3. Terminal preservation $tpres(\phi, \alpha)$ and chronological preservation $cpres(\phi, \alpha)$ of $\phi$ over $\alpha$, as definitional extensions in PDL:

$tpres(\phi, \alpha) =_{def} \phi \to [\alpha]\phi$

$cpres(\phi, a) =_{def} tpres(\phi, a)$ for $a \in A$

$cpres(\phi, \alpha \cup \beta) =_{def} cpres(\phi, \alpha) \wedge cpres(\phi, \beta)$

$cpres(\phi, \alpha; \beta) =_{def} cpres(\phi, \alpha) \wedge [\alpha]cpres(\phi, \beta)$

$cpres(\phi, \alpha^*) =_{def} [\alpha^*]cpres(\phi, \alpha)$

We omit the proof of our claim that this exactly defines the preservation notions of Prendinger. An implication of the validity of this claim is that the properties $tpres(\phi, \alpha)$ and $cpres(\phi, \alpha)$ do not add expressiveness to PDL, but can be seen as just convenient abbreviations for complex PDL formulas. In this way the preservation constructs contribute to the representational frame problem. Another implication is a refinement of the commonly made claim (e.g. [ ]) that in PDL we cannot talk about properties that hold 'along the way' when executing a program: it is true that we cannot say in PDL, for instance, 'there is a possibility to successfully execute $\alpha$ while preserving $\phi$ along the way', but definition 3 demonstrates that we can say 'for all possible executions of $\alpha$ we preserve $\phi$ along the way'.



4 A Semantic Definition of Persistency in PDL 

In this section we define a non-monotonic minimal change semantics for PDL. A main difficulty to overcome is caused by the fact that actions in PDL are in general sequential. Due to this sequential nature of actions, we have to define a notion of minimal change that is in a way distributed over series of actions that are performed one after the other. We accomplish this by turning the well-known equivalence relation bisimulation for PDL into a minimal change ordering of labeled Kripke structures (LKSs). The definition of bisimulation deals with sequences of actions correctly due to its recursion. This recursion is also responsible for the correct distribution of minimal change over sequential actions in the change ordering we define.

We want to emphasize that the relation with bisimulation is only meaningful at the structural level of the definitions. What we are not saying, for instance, is that bisimulation is too coarse to distinguish minimal change from non-minimal change in PDL. We just observe that the recursion in the definition of bisimulation, together with the way that it deals with non-determinism, is exactly what is needed in the definition of minimal change for sequential actions too. First we recall the definition of bisimulation [ ].

Definition 4. Let $S_1 = (S_1, \pi_1, R_1)$ and $S_2 = (S_2, \pi_2, R_2)$ be LKSs, and let $s_1 \in S_1$ and $s_2 \in S_2$. Then $s_1 \sim_{bis} s_2$ if and only if:

— $\pi_1(s_1) = \pi_2(s_2)$

— $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$ only if $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$, such that $s_1' \sim_{bis} s_2'$

— $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$ only if $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$, such that $s_2' \sim_{bis} s_1'$

We want to emphasize two features of the definition of bisimulation: (1) the recursion, and (2) the way non-determinism of actions is dealt with. The recursion is needed to guarantee semantical equivalence of states under nesting of modalities in modal languages. In PDL modalities may be explicitly nested, but the nesting can also come 'in disguise' through formulas like $[\alpha; \beta]\phi$, which is equivalent to the nested formula $[\alpha][\beta]\phi$. Our notion of minimal change will also have to deal with nesting of modalities (or equivalently: sequences of actions), which motivates the recursion in the change ordering we define. PDL also deals with non-deterministic choice between actions. In the definition of bisimulation this is reflected by the requirement that an action is possible in one of the states that are compared if and only if the same action is possible in the other state. It is clear that this should hold to guarantee semantical equivalence of both states, because otherwise they could simply be distinguished by a formula of the form $\neg\langle a\rangle\top$, where $a$ denotes an action missing in one of the states. Our notion of minimal change will also have to deal with non-determinism. We do not want the ordering to interfere in any way with the possibility of execution of actions. Therefore the definition of our change ordering deals with non-determinism exactly the same way as bisimulation does. Before defining the change ordering, we first extend the notion of bisimulation to complete models. We also anticipate the definition of the change ordering by defining bisimulation in terms of changes between states. For this we need a notion of difference between states. The next definition identifies the difference between two states with the set of atomic propositions that change value.

Definition 5. Given a model $S = (S, \pi, R)$, the difference $\delta(s_1, s_2)$ between states $s_1 \in S$ and $s_2 \in S$ is defined as the set of propositions $\delta(s_1, s_2) = (\pi(s_1) \setminus \pi(s_2)) \cup ((P \setminus \pi(s_1)) \setminus (P \setminus \pi(s_2)))$, where $P$ is the set of atomic propositions; that is, $\delta(s_1, s_2)$ is the symmetric difference of $\pi(s_1)$ and $\pi(s_2)$.

Now we extend bisimulation to models, and reformulate it with the help of 
the notion of difference between states. 

Definition 6. Let $S_1 = (S_1, \pi_1, R_1)$ and $S_2 = (S_2, \pi_2, R_2)$ be LKSs, and let $s_1 \in S_1$ and $s_2 \in S_2$. Then $s_1 \sim_\delta s_2$ if and only if:

— $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$ only if $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$, such that $\delta(s_1, s_1') = \delta(s_2, s_2')$ and $s_1' \sim_\delta s_2'$

— $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$ only if $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$, such that $\delta(s_2, s_2') = \delta(s_1, s_1')$ and $s_2' \sim_\delta s_1'$

And $S_1 \sim_{bis} S_2$ if and only if:

— $\exists\, s_1 \in S_1$ only if $\exists\, s_2 \in S_2$, such that $\pi_1(s_1) = \pi_2(s_2)$ and $s_1 \sim_\delta s_2$

— $\exists\, s_2 \in S_2$ only if $\exists\, s_1 \in S_1$, such that $\pi_2(s_2) = \pi_1(s_1)$ and $s_2 \sim_\delta s_1$

Note that the relation $s_1 \sim_\delta s_2$ is not equal to the bisimulation relation $s_1 \sim_{bis} s_2$ of definition 4. The relation $s_1 \sim_\delta s_2$ expresses similarity in the course of changes during consecutive executions of atomic actions from states $s_1$ and $s_2$. We get bisimulation by adding $\pi_1(s_1) = \pi_2(s_2)$, as is done in the second part of the definition. This second part also states that the relation $S_1 \sim_{bis} S_2$ is a global bisimulation relation relating all states of $S_1$ to all states of $S_2$.

We are now ready to make the turn from semantical equivalence to semantical inequivalence by incorporating minimal change. The only thing we do is replace equality of changes in the above formulation of global bisimulation by a subset ordering of changes.

Definition 7. Let $S_1 = (S_1, \pi_1, R_1)$ and $S_2 = (S_2, \pi_2, R_2)$ be two LKSs, and let $s_1 \in S_1$ and $s_2 \in S_2$. Then $s_1 \sqsubseteq_c s_2$ if and only if:

— $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$ only if $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$, such that $\delta(s_1, s_1') \subseteq \delta(s_2, s_2')$ and $s_1' \sqsubseteq_c s_2'$

— $\exists\, s_2 \xrightarrow{a} s_2' \in R_2$ only if $\exists\, s_1 \xrightarrow{a} s_1' \in R_1$, such that $\delta(s_2, s_2') \supseteq \delta(s_1, s_1')$ and $s_2' \sqsupseteq_c s_1'$

And $S_1 \sqsubseteq_c S_2$ if and only if:

— $\exists\, s_1 \in S_1$ only if $\exists\, s_2 \in S_2$, such that $\pi_1(s_1) = \pi_2(s_2)$ and $s_1 \sqsubseteq_c s_2$

— $\exists\, s_2 \in S_2$ only if $\exists\, s_1 \in S_1$, such that $\pi_2(s_2) = \pi_1(s_1)$ and $s_2 \sqsupseteq_c s_1$

Intuitively the ordering says that (1) if model $S_1$ is below or equal to $S_2$, then for all possibilities in $S_1$ to do a sequence of actions, there is a possibility in $S_2$ to do the same sequence of actions, where each individual action in the sequence in $S_1$ changes less than or as much as the corresponding action in the sequence in $S_2$, and (2) for all possibilities in $S_2$ to do a sequence of actions, there is a possibility in $S_1$ to do the same sequence of actions, where each individual action in the sequence in $S_2$ changes more than or as much as the corresponding action in the sequence in $S_1$. In section 5, where we discuss the stolen car scenario, we show that this definition distributes minimal change over sequences of actions correctly. To get an impression of how this ordering deals with non-determinism of actions, in figure 1 we look at some example models of the formula $(\neg a \wedge \neg b \wedge \neg c) \to [k](a \vee b)$, where $k$ is an atomic action.




Fig. 1. A comparison of models of $\neg a \wedge \neg b \wedge \neg c \to [k](a \vee b)$

Clearly all structures in the figure are models of $\neg a \wedge \neg b \wedge \neg c \to [k](a \vee b)$. Model $S_1$ is a minimal model under the $\sqsubseteq_c$-ordering, $S_2$ and $S_3$ are above $S_1$ and are indistinguishable from each other, and $S_4$ is the model that forms the top of the ordering. Clearly $S_1$ is not the only minimal model for $\neg a \wedge \neg b \wedge \neg c \to [k](a \vee b)$ under the $\sqsubseteq_c$-ordering: the model where action $k$ only makes proposition $b$ true is minimal as well. And clearly $S_2$ and $S_3$ are not the only models that lie between the top model and the minimal models. The figure thus shows only a fragment of the ordering of the models. Metaphorically speaking, going down in the $\sqsubseteq_c$-ordering of models for a PDL formula $\phi$, transitions from certain states look for 'closer' states, that is, states which can be reached with only a subset of the current changes. Of course, they do so under the restriction that they keep satisfying $\phi$.

The $\sqsubseteq_c$-ordering is reflexive and transitive, which is to say that it forms a pre-order on LKSs. We define that $S_1 =_c S_2$ if and only if $S_1 \sqsubseteq_c S_2$ and $S_2 \sqsubseteq_c S_1$. The relation $=_c$ defines equivalence classes of models, and we get a partial order by considering the $\sqsubseteq_c$-ordering over these equivalence classes. From definitions 6 and 7 it follows immediately that if two models bisimulate, they cannot be distinguished under the change ordering: $S \sim_{bis} S'$ implies $S =_c S'$. That the converse of this implication does not hold follows from the above example. It holds that $S_2 \sqsubseteq_c S_3$ and $S_3 \sqsubseteq_c S_2$. But there is no bisimulation, since the 'middle' transition in $S_2$ has no equivalent in $S_3$. But if we restrict ourselves to $\sqsubseteq_c$-minimal models, we do have that two models bisimulate if they cannot be distinguished under the change ordering: $S \sim_{bis} S'$ if and only if $S =_c S'$. We do not prove this formally here. We only note that this is in agreement with the above example, where $S_2$ and $S_3$ are both non-minimal. We now define the non-monotonic minimal change semantics for PDL.

Definition 8. A PDL formula $\phi$ preferentially entails $\psi$ under minimal change, notation $\phi \models_c \psi$, if and only if all $\sqsubseteq_c$-minimal models of $\phi$ are models of $\psi$.

In the next section we will demonstrate this minimal change semantics by 
applying it to the well known Yale shooting and stolen car scenarios. 

5 Benchmark Reasoning Examples 

The Yale shooting problem (YSP) [ ] is a problem concerning the correct behavior of fluent values along possible action traces of descriptions of actions whose effects are described at the atomic level. In PDL the problem is described as:

$\neg loaded \to [load]loaded$

$alive \wedge loaded \to [shoot](\neg alive \wedge \neg loaded)$

$\top \to [wait]\top$

There are only two fluents in the action description, which implies that minimal models have at most four states. In each state, each of the actions load, wait and shoot is possible. Figure 2 shows a $\sqsubseteq_c$-minimal model for the YSP. Transitions with more than one label are used to abbreviate separate transitions relating the same states, and the fluents loaded and alive are abbreviated to $l$ and $a$ respectively.




Fig. 2. A minimal Kripke model for the Yale shooting scenario 



A Semantics for Persistency in Propositional Dynamic Logic 921 



This is by far not the only minimal model. First of all there are infinitely many models that bisimulate with this model, in which the loops of transitions in certain states are unrolled. As motivated in the previous section, all these bisimulating models are minimal under the $\sqsubseteq_c$-ordering. Furthermore, the formulas in our YSP action description do not force the possibility of actions in certain situations¹. Therefore each of the transitions in the above model can be left out to obtain other minimal models. Leaving out transitions in the above model results in minimal models that are not comparable to the above one or to each other (two models $S$ and $S'$ are not comparable if $S \not\sqsubseteq_c S'$ and $S' \not\sqsubseteq_c S$), since the models will not be equal in the action sequences that are possible. The model of figure 2 is canonical in the sense that minimal models either bisimulate with it or with minimal models that can be formed by leaving out transitions. It is not difficult to see that this implies that all minimal models satisfy the property $alive \wedge \neg loaded \to [load; wait; shoot](\neg alive \wedge \neg loaded)$.

Most other solutions to the YSP try to deal with the trade-off between the minimizations concerning subsequent actions. The trade-off exists because it is attempted to accomplish minimal change of different actions through the minimization of a single abnormality predicate. This results in two extensions for the YSP scenario: the intended one, in which the change of the wait action is none and that of the shoot action is fatal, and one in which the change in the shoot action is none and that of the wait action is, surprisingly, non-empty (the gun becomes unloaded). In our setting, this second extension simply does not exist, because the minimal change in the wait action is not 'traded' against minimal change in the shoot action. This means that our semantics does not suffer from the type of problems exemplified by the Yale shooting problem. The solution sketched by Meyer and Doherty [ ] behaves well in the case of the YSP for similar reasons. An interesting extension of the YSP is the one where the wait action is replaced by a spin action that rotates the cylinder of the gun [ ]. Our semantics deals with non-determinism in the effects of actions, but needs a small extension to deal with this particular type of problem, where fluents are explicitly declared not to be subject to persistency. We would have to constrain the change ordering such that it applies only to changes in fluents that are subject to minimal change. Other propositions are then allowed to change value freely.

In other approaches, the trade-off of minimal change between different actions has elicited answers like chronological minimization of changes. This relates to the well-known temporal explanation problem known as 'the stolen car problem' (SCP) [ ]. The type of problems exemplified by the SCP is an important test for our semantics, since they are about the minimal distribution of changes over sequences of actions. In the SCP the change concerns the condition that a car becomes stolen. Initially the car is not stolen. Three sequentially performed actions lead from the state where the car is not stolen to the state where it is stolen. In the action description of the scenario, we impose a temporal order on the three actions by using formulas of the form $\neg\langle\alpha; \beta\rangle\top$, saying that we cannot execute $\beta$ immediately after $\alpha$.

¹ Of course, this is only a choice we made to keep the action description simple. We could also have provided formulas saying for instance that shoot is not possible when loaded does not hold. Now the action is possible, but has no effect.

$\neg\langle wait1; wait3\rangle\top \qquad \neg\langle wait3; wait2\rangle\top$

$\neg\langle wait2; wait1\rangle\top \qquad \neg\langle wait3; wait1\rangle\top$

$\neg stolen \to [wait1; wait2; wait3]stolen$

The minimal change semantics also behaves well if we do not force a temporal order on the wait actions. But to be faithful to the original variant of the problem, we do impose the temporal order. The temporal order also makes it simpler to compare the models under the change ordering. And to make the comparison even simpler, in figure 3 we do not compare models globally, but only at a particular point, the starting point of the three subsequent wait actions. To ensure a global comparison of states, many transitions would have to be added, which would obscure the central point of the example.



[Figure 3: three models $S_1$, $S_2$ and $S_3$, each a chain of transitions labelled wait1, wait2, wait3; the states in which stolen holds are marked.]

Fig. 3. Models for the stolen car scenario

Models $S_1$ and $S_2$ are minimal for the SCP action description under the $\sqsubseteq_c$-ordering. That neither of the models is beneath or above the other in the $\sqsubseteq_c$-ordering is easily seen. Both contain the action sequence wait1, wait2, wait3. In $S_1$ the first two of these actions change less than the corresponding ones in $S_2$, but the third one changes more. So clearly $S_1 \not\sqsubseteq_c S_2$. In $S_2$ the third action changes less than the corresponding one in $S_1$, but the first two change more. So clearly also $S_2 \not\sqsubseteq_c S_1$. This means that $S_1$ and $S_2$ are incomparable. We motivate that nevertheless they are both minimal by comparing them to model $S_3$. In $S_3$, after the first wait action the car is stolen, after the second it has mysteriously become 'unstolen', and after the third it is stolen again. Clearly here the change from not stolen to stolen is not minimally distributed over the sequence of three actions. If we compare $S_1$ and $S_3$, we see that both the first and the second wait action change less, while the third changes as much as the corresponding action in $S_3$. This means that $S_1 \sqsubseteq_c S_3$ and $S_3 \not\sqsubseteq_c S_1$, meaning that $S_1$ is beneath $S_3$ in the ordering. A similar argument can be given for the claim that $S_2$ is beneath $S_3$ in the ordering. A third minimal model of the example is of course the one where the stealing takes place during the second wait action.
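The ordering of definition 7 and the comparisons just made for the stolen car scenario can be computed mechanically. The following Python program is an added example, not code from the paper: it implements the difference of definition 5 and the pointwise ordering of definition 7 as a greatest fixpoint (removing pairs of states until nothing changes, exactly as a bisimulation is computed), builds the three models of figure 3 and the third minimal model from their description in the text, and also model-checks the property $alive \wedge \neg loaded \to [load; wait; shoot](\neg alive \wedge \neg loaded)$ on a canonical Yale shooting model constructed from the description of figure 2. All model, state and function names are ours.

```python
"""Minimal-change ordering on labeled Kripke structures (LKSs).

Added example, not from the paper: delta (Definition 5) and the pointwise
ordering s1 <=_c s2 (Definition 7) as a greatest fixpoint, applied to
constructed stolen-car models (Figure 3 plus the third minimal model) and
to a Yale-shooting model built from the description of Figure 2.
"""
from itertools import product


class LKS:
    """Valuation pi (state -> set of true propositions) and labeled
    transitions R given as (source, action, target) triples."""

    def __init__(self, valuation, transitions):
        self.pi = {s: frozenset(v) for s, v in valuation.items()}
        self.states = list(self.pi)
        self.R = {}
        for src, act, tgt in transitions:
            self.R.setdefault(src, []).append((act, tgt))

    def succ(self, s):
        return self.R.get(s, [])


def delta(model, s, t):
    """Definition 5: propositions whose value differs between s and t."""
    return model.pi[s] ^ model.pi[t]


def change_order(m1, m2):
    """Definition 7 (pointwise part): the largest relation Z such that for
    (s1, s2) in Z every a-step from s1 is matched by an a-step from s2 that
    changes at least as much, every a-step from s2 by an a-step from s1
    that changes at most as much, and the targets are again in Z."""
    Z = set(product(m1.states, m2.states))
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(Z):
            fwd = all(any(a == b and delta(m1, s1, t1) <= delta(m2, s2, t2)
                          and (t1, t2) in Z for b, t2 in m2.succ(s2))
                      for a, t1 in m1.succ(s1))
            bwd = all(any(a == b and delta(m2, s2, t2) >= delta(m1, s1, t1)
                          and (t1, t2) in Z for b, t1 in m1.succ(s1))
                      for a, t2 in m2.succ(s2))
            if not (fwd and bwd):
                Z.discard((s1, s2))
                changed = True
    return Z


def below(m1, m2, s1="s0", s2="s0"):
    """True iff state s1 of m1 is <=_c state s2 of m2 (comparison at one
    point, as the paper does for Figure 3)."""
    return (s1, s2) in change_order(m1, m2)


def wait_chain(stolen_in):
    """Constructed SCP model: s0 -wait1-> s1 -wait2-> s2 -wait3-> s3, with
    stolen true exactly in the states whose index is in stolen_in."""
    val = {f"s{i}": ({"stolen"} if i in stolen_in else set()) for i in range(4)}
    trans = [(f"s{i}", f"wait{i + 1}", f"s{i + 1}") for i in range(3)]
    return LKS(val, trans)


S1 = wait_chain({3})        # stolen during wait3 only
S2 = wait_chain({1, 2, 3})  # stolen during wait1, stays stolen
S3 = wait_chain({1, 3})     # stolen, 'unstolen', stolen again
S4 = wait_chain({2, 3})     # the third minimal model: stolen during wait2


def box_seq(model, s, actions, pred):
    """Model-check [a1; ...; an]pred at s: pred must hold in every state
    reached by performing the actions in sequence."""
    frontier = {s}
    for act in actions:
        frontier = {t for u in frontier for b, t in model.succ(u) if b == act}
    return all(pred(model.pi[t]) for t in frontier)


def ysp_canonical():
    """Constructed from the description of Figure 2: states named by the
    fluents among l (loaded) and a (alive) that hold; load makes l true,
    wait changes nothing, shoot from a and l yields neither, else nothing."""
    vals = [frozenset(v) for v in (set(), {"l"}, {"a"}, {"a", "l"})]
    name = lambda v: "".join(sorted(v)) or "none"
    trans = []
    for v in vals:
        trans.append((name(v), "load", name(v | {"l"})))
        trans.append((name(v), "wait", name(v)))
        trans.append((name(v), "shoot", name(frozenset() if v == {"a", "l"} else v)))
    return LKS({name(v): v for v in vals}, trans)


def ysp_claim_holds(model=None):
    """alive & ~loaded -> [load; wait; shoot](~alive & ~loaded) in the model."""
    model = model or ysp_canonical()
    return all(box_seq(model, s, ["load", "wait", "shoot"],
                       lambda v: "a" not in v and "l" not in v)
               for s, v in model.pi.items() if "a" in v and "l" not in v)


if __name__ == "__main__":
    print("S1 <=c S3:", below(S1, S3), " S3 <=c S1:", below(S3, S1))
    print("S1, S2 incomparable:", not below(S1, S2) and not below(S2, S1))
    print("YSP claim holds in the canonical model:", ysp_claim_holds())
```

Running it reports that $S_1 \sqsubseteq_c S_3$ but not conversely, that $S_1$ and $S_2$ are incomparable, and that the load; wait; shoot property holds in the constructed Yale shooting model. Because change_order only removes pairs until a fixpoint is reached, it terminates on finite models with loops as well, which is what makes it applicable to the looping Yale shooting model.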



6 Discussion 

We have defined a non-monotonic minimal change semantics for PDL and we have shown that the semantics behaves well in the case of the Yale shooting problem and the stolen car scenario. Our approach contrasts with most other approaches to persistency in modal action logics, for instance with the ones discussed in section 3, in the sense that it is purely semantical. A natural question is whether both types of approaches can be reconciled. But for this to succeed, the axiomatic approaches will have to account for the delicate way in which minimal change is distributed over sequences of actions. Constructs such as $cpres(\phi, \alpha)$ of definition 3 do not help much, because in examples such as the stolen car scenario a construct that defines persistency 'along the way' cannot be used to impose that the change is brought about by either the first, second or third wait action. We know of no axiomatic or proof-theoretic approach that deals with this kind of complexity. However, for non-sequential actions, it might be possible to prove partial soundness and completeness results with respect to, for instance, the approach by Giordano, Martelli and Schwind [ ]. This is a subject for further research. A more fundamental question is whether it is actually possible to define unique completions within PDL that force exactly the models minimal in the $\sqsubseteq_c$-ordering. It might be the case that this is not possible, and that we need different completions to account for different minimal models.

As observed when we discussed the Yale shooting problem, in some cases (typically in action descriptions consisting of formulas $\psi \to [a]\phi$ where $a$ is atomic) it is possible to point out a minimal model that is canonical in the sense that all other minimal models either bisimulate with it or with one of the models that can be formed by leaving out certain transitions. We plan to investigate whether these canonical models might be used for model checking.
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Abstract. We consider the problem of specifying and computing con- 
sistent answers to queries against databases that do not satisfy given 
integrity constraints. This is done by simultaneously embedding the 
database and the integrity constraints, which are mutually inconsistent 
in classical logic, into a theory in annotated predicate calculus — a logic 
that allows non trivial reasoning in the presence of inconsistency. In this 
way, several goals are achieved: (a) A logical specification of the class 
of all minimal “repairs” of the original database, and the ability to rea- 
son about them; (b) The ability to distinguish between consistent and 
inconsistent information in the database; and (c) The development of 
computational mechanisms for retrieving consistent query answers, i.e., 
answers that are not affected by the violation of the integrity constraints. 



1 Introduction 

Databases that violate stated integrity constraints are an (unfortunate) fact of life for many corporations. They arise due to poor data entry control, due to merges of previously separate databases, due to the incorporation of legacy data, and so on. We call such databases "inconsistent."

Even though the information stored in such a database might be logically 
inconsistent (and, thus, strictly speaking, any tuple should be viewed as a cor- 
rect query answer), this has not been a deterrent to the use of such databases in 
practice, because application programmers have been inventing ingenious tech- 
niques for salvaging “good” information. Of course, in such situations, what is 
good information and what is not is in the eyes of beholder, and each concrete 
case currently requires a custom solution. This situation can be compared to 
the times before the advent of relational databases, when every database query 
required a custom solution. 

Thus, the problem is: what is the definition of "good information" in an inconsistent database and, once this is settled, what is the meaning of a query in this case. Several proposals to address these problems, both semantically and computationally, are known (e.g., [ ]), and we are not going to propose yet another definition for consistent query answers. Instead, we introduce a new semantic framework, based on Annotated Predicate Calculus [ ], that leads to a different computational solution and provides a basis for a systematic study of the problem.

Ultimately, our framework leads to the query semantics proposed in [ ]. According to [ ], a tuple $\bar t$ is an answer to the query $Q(\bar x)$ in a possibly inconsistent database instance $r$, if $Q(\bar t)$ holds true in all the "repairs" of the original database, that is in all the databases that satisfy the given constraints and can be obtained from $r$ by means of a "minimal" set of changes (where minimality is measured in terms of a smallest symmetric set difference).

In [ ], an algorithm is proposed whereby the original query is modified using the set of integrity constraints (that are violated by the database). The modified query is then posed against the original database (with the integrity constraints ignored). In this way, the explicit integrity checking and computation of all database repairs is avoided.

In this paper, we take a more direct approach. First, since the database is inconsistent with the constraints, it seems natural to embed it into a logic that is better suited for dealing with inconsistency than classical logic. In this paper we use Annotated Predicate Calculus (abbr. APC) introduced in [ ]. APC is a form of "paraconsistent logic," i.e., a logic where inconsistent information does not unravel logical inference and where causes of inconsistency can be reasoned about. APC generalizes a number of earlier proposals, and its various partial generalizations have also been studied in different contexts (e.g., [ ]).

The gist of our approach is to embed an inconsistent database theory in APC and then use APC to define database repairs and query answers. This helps understand the results of [ ], leads to a more straightforward complexity analysis, and provides a more general algorithm that covers classes of queries not included in [ ]. Furthermore, by varying the semilattice underlying the host APC theory, it is possible to control how exactly inconsistency is resolved in the original database.

Section 2 formalizes the problem of querying inconsistent databases. Section 3 reviews the basic definitions of Annotated Predicate Calculus, and Section 4 applies this calculus to our problem. In Section 5 we provide a syntactic characterization for database repairs and discuss the associated computational process. Section 6 studies the problem of query evaluation in inconsistent databases and Section 7 concludes the paper.

2 Preliminaries 

We assume we have a fixed database schema $P = \{p_1, \ldots, p_n\}$, where $p_1, \ldots, p_n$ are predicates corresponding to the database relations; a fixed, possibly infinite database domain $D = \{c_1, c_2, \ldots\}$; and a fixed set of built-in predicates $B = \{e_1, \ldots, e_m\}$. Each predicate has an arity, i.e., the number of arguments it takes. An integrity constraint is a closed first-order formula in the language defined by the above components. We also assume a first-order language $\mathcal{L} = D \cup P \cup B$ that is based on this schema.

Definition 1. (Databases and Constraints) A database instance $DB$ is a finite collection of facts, i.e., of statements of the form $p(c_1, \ldots, c_n)$, where $p$ is a predicate in $P$ and $c_1, \ldots, c_n$ are constants in $D$.

An integrity constraint is a clause of the form

$p_1(\bar T_1) \vee \cdots \vee p_n(\bar T_n) \vee \neg q_1(\bar S_1) \vee \cdots \vee \neg q_m(\bar S_m)$

where each $p_i$ ($1 \le i \le n$) and $q_j$ ($1 \le j \le m$) is a predicate in $P \cup B$ and $\bar T_1, \ldots, \bar T_n, \bar S_1, \ldots, \bar S_m$ are tuples (of appropriate arities) of constants or variables. As usual, we assume that all variables in a clause are universally quantified, so the quantifiers are omitted.

Throughout this paper we assume that both the database instance DB and 
the set of integrity constraints IC are consistent when considered in isolation. 
However, together DB U IC might not be consistent. 

Definition 2. (Sentence Satisfaction) We use $\models_{DB}$ to denote the usual notion of formula satisfaction in a database. The subscript $DB$ is used to distinguish this relation from other types of implication used in this paper. In other words,

— $DB \models_{DB} p(\bar c)$, where $p \in P$, iff $p(\bar c) \in DB$;

— $DB \models_{DB} q(\bar c)$, where $q \in B$, iff $q(\bar c)$ is true;

— $DB \models_{DB} \neg\phi$ iff it is not true that $DB \models_{DB} \phi$;

— $DB \models_{DB} \phi \wedge \psi$ iff $DB \models_{DB} \phi$ and $DB \models_{DB} \psi$;

— $DB \models_{DB} (\forall X)\phi(X)$ iff for all $d \in D$, $DB \models_{DB} \phi(d)$;

and so on. Notice that the domain is fixed, and it is involved in the above definition.



Definition 3. (IC Satisfaction) A database instance $DB$ satisfies a set of integrity constraints $IC$ iff for every $\phi \in IC$, $DB \models_{DB} \phi$.

If $DB$ does not satisfy $IC$, we say that $DB$ is inconsistent with $IC$. Additionally, we say that a set of integrity constraints is consistent if there exists a database instance that satisfies it.

Next we recall the relevant definitions from [ ].

Given two database instances $DB_1$ and $DB_2$, the distance $\Delta(DB_1, DB_2)$ between them is their symmetric difference: $\Delta(DB_1, DB_2) = (DB_1 - DB_2) \cup (DB_2 - DB_1)$. This leads to the following partial order:

$DB_1 \le_{DB} DB_2$ iff $\Delta(DB, DB_1) \subseteq \Delta(DB, DB_2)$.

That is, $\le_{DB}$ determines the "closeness" to $DB$. The notion of closeness forms the basis for the concept of a repair of an inconsistent database.
Definition 4. (Repair) Given database instances $DB$ and $DB'$, we say that $DB'$ is a repair of $DB$ with respect to a set of integrity constraints $IC$ iff $DB'$ satisfies $IC$ and $DB'$ is $\le_{DB}$-minimal in the class of database instances that satisfy $IC$.

Clearly if $DB$ is consistent with $IC$, then $DB$ is its own repair. Concepts similar to database repair were proposed in the context of database maintenance and belief revision [ ].

Example 1. (Repairing a Database) Consider a database schema with two unary relations $p$ and $q$ and domain $D = \{a, b, c, \ldots\}$. Let $DB = \{p(a), p(b), q(a), q(c)\}$ be a database instance over the domain $D$ and let $IC = \{\neg p(x) \vee q(x)\}$ be a set of constraints. This database does not satisfy $IC$ because $\neg p(b) \vee q(b)$ is false.

Two repairs are possible. First, we can make $p(b)$ false, obtaining $DB' = \{p(a), q(a), q(c)\}$. Alternatively, we can make $q(b)$ true, obtaining $DB'' = \{p(a), p(b), q(a), q(b), q(c)\}$.



Definition 5. (Consistent Answers) Let DB be a database instance, IC be set 
of integrity constraints and Q(x) be a query. We say that a tuple of constants 
i is a consistent answer to the query, denoted DB \=c Q(t), if for every repair 
DB' o/DB, DB' '^db Q{^- 

If Q is a closed formula, then true (respectively, false ) is a consistent answer 
to Q, denoted DB \=c Q, if DB' \=dbQ (respectively, DB' '^db Q) for every 
repair DB' of DB. 
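The notions of repair and consistent answer can be made concrete on Example 1. The following Python program is an added example, not part of the paper: it enumerates repairs by brute force over the ground facts of the schema built from the active domain of $DB$ (an assumption made here to keep the search finite; the paper's domain may be infinite, and Example 1 needs nothing outside the active domain), keeps the $\le_{DB}$-minimal instances among those satisfying $IC$, and evaluates consistent answers over all repairs. The encoding of clauses as Python predicates and all names are ours.

```python
"""Database repairs and consistent query answers (Definitions 4 and 5).

Added example, not from the paper: a brute-force repair enumerator and
consistent-answer evaluator for tiny instances, run on Example 1.  A fact
is a (predicate, args) pair; a constraint is (arity, clause) where
clause(inst, binding) evaluates the clause under one binding of its
variables to constants.  Candidates range over the ground facts of the
schema over the active domain of DB (our finiteness assumption).
"""
from itertools import combinations, product


def active_domain(db):
    """Constants occurring in the instance."""
    return sorted({c for _, args in db for c in args})


def satisfies(inst, ics, domain):
    """Definition 3: every (universally quantified) clause holds under every
    binding of its variables to domain constants."""
    return all(clause(inst, binding)
               for arity, clause in ics
               for binding in product(domain, repeat=arity))


def repairs(db, ics, schema):
    """Definition 4: the IC-satisfying instances whose symmetric difference
    to db is subset-minimal.  schema maps predicate names to arities."""
    db = frozenset(db)
    dom = active_domain(db)
    base = sorted((p, args) for p, ar in schema.items()
                  for args in product(dom, repeat=ar))
    consistent = [frozenset(sub)
                  for k in range(len(base) + 1)
                  for sub in combinations(base, k)
                  if satisfies(frozenset(sub), ics, dom)]
    dist = lambda inst: inst ^ db          # Delta(DB, inst)
    return [r for r in consistent
            if not any(dist(o) < dist(r) for o in consistent)]


def consistent_answers(db, ics, schema, query):
    """Definition 5: tuples that are answers in every repair.  query is
    (arity, pred) with pred(inst, tuple) -> bool."""
    reps = repairs(db, ics, schema)
    arity, pred = query
    return [t for t in product(active_domain(db), repeat=arity)
            if all(pred(r, t) for r in reps)]


# Example 1 of the paper: DB = {p(a), p(b), q(a), q(c)}, IC = {~p(x) v q(x)}.
DB = {("p", ("a",)), ("p", ("b",)), ("q", ("a",)), ("q", ("c",))}
SCHEMA = {"p": 1, "q": 1}
IC = [(1, lambda inst, x: ("p", x) not in inst or ("q", x) in inst)]

Q_Q = (1, lambda inst, t: ("q", t) in inst)   # query q(X)
Q_P = (1, lambda inst, t: ("p", t) in inst)   # query p(X)

if __name__ == "__main__":
    print("DB satisfies IC:", satisfies(frozenset(DB), IC, active_domain(DB)))
    for r in repairs(DB, IC, SCHEMA):
        print("repair:", sorted(r))
    print("consistent answers to q(X):", consistent_answers(DB, IC, SCHEMA, Q_Q))
    print("consistent answers to p(X):", consistent_answers(DB, IC, SCHEMA, Q_P))
```

Running it reports the two repairs $DB'$ and $DB''$ of Example 1 and that the consistent answers to $q(X)$ are $a$ and $c$: $q(b)$ holds in $DB''$ only, so it is not a consistent answer, exactly as Definition 5 prescribes. The exponential enumeration only serves to make the definitions executable; avoiding it is what the paper's later sections are about.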



3 Annotated Predicate Calculus

Annotated predicate calculus (abbr. APC) [ ] is a generalization of annotated logic programs introduced by Blair and Subrahmanian [ ]. It was introduced in order to study the problem of "causes of inconsistency" in classical logical theories, which is closely related to the problem of consistent query answers being addressed in our present work. This section briefly surveys the basics of APC used in this paper.

The syntax and the semantics of APC are based on classical logic, except that the classical atomic formulas are annotated with values drawn from a belief semilattice (abbr. BSL), an upper semilattice¹ with the following properties:

(i) BSL contains at least the following four distinguished elements: $\mathbf{t}$ (true), $\mathbf{f}$ (false), $\top$ (contradiction), and $\bot$ (unknown);

(ii) For every $s \in BSL$, $\bot \le s \le \top$ ($\le$ is the semilattice ordering);

(iii) $lub(\mathbf{t}, \mathbf{f}) = \top$, where $lub$ denotes the least upper bound.

As usual in lattice theory, $lub$ imposes a partial order on BSL: $a \le b$ iff $b = lub(a, b)$, and $a < b$ iff $a \le b$ and $a$ is different from $b$. Two typical examples of BSL (which happen to be complete lattices) are shown in Figure 1; in both of them, the lattice elements are ordered upwards. The specific BSL used in this paper is introduced later in the paper.

Fig. 1. Typical Belief Semilattices

Thus, the only syntactic difference between APC and classical predicate logic is that the atomic formulas of APC are constructed from the classical atomic formulas by attaching annotation suffixes. For instance, if $s$, $\mathbf{t}$, $\top$ are elements of the belief semilattice, then $p(X) : s$, $q : \top$, and $r(X, Y, Z) : \mathbf{t}$ all are atomic formulas in APC.

We define only the Herbrand semantics of APC (this is all we need here), and we also assume that the language is free of function symbols (because we are dealing with relational databases in this paper). We thus assume that the Herbrand universe is $D$, the set of all domain constants, and the Herbrand base, $HB$, is the set of all ground (i.e., variable-free) atomic formulas of APC.

A Herbrand interpretation is any downward-closed subset of $HB$, where a set $I \subseteq HB$ is said to be downward-closed iff $p : s \in I$ implies that $p : s' \in I$ for every $s' \in BSL$ such that $s' \le s$. Formula satisfaction can then be defined as follows, where $\nu$ is a variable assignment that gives a value in $D$ to every variable:

— $I \models_\nu p : s$, where $s \in BSL$ and $p$ is a classical atomic formula, if and only if $p : s \in I$.

— $I \models_\nu \phi \wedge \psi$ if and only if $I \models_\nu \phi$ and $I \models_\nu \psi$;

— $I \models_\nu \neg\psi$ if and only if not $I \models_\nu \psi$;

— $I \models_\nu (\forall X)\psi(X)$ if and only if $I \models_\mu \psi$, for every $\mu$ that may differ from $\nu$ only in its $X$-value.

It is thus easy to see that the definition of $\models$ looks very much classical. The only difference (which happens to have significant implications) is the syntax of atomic formulas and the requirement that Herbrand interpretations must be downward-closed. The implication $a \leftarrow b$ is also defined classically, as $a \vee \neg b$.

It turns out that whether or not APC has a complete proof theory depends
on which semilattice is used. It is shown in [ ] that for a very large and natural
class of semilattices (which includes all finite semilattices), APC has a sound
and complete proof theory.

¹ That is, the least upper bound, lub(a, b), is defined for every pair of elements
a, b ∈ BSL.

The reason why APC is useful in analyzing inconsistent logical theories is
that classical theories can be embedded in APC in various ways. The most
useful types of embeddings are those where theories that are inconsistent in classical
logic become consistent in APC. It then becomes possible to reason about
the embedded theories and gain insight into the original inconsistent theory.

The two embeddings defined in [ ] are called epistemic and ontological. Under
the epistemic embedding, a (classically inconsistent) set of formulas such as
S = {p(1), ¬p(1), q(2)} is embedded in APC as S^e = {p(1) : t, p(1) : f, q(2) : t},
and under the ontological embedding it is embedded as S^o = {p(1) : t, ¬p(1) :
t, q(2) : t}.² In the second case, the embedded theory is still inconsistent in
APC, but in the first case it does have a model: the downward closure of {p(1) :
⊤, q(2) : t}. In this model, p(1) is annotated with ⊤, which signifies that its
truth value is "inconsistent." In contrast, the truth value of q(2) is t. More
precisely, while both q(2) and ¬q(2) follow from S in classical logic, because S
is inconsistent, only q(2) : t (but not q(2) : f !) is implied by S^e. Thus, q(2)
can be seen as a consistent answer to the query ?- q(X) with respect to the
inconsistent database S.

In [ ], epistemic embedding has been shown to be a suitable tool for analyzing
inconsistent classical theories. However, this embedding does not adequately
capture the inherent lack of symmetry present in our setting, where inconsistency
arises due to the incompatibility of two distinct sets of formulas (the database
and the constraints) and only one of these sets (the database) is allowed to
change to restore consistency. To deal with this problem, we develop a new type
of embedding into APC. It uses a 10-valued lattice depicted in Figure 2 and is
akin to the epistemic embedding of [ ], but it also has certain features of the
ontological embedding.

The above simple examples illustrate one important property of APC: a set
of formulas, S, might be ontologically consistent in the sense that it might have
a model, but it might be epistemically inconsistent (abbr. e-inconsistent) in the
sense that S ⊨ p : ⊤ for some p, i.e., S contains at least one inconsistent fact.
Moreover, S can be e-consistent (i.e., it might not imply p : ⊤ for any p), but
each of its models in APC might contain an inconsistent fact nonetheless (this
fact must then be different in each model, if S is e-consistent).

It was demonstrated in [ ] that ordering models of APC theories according to
the amount of inconsistency they contain can be useful for studying the problem
of recovering from inconsistency. To illustrate this order, consider S = {p : t, p :
f ∨ q : t, p : f ∨ q : f} and some of its models:

M1, where p : ⊤ and q : ⊤ are true;

M2, where p : ⊤ and q : ⊥ are true;

M3, where p : t and q : ⊤ are true.

Among these models, both M2 and M3 contain strictly less inconsistent information
than M1 does. In addition, M2 and M3 contain incomparable amounts
of information, and they are both "minimal" with respect to the amount of
inconsistent information that they have. This leads to the following definition.

² ¬p : v is to be always read as ¬(p : v).

Definition 6. (E-Consistency Order) Given Δ ⊆ BSL, a semantic structure
I1 is more (or equally) e-consistent than I2 with respect to Δ (denoted
I2 ≤_Δ I1) if and only if for every atom p(t1, ..., tk) and λ ∈ Δ, whenever
I1 ⊨ p(t1, ..., tk) : λ then also I2 ⊨ p(t1, ..., tk) : λ.

I is most e-consistent in a class of semantic structures with respect to Δ, if
no semantic structure in this class is strictly more e-consistent with respect to
Δ than I (i.e., for every J in the class, I ≤_Δ J implies J ≤_Δ I).



4 Embedding Databases in APC 

One way to find reliable answers to a query over an inconsistent database is to
find an algorithm that implements the definition of consistent answers. While
this approach has been successfully used in [ ], it is desirable to see it as part
of a bigger picture, because consistent query answers were defined at the meta-
level, without an independent logical justification. A more general framework
might (and does, as we shall see) help study the problem both semantically and
algorithmically.

Our new approach is to embed inconsistent databases into APC and study
the ways to eliminate inconsistency there. A similar problem was considered in
[ ] and we are going to adapt some key ideas from that work. In particular,
we will define an embedding, T, such that the repairs of the original database
are precisely the models (in the APC sense) of the embedded database. This
embedding is described below.

First, we define a special 10-valued lattice, which defines the truth values
appropriate for our problem. The lattice is shown in Figure 2. The values ⊥, ⊤,
t and f signify undefinedness, inconsistency, truth, and falsehood, as usual. The
other six truth values are explained below.

Informally, values tc and fc signify the truth values as they should be for the
purpose of constraint satisfaction. The values td and fd are the truth values as
they should be according to the database DB. Finally, ta and fa are the advisory
truth values. Advisory truth values are intended as keepers of the information
that helps resolve conflicts between constraints and the database.

Notice that lub(fd, tc) is ta and lub(td, fc) is fa. This means that in case of
a conflict between the constraints and the database the advice is to change the
truth value of the corresponding fact to the one prescribed by the constraints.
Intuitively, the facts that are assigned the advisory truth values are the ones that
are to be removed from or added to the database in order to satisfy the constraints.
The gist of our approach is in finding an embedding of DB and IC into APC
that takes advantage of the above truth values.

Embedding the ICs. Given a set of integrity constraints IC, we define a new
theory, T(IC), which contains three kinds of formulas:

Fig. 2. The lattice with constraints values, database values and advisory
values.

1. For every constraint in IC:

p1(T1) ∨ ... ∨ pn(Tn) ∨ ¬q1(S1) ∨ ... ∨ ¬qm(Sm)

T(IC) has the following formula:

p1(T1) : tc ∨ ... ∨ pn(Tn) : tc ∨ q1(S1) : fc ∨ ... ∨ qm(Sm) : fc.

In other words, positive literals are embedded using the "constraint-true"
truth value, tc, and negative literals are embedded using the "constraint-
false" truth value fc.

2. For every predicate symbol p ∈ P, the following formulas are in T(IC):

p(x) : tc ∨ p(x) : fc,   ¬p(x) : tc ∨ ¬p(x) : fc.

Intuitively, this says that every embedded literal must be either constraint-
true or constraint-false (and not both).

Embedding Database Facts. T(DB), the embedding of the database facts into
APC, is defined as follows:

1. For every fact p(d), where p ∈ P: if p(d) ∈ DB, then p(d) : td ∈ T(DB); if
p(d) ∉ DB, then p(d) : fd ∈ T(DB).

Embedding Built-In Predicates. T(B), the result of embedding the built-in
predicates into APC, is defined as follows:

1. For every built-in fact p(d), where p ∈ B, the fact p(d) : t is in T(B) iff p(d)
is true. Otherwise, if p(d) is false then p(d) : f ∈ T(B).




934 Marcelo Arenas, Leopoldo Bertossi, and Michael Kifer 



2. ¬p(x) : ⊤ ∈ T(B), for every built-in p ∈ B.

The former rule simply says that built-in facts (like 1=1) that are true in the classical
sense must have the truth value t and the false built-in facts (e.g., 2=3) must
have the truth value f. The second rule states that built-in facts cannot be both
true and false. This ensures that theories for built-in predicates are embedded
in 2-valued fashion: every built-in fact in T(B) is annotated with either t or f,
but not both.

Example 2. (Embedding, I) Consider the database DB = {p(a), p(b), q(a)} over
the domain D = {a, b} and let IC be {¬p(x) ∨ q(x)}. Then

T(DB) = {p(a) : td, p(b) : td, q(a) : td, q(b) : fd}

and T(IC) consists of:

p(x) : fc ∨ q(x) : tc,

p(x) : tc ∨ p(x) : fc,   ¬p(x) : tc ∨ ¬p(x) : fc,
q(x) : tc ∨ q(x) : fc,   ¬q(x) : tc ∨ ¬q(x) : fc

Example 3. (Embedding, II) Let DB = {p(a, a), p(a, b), p(b, a)}, D = {a, b},
and let IC be {¬p(x, y) ∨ ¬p(x, z) ∨ y = z}. It is easy to see that this constraint
represents the functional dependency p.1 → p.2. Since this constraint involves
the built-in "=", the rules for embedding the built-ins apply.

In this case, T(DB) = {p(a, a) : td, p(a, b) : td, p(b, a) : td, p(b, b) : fd}
and T(IC) is:

p(x, y) : fc ∨ p(x, z) : fc ∨ (y = z) : tc,

p(x, y) : tc ∨ p(x, y) : fc,   ¬p(x, y) : tc ∨ ¬p(x, y) : fc.

The embedded theory T(B) for the built-in predicate "=" is: {(a = a) : t, (b =
b) : t, (a = b) : f, (b = a) : f, ¬(x = y) : ⊤}. □

Finally, we define T(DB,IC) as T(DB) ∪ T(IC) ∪ T(B). We can now state
the following properties that confirm our intuition about the intended meanings
of the truth values in Figure 2.

Lemma 1. If M is a model of T(DB,IC), then for every predicate p ∈ P and
a fact p(d), the following is true:

1. M ⊨ ¬p(d) : ⊤.

2. M ⊨ p(d) : t ∨ p(d) : f ∨ p(d) : ta ∨ p(d) : fa. □

The first part of the lemma says that even if the initial database DB is inconsistent
with constraints IC, every model of our embedded theory is epistemically
consistent in the sense of [ ], i.e., no fact of the form p(d) : ⊤ is true in any
such model.³ The second part says that any fact is either true, or false, or it has
an advisory value of true or false. This indicates that database repairs can be
constructed out of these embeddings by converting the advisory truth values to
the corresponding values t and f. This idea is explored next.

³ Note that an APC theory can entail p(a) : ⊤ and be consistent in the sense that
it can have a model. However, such a model must contain p(a) : ⊤, which makes it
epistemically inconsistent.

Given a pair of database instances DB1 and DB2 over the same domain, we
construct the Herbrand structure M(DB1, DB2) = (D, I_P, I_B), where D is the
domain of the database and I_P, I_B are the interpretations for the predicates and
the built-ins, respectively. I_P is defined as follows:

I_P(p(ā)) = t    if p(ā) ∈ DB1 and p(ā) ∈ DB2,
I_P(p(ā)) = f    if p(ā) ∉ DB1 and p(ā) ∉ DB2,
I_P(p(ā)) = fa   if p(ā) ∈ DB1 and p(ā) ∉ DB2,
I_P(p(ā)) = ta   if p(ā) ∉ DB1 and p(ā) ∈ DB2.        (1)

The interpretation I_B is defined as expected: if q is a built-in, then I_B(q(ā)) = t
iff q(ā) is true in classical logic, and I_B(q(ā)) = f iff q(ā) is false.

Notice that M(DB1, DB2) is not symmetric. The intent is to use these
structures as the basis for the construction of database repairs. In fact, when DB1
is inconsistent and DB2 is a repair, I_P shows how the advisory truth values are
to be changed to obtain a repair.

Lemma 2. Given two database instances DB and DB', if DB' ⊨ IC, then
M(DB, DB') ⊨ T(DB,IC). □

The implication of this lemma is that whenever IC is consistent, then the
theory T(DB,IC) is also consistent in APC. Since in this paper we are always
dealing with consistent sets of integrity constraints, we conclude that T(DB,IC)
is always a consistent APC theory.

We will now show how to generate repairs out of the models of T(DB,IC).
Given a model M of T(DB,IC), we define DB_M as:

{p(d) | p ∈ P and M ⊨ p(d) : t ∨ p(d) : ta}.        (2)

Note that DB_M can be an infinite set of facts (but finite when M corresponds
to a database instance).

Lemma 3. If M is a model of T(DB,IC) such that DB_M is finite, then
DB_M ⊨ IC.

Proposition 1. Let M be a model of T(DB,IC). If M is most e-consistent
with respect to Δ = {ta, fa, ⊤} (see Definition 6) among the models of T(DB,IC)
and DB_M is finite, then DB_M is a repair of DB with respect to IC.

Proposition 2. If DB' is a repair of DB with respect to the set of integrity
constraints IC, then M(DB, DB') is most e-consistent with respect to Δ =
{ta, fa, ⊤} among the models of T(DB,IC).
Example 4. (Repairs as Most e-Consistent Models) Consider a database instance
DB = {p(a)} over the domain D = {a} and a set of integrity constraints
IC = {¬p(x) ∨ q(x), ¬q(x) ∨ r(x)}. In this case T(DB) = {p(a) : td, q(a) :
fd, r(a) : fd}, and T(IC) is

p(x) : fc ∨ q(x) : tc,   q(x) : fc ∨ r(x) : tc,

p(x) : tc ∨ p(x) : fc,   ¬p(x) : tc ∨ ¬p(x) : fc,

q(x) : tc ∨ q(x) : fc,   ¬q(x) : tc ∨ ¬q(x) : fc,

r(x) : tc ∨ r(x) : fc,   ¬r(x) : tc ∨ ¬r(x) : fc

This theory has four models, depicted in the following table (each fact takes
the least upper bound of its database annotation and its constraint annotation):

       p(a)   q(a)   r(a)
M1     t      ta     ta
M2     fa     f      f
M3     fa     f      ta
M4     fa     ta     ta

It is easy to verify that M1 and M2 are the most e-consistent models with
respect to Δ = {ta, fa, ⊤} among the models in the table, and the database
instances DB_M1 = {p(a), q(a), r(a)} and DB_M2 = ∅ are exactly the repairs of
DB with respect to IC.

Example 5. (Example 3 Continued) The embedding of the database described
in Example 3 has nine models, listed in the following table. The table omits the
built-in since it has the same interpretation in all models.

       p(a,a)   p(a,b)   p(b,a)   p(b,b)
M1     t        fa       t        f
M2     t        fa       fa       f
M3     t        fa       fa       ta
M4     fa       t        t        f
M5     fa       t        fa       f
M6     fa       t        fa       ta
M7     fa       fa       t        f
M8     fa       fa       fa       f
M9     fa       fa       fa       ta

It is easy to see that M1 and M4 are the most e-consistent models with respect
to Δ = {ta, fa, ⊤} among the models in the table, and the database instances
DB_M1 = {p(a, a), p(b, a)} and DB_M4 = {p(a, b), p(b, a)} are exactly the
repairs of DB with respect to IC.
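The embedding of Section 4 and the model tables of Examples 4 and 5 can be checked mechanically. The following Python program is an added example, not code from the paper: it encodes the lattice of Figure 2 (assuming, since the figure is not reproduced here, that t, f, ta and fa are pairwise incomparable and that ⊤ is the only value above any two of them), grounds T(IC) over the domain, enumerates every assignment of tc/fc to the ground atoms that satisfies the embedded constraints and the built-in theory T(B), and takes each fact's value to be the least upper bound of its database annotation (td/fd) and its constraint annotation. Those are exactly the models listed in the two tables. Repairs are then read off the most e-consistent models with respect to Δ = {ta, fa, ⊤} through equation (2). The constraint and database encodings (EX4, EX5) are constructed from Examples 4 and 3.

```python
"""Embedding DB and IC into the 10-valued lattice of Figure 2, enumerating the
models of Examples 4 and 5, and extracting repairs as most e-consistent models.
Added example: not the paper's code; the lattice shape below is an assumption."""
from itertools import product

# Strict lower bounds of each value.  Figure 2: t = lub(td, tc), f = lub(fd, fc),
# ta = lub(fd, tc), fa = lub(td, fc); "bot" (⊥) lies below everything and
# "top" (⊤) above everything.  Assumed: t, f, ta, fa are pairwise incomparable.
BELOW = {
    "bot": set(),
    "td": {"bot"}, "fd": {"bot"}, "tc": {"bot"}, "fc": {"bot"},
    "t": {"bot", "td", "tc"}, "f": {"bot", "fd", "fc"},
    "ta": {"bot", "fd", "tc"}, "fa": {"bot", "td", "fc"},
}
BELOW["top"] = set(BELOW)          # every other value lies below ⊤


def leq(a, b):
    """Semilattice order: a ≤ b."""
    return a == b or a in BELOW[b]


def lub(a, b):
    """Least upper bound of a and b (unique, since this is a lattice)."""
    uppers = [v for v in BELOW if leq(a, v) and leq(b, v)]
    return min(uppers, key=lambda v: len(BELOW[v]))


def ground(ic, domain):
    """Instantiate one constraint (positives, negatives, equalities) over the
    domain.  Atoms are (pred, argument tuple); arguments are variable names."""
    pos, neg, eqs = ic
    names = sorted({v for _, args in pos + neg for v in args}
                   | {v for e in eqs for v in e})
    for vals in product(domain, repeat=len(names)):
        s = dict(zip(names, vals))
        yield ([(p, tuple(s[v] for v in a)) for p, a in pos],
               [(p, tuple(s[v] for v in a)) for p, a in neg],
               [(s[y], s[z]) for y, z in eqs])


def models(db, preds, domain, ics):
    """Models of T(DB,IC) in which each fact takes the least value forced by its
    td/fd and tc/fc annotations (the rows of the paper's tables).  A positive
    literal is satisfied by tc, a negative one by fc, and a built-in y = z only
    when it is classically true: otherwise T(B) contains (y = z) : f, and adding
    (y = z) : tc would force the forbidden (y = z) : ⊤."""
    atoms = [(p, args) for p, k in preds for args in product(domain, repeat=k)]
    clauses = [g for ic in ics for g in ground(ic, domain)]
    found = []
    for choice in product(["tc", "fc"], repeat=len(atoms)):   # tc xor fc per atom
        cv = dict(zip(atoms, choice))
        if all(any(cv[a] == "tc" for a in pos) or any(cv[a] == "fc" for a in neg)
               or any(y == z for y, z in eqs) for pos, neg, eqs in clauses):
            found.append({a: lub("td" if a in db else "fd", cv[a]) for a in atoms})
    return found


def advisory(m):
    """Atoms carrying a value from Δ = {ta, fa, ⊤}."""
    return {a for a, v in m.items() if v in ("ta", "fa", "top")}


def repairs(db, preds, domain, ics):
    """DB_M (equation (2)) for every most e-consistent model M w.r.t. Δ."""
    ms = models(db, preds, domain, ics)
    best = [m for m in ms if not any(advisory(n) < advisory(m) for n in ms)]
    return sorted(sorted(a for a, v in m.items() if v in ("t", "ta")) for m in best)


# Example 4: DB = {p(a)}, IC = {¬p(x) ∨ q(x), ¬q(x) ∨ r(x)}.
EX4 = dict(db={("p", ("a",))}, preds=[("p", 1), ("q", 1), ("r", 1)], domain=["a"],
           ics=[([("q", ("x",))], [("p", ("x",))], []),
                ([("r", ("x",))], [("q", ("x",))], [])])

# Examples 3 and 5: DB = {p(a,a), p(a,b), p(b,a)}, IC = {¬p(x,y) ∨ ¬p(x,z) ∨ y = z}.
EX5 = dict(db={("p", ("a", "a")), ("p", ("a", "b")), ("p", ("b", "a"))},
           preds=[("p", 2)], domain=["a", "b"],
           ics=[([], [("p", ("x", "y")), ("p", ("x", "z"))], [("y", "z")])])

if __name__ == "__main__":
    for name, ex in (("Example 4", EX4), ("Example 5", EX5)):
        print(name, len(models(**ex)), "models; repairs:", repairs(**ex))
```

Running it prints four models and the repairs {p(a), q(a), r(a)} and ∅ for Example 4, and nine models with the repairs {p(a,a), p(b,a)} and {p(a,b), p(b,a)} for Example 5. The enumeration is exponential in the number of ground atoms, which is acceptable for checking a paper's tables but is not how Section 5 proposes to compute repairs.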

5 Repairing Inconsistent Databases

To construct all possible repairs of a database, DB, that is inconsistent with the
integrity constraints IC, we need to find the set of all ground clauses of the form

p1 : ?a ∨ ... ∨ pn : ?a,        (3)

that are implied by T(DB,IC), where each ?a is either ta or fa. Such clauses
are called a-clauses, for advisory clauses.⁴

A-clauses are important because one of the disjuncts of such a clause must
be true in each model of T(DB,IC). Suppose that, say, p : ?a is true in some
model I. This means that the truth value of p with respect to the database is
exactly the opposite of what is required in order for I to satisfy the constraints.
This observation can be used to construct a repair of the database by reversing
the truth value of p with respect to the database. We explore this idea next.

Constructing Database Repairs. Let T^a(DB,IC) be the set of all minimal a-
clauses that are implied by T(DB,IC). "Minimal" here means that no disjunct
can be removed from any clause in T^a(DB,IC) and still have the clause implied
by T(DB,IC).

In general, this can be an infinite set, but in most practical cases this set
is finite. Conditions for finiteness of T^a(DB,IC) are given in Section 5.1. If
T^a(DB,IC) is finite, it can be represented as the following set of clauses:

C1 = p_{1,1} : a_{1,1} ∨ ... ∨ p_{1,n1} : a_{1,n1}
...
Ck = p_{k,1} : a_{k,1} ∨ ... ∨ p_{k,nk} : a_{k,nk}

Here, the p_{i,j} : a_{i,j} are ground positive literals and their annotations; the a_{i,j} are
always of the form ta or fa.

It can be shown that all a-clauses can be generated using the APC resolution
inference rule [ ] between T(IC), T(DB), and T(B). It can also be shown that all
a-clauses generated in this way are ground and do not contain built-in predicates.

Given T^a(DB,IC) as above, a repair signature is a set of APC literals that
contains at least one literal from each clause Ci and is minimal in the sense that
no proper subset has a literal from each Ci. In other words, a repair signature
is a minimal hitting set of the family of clauses C1, ..., Ck [ ].

Notice that if the clauses Ci do not share literals, then each repair signature
contains exactly k literals and every literal appearing in a clause Ci belongs to
some repair signature.

It follows from the construction of repairs in [ ] and from Propositions 1 and
2 that there is a one-to-one correspondence between repair signatures and repairs
of the original database instance DB. Given a repair signature Repair, a repair
DB' can be obtained from DB by removing the tuples p(t) if p(t) : fa ∈ Repair,
and inserting the tuples p(t) if p(t) : ta ∈ Repair. It can be shown that it is not
possible for any fact, p, to occur in T^a(DB,IC) with two different annotations.
Therefore, it is not possible that the same fact will be inserted and then removed
(or vice versa) while constructing a repair as described here.



⁴ Here, bold face symbols, e.g., p, denote classical ground atomic formulas.

5.1 Finiteness of T^a(DB,IC)

We now examine the issue of finiteness of the set T^a(DB,IC).

Definition 7. (Range-Restricted Constraints) An integrity constraint, p1(T1) ∨
... ∨ pn(Tn) ∨ ¬q1(T'1) ∨ ... ∨ ¬qm(T'm), is range-restricted if and only if every
variable in Ti (1 ≤ i ≤ n) also occurs in some T'j (1 ≤ j ≤ m). Both pi and qj
can be built-in predicates.

A set IC of constraints is range-restricted if so is every constraint in IC.

Lemma 4. Let IC be a set of range-restricted constraints over a database DB.
Then every a-clause implied by T(DB,IC) (i.e., every clause of the form (3))
mentions only the constants in the active domain of DB.⁵



Corollary 1. If IC is range-restricted, then T^a(DB,IC) is finite.

6 Queries to Inconsistent Databases

In general, the number of all repair signatures can be exponential in the size
of T^a(DB,IC), so using this theory directly is not likely to produce a good
query engine. In fact, for the propositional case, [ ] shows that the problem of
deciding whether a formula holds in all models produced by Winslett's theory of
updates [ ] is Π_2^p-complete. Since, as mentioned before, our repairs are essentially
Winslett's updated models, the same result applies to our case.

However, there are cases when the complexity is manageable. It is easy to see
that if k is the number of clauses in T^a(DB,IC) and n1, ..., nk are the numbers
of disjuncts in C1, ..., Ck, respectively, then the number of repair signatures is
O(n1 × ... × nk). Therefore, two factors affect the number of repairs:

1. The number of clauses in T^a(DB,IC);

2. The number of disjuncts in each clause in T^a(DB,IC).

So, we should look into those types of constraints where either k is bounded or all
but a bounded number of the ni's equal 1.

Other cases when query answering is feasible arise when the set of a-clauses
T^a(DB,IC) is precomputed. Precomputing this set might be practical for read-
only databases. In other cases, T^a(DB,IC) might be easy to compute because
of the special form of the constraints (and in this case, the size of T^a(DB,IC) turns
out to be P-bounded). For instance, suppose IC consists of range-restricted
formulas and is closed under the resolution inference rule (e.g., if IC is a set of
functional dependencies). In this case, a-clauses can be generated by converting
each constraint into a query that finds all tuples that violate the constraint. For
instance, the constraint p(x) ⊃ q(x) can be converted into the query p(x) ∧ ¬q(x)
(which is the denial form of this constraint). If the tuple ā is an answer, then
one a-clause is p(ā) : fa ∨ q(ā) : ta.

⁵ The active domain consists of the constants in D that appear in some database table.
Answering Ground Conjunctive Queries. To consistently answer a ground conjunctive
query of the form p1 ∧ ... ∧ pk ∧ ¬q1 ∧ ... ∧ ¬qm, we need to check
the following:

For each pi: pi ∈ DB and pi : fa is not mentioned in T^a(DB,IC); or
T^a(DB,IC) has a clause of the form pi : ta.

For each qj: qj ∉ DB and qj : ta is not mentioned in T^a(DB,IC); or
T^a(DB,IC) has a clause of the form qj : fa.

If all of the above holds, true is a consistent answer to the query. Otherwise, the
answer is not true, meaning that there is at least one repair where our conjunctive
query is false. (Note that this is not the same as saying that false is a consistent
answer, i.e., that the query is false in every repair.)

Non-ground Conjunctive Queries. Let DB have the relations p1, ..., pn. We
construct a new database, DB^{O,U}, with relations p1^O, ..., pn^O, p1^U, ..., pn^U (where
O and U stand for "original" and "unknown", resp.), as follows:

pi^O consists of: all the tuples t such that pi(t) ∈ DB and pi(t) : fa is not
mentioned in T^a(DB,IC), plus the tuples t such that pi(t) : ta is a clause in
T^a(DB,IC).

pi^U consists of: all the tuples t such that pi(t) : ta or pi(t) : fa appear in a
clause in T^a(DB,IC) that has more than one disjunct.

To answer an open conjunctive query, for example, p(x) ∧ ¬q(x), we pose the
query p^O(x) ∧ ¬q^O(x) ∧ ¬q^U(x) to DB^{O,U}. This can be done in polynomial time
in the database size plus the size of the set of a-clauses.

Ground Disjunctive Queries. Sound and complete query evaluation techniques
for various types of queries and constraints are developed in [ ]. Our present
framework extends the results in [ ] to include disjunctive queries. We concentrate
on ground disjunctive queries of the form

p1 ∨ ... ∨ pk ∨ ¬q1 ∨ ... ∨ ¬qm.        (4)

First, for each pi we evaluate the query pi^O and for each qj we evaluate the query
¬qj^O ∧ ¬qj^U against the database DB^{O,U}. If at least one true answer is obtained,
the answer to (4) is true. Otherwise, if all these queries return false, we evaluate
the queries of the form ¬pi^O ∧ ¬pi^U and qj^O against DB^{O,U}. For each answer true,
the corresponding literal is eliminated from (4). Let p_{i1} ∨ ... ∨ p_{is} ∨ ¬q_{j1} ∨ ... ∨ ¬q_{jt}
be the resulting query. If this query is empty, then the answer to the original
query is false, i.e., the original query is false in every repair. If the resulting query
is not empty, we must check if there is a minimal hitting set for T^a(DB,IC) that
contains {¬p_{i1}, ..., ¬p_{is}, q_{j1}, ..., q_{jt}}. If such a hitting set exists, the answer
to the original query is maybe, meaning that there is at least one repair where
the answer is false. Otherwise, the answer to the query is true.

Therefore, the problem of answering disjunctive queries for a given
T^a(DB,IC) is equivalent to the problem of deciding whether a given set can
be extended to a minimal hitting set of the family. Since this is an NP-complete
problem, we have the following result.

Proposition 3. Suppose that T^a(DB,IC) has been precomputed. Then the
problem of deciding whether true is a consistent answer to a disjunctive ground
query is NP-complete with respect to the size of DB plus T^a(DB,IC).
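Sections 5 and 6 describe, for a precomputed T^a(DB,IC), how repair signatures are minimal hitting sets of the a-clauses and how ground conjunctive, open conjunctive and ground disjunctive queries are answered from them. The following Python program is an added example, not the paper's code; it runs that pipeline on the functional dependency of Example 3, whose single violation yields the a-clause p(a,a) : fa ∨ p(a,b) : fa. The a-clauses are generated from the denial form of the FD as Section 6 suggests, the repair signatures by brute force over subsets (fine here, exponential in general, which is the point of Proposition 3), and the final "maybe" test of the disjunctive procedure is carried out in the form the text gives it meaning: by checking whether some repair falsifies every remaining disjunct. The database DB and the queries in the assertions are constructed inputs.

```python
"""a-clauses -> repair signatures (minimal hitting sets) -> repairs, and the
consistent answers of Section 6, on the FD database of Example 3.
Added example, not the paper's code; the inputs below are constructed."""
from itertools import combinations

# Constructed DB of Example 3.  Atoms are (pred, args); an a-clause is a
# frozenset of (atom, "ta" | "fa") literals.
DB = {("p", ("a", "a")), ("p", ("a", "b")), ("p", ("b", "a"))}


def fd_a_clauses(db, pred="p"):
    """a-clauses of the FD pred.1 -> pred.2, from its denial form
    p(x,y) ∧ p(x,z) ∧ y ≠ z: one clause p(x,y):fa ∨ p(x,z):fa per violation."""
    rows = sorted(args for q, args in db if q == pred)
    return {frozenset({((pred, r1), "fa"), ((pred, r2), "fa")})
            for r1, r2 in combinations(rows, 2)
            if r1[0] == r2[0] and r1[1] != r2[1]}


def repair_signatures(clauses):
    """Minimal hitting sets of the a-clauses (brute force over subsets)."""
    if not clauses:
        return [set()]                      # consistent DB: the empty signature
    lits = sorted({l for c in clauses for l in c})
    hitting = [set(s) for n in range(1, len(lits) + 1)
               for s in combinations(lits, n) if all(c & set(s) for c in clauses)]
    return [h for h in hitting if not any(o < h for o in hitting)]


def apply_signature(db, sig):
    """Repair: drop p(t) for p(t):fa in the signature, insert p(t) for p(t):ta."""
    return (db - {a for a, v in sig if v == "fa"}) | {a for a, v in sig if v == "ta"}


def split_db(db, clauses):
    """DB^{O,U}: O = facts that hold in every repair, U = facts of unknown status."""
    mentioned = {l for c in clauses for l in c}
    unit = {l for c in clauses if len(c) == 1 for l in c}
    o = {a for a in db if (a, "fa") not in mentioned} | {a for a, v in unit if v == "ta"}
    u = {a for c in clauses if len(c) > 1 for a, _ in c}
    return o, u


def consistent_conjunctive(db, clauses, positives, negatives):
    """True iff p1 ∧ .. ∧ pk ∧ ¬q1 ∧ .. ∧ ¬qm holds in every repair (Section 6 test)."""
    mentioned = {l for c in clauses for l in c}
    unit = {l for c in clauses if len(c) == 1 for l in c}
    return (all((a in db and (a, "fa") not in mentioned) or (a, "ta") in unit
                for a in positives)
            and all((a not in db and (a, "ta") not in mentioned) or (a, "fa") in unit
                    for a in negatives))


def consistent_disjunctive(db, clauses, positives, negatives):
    """Answer "true" / "false" / "maybe" for p1 ∨ .. ∨ pk ∨ ¬q1 ∨ .. ∨ ¬qm."""
    o, u = split_db(db, clauses)
    # Step 1: some disjunct holds in every repair (p_i^O, or ¬q_j^O ∧ ¬q_j^U).
    if any(a in o for a in positives) or any(a not in o and a not in u for a in negatives):
        return "true"
    # Step 2: drop disjuncts false in every repair (¬p_i^O ∧ ¬p_i^U, or q_j^O).
    rest_pos = [a for a in positives if a in u]
    rest_neg = [a for a in negatives if a not in o]
    if not rest_pos and not rest_neg:
        return "false"
    # Step 3: is there a repair in which every remaining disjunct is false?
    for sig in repair_signatures(clauses):
        r = apply_signature(db, sig)
        if all(a not in r for a in rest_pos) and all(a in r for a in rest_neg):
            return "maybe"
    return "true"


if __name__ == "__main__":
    clauses = fd_a_clauses(DB)
    print("a-clauses:", clauses)
    for sig in repair_signatures(clauses):
        print("signature", sig, "-> repair", apply_signature(DB, sig))
    print("p^O, p^U:", split_db(DB, clauses))
    print("p(a,a) ∨ p(a,b):", consistent_disjunctive(DB, clauses, list(DB - {("p", ("b", "a"))}), []))
```

The consistent answers to the open query p(x, y) are exactly the tuples of p^O, here {(b, a)}; p(a,a) and p(a,b) land in p^U, so neither is a consistent answer, although the disjunction p(a,a) ∨ p(a,b) is answered true because every repair keeps one of them.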

7 Conclusions 

We presented a new semantic framework, based on Annotated Predicate Calculus
[ ], for studying the problem of query answering in databases that are
inconsistent with integrity constraints. This was done by embedding both the
database instance and the integrity constraints into a single theory written in an
APC with an appropriate lattice of truth values. In this way, we obtain a general
logical specification of database repairs and consistent query answers.

With this new framework, we are able to provide a better analysis of the computational
complexity of query answering in such environments and to develop
a more general query answering mechanism than what was known previously
[ ]. We also identified certain classes of queries and constraints that have lower
complexity, and we are looking into better query evaluation algorithms for these
classes.

The development of the specific mechanisms for consistent query answering 
in the presence of universal ICs, and the extension of our methodology to con- 
straints that contain existential quantifiers {e.g., referential integrity constraints) 
is left for future work. 
Abstract. In this paper, an algorithm for obtaining consistent answers
to queries posed to inconsistent relational databases is presented. This is
a query rewriting algorithm proven to be sound, terminating and complete
for some classes of integrity constraints that extend those previously
considered in [ ]. Complexity issues are addressed.

The implementation of the algorithm in XSB presented here takes advantage
of the functionalities of XSB, as a logic programming language with
tabling facilities, and the possibility of coupling it to relational database
systems.



1 Introduction 

It is usually assumed that data stored in a database is consistent; and not having 
this consistency is considered a dangerous situation. However, it often happens 
that this is not the case and the database reaches an inconsistent state in the 
sense that the database instance does not satisfy a given set of integrity con- 
straints IC. This situation may arise due to several reasons. The initial problem 
was due to poor design of the database schema itself or a malfunctioning appli- 
cation that made the system reach the inconsistent state. 

Nowadays, other sources of inconsistencies have appeared. For example, in a
data warehouse context [ ], inconsistencies may appear, among other reasons, due to
the integration of different data sources (in particular, in the presence of duplicate
information) and to delayed updates of the data warehouse views.

In either case, whether the database is consistent or not, the information stored in it
remains relevant to the user and is potentially useful, as long as the distinction
between consistent and inconsistent data can be made, and they can be separated
when answering queries.

The common solution for the problem of facing inconsistent data is to repair
the database and take it back to a consistent state. However, this approach is
very expensive in terms of computing power and complexity, and in some cases we
might lose potentially relevant data in the process. In addition, a particular user,
without control over the database administration, might want to impose his/her
particular soft or hard constraints on the database (or some views). In this case,
the database cannot be repaired.



J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 942–..., 2000.
Example 1. Consider the inclusion dependency stating that a purchase must
have a corresponding client: ∀(u, v). (Purchase(u, v) → Client(u)). The following
database instance r violates the IC:

Purchase        Client
c    b1         c
d    b2
d    b1

When repairing the database we might be tempted to remove all the purchases
done by client d, which provide us with useful information about a client's
behavior, no matter whether he is a valid client or not. □

A promising alternative to restoring consistency is to keep the inconsistent data
in the database and modify the queries in order to retrieve only consistent
information. By using this kind of approach we can still use the inconsistent data
for analysis (purchases of customer d in Example 1).

A semantic notion of consistent answer to a query was given in [ ]. In essence,
a tuple t̄ is a consistent answer to a query Q(x̄) if Q(t̄) becomes true in
every repair of the inconsistent database instance r that can be obtained by a
minimal set of changes on r. Of course, the idea is not to construct all possible
minimal repairs and then query; this would be impossible or too complex. It is
necessary to search for an alternative mechanism.

In this context, an operator T_ω was presented in [ ] which does not repair the
database but that, given the query Q(x̄), computes a modified query T_ω(Q)(x̄)
whose answers, when posed to the original database instance r, are consistent in
the semantic sense already explained. The operator produces query rewritings
that are sound, complete and terminating for interesting syntactic classes of
queries and constraints [ ]. However, this operator has some drawbacks: it is hard
to implement due to its recursive nature and a semantic termination condition.

In this paper we address the problem of designing and implementing an alternative
operator inspired by T_ω. The new operator corresponds to an algorithm,
called QUECA, for "QUEry for Consistent Answers", which, given a first order
query¹ Q, generates again a new query QUECA(Q), whose answers in r are consistent
with IC, but as opposed to T_ω it guarantees termination, soundness and
completeness for a larger set of integrity constraints.

The implementation is done in XSB [ ], a powerful logic programming system,
which is provided with useful functionalities for the right implementation and
operation of the consistent query answering algorithm.

In Section 2 we will show the most relevant characteristics of the T_ω operator
and what makes it difficult to implement. We will also give a description of
what we will understand by a database repair, query, integrity constraint and
consistent answer. Next, in Section 3 we present the algorithms which generate a
query QUECA(Q) for a given first order query Q. In Section 4 the properties of
these algorithms are analyzed, namely: scope, runtime complexity, termination,
soundness and completeness. In Section 5 we describe issues regarding the
implementation done in XSB. Finally, in Section 6 we draw some conclusions and
propose some extensions to the solution presented in this article. Due to space
restrictions we do not give proofs of propositions; we leave them for an extended
version.

¹ Aggregate queries are being treated in [ ].



2 Preliminaries 



2.1 Basic Notions 



We start from a fixed set, IC, of integrity constraints associated to a fixed relational
database schema. We assume that IC is consistent. A database instance r is
consistent if it satisfies IC, that is r ⊨ IC. Otherwise, we say that r is inconsistent.
If r is inconsistent, its repairs are database instances (wrt the same schema and
domain) that each satisfy IC and differ from r by a minimal set of
inserted or deleted tuples. A tuple t̄ is a consistent answer to a query Q(x̄) wrt
IC, and we denote this with r ⊨_c Q(t̄), if for every repair r' of r, r' ⊨ Q(t̄).



Example 2. Consider a distributors database. Provider(u, v) means that product
v is provided by u, and Receives(u, v) that product v is received from provider
u. The following ICs state that the products supplied by a provider are received
from him (and vice versa), and that a provider supplies only one product.

∀u, v. (Provider(u, v) → Receives(u, v)),
∀u, v. (Receives(u, v) → Provider(u, v)),
∀u, v, z. (Provider(u, v) ∧ Provider(u, z) → v = z)

The following database instance r, which violates IC,

Provider        Receives
a    b          a    b
a    c          a    c
d    e          d    e

has two repairs:

r':   Provider        Receives
      a    b          a    b
      d    e          d    e

r'':  Provider        Receives
      a    c          a    c
      d    e          d    e

Here, the only consistent answer to the query Provider(u, v)? in the database
instance r is (d, e): r ⊨_c Provider(d, e).
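Section 2.1 defines repairs and consistent answers without reference to any rewriting, so on instances as small as those of Examples 1 and 2 they can be computed by brute force straight from the definitions. The following Python program is an added example, not code from the paper or from QUECA: it enumerates change sets (tuples to insert or delete, drawn from the active domain) in order of increasing size, keeps the consistent instances whose change set contains no smaller consistent change set, and intersects the repairs to obtain the consistent answers. The bound on the size of change sets is a limitation of this demo, not of the definition. The two instances and the constraint checks are constructed from the examples above.

```python
"""Repairs and consistent answers computed directly from the definitions of
Section 2.1, on the instances of Examples 1 and 2.  Added example, not the
paper's code; the instances and constraint checks below are constructed."""
from itertools import combinations, product


def active_domain(inst):
    """Constants that appear in some tuple of the instance."""
    return sorted({c for rel in inst.values() for t in rel for c in t})


def repairs(inst, arities, ics, max_changes=3):
    """Consistent instances differing from `inst` by an inclusion-minimal set of
    inserted or deleted tuples.  Change sets are enumerated by increasing size
    (`max_changes` keeps this demo finite; the definition has no such bound),
    so any set containing an already found change set is non-minimal."""
    dom = active_domain(inst)
    universe = [(rel, t) for rel, k in arities.items() for t in product(dom, repeat=k)]
    found = []                                   # [(change set, repaired instance)]
    for n in range(max_changes + 1):
        for changes in combinations(universe, n):
            cs = set(changes)
            if any(prev <= cs for prev, _ in found):
                continue                         # a smaller repair is contained in cs
            cand = {rel: set(rows) ^ {t for r, t in cs if r == rel}   # toggle tuples
                    for rel, rows in inst.items()}
            if all(ic(cand) for ic in ics):
                found.append((cs, cand))
    return [cand for _, cand in found]


def consistent_answers(reps, rel):
    """Tuples of `rel` that are true in every repair (r ⊨_c Q(t̄))."""
    return set.intersection(*(r[rel] for r in reps)) if reps else set()


# Example 1: Purchase(u, v) → Client(u), violated by the purchases of client d.
R1 = {"Purchase": {("c", "b1"), ("d", "b2"), ("d", "b1")}, "Client": {("c",)}}
ARITY1 = {"Purchase": 2, "Client": 1}


def ic_inclusion(i):
    return all((u,) in i["Client"] for u, _ in i["Purchase"])


# Example 2: Provider and Receives coincide, and Provider.1 → Provider.2.
R2 = {"Provider": {("a", "b"), ("a", "c"), ("d", "e")},
      "Receives": {("a", "b"), ("a", "c"), ("d", "e")}}
ARITY2 = {"Provider": 2, "Receives": 2}


def ic_equivalence(i):
    return i["Provider"] == i["Receives"]


def ic_fd(i):
    return all(v == z for u, v in i["Provider"] for u2, z in i["Provider"] if u == u2)


if __name__ == "__main__":
    for r in repairs(R1, ARITY1, [ic_inclusion]):
        print("Example 1 repair:", r)
    reps = repairs(R2, ARITY2, [ic_equivalence, ic_fd])
    for r in reps:
        print("Example 2 repair:", r)
    print("consistent answers to Provider(u,v)?:", consistent_answers(reps, "Provider"))
```

For Example 1 the search finds the two repairs the text alludes to: deleting both purchases of d, or inserting Client(d). For Example 2 it finds r' and r'' and the single consistent answer (d, e). Even on these toy instances the candidate space is 2^20 and 2^50 change sets, which is why the size bound is needed and why the paper looks for a rewriting instead.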



2.2 The T_ω Operator

The T_ω operator [ ] is defined based on a previous residue calculation stage,²
which generates the necessary rules to feed the operator. Generally speaking, it is
defined as a collection of operators T0 ... Tn (for some n called the finiteness point),
that are calculated based on the residues generated for that query according
to the existing set IC of integrity constraints. The (semantical) finiteness point
was defined as the step at which further computation (i.e., calculating T_{n+1}) has
no practical sense because Tn ≡ T_{n+1}. We illustrate the application of this
operator by means of an example.

² See Sections [ ] and [ ] for a description of what residues are and how to obtain them.
Example 3. With the set of integrity constraints of Example 2 and with the query 
$P(u,v)$, we will compute $T_\omega(P(u,v))$, letting $P$ stand for $Provider$ and $R$ for 
$Receives$. 

$T_0(P(u,v)) = P(u,v)$ . 

$T_1(P(u,v)) = P(u,v) \wedge (R(u,v) \wedge (\neg P(u,z) \vee v = z))$ . 

$T_2(P(u,v)) = P(u,v) \wedge ((R(u,v) \wedge P(u,v)) \wedge ((\neg P(u,z) \wedge \neg R(u,z)) \vee v = z))$ . 

$T_3(P(u,v)) = P(u,v) \wedge ((R(u,v) \wedge P(u,v) \wedge (R(u,v) \wedge (\neg P(u,w) \vee v = w))) \wedge 
((\neg P(u,z) \wedge \neg R(u,z) \wedge \neg P(u,z)) \vee v = z))$ . 

It seems as if $T_3$ is very different from $T_2$; however, if we rewrite them by hand 
we have 

$T_2(P(u,v)) = P(u,v) \wedge (R(u,v) \wedge P(u,v) \wedge ((\neg P(u,z) \vee v = z) \wedge 
(\neg R(u,z) \vee v = z)))$ . 

$T_3(P(u,v)) = P(u,v) \wedge (R(u,v) \wedge P(u,v) \wedge ((R(u,v) \vee \neg P(u,w)) \wedge 
(R(u,v) \vee v = w) \wedge (\neg P(u,z) \vee v = z) \wedge (\neg R(u,z) \vee v = z) \wedge 
(\neg P(u,z) \vee v = z)))$ . 

We can easily see that $T_2(P(u,v)) \equiv T_3(P(u,v))$, therefore the finiteness point 
is 2 and the modified query is $T_0(P(u,v)) \wedge T_1(P(u,v)) \wedge T_2(P(u,v))$. □ 

Although the $T_\omega$ operator is sound, it lacks a more general completeness result; 
and when thinking of a possible implementation, the termination issue is critical 
because the finiteness point can be very complicated to detect, even in simple 
examples like the one above (or may be an undecidable problem). An initial 
approach consisted in using Otter Q, but it turned out to be cumbersome and 
sometimes it did not deliver the expected results. For instance, it was not able to 
solve the previous example. Furthermore, even if it does work, the offline nature 
of such process makes it unsuitable for a real world implementation where a user 
should interact directly with the query answering system. 

Thus we need to modify the previous approach to improve the results regard- 
ing termination, and possibly extending completeness as well. 

In consequence, we face the problem of modifying $T_\omega$, providing a new, more 
practical mechanism, but preserving the nice properties $T_\omega$ has in terms of 
soundness and completeness. We need to add a stronger termination property 
which makes the new mechanism more amenable to implementation. The basic 
approach involves identifying a stronger syntactical condition to achieve seman- 
tically correct results. 



2.3 Integrity Constraints 

In this paper we will only consider static first order integrity constraints. 
As in [ref], we will only consider universal constraints that can be transformed 
into a standard format. 
Definition 1. An integrity constraint is in standard format if it has the form 

$\forall \left( \bigvee_{i=1}^{m} P_i(x_i) \ \vee\ \bigvee_{i=1}^{n} \neg Q_i(y_i) \ \vee\ \varphi \right)$ , 

where $\forall$ represents the universal closure of the formula, $x_i$, $y_i$ are tuples of 
variables, the $P_i$'s and $Q_i$'s are atomic formulas based on the schema predicates 
that do not contain constants, and $\varphi$ is a formula that mentions only built-in 
predicates. 

Notice that in these ICs, constants, if needed, can be pushed into $\varphi$. Also 
notice that equality is allowed in $\varphi$. 

Because of implementation issues we shall negate the ICs in standard format, 
representing ICs as denials, that is as range restricted goals of the form 

$\leftarrow l_1 \wedge \cdots \wedge l_n$ , (1) 

where each $l_i$ is a literal and variables are assumed to be universally quantified 
over the whole formula. We must emphasize the fact that this is just notation, 
and from now on we shall talk about ICs assuming they are in denial form in 
the sense of classical logic and not of logic programming. 

We shall note, however, that not all integrity constraints may be transformed 
into standard format, and therefore are not considered in this article. Such is 
the case of unsafe ICs [ref], as $\forall x \exists y.\ (P(x) \rightarrow Q(x,y))$. 

3 Query Generation for Consistent Answers 

The whole process of query rewriting for consistent answers relies on the concept 
of residues developed in the context of semantic query optimization [ref]. Residues, 
simply put, show the interaction between an integrity constraint and a literal 
name®. Thus, a literal name which does not appear in any constraint does not 
have any (non-maximal [ref]) residues, i.e. there are no restrictions applied to that 
literal. Similarly, a literal that appears more than once in an IC or set of ICs may 
have several residues, which may or may not be redundant (see Definition 2). 

To calculate the residues in a database schema, we will introduce Algorithm 1, 
which shows how to systematically obtain residues for a given literal name. 
Because only literal names appearing in an integrity constraint generate (non- 
maximal) residues, the algorithm will only be applied to them, and not to every 
relation in $r$. 

Once we have calculated all the residues associated to a literal name appear- 
ing in $IC$, we shall present a second algorithm, QUECA, that will generate the 
queries for consistent answers on the basis of the residues that have already been 
computed. We will also show how this algorithm differs from the $T_\omega$ operator 
presented in [ref], not only in terms of termination, but in the operation itself and 
the necessary conditions for sound execution. 

® Literal names denote relations, so different literals may have the same literal name, 
e.g. $P(u)$ and $P(v)$ have the same literal name $P$. Literal names may be negative, 
e.g. $\neg P$, where $P$ is a predicate name; and have an associated arity that further 
differentiates them (as in the Prolog convention), so from now on when talking about a 
literal, say $P(u,v)$, we are really talking about its literal name, $P/2$. 



3.1 Residue Calculation 

The first step in the residue calculation determines for which literals they are to be 
calculated. In our case, it is for every literal name appearing in an integrity 
constraint. Because of this we must first build a list of ICs and a list of the distinct 
literal names $L_P$ appearing in $IC$. This list of integrity constraints $L_{IC}$ will only 
include the bodies of the ICs (represented in the form (1)). That is, given the set 
of integrity constraints $IC$, we build $L_{IC} = \{[l_1 \wedge \ldots \wedge l_n] \mid \forall(\leftarrow l_1 \wedge \ldots \wedge l_n) \in IC\}$. 
It should be noted that when negating a member of $L_{IC}$ we obtain a clause. 

Example 4. Let $IC$ be the following set of integrity constraints taken from Ex- 
ample 2, expressed in the form (1). 

$\leftarrow P(u,v) \wedge \neg R(u,v)$ . 

$\leftarrow \neg P(u,v) \wedge R(u,v)$ . 

$\leftarrow P(u,v) \wedge P(u,z) \wedge v \neq z$ . 

From this we would generate $L_{IC} = \{[P(u,v) \wedge \neg R(u,v)],\ [\neg P(u,v) \wedge R(u,v)],\ 
[P(u,v) \wedge P(u,z) \wedge v \neq z]\}$ and $L_P = \{P(u,v),\ R(u,v),\ \neg P(u,v),\ \neg R(u,v)\}$. We 
should recall that in $L_P$ we have the following literal names: $P/2$, $R/2$, $\neg P/2$ 
and $\neg R/2$. □ 

Next, to calculate the residues coming from $l \in L_P$ and $ic \in L_{IC}$, we use the 
subsumption algorithm presented in [ref]. However, because we are dealing with 
an implementation, we need a systematic procedure to obtain residues. The 
method utilized is formalized as Algorithm 1. 

Example 5. (Example 4 Continued) Applying Algorithm 1 up to line 13, to $l = 
P(u,v)$ and every member of $L_{IC}$, we would obtain one residue for each occur- 
rence of $P/2$: $residue_1(P(u,v)) := R(u,v)$, $residue_2(P(u,v)) := \neg P(u,z) \vee v = z$ 
and $residue_3(P(u,v)) := \neg P(u,w) \vee w = v$. Here we may find redundant residues 
(see Definition 2). □ 

Finally, a conjunction of all the residues associated to a given $l \in L_P$ is 
created and denoted by $residues(l)$. In this process, we take care of eliminating 
redundant residues as we build the conjunction (steps 14-21 in Algorithm 1) in 
order to reduce complexity in the following phase (QUECA). 

Definition 2 (Residue Redundancy). Let $R \wedge \varphi$ be a conjunction of residues 
associated to a literal $l$, where $R$ is a clause and $\varphi$ a conjunction of clauses. We 
will say $R$ is redundant in $R \wedge \varphi$ if there exists a clause $R' \in \varphi$ and a substitution 
$\sigma : (Var(R') \setminus Var(l))^* \rightarrow (Var(R) \setminus Var(l))$, such that $R'\sigma = R$. 

* $Var(X)$ is the set of all (quantified or unquantified) variables in the expression $X$. 
Algorithm 1 Compute residues(l) 

Require: Set of integrity constraints in denial form IC. 

Ensure: residues(l) is a formula in CNF that contains all the residues associated to a 
literal l. 

 1: Create list L_IC of integrity constraint bodies and a list L_P of distinct literal names 
    in L_IC. 
 2: for all l ∈ L_P do 
 3:   i := 1 
 4:   for all ic ∈ L_IC do 
 5:     for each occurrence of l in ic do 
 6:       delete l from ic ↦ ic' 
 7:       negate ic' {Now ic' is in clausal form} 
 8:       residue_i(l) := ic' 
 9:       i := i + 1 
10:     end for 
11:   end for 
12:   n(l) := i − 1 {the number of residues associated to l} 
13: end for 
14: for all l ∈ L_P do 
15:   residues(l) := ∅ 
16:   for all i := 1 to n(l) do 
17:     if residue_i(l) is not redundant then 
18:       residues(l) := residues(l) ∧ residue_i(l) 
19:     end if 
20:   end for 
21: end for 



Note that, in the definition above, if $R$ is redundant in $R \wedge \varphi$, then $R \wedge \varphi$ 
is logically equivalent to $\varphi$. The elimination of redundant residues is based on 
unification and is done in steps 14-21 of Algorithm 1. 

Example 6. (Example 5 Continued) By Definition 2 we have that 
$residue_3(P(u,v))$ is a redundant residue, because there exists a substitution 
$\sigma : z \mapsto w$, such that $residue_2(P(u,v))\sigma = residue_3(P(u,v))$. Thus, we have 
$residues(P(u,v)) = [R(u,v)] \wedge [\neg P(u,z) \vee v = z]$. □ 

Note that the definition does not state that it detects all redundancies, but 
only those subject to the sufficient condition presented. For example, con- 
sider the following residues for $R(x)$: $residue_1(R(x)) = P(x) \vee x > 100$ and 
$residue_2(R(x)) = P(x) \vee x > 50$. Clearly $residue_1$ includes the information in 
$residue_2$, so $residue_2$ would be redundant; however, Definition 2 does not detect 
it. This occurs mainly when ICs are redundant, which can easily be avoided for 
cases like these. As shown in Example 6, functional dependencies are a common 
case of ICs which generate redundant residues according to Definition 2. The 
reason why residue redundancy is not treated further is the complexity of its 
implementation, which could be far higher than the performance improvement 
we could get in the next stage (QUECA). Besides, residue redundancy could be- 
come such a large subject that it would deviate from the central point of attention of 
this article, which is to build the queries for consistent answers. 
Example 7. Finally, by applying Algorithm 1 to the set $IC$ presented in Exam- 
ple 4, we would obtain: 

$residues(P(u,v)) = (R(u,v)) \wedge (\neg P(u,z) \vee v = z)$ , 
$residues(\neg P(u,v)) = (\neg R(u,v))$ , 
$residues(R(u,v)) = P(u,v)$ , 
$residues(\neg R(u,v)) = \neg P(u,v)$ . 
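Algorithm 1 together with the redundancy test of Definition 2, applied to the denials of Example 4, can be implemented as follows. This is an added Python example, not the paper's XSB implementation; the literal encoding (name, sign, argument tuple), the fresh names x0, x1, ... used to standardise each denial apart, and the helper names raw_residues, is_redundant, residues and show are choices made here. The redundancy test finds only the unification-based redundancies of Definition 2, exactly as the text describes: the second and third residues of P/2 from Example 5 collapse to one, while a semantic redundancy such as x > 100 versus x > 50 would not be detected.

```python
import itertools

# Constructed input: the three denials of Example 4 as lists of literals.
# A literal is (name, positive, args); "=" is the built-in equality, so
# ("=", False, ("v", "z")) stands for v != z.  Assumption of this example:
# user variables never use the reserved fresh names x0, x1, ...
IC = [
    [("P", True, ("u", "v")), ("R", False, ("u", "v"))],
    [("P", False, ("u", "v")), ("R", True, ("u", "v"))],
    [("P", True, ("u", "v")), ("P", True, ("u", "z")), ("=", False, ("v", "z"))],
]


def rename(lits, sub):
    """Apply a variable substitution to a list of literals."""
    return [(n, s, tuple(sub.get(a, a) for a in args)) for n, s, args in lits]


def negate(lit):
    n, s, args = lit
    return (n, not s, args)


def clause_vars(clause):
    return {a for _, _, args in clause for a in args}


def canon(clause):
    """Order-free view of a clause; equality arguments are sorted so that
    v = z and z = v compare equal."""
    return frozenset((n, s, tuple(sorted(a)) if n == "=" else a)
                     for n, s, a in clause)


def raw_residues(lit, ics):
    """Steps 2-13 of Algorithm 1 for one literal name: every occurrence of it
    in a denial body yields one residue, the negated remainder of the body."""
    name, sign, args = lit
    out = []
    for body in ics:
        # standardise the denial apart so its variables cannot clash with lit's
        own = list(dict.fromkeys(a for l in body for a in l[2]))
        body = rename(body, {a: f"x{i}" for i, a in enumerate(own)})
        for k, (n, s, a) in enumerate(body):
            if (n, s) != (name, sign) or len(a) != len(args):
                continue
            unify = dict(zip(a, args))           # occurrence vars -> lit's vars
            rest = [l for j, l in enumerate(body) if j != k]
            out.append([negate(l) for l in rename(rest, unify)])
    return out


def is_redundant(clause, kept, lit):
    """Definition 2: clause is redundant if some kept clause R', under a
    substitution of its non-lit variables into clause's non-lit variables,
    becomes clause.  Testing against the clauses kept so far keeps one
    representative of each redundant pair instead of dropping both."""
    lit_vars = set(lit[2])
    target = sorted(clause_vars(clause) - lit_vars)
    for other in kept:
        free = sorted(clause_vars(other) - lit_vars)
        for image in itertools.product(target, repeat=len(free)):
            if canon(rename(other, dict(zip(free, image)))) == canon(clause):
                return True
    return False


def residues(lit, ics=IC):
    """Steps 14-21 of Algorithm 1: keep the non-redundant residues, in order."""
    kept = []
    for clause in raw_residues(lit, ics):
        if not is_redundant(clause, kept, lit):
            kept.append(clause)
    return kept


def show(clause):
    """Readable form of a clause, e.g. '¬P(u,x2) ∨ v = x2'."""
    parts = []
    for n, s, a in clause:
        if n == "=":
            parts.append(f"{a[0]} {'=' if s else '≠'} {a[1]}")
        else:
            parts.append(f"{'' if s else '¬'}{n}({','.join(a)})")
    return " ∨ ".join(parts)


if __name__ == "__main__":
    for lit in [("P", True, ("u", "v")), ("P", False, ("u", "v")),
                ("R", True, ("u", "v")), ("R", False, ("u", "v"))]:
        print(f"residues({show([lit])}) =",
              " ∧ ".join(f"[{show(c)}]" for c in residues(lit)))
```

The output for the four literal names of $L_P$ is the residue table of Example 7, with the residue-local variable of $P/2$ named x2 instead of $z$ because the denial was standardised apart before the occurrence was unified with the literal.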



3.2 Query Generation (QUECA) 

Once all the residues have been computed, and given a query Q, we can generate 
the query, QUECA{Q), which will deliver consistent answers from a consistent 
or inconsistent database. This query differs from Q only when Q has residues, 
so QUECA{Q) should be only executed for literal names appearing in IC. 

Initially the query $QUECA(Q)$ is equal to $Q$, plus a list of pending residues, 
which are the residues associated to $Q$ calculated by Algorithm 1. These residues 
are not yet part of the query; they form a list of pending clauses that must be 
resolved via some condition to decide whether they should belong to the query. This condition 
is, informally, whether they add new information to it or not. If they do not, they are 
discarded; but if they do, they must be added to the query and their residues 
appended at the end of the residue list. This procedure is iterated until no 
residues are left to resolve, i.e. either we run out of residues or they have all 
been discarded. We will see later that the procedure does not always terminate. 

Example 8. Consider the following hypothetical pairs of queries and residues: 

    Query :                 Residues : 
    1. $S(u)$               $S(u)$ 
    2. $M(u)$               $N(u)$ 
    3. $P(u,v)$             $\forall z\,(P(u,v) \vee \neg Q(u,z))$ . 

Clearly in the first case, the residue can be discarded because it adds no new 
information to the query. However, in the second and third cases the residues 
must be added to the corresponding query, and their residues to the Pending 
Residue List. So we would have 

    Query :                                                   Residues : 
    1. $S(u)$                                                 $\emptyset$ 
    2. $M(u) \wedge N(u)$                                     $residues(N(u))$ 
    3. $P(u,v) \wedge \forall z\,(P(u,v) \vee \neg Q(u,z))$   $residues(P(u,v) \vee \neg Q(u,z))$ . 

□ 

This method works when only conjunctions are involved (case 2 in Exam- 
ple 8), because determining whether a residue should be part of the query or not is 
easy. However, most of the residues are clauses (case 3 in Example 8), so we 
must somehow deal with disjunction. 

The way to solve this problem is by keeping conjunctions together, i.e. work- 
ing in DNF. To do so, when a clausal residue adds new information to a query, 
we make as many copies of the query as there are literals in the residue we are adding, 
and append to each of them exactly one of the literals in the residue. (The residues 
are in CNF; we treat every clause as an element of a list.) The pend- 
ing residue list of each of these new copies must then be the existing list plus 
the residues coming from the newly appended literal. We shall informally call 
this a split operation. These copies, connected together by disjunctions, 
constitute the final query $QUECA(Q)$. 

Example 9. (Example 8 Continued) In the third case of the previous example 
we would then have 

    Query :                                        Residues : 
    3. $E_1 : P(u,v) \wedge P(u,v)$                $R_1 : residues(P(u,v))$ 
       $E_2 : P(u,v) \wedge \neg Q(u,z)$           $R_2 : residues(\neg Q(u,z))$ . 

So, we have $QUECA(Q) = \forall z (E_1 \vee E_2)$ where each $E_i$ is a disjunctionless formula, 
and $Residues = R_1, R_2$, where each $R_i$ belongs to its corresponding $E_i$. □ 

This clarifies the need for a new notation that will enable us to keep track 
of the residues involved in building each E. Furthermore, this notation should 
not only include the literals in E and its associated Pending Residue List, but 
it should also “remember” the last residue that provoked one of these split 
operations, in order to avoid inserting a residue whose information was already 
inserted earlier. For these purposes we define a Temporary Query Unit (TQU). 

Definition 3. A temporary query unit, $D : E \bullet R$, consists of a set of clauses 
$D$, a conjunction of literals $E$ and a conjunction of residues $R$. 

Both symbols, $:$ and $\bullet$, are only used to separate $D$, $E$ and $R$ from each other. 
$D$ represents the last residues involved in building $E$ and $R$ is the conjunction 
of residues $\phi_1 \wedge \cdots \wedge \phi_n$ yet to be resolved. We shall note that all variables 
coming from a residue appear universally quantified in $D$ and $E$ (see Example 10). 
Both symbols have higher precedence than any other connective. In this way, 
$QUECA(Q)$ can be seen as a disjunction of temporary query units, $\bigvee TQU_i$, 
when we reach the point at which $R = \emptyset$ for every $TQU_i$. 

Example 10. (Example 9 Continued) Using the new notation for the third case 
we would have: 

$QUECA(P(u,v))$ : 

$TQU_1\ [\forall z (P(u,v) \vee \neg Q(u,z))] : P(u,v) \wedge P(u,v) \bullet residues(P(u,v))\ \vee$ 
$TQU_2\ [\forall z (P(u,v) \vee \neg Q(u,z))] : P(u,v) \wedge \forall z \neg Q(u,z) \bullet residues(\neg Q(u,z))$ . 



The critical step is then determining when a residue should be added to 
the query and when its information is already in it, i.e. when it should be discarded. 
It is easy to see that when $E \models \phi_i$° or $D \models \phi_i$, then $\phi_i$ can be discarded. If 
neither condition is satisfied, the residue must be included in the query^. In 
Example 10 we have from $TQU_1$ that $D \models residues(P(u,v))$, thus they can be 
discarded and the iteration would have ended for $TQU_1$. This is the semantic 
result we want to obtain via syntactical means. The usual way to attain this is 
via unification. 

° The required condition is that every term in $\phi_i$ belongs to $E$. 

^ We will see that sometimes only part of the residue must be included. 

In our case we will define a sort of one way unification in which only certain 
types of variables will be involved: New Variables in a TQU and Free Variables 
in a Residue. 

Definition 4. A New Variable in a $TQU = D : E \bullet R$ associated to a query $Q$ is 
a variable that belongs to $newVar(TQU) := Var(E) \setminus Var(Q)$ and is universally 
quantified. 

Definition 5. Given a $TQU = D : E \bullet R$, a Free Variable in a Residue $\phi \in R$ 
is a variable that belongs to $freeVar(\phi) := Var(\phi) \setminus Var(E)$ and is universally 
quantified. 

Because $D$ in a TQU consists of a recently resolved residue, it also behaves 
as one and has Free Variables in the sense of Definition 5. For instance, in Ex- 
ample 10 we have $newVar(TQU_2) = \{z\}$ and $freeVar(D_1) = \{z\}$. From these 
definitions it is clear that we can substitute a free variable by any other variable 
because it occurs nowhere else than in that residue. 

We can now formally define the meaning of the information of a residue being 
already in a TQU. 

Definition 6. We will say the information of a residue $\phi = l_1 \vee \cdots \vee l_m$ is 
already in a $TQU = D : E \bullet R$, and will write $\phi \in_\sigma D : E$, whenever there exists 
a substitution $\sigma : freeVar(\phi) \rightarrow newVar(TQU) \cup freeVar(D)$, such that $\phi\sigma \in D$ 
or for all $i$, $l_i\sigma \in E$. In case only some $l_i\sigma \in E$, we will say the information of 
a residue is already partially in a TQU, and we will write $\phi \in_{p\sigma} D : E$. 

Notice that if $freeVar(\phi) = \emptyset$, then $\sigma$ could be $\epsilon$ (the identity). 
Consequently we have that, when verifying whether to add a residue $\phi = 
l_1 \vee \cdots \vee l_m$ to a query, if $\phi \in_\sigma D : E$, then $\phi$ is discarded. Otherwise, it must be 
added to $E$ and one of the mentioned split operations must take place. However, 
if $\phi \in_{p\sigma} D : E$, then we must keep a copy of $D : E \bullet R$; and for all the cases in 
which $l_i\sigma \notin E$, $l_i\sigma$ must be appended to a copy $E_i$ of $E$ and its residues must be 
added at the end of a copy $R_i$ of $R$. 

Example 11. (Example 10 Continued) By using the method presented above the 
second $P(u,v)$ would not be included in $TQU_1$, that is 
$QUECA(P(u,v))$ : 

$TQU_1\ [P(u,v) \vee \neg Q(u,z)] : P(u,v) \bullet residues(P(u,v))\ \vee$ 

$TQU_2\ [P(u,v) \vee \neg Q(u,z)] : P(u,v) \wedge \forall z \neg Q(u,z) \bullet residues(\neg Q(u,z))$ . □ 

The procedure just described is formalized in Algorithm 2. 

Example 12. (Example 7 Continued) We will show how Algorithm 2 computes 
$QUECA(P(u,v))$, which is equivalent to $T_2(P(u,v))$, 2 being the finiteness point. 
By rearranging the result by hand, we obtain 

$QUECA(P(u,v)) = P(u,v) \wedge R(u,v) \wedge \forall z\,[(\neg P(u,z) \wedge \neg R(u,z)) \vee v = z]$ 

$QUECA(P(u,v)) = P(u,v) \wedge R(u,v) \wedge \forall z\,[(\neg P(u,z) \vee v = z) \wedge 
(\neg R(u,z) \vee v = z)]$ 

and we can see how the constraints get spread towards the related literals, in 
this case $R/2$, where we can see how the functional dependency of the second 
argument of $P/2$ has generated a functional dependency for the second argument 
of $R/2$ due to the nature of $IC$. This example was shown to be non terminating 
for $T_\omega$ (see Example 3), but is now solved by QUECA. □ 
Algorithm 2 Generate a QUEry for Consistent Answers for a literal l: QUECA(l) 

Require: Algorithm 1 has been executed. 

Ensure: QUECA(l) contains the expected results. 

 1: QUECA(l) := ∅ 
 2: TQUs := ∅ : l • residues(l) 
 3: while TQUs ≠ ∅ do 
 4:   select (extract) first TQU from TQUs (D : E • R) 
 5:   if R = ∅ then 
 6:     QUECA(l) := QUECA(l) ∨ E 
 7:   else 
 8:     select (extract) first residue (clause) φ from R {φ = l_1 ∨ ··· ∨ l_m} 
 9:     if φ ∈_σ D : E then 
10:       TQUs := D : E • R ⊎ TQUs 
11:     else 
12:       if φ ∈_pσ D : E then 
13:         append(D, φ) ↦ D_0 
14:         E_0 := E 
15:         R_0 := R 
16:       else 
17:         θ := ε (identity) 
18:       end if 
19:       for all i ∈ [1, m] do 
20:         if l_iθ ∉ E then 
21:           D_i := φ 
22:           E_i := E ∧ l_iθ 
23:           R_i := R ∧ residues(l_iθ) 
24:         else 
25:           Do nothing 
26:         end if 
27:       end for 
28:       TQUs := ⊎_{i=0}^{m} D_i : E_i • R_i ⊎ TQUs 
29:     end if 
30:   end if 
31: end while 



In the previous example we can see how the • symbol works as a separator 
between the residues that have been included in the final query and those that 
are still to be resolved. It graphically shows when a TQU is ready to be included in 
QUECA: this occurs when the • reaches the end of R, in other words, when 
no residues are left to be resolved. 
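Algorithm 2, with the membership test of Definition 6 and the split operation, can be run on the residues of Example 7 as follows. This is an added Python example, not the paper's XSB code; RESIDUES is the residue table of Example 7 entered by hand, and the names membership, queca and show are choices of this example. Two details are assumptions made here: in the partial case the substitution σ found by Definition 6 is used as θ for the split, which the text describes but Algorithm 2 leaves implicit, and a max_steps guard is added because, as noted in Section 3.2, the procedure does not always terminate.

```python
import itertools

# Constructed residue table: residues(l) for the ICs of Example 4, as obtained
# in Example 7.  Literals are (name, positive, args); "=" is built-in equality.
# Template residues are written for parameters (u, v); any other variable
# (here z) is local to the residue and is renamed fresh each time it is used.
PARAMS = ("u", "v")
RESIDUES = {
    ("P", True):  [[("R", True, ("u", "v"))],
                   [("P", False, ("u", "z")), ("=", True, ("v", "z"))]],
    ("P", False): [[("R", False, ("u", "v"))]],
    ("R", True):  [[("P", True, ("u", "v"))]],
    ("R", False): [[("P", False, ("u", "v"))]],
}


def subst(clause, sub):
    return [(n, s, tuple(sub.get(a, a) for a in args)) for n, s, args in clause]


def canon(clause):
    """Order-free view of a clause (v = z and z = v compare equal)."""
    return frozenset((n, s, tuple(sorted(a)) if n == "=" else a) for n, s, a in clause)


def variables(clauses):
    return {a for clause in clauses for _, _, args in clause for a in args}


def residues_of(lit, fresh, table):
    """Instantiate the template residues of lit's literal name (built-ins have
    none), giving residue-local variables fresh names such as z0, z1, ..."""
    name, sign, args = lit
    out = []
    for tmpl in table.get((name, sign), []):
        sub = dict(zip(PARAMS, args))
        for var in sorted(variables([tmpl]) - set(PARAMS)):
            sub[var] = f"{var}{next(fresh)}"
        out.append(subst(tmpl, sub))
    return out


def membership(phi, D, E, qvars):
    """Definition 6.  Returns ('full', s), ('partial', s) or ('none', {}), with
    s a substitution freeVar(phi) -> newVar(TQU) ∪ freeVar(D)."""
    e_vars = variables([E])
    free_phi = sorted(variables([phi]) - e_vars)
    codomain = sorted((e_vars - set(qvars)) | (variables(D) - e_vars))
    partial = None
    for image in itertools.product(codomain, repeat=len(free_phi)):
        s = dict(zip(free_phi, image))
        inst = subst(phi, s)
        in_e = [canon([l]) <= canon(E) for l in inst]
        if canon(inst) in map(canon, D) or all(in_e):
            return ("full", s)
        if any(in_e) and partial is None:
            partial = ("partial", s)
    return partial or ("none", {})


def queca(query, table=RESIDUES, max_steps=10_000):
    """Algorithm 2 for a literal query.  Returns the disjuncts E as lists of
    literals; variables of an E outside the query are universally quantified.
    max_steps is a guard added here because the procedure need not terminate."""
    fresh = itertools.count()
    qvars = set(query[2])
    tqus = [([], [query], residues_of(query, fresh, table))]      # line 2
    result = []
    for _ in range(max_steps):
        if not tqus:
            return result
        D, E, R = tqus.pop(0)                                     # line 4
        if not R:                                                 # lines 5-6
            result.append(E)
            continue
        phi, rest = R[0], R[1:]                                   # line 8
        kind, theta = membership(phi, D, E, qvars)
        if kind == "full":                                        # lines 9-10
            tqus.insert(0, (D, E, rest))
            continue
        new = []
        if kind == "partial":                                     # lines 12-15
            new.append((D + [phi], E, rest))
        for lit in subst(phi, theta):                             # lines 19-27
            if canon([lit]) <= canon(E):
                continue
            new.append(([phi], E + [lit], rest + residues_of(lit, fresh, table)))
        tqus = new + tqus                                         # line 28
    raise RuntimeError("QUECA did not terminate within max_steps")


def show(Es, qvars):
    """Readable QUECA: new variables universally quantified over the disjunction."""
    def conj(E):
        return " ∧ ".join(f"{a[0]} = {a[1]}" if n == "=" else
                          f"{'' if s else '¬'}{n}({','.join(a)})" for n, s, a in E)
    new = sorted(variables(Es) - set(qvars))
    return (f"∀{','.join(new)} " if new else "") + "(" + \
        " ∨ ".join(f"({conj(E)})" for E in Es) + ")"


if __name__ == "__main__":
    q = ("P", True, ("u", "v"))
    print("QUECA(P(u,v)) =", show(queca(q), q[2]))
```

For $P(u,v)$ the run reproduces the first form given in Example 12: the pending residue $R(u,v)$ is split in, its own residue $P(u,v)$ is then found in $E$ and discarded, and the clausal residue $\neg P(u,z) \vee v = z$ splits the unit into two, one of which goes on to absorb $\neg R(u,z)$ from the residues of $\neg P(u,z)$.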
4 Properties of QUECA 

In this section we will show that the QUECA algorithm is well behaved for an 
interesting syntactical class of ICs. 

Definition 7. (a) A binary integrity constraint (BIC) is a denial of the form 
$\forall(\leftarrow l_1(x_1) \wedge l_2(x_2) \wedge \varphi)$, where $l_1$ and $l_2$ are database literals, and $\varphi$ is a 
formula that only contains built-in predicates. 

(b) A set of BICs, $IC$, is fact-oriented® if there is a tuple $d$ and a literal name 
$L$, such that $IC \models L(d)$. 

Usually ICs are not fact-oriented. As a particular case of BICs, we obtain 
unary integrity constraints, which have just one database literal and possibly 
a formula with built-in predicates. In the class of binary constraints we find 
functional dependencies, inclusion dependencies, symmetry constraints, and do- 
main and range constraints. In consequence, we are covering most of the static 
constraints found in traditional relational databases, excluding (existential) ref- 
erential ICs, transitivity constraints, and possibly other constraints that might 
be better expressed as rules or views at the application layer. 

The following results apply to the case of a finite set of BICs. 

Theorem 1. The worst case runtime complexity of Algorithm 1 for residue com- 
putation is $O(n^{?})$, where $n$ represents the number of ICs. 



Theorem 2 (Termination). Given a set of non fact-oriented binary integrity 
constraints, Algorithm 2 terminates in a finite number of steps. 

The termination property is based on the fact that by restricting execution 
to BICs only, residues contain one literal name at most, which in the worst case 
generates an infinite sequence of single literals. The infiniteness of this sequence 
is then limited by the condition in line 12 of Algorithm 2 and the fact that we 
only consider range-restricted ICs [ref], conditions which ensure that at a given 
point, pending residues add no new information to the resulting query, thus being 
discarded. Notice that this result extends the termination results presented in 
[ref], where semantic termination was only ensured for uniform binary constraints. 

Theorem 3. For non fact-oriented binary ICs, and a literal name $L$, the worst 
case runtime complexity of Algorithm 2 running on $L$ is $O(nk^{?})$, where $n$ rep- 
resents the number of ICs and $k$ is the maximum number of terms per integrity 
constraint. 

Although this is not an encouraging result, we will see in Section 5 that this 
process is done at compile-time, so it should not affect the performance from a 
user's point of view. 

® Fact-oriented integrity constraints can be seen as a special case of tuple-generating 
dependencies, tgd's [ref], in which the body may contain equality. A common fact- 
oriented constraint is of the form $true \rightarrow L(a)$. 
It is possible to prove that the QUECA algorithm can simulate the iterative 
application of operator $T$ until the point where QUECA stops. At that point we 
obtain a corresponding semantical termination point for $T$. The main difference 
is that, while $T$ would perform split operations and add residues to the pending 
list (for the whole set of residues) whenever at least one of the residues adds 
new information to the resulting query, QUECA does this on a per-residue basis. 
This eliminates residues one by one, thus obtaining a much more efficient query 
(see the difference between $T_3(P(u,v))$ in Example 3 and $QUECA(P(u,v))$ in 
Example 12). Having mapped QUECA's execution to that of $T$, we may take 
advantage of soundness and completeness results for $T$. 

Theorem 4 (Soundness). Let $r$ be a database instance, $IC$ a set of binary 
integrity constraints and $Q(x)$ a literal query, such that $r \models QUECA(Q(t))$. If 
$Q$ is universal, or non-universal and domain independent, then $t$ is a consistent 
answer to $Q$ in $r$, that is, $r \models_c Q(t)$. 

Theorem 5 (Completeness). Let $r$ be a database instance and $IC$ a set of 
non fact-oriented binary integrity constraints, then for every ground literal $l(t)$, 
if $r \models_c l(t)$, then $r \models QUECA(l(t))$. 

All the results above can be easily extended to queries that are conjunctions 
of literals without existential quantifiers. 

5 Implementation 

To achieve the objectives of this work we need a common framework for data, 
rules, queries and integrity constraints, to be able to perform operations on 
them and elaborate the queries for consistent answers mentioned earlier. Logic 
Programming languages provide this framework and XSB seems an adequate 
candidate. Generally speaking we prefer an LP language because the algorithms 
presented in this article need the ability to perform unifications, substitutions 
and detecting subsumption. Perhaps what makes XSB a better candidate than 
other LP languages is, apart from the relational DBMS interface, the foreign lan- 
guage interface and the fact it runs on multiple platforms, its tabling capabilities, 
which improve its efficiency over other systems that would, for example, have to 
recalculate the residues every time they are needed by Algorithm 2. 

Our system consists of four modules which provide several predicates that 
allow the user direct interaction with the system. Upon initialization, the pro- 
gram connects itself to a database previously defined by the user, executes both 
algorithms presented in this paper and stores their results in XSB's tables. This 
avoids having to recalculate residues, QUECAs or their equivalent SQL strings, 
thus practically eliminating the relevance of the exponential runtime complexity 
of Algorithm 2. 

The integrity constraints of the form (1) are read from the file named ics, 
in which they are written with the following syntax: 

<- [ ... denials ... ] . 
For instance, to include the ICs corresponding to Example 4, we would modify 
the file ics to contain: 

<- [p(U,V),~r(U,V)] . 

<- [~p(U,V),r(U,V)] . 

<- [p(U,V),p(U,Z),~(V==Z)] . 

Once initialization is over, the user may query the database directly or re- 
trieve one of the computed residues, QUECAs or SQL strings. For example, by 
executing | ?- queca(p(X,Y),Q). we would obtain: 

Q = and(p(id1,id2), all(u1, and(r(id1,id2), or(and(no(p(id1,u1)), 
no(r(id1,u1))), equal(id2,u1))))) 

With this method we can answer any query that is free of disjunctions and 
existential quantifiers. Due to space limitations, further details of the implemen- 
tation are included in an extended version of this paper. 

6 Conclusions 

We have shown an algorithm to obtain consistent answers to queries posed to 
inconsistent databases. This algorithm is proved to be terminating, sound and 
complete for the class of non fact-oriented binary ICs. The termination results 
extend those obtained in [ref]. 

We also implemented the algorithm on XSB with a program that interfaces 
directly to a given RDBMS. The next steps towards an effective application 
include handling queries and integrity constraints with existential quantifiers. 
Complete elimination of residue redundancy could be addressed as well. 
Abstract. We consider in this paper an extension of Datalog with mech- 
anisms for non-monotonic and non-deterministic reasoning and a simple 
form of temporal reasoning, which we refer to as Datalog++. First, we 
show how with this logic database language it is possible to express prob- 
lems in heterogeneous domains, such as operations research and concur- 
rent programming. Second, we provide a methodology for the verifica- 
tion of Datalog++ programs, based on the declarative semantics, which 
is able to handle both atemporal and temporal properties. 



1 Introduction 

The name Datalog++ is used in this paper to refer to Datalog extended with 
mechanisms supporting: 

— non-monotonic reasoning, by means of a form of stratified negation w.r.t. 
the stage arguments, called XY-stratification [ref]; 

— non-deterministic reasoning, by means of the non-deterministic choice con- 
struct [ref]; 

— a limited form of temporal reasoning, by means of temporal, or stage, argu- 
ments of relations, ranging over a discrete temporal domain, in the style of 
$Datalog_{1S}$ [ref]. 

Datalog++, which is essentially a fragment of LDL++ [ref], and is advocated 
in [ref, Chap. 10], revealed a highly expressive language, with applications in 
diverse areas such as AI planning [ref], active databases [ref], object databases 
[ref], semistructured information management and Web restructuring [ref]. 

In this paper we study a methodology for the development and the verifi- 
cation of Datalog++ programs. Therefore the goal of this paper is twofold: to 
highlight the expressiveness of Datalog++ programs by providing some realistic 
examples in diverse programming areas such as operations research and concur- 
rent programming, and to provide the first steps toward a methodology for the 
verification of Datalog++ programs. 

Research in verification in logic programming has focussed on Prolog-like, 
top-down languages, and relatively little work has addressed the case of deductive 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 957^^ 2000. 
databases and Datalog-like languages [ref]. However, Datalog-like languages have 
a purely declarative reading that makes reasoning about programs simpler than 
the Prolog-like case, and several verification methods developed for Prolog-like 
languages can be adopted for Datalog-like languages [ref]. In these methods, the 
task of proving a given logic program correct reduces to the task of showing that 
certain appropriate models of the program coincide with the intended meaning 
of the program itself. Clearly, the notion of appropriate model is not defined 
once and for all, but depends on the particular language, and on its use of 
negation. We adhere to this view, and adopt the stable model semantics as the 
starting point of our investigation, as Datalog++ programs are non monotonic 
and employ a rather general form of negation. 

Also, we are interested in using Datalog++ to specify concurrent programs, 
and therefore we need to reason about dynamic properties, such as safety and 
progress. Unlike formalisms such as UNITY [ref] or other temporal logic ap- 
proaches [ref], which use some specialized logic to deal with dynamic properties, 
we show how a set of interesting safety and progress properties can be handled 
within the mentioned model-theoretic approach. In this sense, dynamic prop- 
erties can be formalized and proved as properties of the stable models of the 
program under consideration. 



2 DatalogH — Nondeterministic, Nonmonotonic Datalog 

In this paper, we use the name Datalog++ to refer to Datalog extended by 
two mechanisms for non-monotonic and non-deterministic reasoning, both based 
on a form of negation. The first mechanism is represented by XY-programs, orig- 
inally introduced in [33]. The language of such programs is Datalog_{1S}, which 
admits negation on body atoms and a unary constructor symbol, used to repre- 
sent a temporal argument usually called the stage argument. A general definition 
of XY-programs is the following. A set P of rules defining mutually recursive 
predicates is an XY-program if it satisfies the following conditions: 

1. each recursive predicate has a distinguished stage argument; 

2. every recursive rule r is either an X-rule or a Y-rule, where: 

— r is an X-rule when the stage argument in every recursive predicate in 
r is the same variable, 

— r is a Y-rule when (i) the head of r has a stage argument J + 1, where J 
is a variable, (ii) some goal of r has J as its stage argument, and (iii) the 
remaining recursive goals have either J or J + 1 as their stage argument. 

Intuitively, in the rules of XY-programs, an atom p(J, _) denotes the extension 
of relation p at the current stage (present time) J, whereas an atom p(J + 1, _) 
denotes the extension of relation p at the next stage (future time) J + 1. By 
using a different primed predicate symbol p' in the p(J + 1, _) atoms, we obtain 
the so-called primed version of an XY-program. We say that an XY-program 
is XY-stratified if its primed version is a stratified program. Intuitively, if the 
dependency graph of the primed version has no cycles through negated edges, 
then it is possible to obtain an ordering on the original rules modulo the stage 
arguments. As a consequence, an XY-stratified program is also locally stratified, 
and therefore has a unique perfect model. Such a model can be computed by 
an iterated fixpoint procedure, which uses the ordering imposed by the primed 
version of the program: the extension of relations at stage J is computed before 
proceeding to stage J + 1. 

Example 1. The following version of the seminaive graph-reachability program, 
discussed in [?], is an example of an (XY-stratified) XY-program, which computes 
all nodes of a graph g reachable from a given node a: 

delta(0, a). 

delta(s(I), Y) ← delta(I, X), g(X, Y), ¬all(I, Y). 

all(I, X) ← delta(I, X). 

all(s(I), X) ← all(I, X), delta(s(I), _). 

Observe the use of negation, which is not stratified in the usual sense (delta and 
all are mutually recursive), although it is stratified modulo the stage. In the 
outcome of the seminaive program, all(n, b) means that b is a node reachable 
from a in graph g. At each stage i, delta(i, c) means that c is a newly reached 
node, and i is also the length of the shortest path from a to c; using relation 
delta to propagate the search avoids unnecessary recomputations. 

The second mechanism is represented by choice goals, which are used to non- 
deterministically select subsets of answers to queries that obey a specified 
functional dependency (FD) constraint. 

Example 2 (Spanning Tree). The following program [?] computes a spanning 
tree starting from the source node a for a graph where an arc from node b to 
node d is represented by the database fact g(b, d). 

st0 : st(root, a). 

st1 : st(X, Y) ← st(_, X), g(X, Y), Y ≠ a, choice((Y), (X)). 

Observe that, when an arc st(b, d) is added by the second rule, the choice goal 
ensures that no st(X, d) can later be added with X ≠ b. The condition Y ≠ a 
must be added explicitly to prevent the rule from generating an arc leading back to a, 
because there is no choice goal in the first rule to avoid it. 

The semantics of the choice construct is based on the stable model semantics 
of Datalog¬ programs, a concept originating from autoepistemic logic, which 
was applied to the study of negation in Horn clause languages in [?]. To define 
the notion of a stable model we need to introduce a transformation H which, 
given an interpretation I, maps a Datalog¬ program P into a positive Datalog 
program H(P, I): 

$$H(P, I) = \{\, A \leftarrow B_1, \ldots, B_n \mid A \leftarrow B_1, \ldots, B_n, \neg C_1, \ldots, \neg C_m \in ground(P) \;\wedge\; \{C_1, \ldots, C_m\} \cap I = \emptyset \,\}$$ 

Next, we define: 

$$S_P(I) = T_{H(P,I)} \uparrow \omega$$ 

Then, M is said to be a stable model of P if S_P(M) = M. In general, 
Datalog¬ programs may have zero, one or many stable models. The multiplicity 
of stable models can be exploited to give a declarative account of non-determin- 
ism. We can in fact define the stable version of a program P, SV(P), to be the 
program transformation where all the references to the choice atom in a rule 
r : H ← B, choice(X, Y) are replaced by the atom chosen_r(X, Y), and define 
the chosen_r predicate with the following rules: 

chosen_r(X, Y) ← B, ¬diffchoice_r(X, Y). 
diffchoice_r(X, Y) ← chosen_r(X, Y'), Y ≠ Y'. 

The various stable models of the transformed program SV(P) thus correspond 
to the choice models of the original program [?]. For instance, the various 
stable models of the program of Example 2 correspond to the various spanning 
trees for graph g. Choice programs can be efficiently executed by enforcing the 
FD constraints during the bottom-up computation [?]. The overall semantics of 
Datalog++, its efficient implementation and optimizations are presented in [?]. 



3 Programming with Datalog++ 

Although conceived as a deductive database language, Datalog++ has revealed itself to be a 
highly expressive language with applications in other domains. The goal of this 
section is to highlight the expressiveness of Datalog++ programs by providing 
some examples in diverse programming areas, ranging from typical procedural 
algorithms to operations research and concurrent programming. 



3.1 Euclid’s Algorithm for the Greatest Common Divisor 



Our first example illustrates a general programming paradigm, where stages are 
used to record the various steps of the computation, choice is used to non-deter- 
ministically select actions at each step, and rules for the frame axioms or inertia 
axioms are used to establish the content of a new state. This technique provides 
a general programming paradigm that has been applied to many problems, such 
as the planning problem [?] and the array ordering problem [?]. 

The following program computes, according to Euclid's algorithm, the great- 
est common divisor of a set of integers stored as facts of the form number(X) in 
the database. 



r0 : candidate_GCD(0, X) ← number(X). 

r1 : aux_GCD(J, X, Y) ← candidate_GCD(J, X), candidate_GCD(J, Y), 
X > Y, choice((J), (X, Y)). 

r2 : candidate_GCD(J + 1, X) ← candidate_GCD(J, X), ¬aux_GCD(J, X, _). 

r3 : candidate_GCD(J + 1, Z) ← aux_GCD(J, X, Y), Z = X − Y. 

r4 : GCD(X) ← candidate_GCD(J, X), ¬aux_GCD(J, _, _). 
The first rule initializes the staged candidate_GCD predicate: at the beginning 
(stage 0) all integers in the database are candidates to be the greatest common 
divisor. The second rule nondeterministically selects a pair of candidate integers 
with different values. Note the use of choice to ensure that, at each stage, only 
one pair of integers out of all the eligible pairs is selected. The third and the 
fourth rules realize frame axioms: old candidate integers (excluding the greater 
integer of the selected pair) are copied into the set of candidate integers for the 
next stage, while a new value, the difference between the two integers of the 
selected pair, is added. The last rule, according to Euclid's algorithm, simply 
asserts that when it is no longer possible to select a pair of candidate integers 
with different values, i.e. when all the candidate integers have the same value, 
then the greatest common divisor has been found. 

The objective of this example is to show how it is possible to express typical 
procedural algorithms in a declarative way. The program we have written is as 
simple and efficient as its procedural version. Also, observe that this program 
computes the greatest common divisor for any set of integers, independently of 
its cardinality. 



3.2 The Ford-Fulkerson Method for the Maximum-Flow Problem 

The next program is another example of a typical procedural algorithm in oper- 
ations research; it is harder than the previous one, but, as we show, Datalog++ 
is naturally geared to cope with graph algorithms. We first introduce some no- 
tation. 

A flow network G = (V, E) is a directed graph in which each edge (u, v) ∈ E 
has a nonnegative capacity c(u, v) ≥ 0. If (u, v) ∉ E we assume that c(u, v) = 
0. We distinguish two vertices in a flow network: a source s and a sink t. For 
convenience we assume that every vertex lies on some path from the source to 
the sink. Let G = (V, E) be a flow network (with an implied capacity function 
c). Let s be the source of the network, and let t be the sink. A flow in G is a 
real-valued function f : V × V → ℝ that satisfies the following three properties: 

Capacity Constraint. For all u, v ∈ V, we require f(u, v) ≤ c(u, v). 

Skew Symmetry. For all u, v ∈ V, we require f(u, v) = −f(v, u). 

Flow Conservation. For all u ∈ V − {s, t}, we require $\sum_{v \in V} f(u, v) = 0$. 

The quantity f(u, v), which can be positive or negative, is called the net flow 
from vertex u to vertex v. 

The Ford-Fulkerson method solves the maximum-flow problem. This method 
is iterative. We start with f(u, v) = 0 for all u, v ∈ V, giving an initial flow of 
value 0. At each iteration, we increase the flow value by finding an augmenting 
path, which we can think of as a path from the source s to the sink t along which 
we can push more flow. We repeat this process until no augmenting path can be 
found; at that moment the flow has reached its maximum value. 

We now show how to realize this algorithm with Datalog++. We are given 
a directed graph, describing the flow network, whose arcs are stored as facts in 
the database. For each edge (x, y) with capacity c we have a fact g(x, y, c) in 
the database. We also have a fact g(y, x, c') where c' = 0 in the case that the 
edge (y, x) does not exist. The main predicate is flow(J, X, Y, F), describing the 
value F of the flow from vertex X to vertex Y at stage J. First of all we need a 
flow initializing rule: 



flow(0, X, Y, 0) ← g(X, Y, _). 

Then we need a predicate describing the residual capacity network, that is the 
graph on which we search a path from the source to the sink along which we can 
push more flow with respect to the capacity constraint. 

residual_network(J, X, Y, C) ← g(X, Y, C1), flow(J, X, Y, F), 
C = C1 − F, C > 0. 

For the purpose of finding a path from the source to the sink on this graph we use 
the spanning tree program, but each time a new edge is added to the spanning 
tree, its residual capacity is compared to the minimum residual capacity of the 
edges that lie on that path. Therefore, when we reach the sink we already know 
the minimum residual capacity on the augmenting path, that is the maximum 
value of flow we can push along the augmenting path. 

augmenting_path(J, X, Y, C) ← residual_network(J, X, Y, C), 
X = source, choice((J, Y), (X)). 

augmenting_path(J, X, Y, C) ← augmenting_path(J, _, X, C), 
residual_network(J, X, Y, C1), 
Y ≠ source, C < C1, choice((J, Y), (X)). 

augmenting_path(J, X, Y, C) ← augmenting_path(J, _, X, C1), 
residual_network(J, X, Y, C), 
Y ≠ source, C < C1, choice((J, Y), (X)). 

In this way we compute a spanning tree starting from the source. However what 
we need is a path from the source to the sink. Therefore we have to spot those 
edges lying on the augmenting path, i.e. the edges on which we push more flow. 
To do this we can go backwards from the sink to the source. 

flow_augmentation(J, X, sink, C) ← augmenting_path(J, X, sink, C). 

flow_augmentation(J, Y, X, C) ← flow_augmentation(J, X, _, C), 
augmenting_path(J, Y, X, _). 

Finally, we need some rules to update, according to the algorithm, the flow at 
each new stage and a final rule to detect the maximum flow when it is no longer 
possible to find an augmenting path. 
flow(J + 1, X, Y, F) ← flow(J, X, Y, F1), flow_augmentation(J, X, Y, C), 
F = F1 + C. 

flow(J + 1, X, Y, F) ← flow(J, X, Y, F1), flow_augmentation(J, Y, X, C), 
F = F1 − C. 

flow(J + 1, X, Y, F) ← flow(J, X, Y, F), ¬flow_augmentation(J, X, Y, _), 
¬flow_augmentation(J, Y, X, _). 

max_flow ← flow(J, X, Y, F), ¬augmenting_path(J, _, sink, _). 
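The staged program above, rendered as an ordinary loop so that each stage can be inspected and the three flow properties of the definition checked on the result. This is an added example, not code from the paper: the augmenting-path search is a breadth-first spanning tree grown from the source, i.e. one fixed resolution of the choice((J, Y), (X)) goals, and the edge list is constructed input.

```python
"""The Ford-Fulkerson program of Section 3.2 as a stage loop, with the capacity,
skew-symmetry and conservation properties checked on the final flow.
Added example (not the paper's code); the graph below is constructed input."""
from collections import deque


def residual_network(g, flow):
    """residual_network(J, X, Y, C) <- g(X, Y, C1), flow(J, X, Y, F), C = C1 - F, C > 0."""
    return {e: c - flow[e] for e, c in g.items() if c - flow[e] > 0}


def augmenting_path(res, source, sink):
    """augmenting_path / flow_augmentation: grow a spanning tree from the source over
    the residual network, carrying the bottleneck C, then walk back from the sink.
    Returns (list of (x, y) edges from source to sink, C) or None if the sink is unreachable."""
    tree = {source: (None, float('inf'))}   # Y -> (parent X, min residual capacity so far)
    queue = deque([source])
    while queue:
        x = queue.popleft()
        for (u, y), c in res.items():
            # one parent per node, as enforced by choice((J, Y), (X)); never re-enter the source
            if u == x and y != source and y not in tree:
                tree[y] = (x, min(c, tree[x][1]))
                queue.append(y)
    if sink not in tree:
        return None
    path, y = [], sink
    while tree[y][0] is not None:            # flow_augmentation: backwards from the sink
        x = tree[y][0]
        path.append((x, y))
        y = x
    return path[::-1], tree[sink][1]


def max_flow(edges, source, sink):
    """edges are (x, y, capacity) triples. Returns (value, flow, g, stages).
    A missing reverse edge gets g(y, x, 0), as the text prescribes."""
    g = {}
    for x, y, c in edges:
        g[(x, y)] = c
    for x, y, _ in edges:
        g.setdefault((y, x), 0)
    flow = {e: 0 for e in g}                 # flow(0, X, Y, 0) <- g(X, Y, _)
    stages = 0
    while True:
        found = augmenting_path(residual_network(g, flow), source, sink)
        if found is None:                    # no augmenting_path(J, _, sink, _): max_flow holds
            break
        path, c = found
        for x, y in path:
            flow[(x, y)] += c                # F = F1 + C along the augmenting path
            flow[(y, x)] -= c                # F = F1 - C on the reverse edge (skew symmetry)
        stages += 1
    value = sum(f for (x, _), f in flow.items() if x == source)
    return value, flow, g, stages


def flow_properties_hold(g, flow, source, sink):
    """Capacity constraint, skew symmetry and flow conservation from the definition."""
    capacity = all(flow[e] <= g[e] for e in g)
    skew = all(flow[(x, y)] == -flow[(y, x)] for (x, y) in g)
    inner = {v for e in g for v in e} - {source, sink}
    conservation = all(sum(f for (x, _), f in flow.items() if x == u) == 0 for u in inner)
    return capacity and skew and conservation


# Constructed flow network: s->a 10, s->b 5, a->b 15, a->t 5, b->t 10 (maximum flow 15).
EDGES = [('s', 'a', 10), ('s', 'b', 5), ('a', 'b', 15), ('a', 't', 5), ('b', 't', 10)]

if __name__ == '__main__':
    value, flow, g, stages = max_flow(EDGES, 's', 't')
    print(value, stages, flow_properties_hold(g, flow, 's', 't'))
```

Because the reverse edges carry negative flow under skew symmetry, a residual edge (y, x) with capacity 0 but flow −C still appears in residual_network with residual C, which is exactly what lets a later stage cancel flow pushed earlier; the breadth-first choice of parent makes each run deterministic, whereas the Datalog++ program leaves that choice to the stable model.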

3.3 The Readers-Writers Problem 

In this last example we show how Datalog++ is able to specify typical concurrent 
programming problems. We are given a shared resource and some processes. The 
processes have access to the resource for read or write operations. Any number 
of reads can proceed concurrently, but a write cannot be executed concurrently 
with a read or another write. There is no particular priority policy: at each 
stage it is nondeterministically selected whether to give priority to read or write 
operations. A process waiting for the right to execute an operation remains in its 
wait state until it gets that right and completes its operation. Finally, we assume 
that all reads and writes complete in a stage. For each process we have in the 
database a fact of the form process(X), where X is the name of the process. 

want_to(want_to_read). action(reading). 

want_to(want_to_write). action(writing). 

p0 : next_priority(0, X) ← action(X), choice((), (X)). 

p1 : aux_priority(J, X) ← next_priority(J, _), action(X), choice((J), (X)). 

p2 : next_priority(J + 1, X) ← aux_priority(J, X). 

s0 : state(0, K, X) ← process(K), want_to(X), choice((K), (X)). 

n0 : next_state(J, K, writing) ← state(J, K, want_to_write), 
next_priority(J, writing), 
choice((J), (K)). 

n1 : next_state(J, K, writing) ← state(J, K, want_to_write), 
next_priority(J, reading), 
¬state(J, _, want_to_read), 
choice((J), (K)). 

n2 : next_state(J, K, reading) ← state(J, K, want_to_read), 
next_priority(J, reading). 

n3 : next_state(J, K, reading) ← state(J, K, want_to_read), 
next_priority(J, writing), 
¬state(J, _, want_to_write). 

n4 : next_state(J, K, X) ← state(J, K, Y), action(Y), 
want_to(X), choice((J, K), (X)). 

s1 : state(J + 1, K, X) ← next_state(J, K, X). 

s2 : state(J + 1, K, X) ← state(J, K, X), want_to(X), 
¬next_state(J, K, _). 

The first three rules nondeterministically assign the priority, at each stage, 
to the read or to the write operations. The rule s0 nondeterministically selects 
a starting state for each process. When the write operations take priority, the 
rule n0 gives the right to access the resource to a process waiting for a write 
operation. Note the use of choice to model mutual exclusion: only one process, 
nondeterministically chosen out of all the processes waiting to write, will be 
able to write at the next stage. When the read operations take priority but there 
are no processes waiting to read, the rule n1 acts just like the rule n0. 
The rules n2 and n3 correspond respectively to the rules n0 and n1, but for the 
processes that want to read. Note that in this case we do not need the choice 
because any number of reads can be executed concurrently. 

Another example of a Datalog++ program in the concurrent programming 
area is the Alternating Bit Protocol in [?]. 



4 Verification of Datalog++ Programs 

The goal of this section is to suggest a methodology for the verification 
of Datalog++ programs. Our methodology is based on the distinction between 
atemporal and temporal predicates. For atemporal predicates we prove 
correctness by showing that their stable models match their intended semantics. 
On the other hand, to show the correctness of temporal predicates we define and 
prove some standard properties based on their temporal structure. 

Definition 3 (X and Y Predicates). Let P be an XY-program, and let p be a 
predicate of P. We call p an X-predicate if the rules defining p are only X-rules; 
a Y-predicate if at least one rule defining p is a Y-rule. 

We assimilate to X-predicates also the predicates of non-staged programs. Intu- 
itively, using X-predicates we can deduce only facts for the present time (current 
stage), while using Y-predicates we can deduce facts for the future time (next 
stage). It is important to note that all the programs of the previous section 
share a similar structure, described in Figure 1 for the Ford-Fulkerson example. 
In fact, Datalog++ programs usually have a single Y-predicate which performs 
the stage transition, and many X-predicates which prepare such a transition. 



4.1 Properties of the choice Construct 

When choice constructs are used in XY-programs we must pay attention to 
the choice safety constraint, which requires the stage argument to appear in the 
domain of the FD (the right argument of a choice goal). Moreover we restrict the 
use of choice to the X-rules, as we have done in all the programs of the previous 
sections. This syntactic restriction, however, does not affect the expressiveness 
of Datalog++ and makes verification easier. 

Fig. 1. Structure of the Ford-Fulkerson program 

Now we define a general choice rule: 

Definition 4 (General choice Rule). We define a general choice rule as a rule 
with the following structure: 

p(J, α, ε) ← q(J, β), choice((J, δ), (ε)). 

where Greek letters are sets of variables, q(J, β) stands for the conjunction of 
all the non-choice goals (also the non-staged ones) of the rule, α and δ can be 
empty sets, δ ∩ ε = ∅, and δ, ε ⊆ β. 

The stable version of this general choice rule is: 

sv0 : p(J, α, ε) ← q(J, β), chosen(J, δ, ε). 

sv1 : chosen(J, δ, ε) ← q(J, β), ¬diffChoice(J, δ, ε). 

sv2 : diffChoice(J, δ, ε) ← chosen(J, δ, ε'), ε ≠ ε'. 

where ε' is derived from ε by replacing each A ∈ ε with a new variable A'. 

The following property clarifies what kind of functional dependency is enforced 
by the choice construct in each stable model. 

Proposition 5. Let p(J, α, ε) ← q(J, β), choice((J, δ), (ε)) be a general choice 
rule of a program P, and let M be a stable model of the stable version of P. Then 
for any integer J ≥ 0 and for any α, there is at most one atom in M which is a ground 
instance of p(J, α, ε). 

Proof. Suppose that for some J ≥ 0 there are in M two atoms p(J, α, ε1) and 
p(J, α, ε2), ground instances of p(J, α, ε), with ε1 ≠ ε2. Since all stable mod- 
els are supported models [3], by clause sv0 also chosen(J, δ, ε1) and 
chosen(J, δ, ε2) are in M. Hence, by clause sv1 and since M is supported, we have 
that diffChoice(J, δ, ε1) and diffChoice(J, δ, ε2) are not in M. Since ε1 ≠ ε2, 
it follows from clause sv2 that either chosen(J, δ, ε1) or chosen(J, δ, ε2) is not 
in M, which is a contradiction. 

□ 



4.2 Verification of X-Predicates 

We are now ready to introduce an overview of the strategy which we follow to 
prove the correctness of X-predicates. 



Fig. 2. Our strategy to prove X-predicates partial correctness: Informal Specification (natural language) 
--translation--> Formal Specification (logic formulas) --derivation--> Intended Semantics (set of 
interpretations) <--comparison (partial correctness)--> Effective Semantics (set of stable models) 



We begin by describing in natural language which role in the computation is 
played by the X-predicate. This description is the informal specification of the 
predicate. The second step consists of translating this description from natural 
language into a set of logic rules, obtaining the formal specification. From this 
formal specification we derive the intended semantics of the predicate. Since 
the effective semantics of a Datalog++ program is a set of stable models, 
its intended semantics will also be a set of interpretations: precisely, the set of 
interpretations which satisfy the logic rules of the formal specification. 

On Verification in Logic Database Languages 967 

Definition 6 (Intended Semantics of an X-Predicate). Let p be an X- 
predicate, and let S be a set of logic rules defining the formal specification of p. 
The intended semantics of p is the set of interpretations that satisfy each rule 
in S. 

$$IS(p) = \{\, I \mid I \subseteq B_p \wedge (\forall r \in S.\; I \models r) \,\}$$ 

We can now define partial correctness of an X-predicate. 

Definition 7 (Partial Correctness of an X-Predicate). An X-predicate p is 
said to be partially correct with respect to its intended semantics IS(p) iff, for 
each stable model M of p, there exists an interpretation I ∈ IS(p) such that M 
⊆ I. 

Example 8 (Partial Correctness of Spanning Tree). Consider the spanning tree 
program of Example 2 and assume we wish to prove its correctness. First of all 
we have to give its informal specification in natural language. 

Informal Specification: the st relation is a maximal subset of the g relation. 
Moreover, st is a tree rooted in a. 

Now we have to translate this informal specification into a set of logic formulas. 
To be a tree means: 

st(X, Y) → st(_, X) ∨ Y = a. (1) 

st(X, Y) → ¬(st(Z, Y) ∧ Z ≠ X). (2) 

To be rooted in a means: 

st(root, a). (3) 

To be a maximal subset of g means: 

st(X, Y) → g(X, Y) ∨ Y = a. (4) 

(g(X, Y) ∧ st(_, X)) → st(_, Y). (5) 

Intended Semantics: IS(st) = { I | I ⊆ B_st ∧ I ⊨ (1), (2), (3), (4), (5) }. 
Partial Correctness: Let M be a stable model of st. Then ∃I ∈ IS(st) such 
that M ⊆ I. 

Proof. Property (3) is trivially satisfied by clause st0 and by the definition of 
model; (1) is satisfied by clause st0, by the goal st(_, X) in the body of clause 
st1 and since all stable models are supported; (2) is satisfied by the goal Y ≠ a 
and, by Proposition 5, by the choice goal in the body of clause st1; (4) is satisfied 
by clause st0, by the goal g(X, Y) in the body of clause st1 and since all stable 
models are supported; (5) is satisfied because if (g(X, Y) ∧ st(_, X)), then each 
non-choice goal in the body of clause st1 is satisfied, and then choice has to 
choose. 

□ 
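The stable-model machinery of Section 2 and the partial-correctness check of Example 8, run end to end on a small instance. This is an added example, not code from the paper: it grounds the stable version SV(P) of the spanning-tree program over a constructed four-node graph, computes every stable model through the transformation H(P, I) and the test S_P(M) = M by guessing the truth of the negated atoms (exponential, so only for tiny programs), and then checks formulas (1) to (5) on each model. The rule encoding (tuples for atoms, Python predicates standing in for built-ins such as Y ≠ a) is my own.

```python
"""Stable models of ground Datalog-not programs, the choice -> stable-version transformation
of Section 2, and the specification (1)-(5) of Example 8. Added example, not the paper's code."""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def subst(atom, s):
    return tuple(s.get(t, t) if is_var(t) else t for t in atom)


def ground(rules, consts):
    """Instantiate rules (head, pos_body, neg_body, tests) over all constants; `tests` are
    predicates on the substitution that stand in for built-in goals like Y != a."""
    out = []
    for head, pos, neg, tests in rules:
        vs = sorted({t for a in (head, *pos, *neg) for t in a[1:] if is_var(t)})
        for vals in product(consts, repeat=len(vs)):
            s = dict(zip(vs, vals))
            if all(test(s) for test in tests):
                out.append((subst(head, s), [subst(a, s) for a in pos], [subst(a, s) for a in neg]))
    return out


def lfp(positive):
    """T_P up to omega: least model of a positive ground program given as (head, body) pairs."""
    m, changed = set(), True
    while changed:
        changed = False
        for head, pos in positive:
            if head not in m and all(a in m for a in pos):
                m.add(head)
                changed = True
    return m


def reduct(gp, i):
    """H(P, I): drop each rule with a negated atom in I, then drop the negative literals."""
    return [(h, pos) for h, pos, neg in gp if not any(c in i for c in neg)]


def is_stable(gp, m):
    """M is a stable model iff S_P(M) = T_{H(P,M)} up to omega equals M."""
    return lfp(reduct(gp, m)) == m


def stable_models(gp):
    """All stable models, by guessing which negated atoms are true (2^k guesses)."""
    upper = lfp([(h, pos) for h, pos, _ in gp])               # over-approximation, negation ignored
    gp = [r for r in gp if all(a in upper for a in r[1])]      # keep only rules that can ever fire
    neg_atoms = sorted({c for _, _, neg in gp for c in neg if c in upper})
    found = []
    for bits in product([False, True], repeat=len(neg_atoms)):
        guess = {a for a, b in zip(neg_atoms, bits) if b}
        m = lfp(reduct(gp, guess))
        if is_stable(gp, m) and m not in found:
            found.append(m)
    return found


NE = lambda u, v: (lambda s: s[u] != s[v])
GRAPH = [('a', 'b'), ('a', 'c'), ('b', 'c'), ('c', 'b')]      # constructed g(X, Y) facts
CONSTS = ['root', 'a', 'b', 'c']
# SV(P) for Example 2: choice((Y), (X)) becomes chosen(Y, X), defined through diffchoice.
ST_SV = [(('g', x, y), [], [], []) for x, y in GRAPH] + [
    (('st', 'root', 'a'), [], [], []),                                                   # st0
    (('st', 'X', 'Y'), [('st', 'Z', 'X'), ('g', 'X', 'Y'), ('chosen', 'Y', 'X')], [],
     [lambda s: s['Y'] != 'a']),                                                          # st1
    (('chosen', 'Y', 'X'), [('st', 'Z', 'X'), ('g', 'X', 'Y')], [('diffchoice', 'Y', 'X')],
     [lambda s: s['Y'] != 'a']),
    (('diffchoice', 'Y', 'X'), [('chosen', 'Y', 'W')], [], [NE('X', 'W')]),
]
P_NEG_Q = [(('p',), [], [('q',)], []), (('q',), [], [('p',)], [])]   # two stable models
P_NOT_P = [(('p',), [], [('p',)], [])]                                # no stable model


def spanning_tree_models():
    return stable_models(ground(ST_SV, CONSTS))


def st_edges(m):
    return frozenset((x, y) for (p, x, y) in m if p == 'st')


def satisfies_spec(m):
    """Formulas (1)-(5) of Example 8 evaluated on one stable model."""
    st, g = st_edges(m), {(x, y) for (p, x, y) in m if p == 'g'}
    nodes = {n for e in st for n in e}
    f1 = all(y == 'a' or any(z == x for (z, _) in st) for (x, y) in st)
    f2 = all(not any(z != x and (z, y) in st for z in nodes) for (x, y) in st)
    f3 = ('root', 'a') in st
    f4 = all(y == 'a' or (x, y) in g for (x, y) in st)
    f5 = all(any(w == y for (_, w) in st) for (x, y) in g if any(v == x for (_, v) in st))
    return f1 and f2 and f3 and f4 and f5


if __name__ == '__main__':
    for m in spanning_tree_models():
        print(sorted(st_edges(m)), satisfies_spec(m))
```

On the constructed graph the program has exactly three stable models, one per spanning tree rooted at a, and each of them satisfies the five formulas, which is the partial-correctness claim of Example 8 checked model by model rather than proved once for all models.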
Note how the translation into logic formulas of the informal specification is 
quite close to the text of the program. This fact suggests a way to exploit 
the declarative features of Datalog++ programming to give a methodology for 
program development. Suppose, in fact, we have not yet written the spanning 
tree program and we wish to develop such a program. First we write the informal 
specification. Then we translate it into logic formulas. At this point the program 
development becomes immediate. The logic property (3) trivially gives us the st0 
clause. The properties (1) and (4) suggest the non-choice goals of clause st1. 
Finally, provided that we recognize in (2) a functional dependency, typically 
imposed by the choice construct, we obtain the program as we have written it 
before. 

4.3 Safety and Progress Properties for Y-Predicates 

For Y-predicates we do not prove partial correctness by reasoning on models, as 
we have done for X-predicates. We define and prove some standard properties 
following the approach of UNITY, a computational model with an associated 
proof system, introduced by Chandy and Misra in [?]. Following Chandy and 
Misra, we distinguish between safety and progress properties. We do not define 
these terms formally. Intuitively, safety properties are invariants of the program, 
i.e. properties which are satisfied at each stage of the computation. On the other 
hand, progress properties regard the temporal development of the computation. 

We start by introducing two kinds of safety properties, one characterizing Y- 
predicates from a semantic point of view, the other one from a quantitative 
point of view. 

The Meaning properties express, at each stage, the matching of the role 
played by the Y-predicate p in the computation with its declarative reading 
dr(p), i.e. the informal specification. 

Definition 9 (Final Stage). Let p be a Y-predicate of a program P and M a 
stable model of P. If for each stage J : 0 ≤ J ≤ K there exists at least one atom of 
the form p(J, _) in M, while none exists for J > K, then we say K is 
the final stage of p and we write K = final_stage(p). If such a stage does not 
exist then final_stage(p) = +∞. 

Definition 10 (Meaning). A Meaning property is the matching of a Y-pre- 
dicate with its declarative reading. Such a property has the following form: 

∀J : 0 ≤ J ≤ final_stage(p), ∀α : db(α) . p(J, δ) = dr(p) 

where α and δ are sets of variables such that α ⊆ δ, and db is a relation in the 
database. 

Such properties can be easily proved by induction on the stages, as 
we will show later by providing some examples. 

The HowMany properties constrain the number of atoms of a given form in 
every stable model of the program. 
Example 11. Recall the program for the readers-writers problem. We would like 
our program to have some desired properties: 

1. each process at each stage is in one, and only one, state, 

2. two or more write operations cannot be executed concurrently, 

3. write operations cannot be executed concurrently with read operations. 

We can express these three properties in terms of the number of occurrences of facts 
of a given form in the stable models: 

1. ∀J, ∀K : process(K) ⇒ #{X | state(J, K, X)} = 1 

2. ∀J #{K | state(J, K, writing)} ≤ 1 

3. ∀J #{K, W | state(J, K, writing) ∧ state(J, W, reading)} = 0 

In other words, HowMany properties are specified using the count aggregate on 
the stable models or their approximations. 

Definition 12 (HowMany). Let Π(J, κ, δ, const) be a logic formula formed only 
by Y-predicates, where J is the stage argument of the Y-predicates, κ is the set 
of variables on which we count, δ is the set of all the other variables, and const are 
the constants. We define a HowMany property as the following expression: 

∀J, ∀δ  #{κ | Π(J, κ, δ, const)} <op> n 

where n is a nonnegative integer, and <op> ∈ {=, ≥, ≤}. 
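The readers-writers program of Section 3.3 simulated stage by stage, with the three HowMany properties of Example 11 evaluated on every stage as a runtime safety monitor. This is an added example, not code from the paper: each choice goal is resolved by a seeded pseudo-random pick, the `mutual_exclusion` switch is my own knob that drops the choice goal of rules n0/n1 so that the monitor has a violation to report, and the process names are constructed input.

```python
"""Stage simulation of the readers-writers program (rules p0-p2, s0-s2, n0-n4) with the
HowMany properties of Example 11 checked on each stage. Added example, not the paper's code."""
import random

READ, WRITE = 'want_to_read', 'want_to_write'      # want_to/1 facts
READING, WRITING = 'reading', 'writing'            # action/1 facts


def fresh_rng(seed=0):
    return random.Random(seed)


def next_state(state, priority, rng, mutual_exclusion=True):
    """next_state(J, K, X) atoms derived by n0-n4 from the state(J, K, _) atoms and
    next_priority(J, priority). `state` is a set of (K, X) pairs."""
    writers = sorted(k for k, x in state if x == WRITE)
    readers = sorted(k for k, x in state if x == READ)
    nxt = set()
    if writers and (priority == WRITING or not readers):        # n0, n1
        # choice((J), (K)): exactly one waiting writer gets the resource this stage
        chosen = [rng.choice(writers)] if mutual_exclusion else writers
        nxt |= {(k, WRITING) for k in chosen}
    if readers and (priority == READING or not writers):        # n2, n3: no choice, all readers go
        nxt |= {(k, READING) for k in readers}
    for k, x in sorted(state):                                  # n4: a finished read/write
        if x in (READING, WRITING):                             # picks its next request
            nxt.add((k, rng.choice([READ, WRITE])))             # choice((J, K), (X))
    return nxt


def step(state, priority, rng, mutual_exclusion=True):
    """state(J+1, K, X): s1 copies next_state; s2 keeps a waiting process that has none."""
    nxt = next_state(state, priority, rng, mutual_exclusion)
    moved = {k for k, _ in nxt}
    return nxt | {(k, x) for k, x in state if k not in moved and x in (READ, WRITE)}


def howmany_ok(state):
    """HowMany properties 1-3 of Example 11 on a single stage."""
    procs = {k for k, _ in state}
    one_state = all(sum(1 for k2, _ in state if k2 == k) == 1 for k in procs)
    writers = sum(1 for _, x in state if x == WRITING)
    readers = sum(1 for _, x in state if x == READING)
    return one_state and writers <= 1 and not (writers and readers)


def simulate(processes, stages, seed=0, mutual_exclusion=True):
    """Returns the list of states for stages 0..stages (the program never terminates)."""
    rng = fresh_rng(seed)
    state = {(k, rng.choice([READ, WRITE])) for k in processes}   # s0: choice((K), (X))
    priority = rng.choice([READING, WRITING])                     # p0
    history = [state]
    for _ in range(stages):
        state = step(state, priority, rng, mutual_exclusion)
        priority = rng.choice([READING, WRITING])                 # p1, p2
        history.append(state)
    return history


def first_violation(history):
    """Index of the first stage violating a HowMany property, or None."""
    return next((j for j, s in enumerate(history) if not howmany_ok(s)), None)


if __name__ == '__main__':
    hist = simulate(['p1', 'p2', 'p3'], 20, seed=1)
    print(first_violation(hist), sorted(hist[-1]))
```

With the choice goal in place the monitor never fires, whatever the seed, because n0/n1 admit one writer and n2/n3 admit readers only when no writer is admitted; removing the choice (`mutual_exclusion=False`) lets two waiting writers proceed in the same stage and property 2 fails, which is the kind of check one would keep on a concurrent specification before trusting an inductive proof of it.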

We next define two kinds of progress property, the first one for those pro- 
grams which reach a fixed point, the second one for those programs that do not 
terminate (such as the readers-writers problem). 

Definition 13 (FixedPoint). Let p be a Y-predicate. We define a FixedPoint 
property as the following: 

∃J < +∞ : J = final_stage(p). 

A useful strategy for showing that a Y-predicate always reaches its final_stage 
is the following: display a function that strictly decreases at each stage and 
is bounded below, and map the function to the Y-predicate. 

Note that in each program of the previous section we have just one Y- 
predicate, which gives the vertical structure to the program, and some X-predicates 
doing the horizontal work. Therefore, if all X-predicates terminate, when we 
prove that the unique Y-predicate has a finite final_stage, we have that no new 
atom can be deduced after the final stage, i.e. the computation has reached a 
fixed point. 

The next kind of property states that the presence of a given fact in a stable 
model ensures that another fact will sooner or later belong to the approximations 
of the stable model. 

Definition 14 (Ensures). Let p and q be Y-predicates of a program P. An 
Ensures property is a statement of the form 

∀α, p(J, α) ensures ∃I > J : q(I, β). 

Verification of this kind of property requires a fairness assumption which is 
not treated here due to lack of space. Examples can be found in [?]. 
4.4 Application of the Methodology 

We now apply the methodology introduced above to the GCD program. Verification of 
the Ford-Fulkerson and other programs can be found in [?]. 

Example 15 (Properties of the GCD Program). Recall the GCD program. We 
wish to prove the following properties: 

1. Meaning: ∀J : 0 ≤ J ≤ final_stage(candidate_GCD) . candidate_GCD(J, X) = 
"X is a nonnegative integer which, if inserted in the initial set of numbers, 
does not change the GCD." 

2. FixedPoint: ∃J < +∞ : J = final_stage(candidate_GCD). 

Proof. We prove, by induction on the stages, the Meaning property: 

Base case (J = 0). Trivial. Since only by rule r0 can we deduce facts of the 
form candidate_GCD(0, X), X belongs to the initial set of integers. 
Induction Step. We can deduce facts of the form candidate_GCD(n+1, X) by 
rules r2 and r3. If candidate_GCD(n+1, X) is deduced by the rule r2 then by the 
induction hypothesis X satisfies the property. If candidate_GCD(n+1, X) is de- 
duced by the rule r3 then X is the difference between two integers (a, b) such 
that candidate_GCD(n, a) and candidate_GCD(n, b). Since GCD(a, b) = 
GCD(a − b, b) if a > b, and since X = a − b, X satisfies the property. 

We now prove that candidate_GCD reaches its final stage and thus the pro- 
gram terminates. In fact, at each stage we delete from the set of candidates an 
integer and we add another integer which is less than the previous one. There- 
fore, at each stage the sum total of the candidate integers strictly decreases, but 
the sum total is bounded below. Thus the program terminates. In particular, the 
program terminates when it is no longer possible to find two candidate integers 
with different values. By the Meaning property 1, and since GCD(a, a) = a, 
when the program reaches the fixed point we find the GCD of the initial set of 
integers, as stated by rule r4. 
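The GCD program of Section 3.1 evaluated stage by stage, with the Meaning property and the decreasing-sum argument of Example 15 checked on the stages actually produced. This is an added example, not code from the paper: `pick` stands in for the choice goal of rule r1 and defaults to a fixed choice so that runs are reproducible, and the input sets are constructed. The block rejects 0 and negative inputs, because for a pair (x, 0) rule r3 would add x − 0 = x back and the sum of the candidates would not decrease; the termination argument above needs positive integers.

```python
"""Stage-by-stage evaluation of rules r0-r4 of the GCD program, plus the Meaning and
FixedPoint checks of Example 15 on the computed stages. Added example, not the paper's code."""
from functools import reduce
from math import gcd


def run_gcd_program(numbers, pick=min):
    """Returns (GCD, stages) where stages[J] is the set {X | candidate_GCD(J, X)}.
    `pick` resolves choice((J), (X, Y)) in r1; `min` makes the run deterministic."""
    if not numbers or any(n <= 0 for n in numbers):
        raise ValueError("positive integers only: with 0 the difference X - 0 = X does not shrink the sum")
    candidates = frozenset(numbers)                       # r0: candidate_GCD(0, X) <- number(X)
    stages = [candidates]
    while True:
        pairs = [(x, y) for x in candidates for y in candidates if x > y]
        if not pairs:                                     # r4: no aux_GCD(J, _, _) left, so GCD(X)
            (g,) = candidates
            return g, stages
        x, y = pick(pairs)                                # r1: one pair per stage
        candidates = (candidates - {x}) | {x - y}         # r2 (frame axiom) and r3 (difference)
        stages.append(candidates)


def meaning_holds(numbers, stages):
    """Meaning: every candidate X, added to the initial set, leaves its GCD unchanged."""
    g0 = reduce(gcd, numbers)
    return all(gcd(g0, x) == g0 for s in stages for x in s)


def measure_decreases(stages):
    """FixedPoint argument: the sum of the candidates strictly decreases and stays >= 0."""
    sums = [sum(s) for s in stages]
    return all(a > b for a, b in zip(sums, sums[1:])) and sums[-1] >= 0


def verify(numbers):
    """The two properties of Example 15 plus agreement with math.gcd, on one run."""
    g, stages = run_gcd_program(numbers)
    return g == reduce(gcd, numbers) and meaning_holds(numbers, stages) and measure_decreases(stages)


if __name__ == '__main__':
    g, stages = run_gcd_program([12, 18, 30])             # constructed input
    print(g, [sorted(s) for s in stages], verify([12, 18, 30]))
```

Because stage J+1 is built from stage J alone, the loop is the iterated fixpoint procedure of Section 2 specialised to this program; swapping `pick` for any other selection changes the trace but, as the Meaning property predicts, never the result.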



5 Conclusion and Future Work 

We briefly presented in this paper a methodology for developing Datalog++ pro- 
grams and reasoning about their correctness. We believe that Datalog++ is a versa- 
tile programming language which supports verification principles firmly rooted 
in logic. Future research includes a thorough formalization of the verification 
methodology, as well as the development of tools, automatic or semi-automatic, 
which support verification of Datalog++ programs. 
Abstract. The problem of the relevance and the usefulness of extracted 
association rules is of primary importance because, in the majority of 
cases, real-life databases lead to several thousand association rules with 
high confidence, among which are many redundancies. Using the 
closure of the Galois connection, we define two new bases for association 
rules whose union is a generating set for all valid association rules with 
support and confidence. These bases are characterized using frequent 
closed itemsets and their generators; they consist of the non-redundant 
exact and approximate association rules having minimal antecedents and 
maximal consequents, i.e. the most relevant association rules. Algorithms 
for extracting these bases are presented, and the results of experiments carried 
out on real-life databases show that the proposed bases are useful, and 
that their generation is not time consuming. 

1 Introduction 

The purpose of association rule extraction, introduced in [?], is to discover 
significant relations between binary attributes extracted from databases. An 
example of an association rule extracted from a database of supermarket sales is: 
"cereals ∧ sugar → milk (support 7%, confidence 50%)". This rule states that 
the customers who buy cereals and sugar also tend to buy milk. The support 
defines the range of the rule, i.e. the proportion of customers who bought the 
three items among all customers, and the confidence defines the precision of the 
rule, i.e. the proportion of customers who bought milk among those who bought 
cereals and sugar. An association rule is considered relevant for decision making 
if it has support and confidence at least equal to some minimal support and 
confidence thresholds, minsupport and minconfidence, defined by the user. 

The problem of the relevance and usefulness of the result is related to the number of 
extracted association rules, which is in general very large, and to the presence of 
a huge proportion of redundant rules, i.e. rules conveying the same information, 
among them. Even though the visualization of a relatively significant number 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 972–, 2000. 
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of rules can be si mplified by the use of visualization tools such as the Rule 
Visualizer system suppressing redundant association rules requires 

other solutions. Moreover, as the redundant association rules represent the ma- 
jority of the extracted rules for several kinds of data, their suppression reduces 
considerably the number of rules to be managed during the visualization. 



Example 1. In order to illustrate the problem of redundant association rules, 
nine association rules extracted from the UCI KDD archive's Mushroom dataset, 
describing the characteristics of 8,416 mushrooms, are presented below. 
These nine rules have identical supports and confidences of 51% and 54% 
respectively, and the item "free gills" in the antecedent: 

1) free gills → eatable 
2) free gills → eatable, partial veil 
3) free gills → eatable, white veil 
4) free gills, white veil → eatable 
5) free gills, partial veil → eatable 
6) free gills → eatable, partial veil, white veil 
7) free gills, partial veil → eatable, white veil 
8) free gills, white veil → eatable, partial veil 
9) free gills, partial veil, white veil → eatable 

Obviously, given rule 6, rules 1 to 5 and 7 to 9 are redundant, since they do not 
convey any additional information to the user. Rule 6 has the minimal antecedent 
and the maximal consequent, and it is the most informative of these nine rules. 
In order to improve the relevance and the usefulness of the extracted rules, only 
rule 6 should be extracted and presented to the user. 



Several methods have been proposed in the literature to reduce the number of 
extracted association rules. Generalized association rules are defined using a 
taxonomy of the items; they are rules between sets of items that belong to 
different levels of the taxonomy. The use of statistical measures other than 
confidence, such as conviction, Pearson's correlation or statistical tests, has 
been studied. The use of deviation measures, i.e. measures of distance between 
association rules defined according to their supports and confidences, has been 
proposed, as has the use of item constraints, that are boolean expressions 
defined by the user, in order to specify the form of the association rules that 
will be presented to the user. Another approach is to present to the user rules 
with maximal antecedents, called A-maximal rules, that are rules for which the 
population of objects concerned is reduced when an item is added to the 
antecedent. In previous work we adapted the Duquenne-Guigues basis for global 
implications and the proper basis for partial implications to the association 
rules framework. It is demonstrated that these bases are minimal with respect to 
the number of extracted association rules. However, none of these methods allows 
to generate the non-redundant association rules with minimal antecedents and 
maximal consequents, which we believe are the most relevant and useful from the 
point of view of the user. 



Mushroom dataset: ftp://ftp.ics.uci.edu/pub/machine-learning-databases/mushroom/ 
1.1 Contribution 

In the rest of the paper, two kinds of association rules are distinguished: 

— Exact association rules, whose confidence is equal to 100%, i.e. which are 
valid for all the objects of the context. These rules are written I ⇒ I'. 

— Approximate association rules, whose confidence is lower than 100%, i.e. 
which are valid for a proportion of the objects of the context equal to their 
confidence. These rules are written I → I'. 

The solution proposed in this paper consists in generating bases, or reduced 
covers, for association rules. These bases contain no redundant rule and are 
thus of smaller size. Our goal is to limit the extraction to the most informative 
association rules from the point of view of the user. 

Using the semantics for the extraction of association rules based on the closure 
of the Galois connection, the generic basis for exact association rules and the 
informative basis for approximate association rules are defined. They are 
constructed using the frequent closed itemsets and their generators, and they 
minimize the number of association rules generated while maximizing the quantity 
and the quality of the information conveyed. They allow for: 

1. The generation of only the most informative non-redundant association rules, 
i.e. of the most useful and relevant rules: those having a minimal antecedent 
(left-hand side) and a maximal consequent (right-hand side) . Thus redundant 
rules which represent in certain databases the majority of extracted rules, 
particularly in the case of dense or correlated data for which the total number 
of valid rules is very large, will be pruned. 

2. The presentation to the user of a set of rules covering all the attributes of 
the database, i.e. containing rules where the union of the antecedents (resp. 
consequents) is equal to the union of the antecedents (resp. consequents) of 
all the association rules valid in the context. This is necessary in order to 
discover rules that are "surprising" to the user, which constitute important 
information that it is necessary to consider. 

3. The extraction of a set of rules without any loss of information, i.e. con- 
veying all the information conveyed by the set of all valid association rules. 
It is possible to deduce efficiently, without access to the dataset, all valid 
association rules with their supports and confidences from these bases. 

The union of these two bases thus constitutes a small non-redundant generating 
set for all valid association rules, their supports and their confidences. 

In Section 2 we recall the semantics for association rules based on the Galois 
connection. The new bases we propose and the algorithms for generating them are 
defined in Section 3. Results of experiments we conducted on real-life datasets 
are presented in Section 4, and Section 5 concludes the paper. 
2 Semantic for Association Rules Based on the Galois Connection 

The association rule extraction is performed from a data mining context, that 
is a triplet D = (𝓞, 𝓘, R), where 𝓞 and 𝓘 are finite sets of objects and items 
respectively, and R ⊆ 𝓞 × 𝓘 is a binary relation. Each couple (o, i) ∈ R denotes 
the fact that the object o ∈ 𝓞 is related to the item i ∈ 𝓘. 

Example 2. A data mining context D constituted of six objects (each one 
identified by its OID) and five items is represented in Table 1. This context is 
used as support for the examples in the rest of the paper. 

Table 1. Data mining context D. 

  OID | Items 
  1   | A C D 
  2   | B C E 
  3   | A B C E 
  4   | B E 
  5   | A B C E 
  6   | B C E 

The closure operator γ of the Galois connection is the composition γ = φ ∘ ψ of 
the application φ, that associates with a set of objects O ⊆ 𝓞 the items common 
to all objects o ∈ O, and the application ψ, that associates with an itemset 
I ⊆ 𝓘 the objects related to all items i ∈ I (the objects "containing" I). 



Definition 1 (Frequent Itemsets). A set of items I ⊆ 𝓘 is called an itemset. 
The support of an itemset I is the percentage of objects in D containing I: 
support(I) = |ψ(I)| / |𝓞|. I is a frequent itemset if support(I) ≥ minsupport. 

Definition 2 (Association Rules). An association rule r is an implication 
between two frequent itemsets l1, l2 ⊆ 𝓘 of the form l1 → (l2 \ l1) where l1 ⊂ l2. 
The support and the confidence of r are defined as: support(r) = support(l2) 
and confidence(r) = support(l2) / support(l1). 

The closure operator γ = φ ∘ ψ associates with an itemset I the maximal set 
of items common to all the objects containing I, i.e. the intersection of these 
objects. Using this closure operator, we define the frequent closed itemsets that 
constitute a minimal non-redundant generating set for all frequent itemsets and 
their supports, and thus for all association rules, their supports and their 
confidences. This property comes from the facts that the support of a frequent 
itemset is equal to the support of its closure and that the maximal frequent 
itemsets are maximal frequent closed itemsets. 

Definition 3 (Frequent Closed Itemsets). A frequent itemset I ⊆ 𝓘 is a 
frequent closed itemset iff γ(I) = I. The smallest (minimal) closed itemset 
containing an itemset I is γ(I), i.e. the closure of I. 




976 Yves Bastide et al. 



In order to extract the frequent closed itemsets, the Close and the A-Close 
algorithms perform a breadth-first search for the generators of the frequent 
closed itemsets in a levelwise manner. 

Definition 4 (Generators). An itemset g ⊆ 𝓘 is a (minimal) generator of a 
closed itemset l iff γ(g) = l and ∄ g' ⊂ g such that γ(g') = l. A generator of 
cardinality k is called a k-generator. 

2.1 Extracting Frequent Closed Itemsets and their Generators with 
the Close Algorithm 

The Close algorithm is an iterative algorithm for the extraction of all frequent 
closed itemsets. It traverses the generators of the frequent closed itemsets in a 
levelwise manner. During the k-th iteration of the algorithm, a set FCC_k of 
candidates is considered. Each element of this set consists of three fields: a 
candidate k-generator, its closure (which is a candidate closed itemset), and 
their support (the supports of the generator and of its closure being identical). 
At the end of the k-th iteration, the algorithm stores a set FC_k containing the 
frequent k-generators, their closures, which are frequent closed itemsets, and 
their supports. 

The algorithm starts by initializing the set FCC_1 of the candidate 1-generators 
with the list of the 1-itemsets of the context and then carries out some 
iterations. During each iteration k: 

1. The closures of all k-generators and their supports are computed. This 
computation is based on the property that the closure of an itemset is equal to 
the intersection of all the objects in the context containing it. The number of 
these objects provides the support of the generator. Only one scan of the context 
is thus necessary to determine the closures and the supports of all the 
k-generators. 

2. All frequent k-generators, whose support is greater than or equal to 
minsupport, their closures and their supports are inserted in the set FC_k of 
frequent closed itemsets identified during iteration k. 

3. The set of candidate (k+1)-generators (used during the following iteration) 
is constructed by joining the frequent k-generators in the set FC_k as follows. 

(a) The candidate (k+1)-generators are created by joining the k-generators in 
FC_k that have the same k−1 first items. For instance, the 3-generators {ABC} 
and {ABD} will be joined in order to create the candidate 4-generator {ABCD}. 

(b) The candidate (k+1)-generators that are known to be either infrequent or 
non-minimal, because one of their subsets is either infrequent or non-minimal, 
are then removed. These generators are identified by the absence of at least one 
of their subsets of size k among the frequent k-generators of FC_k. 

(c) A third phase removes, among the remaining generators, those whose closures 
were already computed. Such a (k+1)-generator g is easily identified since it is 
included in the closure of a frequent k-generator g' in FC_k: g' ⊂ g ⊆ γ(g') 
(i.e. it is not a minimal generator). 

The algorithm stops when no new candidate generator can be created. The A-Close 
algorithm, developed in order to improve the efficiency of the extraction in the 
case of slightly correlated data, does not compute the closures of the candidate 
generators during the iterations, but during an ultimate scan carried out after 
the end of these iterations. 



Example 3. Figure 1 shows the execution of the Close algorithm on the context D 
for a minimal support threshold of 2/6. The algorithm carries out two iterations, 
and thus two dataset scans. 

Fig. 1. Extracting frequent closed itemsets from D with Close for 
minsupport = 2/6. 

FCC_1 (scan) → FC_1; the candidate {D}, of support 1/6, is infrequent and 
discarded: 

  Generator | Closed itemset | Support 
  {A}       | {AC}           | 3/6 
  {B}       | {BE}           | 5/6 
  {C}       | {C}            | 5/6 
  {E}       | {BE}           | 5/6 

FCC_2 (scan) → FC_2; the candidates {AC} ⊆ γ({A}) and {BE} ⊆ γ({B}) are 
suppressed before the scan, their closures being already known: 

  Generator | Closed itemset | Support 
  {AB}      | {ABCE}         | 2/6 
  {AE}      | {ABCE}         | 2/6 
  {BC}      | {BCE}          | 4/6 
  {CE}      | {BCE}          | 4/6 



Experimental results showed that these algorithms are particularly efficient for 
mining association rules from dense or correlated data that represent an impor- 
tant part of real life databases. 
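The levelwise procedure of Section 2.1, as an added Python example written for this page (it is not the authors' Close implementation, whose source the paper does not give). It runs on the context D of Table 1 with minsupport = 2/6 and reproduces the two iterations of Fig. 1: FC_1 = {A→AC, B→BE, C→C, E→BE} and FC_2 = {AB→ABCE, AE→ABCE, BC→BCE, CE→BCE}. The names `CONTEXT`, `closure_and_support`, `close`, `frequent_closed_itemsets` and `support_without_scan` are mine; itemsets are frozensets and the context is a dict OID → set of items. The last function illustrates the generating-set property stated before Definition 3: the support of any frequent itemset is read off its closure, with no further scan of the context.

```python
from itertools import combinations

# Data mining context D of Table 1 (constructed from the page): OID -> items.
CONTEXT = {
    1: {"A", "C", "D"},
    2: {"B", "C", "E"},
    3: {"A", "B", "C", "E"},
    4: {"B", "E"},
    5: {"A", "B", "C", "E"},
    6: {"B", "C", "E"},
}


def closure_and_support(itemset, context):
    """gamma(itemset): intersection of all objects containing itemset.
    The number of those objects over |O| is the support, which is the same
    for the itemset and for its closure."""
    objects = [frozenset(items) for items in context.values() if itemset <= items]
    if not objects:
        return frozenset(), 0.0
    return frozenset.intersection(*objects), len(objects) / len(context)


def close(context, minsupport):
    """Levelwise Close. Returns [FC_1, FC_2, ...]; each FC_k maps a frequent
    k-generator to (closure, support)."""
    items = sorted(set().union(*context.values()))
    candidates = [frozenset([i]) for i in items]       # FCC_1: all 1-itemsets
    fc, k = [], 1
    while candidates:
        # Steps 1 and 2: a single scan gives the closure and the support of
        # every candidate k-generator; only the frequent ones enter FC_k.
        fck = {}
        for g in candidates:
            closed, sup = closure_and_support(g, context)
            if sup >= minsupport:
                fck[g] = (closed, sup)
        if not fck:
            break
        fc.append(fck)
        # Step 3: candidate (k+1)-generators for the next iteration.
        nxt = set()
        for g1, g2 in combinations(sorted(fck, key=sorted), 2):
            if sorted(g1)[:-1] != sorted(g2)[:-1]:       # (a) same k-1 first items
                continue
            cand = g1 | g2
            subsets = [frozenset(s) for s in combinations(sorted(cand), k)]
            if any(s not in fck for s in subsets):       # (b) a k-subset is not a frequent generator
                continue
            if any(cand <= fck[s][0] for s in subsets):  # (c) closure already known: not minimal
                continue
            nxt.add(cand)
        candidates = sorted(nxt, key=sorted)
        k += 1
    return fc


def frequent_closed_itemsets(fc):
    """Distinct frequent closed itemsets -> (support, list of their generators)."""
    closed = {}
    for fck in fc:
        for g, (c, sup) in fck.items():
            closed.setdefault(c, (sup, []))[1].append(g)
    return closed


def support_without_scan(itemset, closed):
    """Support of any frequent itemset taken from the closed ones only: it is
    the support of its closure, i.e. of its smallest closed superset, which is
    the closed superset of largest support. 0.0 when the itemset is infrequent."""
    return max((sup for c, (sup, _) in closed.items() if itemset <= c), default=0.0)


if __name__ == "__main__":
    fc = close(CONTEXT, 2 / 6)
    for level, fck in enumerate(fc, start=1):
        print(f"FC_{level}:")
        for g, (c, sup) in fck.items():
            print(f"  {''.join(sorted(g))} -> {''.join(sorted(c))}  support {sup:.3f}")
    print("frequent closed itemsets:", len(frequent_closed_itemsets(fc)))
```

Step (c) is what distinguishes Close from a plain Apriori candidate generation: {AC} and {BE} are never scanned at level 2 because they sit inside closures computed at level 1, and the candidate {ABE} is dropped at step (b) because its subset {BE} is not a frequent generator. The pruning is sound only because closures and supports are computed on the generators, never on arbitrary frequent itemsets.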

3 Minimal Non-redundant Association Rules 

As pointed out in Example 1, it is desirable that only the non-redundant 
association rules with minimal antecedent and maximal consequent, i.e. the most 
useful and relevant rules, are extracted and presented to the user. Such rules 
are called minimal non-redundant association rules. 

Support and confidence indicate the range and the precision of the rule, and thus 
must be taken into account for characterizing the redundant association rules. In 
previous works concerning the reduction of redundant implication rules (functional 
dependencies), such as the definition of the canonical cover, the notion of 
non-redundancy considered is related to the inference system using Armstrong 
axioms. This notion is not to be confused with the notion of non-redundancy we 
consider here. To our knowledge, such an inference system for association rules, 
that takes into account the supports and confidences of the rules, does not exist. 
The principle of minimal non-redundant association rules as defined hereafter is 
to identify the most informative association rules, considering the fact that in 
practice the user cannot infer all other valid rules from the extracted rules 
while visualizing them. 

An association rule is redundant if it conveys the same information, or less 
general information, than the information conveyed by another rule of the same 
usefulness and the same relevance. An association rule r is non-redundant and 
minimal if there is no other association rule r' having the same support and the 
same confidence, of which the antecedent is a subset of the antecedent of r and 
the consequent is a superset of the consequent of r. 

Definition 5 (Minimal Non-redundant Association Rules). An association rule 
r : l1 → l2 is a minimal non-redundant association rule iff there does not 
exist an association rule r' : l1' → l2', r' ≠ r, with support(r) = support(r'), 
confidence(r) = confidence(r'), l1' ⊆ l1 and l2 ⊆ l2'. 

Based on this definition, we characterize the generic basis for exact association 
rules and the informative basis for approximate association rules, constituted of 
the minimal non-redundant exact and approximate association rules respectively. 

3.1 Generic Basis for Exact Association Rules 

The exact association rules, of the form r : l1 ⇒ (l2 \ l1), are rules between 
two frequent itemsets l1 and l2 whose closures are identical: γ(l1) = γ(l2). 
Indeed, for l1 ⊂ l2 with γ(l1) = γ(l2) we have support(l1) = support(γ(l1)) = 
support(γ(l2)) = support(l2), and thus confidence(r) = 1. Since the maximal 
itemset among the itemsets having this closure (and thus the same support) is 
the itemset γ(l2), all supersets of l1 that are subsets of γ(l2) have the same 
support, and the rules between two of these itemsets are exact rules. 

Let G_γ(l2) be the set of generators of the frequent closed itemset γ(l2). By 
definition, the minimal itemsets among the subsets of γ(l2) having the same 
support as γ(l2) are the generators g ∈ G_γ(l2). We thus conclude that the rules 
of the form g ⇒ (γ(l2) \ g) between generators g ∈ G_γ(l2) and the frequent 
closed itemset γ(l2) are the rules with minimal antecedents and maximal 
consequents among the exact rules between subsets of γ(l2). The generalization 
of this property to the set of frequent closed itemsets defines the generic basis 
consisting of all non-redundant exact association rules with minimal antecedents 
and maximal consequents, as characterized in Definition 6. 

Definition 6 (Generic Basis for Exact Association Rules). Let FC be the set of 
frequent closed itemsets extracted from the context and, for each frequent 
closed itemset f, let G_f denote the set of generators of f. The generic basis 
for exact association rules is: 

GB = {r : g ⇒ (f \ g) | f ∈ FC ∧ g ∈ G_f ∧ g ≠ f}. 

The condition g ≠ f ensures that rules of the form g ⇒ ∅, which are 
non-informative, are discarded. The following proposition states that the generic 
basis does not lead to any loss of information. 
Proposition 1. (i) All valid exact association rules, their supports and their 
confidences (that are equal to 100%) can be deduced from the rules of the generic 
basis and their supports. (ii) The generic basis for exact association rules 
contains only minimal non-redundant rules. 

Proof. Let r : l1 ⇒ (l2 \ l1) be a valid exact association rule between two 
frequent itemsets with l1 ⊂ l2. Since confidence(r) = 100% we have 
support(l1) = support(l2). Given the property that the support of an itemset is 
equal to the support of its closure, we deduce that support(γ(l1)) = 
support(γ(l2)), and since γ(l1) ⊆ γ(l2), that γ(l1) = γ(l2) = f. The itemset f 
is a frequent closed itemset, f ∈ FC, and since l1 has closure f there exists a 
rule r' : g ⇒ (f \ g) ∈ GB such that g is a generator of f with g ⊆ l1 and 
g ⊂ l2. We show that the rule r and its support can be deduced from the rule r' 
and its support. Since g ⊆ l1 ⊂ l2 ⊆ f, the rule r can be derived from the rule 
r'. From γ(l1) = γ(l2) = f, we deduce that support(r) = support(l2) = 
support(γ(l2)) = support(f) = support(r'). □ 



Algorithm for Constructing the Generic Basis 

The pseudo-code of the Gen-GB algorithm for constructing the generic basis for 
exact association rules using the frequent closed itemsets and their generators 
is presented in Algorithm 1. Each element of a set FC_k consists of three 
fields: generator, closure and support. 

Algorithm 1 Constructing the generic basis with Gen-GB. 

Input: sets FC_k of k-groups of frequent k-generators; 
Output: set GB of exact association rules of the generic basis; 

1) GB ← {}; 
2) forall set FC_k ∈ FC do begin 
3)   forall k-generator g ∈ FC_k such that g ≠ γ(g) do begin 
4)     GB ← GB ∪ {(r : g ⇒ (γ(g) \ g), γ(g).support)}; 
5)   end 
6) end 
7) return GB; 

The algorithm starts by initializing the set GB with the empty set (step 1). 
Each set FC_k of frequent k-groups is then examined successively (steps 2 to 6). 
For each k-generator g ∈ FC_k of the frequent closed itemset γ(g) for which g is 
different from its closure γ(g) (steps 3 to 5), the rule r : g ⇒ (γ(g) \ g), 
whose support is equal to the support of g and γ(g), is inserted into GB 
(step 4). The algorithm finally returns the set GB containing all minimal 
non-redundant exact association rules between generators and their closures 
(step 7). 

Example 4. The generic basis for exact association rules extracted from the 
context D for a minimal support threshold of 2/6 is presented in Table 2. It 
contains seven rules, whereas fourteen exact association rules are valid on the 
whole. 

Table 2. Generic basis for exact association rules extracted from D for 
minsupport = 2/6. 

  Generator | Closure | Exact rule            | Support 
  {A}       | {AC}    | A ⇒ C                 | 3/6 
  {B}       | {BE}    | B ⇒ E                 | 5/6 
  {C}       | {C}     | (g = γ(g): no rule)   | 
  {E}       | {BE}    | E ⇒ B                 | 5/6 
  {AB}      | {ABCE}  | AB ⇒ CE               | 2/6 
  {AE}      | {ABCE}  | AE ⇒ BC               | 2/6 
  {BC}      | {BCE}   | BC ⇒ E                | 4/6 
  {CE}      | {BCE}   | CE ⇒ B                | 4/6 

3.2 Informative Basis for Approximate Association Rules 

Each approximate association rule l1 → (l2 \ l1) is a rule between two frequent 
itemsets l1 and l2 such that the closure of l1 is a proper subset of the closure 
of l2: γ(l1) ⊂ γ(l2). The non-redundant approximate association rules with 
minimal antecedent l1 and maximal consequent (l2 \ l1) are deduced from this 
characterisation. 

Let f1 be the frequent closed itemset which is the closure of l1 and g1 a 
generator of f1 such that g1 ⊆ l1 ⊆ f1. Let f2 be the frequent closed itemset 
which is the closure of l2 and g2 a generator of f2 such that g2 ⊆ l2 ⊆ f2. The 
rule g1 → (f2 \ g1) between the generator g1 and the frequent closed itemset f2 
is the minimal non-redundant rule among the rules between an itemset of the 
interval [g1, f1] and an itemset of the interval [g2, f2]. Indeed, the generator 
g1 is a minimal itemset whose closure is f1, which means that the antecedent g1 
is minimal, and the consequent (f2 \ g1) is maximal since f2 is the maximal 
itemset of the interval [g2, f2]. The generalization of this property to the set 
of all rules between two itemsets l1 and l2 defines the informative basis, which 
thus consists of all the non-redundant approximate association rules with 
minimal antecedents and maximal consequents, characterized in Definition 7. 



Definition 7 (Informative Basis for Approximate Association Rules). 
Let FC be the set of frequent closed itemsets and let G denote the set of their 
generators extracted from the context. The informative basis for approximate 
association rules is: 

IB = {r : g → (f \ g) | f ∈ FC ∧ g ∈ G ∧ γ(g) ⊂ f}. 



Proposition 2. (i) All valid approximate association rules, their supports and 
confidences, can be deduced from the rules of the informative basis, their 
supports and their confidences. (ii) All rules in the informative basis are 
minimal non-redundant approximate association rules. 

Proof. Let r : l1 → (l2 \ l1) be a valid approximate association rule between 
two frequent itemsets with l1 ⊂ l2. Since confidence(r) < 1 we have 
support(l1) ≠ support(l2), and thus γ(l1) ⊂ γ(l2). For the frequent itemsets l1 
and l2, there is a generator g1 such that g1 ⊆ l1 ⊆ γ(l1) = γ(g1) and a 
generator g2 such that g2 ⊆ l2 ⊆ γ(l2) = γ(g2). Since γ(g1) = γ(l1) ⊂ γ(l2) = 
γ(g2), the rule r' : g1 → (γ(g2) \ g1) belongs to the informative basis IB. We 
show that the rule r, its support and its confidence can be deduced from the rule 
r', its support and its confidence. 

The interval [g1, γ(g1)] contains all the supersets of g1 that are subsets of 
γ(g1). Since g1 ⊆ l1 ⊆ γ(g1) and g2 ⊆ l2 ⊆ γ(g2), the antecedent l1 lies in the 
interval [g1, γ(g1)] and the consequent is determined by an itemset l2 of the 
interval [g2, γ(g2)], so that the antecedent and the consequent of r can be 
rebuilt starting from the rule r'. Moreover, we have γ(l2) = γ(g2) and thus 
support(r) = support(l2) = support(γ(g2)) = support(r'). Since g1 ⊆ l1 ⊆ γ(g1), 
we have support(g1) = support(l1) and we thus deduce that: 
confidence(r) = support(l2) / support(l1) = support(γ(g2)) / support(g1) = 
confidence(r'). □ 

From the definition of the informative basis we deduce the definition of the 
transitive reduction of the informative basis, which is itself a basis for all 
approximate association rules. We note l1 < l2 if the itemset l1 is an immediate 
predecessor of the itemset l2 among the frequent closed itemsets, i.e. l1 ⊂ l2 
and ∄ l3 ∈ FC such that l1 ⊂ l3 ⊂ l2. The transitive rules of the informative 
basis are of the form r : g → (f \ g) for a frequent closed itemset f and a 
frequent generator g such that γ(g) ⊂ f and γ(g) is not an immediate predecessor 
of f in FC: γ(g) ≮ f. The transitive reduction of the informative basis thus 
contains the rules of the form r : g → (f \ g) for a frequent closed itemset f 
and a frequent generator g such that γ(g) < f. 

Definition 8 (Transitive Reduction of the Informative Basis). Let FC be the set 
of frequent closed itemsets and let G denote the set of their generators 
extracted from the context. The transitive reduction of the informative basis 
for approximate association rules is: 

RI = {r : g → (f \ g) | f ∈ FC ∧ g ∈ G ∧ γ(g) < f}. 

Obviously, it is possible to deduce all the association rules of the informative 
basis with their supports and their confidences, and thus all the valid 
approximate rules, from the rules of this transitive reduction, their supports 
and their confidences. This reduction makes it possible to decrease the number of 
approximate rules extracted while preserving the rules whose confidences are the 
highest (since the transitive rules have confidences lower than the 
non-transitive rules, by construction) without losing any information. 



Constructing the Transitive Reduction of the Informative Basis 

The pseudo-code of the Gen-RI algorithm for constructing the transitive 
reduction of the informative basis for approximate association rules, using the 
set of frequent closed itemsets and their generators, is presented in 
Algorithm 2. Each element of a set FC_k consists of three fields: generator, 
closure and support. The algorithm constructs for each generator g considered a 
set Succ_g containing the frequent closed itemsets that are immediate successors 
of the closure of g. We denote μ the size of the longest maximal frequent closed 
itemset. 

The algorithm starts by initializing the set RI with the empty set (step 1). 
Each set FC_k of frequent k-groups is then examined successively in increasing 
order of the values of k (steps 2 to 19). For each k-generator g ∈ FC_k of the 
frequent closed itemset γ(g) (steps 3 to 18), the set Succ_g of the immediate 
successors of the closure γ(g) is initialized with the empty set (step 4) and 
the sets S_j of frequent closed j-itemsets that are supersets of γ(g), for 
|γ(g)| < j ≤ μ, are constructed (steps 5 to 7). The sets S_j are then considered 
in ascending order of the values of j (steps 8 to 17). For each itemset f ∈ S_j 
that is not a superset of an immediate successor of γ(g) already in Succ_g 
(step 10), f is inserted in Succ_g (step 11) and the confidence of the rule 
r : g → (f \ g) is computed (step 12). If the confidence of r is greater than or 
equal to the minimal confidence threshold minconfidence, the rule r is inserted 
in RI (steps 13 to 15). When all the generators of size lower than μ have been 
considered, the algorithm returns the set RI (step 20). 

Algorithm 2 Generating the transitive reduction of the informative basis with 
Gen-RI. 

Input: sets FC_k of k-groups of frequent k-generators; minconfidence threshold; 
Output: transitive reduction of the informative basis RI; 

 1) RI ← {}; 
 2) for (k ← 1; k < μ; k++) do begin 
 3)   forall k-generator g ∈ FC_k do begin 
 4)     Succ_g ← {}; 
 5)     for (j ← |γ(g)| + 1; j ≤ μ; j++) do begin 
 6)       S_j ← {f ∈ FC | f ⊃ γ(g) ∧ |f| = j}; 
 7)     end 
 8)     for (j ← |γ(g)| + 1; j ≤ μ; j++) do begin 
 9)       forall frequent closed itemset f ∈ S_j do begin 
10)         if (∄ s ∈ Succ_g | s ⊂ f) then do begin 
11)           Succ_g ← Succ_g ∪ {f}; 
12)           r.confidence ← f.support / g.support; 
13)           if (r.confidence ≥ minconfidence) 
14)           then RI ← RI ∪ {(r : g → (f \ g), r.confidence, f.support)}; 
15)           endif 
16)         end 
17)       end 
18)     end 
19)   end 
20) return RI; 
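Gen-GB (Algorithm 1) and Gen-RI (Algorithm 2), together with the derivation of every valid rule from the closed itemsets alone that Propositions 1 and 2 promise, as an added Python example written for this page (not the authors' code). Its input is the table of frequent generators, closures and supports that Close produces on the context D for minsupport = 2/6 (Fig. 1, Table 2), typed in directly; supports are `Fraction`s so that the "same support" tests of Definitions 5 to 8 are exact rather than floating-point. The function names `gen_gb`, `informative_basis`, `gen_ri`, `all_frequent_itemsets` and `all_valid_rules` are mine. On this input the code yields the 7 rules of Table 2, the 10 rules of the informative basis, the 7 rules of Table 3 (minconfidence = 3/6), and regenerates the 14 exact and 36 approximate rules counted in Examples 4 and 5.

```python
from fractions import Fraction
from itertools import combinations

# Frequent generators of context D for minsupport = 2/6 with their closures and
# supports, as produced by Close (Fig. 1, Table 2). Constructed from the page.
FC = [(frozenset(g), frozenset(c), Fraction(n, 6)) for g, c, n in [
    ("A", "AC", 3), ("B", "BE", 5), ("C", "C", 5), ("E", "BE", 5),
    ("AB", "ABCE", 2), ("AE", "ABCE", 2), ("BC", "BCE", 4), ("CE", "BCE", 4),
]]
CLOSED = {c: sup for _, c, sup in FC}       # frequent closed itemsets -> support


def gen_gb(fc):
    """Gen-GB (Algorithm 1): one exact rule g => gamma(g) \\ g per generator g
    that differs from its closure. Tuples are (antecedent, consequent, support)."""
    return {(g, c - g, sup) for g, c, sup in fc if g != c}


def informative_basis(fc, closed, minconfidence=Fraction(0)):
    """Definition 7: g -> f \\ g for every frequent closed f strictly containing
    gamma(g). Tuples are (antecedent, consequent, support, confidence)."""
    ib = set()
    for g, c, sup in fc:
        for f, fsup in closed.items():
            if c < f and fsup / sup >= minconfidence:
                ib.add((g, f - g, fsup, fsup / sup))
    return ib


def gen_ri(fc, closed, minconfidence):
    """Gen-RI (Algorithm 2): keep only the rules whose closure gamma(g) is an
    immediate predecessor of f among the frequent closed itemsets. Scanning the
    closed supersets of gamma(g) by increasing size (the sets S_j) and skipping
    any f above an already accepted successor (Succ_g) drops the transitive rules."""
    ri = set()
    for g, c, sup in fc:
        succ = []                                           # Succ_g
        for f in sorted((f for f in closed if c < f), key=len):
            if any(s < f for s in succ):                    # gamma(g) < s < f: transitive
                continue
            succ.append(f)
            confidence = closed[f] / sup
            if confidence >= minconfidence:
                ri.add((g, f - g, closed[f], confidence))
    return ri


def all_frequent_itemsets(closed):
    """Every frequent itemset is a subset of a frequent closed itemset, and its
    support is that of its closure, i.e. the largest support among its closed
    supersets. No access to the dataset is needed."""
    freq = {}
    for c in closed:
        for k in range(1, len(c) + 1):
            for sub in combinations(sorted(c), k):
                lset = frozenset(sub)
                freq[lset] = max(s for f, s in closed.items() if lset <= f)
    return freq


def all_valid_rules(closed):
    """Propositions 1 and 2: regenerate every valid rule l1 -> l2 \\ l1 with its
    support and confidence from the closed itemsets. Returns (exact, approximate)."""
    freq = all_frequent_itemsets(closed)
    exact, approx = set(), set()
    for l2, s2 in freq.items():
        for k in range(1, len(l2)):
            for sub in combinations(sorted(l2), k):
                l1 = frozenset(sub)
                rule = (l1, l2 - l1, s2, s2 / freq[l1])
                (exact if s2 == freq[l1] else approx).add(rule)
    return exact, approx


def show(rule, arrow):
    """Render a rule tuple as 'AB => CE' or 'A -> BCE'."""
    return f"{''.join(sorted(rule[0]))} {arrow} {''.join(sorted(rule[1]))}"


if __name__ == "__main__":
    print("GB:", sorted(show(r, "=>") for r in gen_gb(FC)))
    print("IB:", sorted(show(r, "->") for r in informative_basis(FC, CLOSED)))
    print("RI:", sorted(show(r, "->") for r in gen_ri(FC, CLOSED, Fraction(3, 6))))
    exact, approx = all_valid_rules(CLOSED)
    print(len(exact), "exact and", len(approx), "approximate rules are valid")
```

`informative_basis` is called without a confidence threshold above so that its size matches the ten rules quoted in Example 5; the three rules it contains that `gen_ri` discards (C → ABE, B → ACE, E → ABC) are exactly the transitive ones, each of confidence 2/5, which is why none of them would survive minconfidence = 3/6 either. The immediate-predecessor test in `gen_ri` is sound only because closed supersets are visited by increasing size: any closed f that contains an accepted successor s of γ(g) was reached through s, so g → (f \ g) is transitive.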



Example 5. The transitive reduction of the informative basis for approximate 
association rules extracted from the context D for a minimal support threshold 
of 2/6 and a minimal confidence threshold of 3/6 is presented in Table 3. It 
contains seven rules, versus ten rules in the informative basis, whereas 
thirty-six approximate association rules are valid on the whole. 

Table 3. Transitive reduction of the informative basis for approximate 
association rules extracted from D for minsupport = 2/6 and minconfidence = 3/6. 
Closed supersets that are not immediate successors of the closure give only 
transitive rules, which are not generated (empty rule cells). 

  Generator | Closure | Closed superset | Approximate rule | Support | Confidence 
  {A}       | {AC}    | {ABCE}          | A → BCE          | 2/6     | 2/3 
  {B}       | {BE}    | {BCE}           | B → CE           | 4/6     | 4/5 
  {B}       | {BE}    | {ABCE}          |                  |         | 
  {C}       | {C}     | {AC}            | C → A            | 3/6     | 3/5 
  {C}       | {C}     | {BCE}           | C → BE           | 4/6     | 4/5 
  {C}       | {C}     | {ABCE}          |                  |         | 
  {E}       | {BE}    | {BCE}           | E → BC           | 4/6     | 4/5 
  {E}       | {BE}    | {ABCE}          |                  |         | 
  {AB}      | {ABCE}  |                 |                  |         | 
  {AE}      | {ABCE}  |                 |                  |         | 
  {BC}      | {BCE}   | {ABCE}          | BC → AE          | 2/6     | 2/4 
  {CE}      | {BCE}   | {ABCE}          | CE → AB          | 2/6     | 2/4 

4 Experimental Results 

We used the four following datasets during these experiments: 

— T20I6D100K, made up of synthetic data built according to the properties 
of sales data (see http://www.almaden.ibm.com/cs/quest/syndata.html), which 
contains 100,000 objects with an average size of 20 items and an average size 
of the potential maximal frequent itemsets of six items. 

— Mushrooms, which consists of 8,416 objects of an average size of 23 attributes 
(23 items per object and 127 items on the whole) describing characteristics of 
mushrooms. 

— C20D10K and C73D10K, which are samples of the file Public Use Microdata 
Samples containing data of the census of Kansas carried out in 1990. They 
consist of 10,000 objects corresponding to the first 10,000 listed people, each 
object containing 20 attributes (20 items per object and 386 items on the whole) 
for C20D10K and 73 attributes (73 items per object and 2,178 items on the whole) 
for C73D10K. 



Execution times (not presented here) of the generation of the bases, as of the 
generation of all valid association rules, are negligible compared to the 
execution times of the frequent (closed) itemset extraction. 

Number of Exact Association Rules Extracted. The total number of valid exact 
association rules and the number of rules in the generic basis are presented in 
Table 4. No exact association rule is extracted from T10I4D100K as, for this 
support threshold, all the frequent itemsets are frequent closed itemsets: they 
all have different supports and are thus themselves their unique generator. 
Consequently, there exists no rule of the form l1 ⇒ (l2 \ l1) between two 
frequent itemsets whose closures are identical, γ(l1) = γ(l2), which are the 
valid exact association rules. 

Table 4. Number of exact association rules extracted. 

  Dataset    | Minsupport | Exact rules | Generic basis 
  T10I4D100K | 0.5%       | 0           | 0 
  Mushrooms  | 30%        | 7,476       | 543 
  C20D10K    | 50%        | 2,277       | 457 
  C73D10K    | 90%        | 52,035      | 1,369 

Census data: ftp://ftp2.cc.ukans.edu/pub/ippbr/census/pums/pums90ks.zip 
For the three other datasets, made up of dense and correlated data, the total 
number of valid exact rules varies from more than 2,000 to more than 52,000, 
which is considerable and makes it difficult to discover interesting 
relationships. The generic basis represents a significant reduction of the 
number of extracted rules (by a factor of about 5 to 38 according to Table 4), 
and since it does not represent any loss of information, it brings knowledge 
that is complete, relevant and easily usable from the point of view of the user. 

Number of Approximate Association Rules Extracted. The total number of valid 
approximate association rules and the number of rules in the transitive 
reduction of the informative basis are presented in Table 5. The total number 
of valid approximate association rules is very significant for the four 
datasets, since it varies from almost 20,000 rules for T20I6D100K to more than 
2,000,000 rules for C73D10K. It is thus essential to reduce the set of extracted 
rules in order to make it usable by the user. For T20I6D100K, this basis 
represents a division by a factor of approximately 5 of the number of extracted 
approximate rules. For Mushrooms, C20D10K and C73D10K, the total number of 
valid approximate association rules is much larger than for the synthetic data, 
since these data are dense and correlated and thus the number of frequent 
itemsets is much higher; the number of valid approximate rules grows 
accordingly. The proportion of frequent closed itemsets among the frequent 
itemsets being small, the reduction of the informative basis for approximate 
rules makes it possible to reduce considerably (by a factor of about 30 to 360 
according to Table 5) the number of extracted rules. 

Table 5. Number of approximate association rules extracted. 

Dataset (Minsupport)   Minconfidence   Approximate rules   Informative basis reduction 
T10I4D100K (0.5%)      70%             20,419              4,004 
                       30%             22,952              4,519 
Mushrooms (30%)        70%             37,671              1,221 
                       30%             71,412              1,578 
C20D10K (50%)          70%             89,601              1,957 
                       30%             116,791             1,957 
C73D10K (90%)          90%             2,053,896           5,718 
                       80%             2,053,936           5,718 


Comparing rules in the generic basis and the reduction of the informative basis 
to all valid rules, we checked that these bases do not contain any redundant 
rules. Considering the example presented earlier concerning the nine 
approximate rules extracted from the dataset Mushrooms, only the 6th rule is 
generated among these nine rules in the bases. Indeed, the itemsets {free gills} and 
{free gills, eatable, partial veil, white veil} are two frequent closed itemsets of 
which the first is an immediate predecessor of the second, and they are the only 
frequent closed itemsets of the interval [0, {free gills, eatable, partial veil, white 
veil}]. Moreover, the frequent closed itemset {free gills} being itself its unique 
generator, rule 6 belongs to the transitive reduction of the informative basis: 
it is the minimal non-redundant rule among these nine rules. 
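The following Python block is an added illustration, not code from the paper and not the Close/A-Close implementations it evaluates: on a small constructed transaction set it computes the frequent closed itemsets and their generators by brute force, derives all valid exact rules next to the generic basis (one rule g → γ(g) \ g per generator), and all valid approximate rules next to the transitive reduction of the informative basis (g → c' \ g only for frequent closed c' that are immediate successors of γ(g), the criterion that keeps rule 6 of the Mushrooms example above). The transactions and the thresholds are assumptions of the example.

```python
from itertools import combinations

# Constructed transaction set (an assumption of this example, not one of the
# paper's datasets): five transactions over the items a..e.
TRANSACTIONS = [
    {"a", "c", "d"},
    {"b", "c", "e"},
    {"a", "b", "c", "e"},
    {"b", "e"},
    {"a", "b", "c", "e"},
]

def support(itemset, transactions=TRANSACTIONS):
    """Absolute support: number of transactions containing the itemset."""
    return sum(1 for t in transactions if itemset <= t)

def closure(itemset, transactions=TRANSACTIONS):
    """Galois closure gamma(l): items common to every transaction containing l."""
    covering = [frozenset(t) for t in transactions if itemset <= t]
    return frozenset.intersection(*covering) if covering else frozenset()

def frequent_itemsets(minsup, transactions=TRANSACTIONS):
    """Brute-force enumeration of all frequent itemsets (Close/A-Close do this
    efficiently; the toy size here permits testing every candidate)."""
    items = sorted(set().union(*transactions))
    return [frozenset(c) for k in range(1, len(items) + 1)
            for c in combinations(items, k)
            if support(frozenset(c), transactions) >= minsup]

def closed_and_generators(minsup, transactions=TRANSACTIONS):
    """Map each frequent closed itemset to its generators, i.e. the minimal
    frequent itemsets whose closure is that closed itemset."""
    by_closure = {}
    for l in frequent_itemsets(minsup, transactions):
        by_closure.setdefault(closure(l, transactions), []).append(l)
    return {c: [g for g in members if not any(h < g for h in members)]
            for c, members in by_closure.items()}

def exact_rules(minsup, transactions=TRANSACTIONS):
    """All valid exact rules l1 -> (l2 - l1) with confidence 1, versus the generic
    basis: one rule g -> (gamma(g) - g) per generator g that is not itself closed."""
    fis = frequent_itemsets(minsup, transactions)
    all_rules = {(l1, l2 - l1) for l2 in fis for l1 in fis
                 if l1 < l2 and support(l2, transactions) == support(l1, transactions)}
    generic = {(g, c - g) for c, gens in closed_and_generators(minsup, transactions).items()
               for g in gens if g != c}
    return all_rules, generic

def approximate_rules(minsup, minconf, transactions=TRANSACTIONS):
    """All valid approximate rules (minconf <= confidence < 1), versus the
    transitive reduction of the informative basis: g -> (c' - g) for each
    generator g and each frequent closed c' that is an immediate successor of
    gamma(g) in the closed-itemset lattice."""
    fis = frequent_itemsets(minsup, transactions)
    conf = lambda l1, l2: support(l2, transactions) / support(l1, transactions)
    all_rules = {(l1, l2 - l1) for l2 in fis for l1 in fis
                 if l1 < l2 and minconf <= conf(l1, l2) < 1}
    gens = closed_and_generators(minsup, transactions)
    closed = list(gens)

    def immediate_successors(c):
        above = [d for d in closed if c < d]
        return [d for d in above if not any(c < e < d for e in above)]

    basis = {(g, d - g) for c, gs in gens.items() for g in gs
             for d in immediate_successors(c) if conf(g, d) >= minconf}
    return all_rules, basis

def summary(minsup, minconf, transactions=TRANSACTIONS):
    """Counts in the shape of Tables 4 and 5: all valid rules versus basis size."""
    all_exact, generic = exact_rules(minsup, transactions)
    all_approx, informative = approximate_rules(minsup, minconf, transactions)
    return {"closed": len(closed_and_generators(minsup, transactions)),
            "exact": len(all_exact), "generic_basis": len(generic),
            "approximate": len(all_approx), "informative_reduction": len(informative)}

if __name__ == "__main__":
    print(summary(minsup=2, minconf=0.5))
```

With minsup = 2 and minconf = 0.5 the constructed data yields 14 valid exact rules against a generic basis of 7, and 36 valid approximate rules against a reduced informative basis of 7; both bases are subsets of the corresponding full rule sets, which is the non-redundancy check described above at toy scale.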



Frequent Closed Itemsets 985 



5 Conclusion 



Using the frequent closed itemsets and their generators extracted by the algo- 
rithms Close or A-Close, we define the generic basis for exact association rules 
and the transitive reduction of the informative basis for approximate association 
rules. The union of these bases provides a non-redundant generating set for all 
the valid association rules, their supports and their confidences. It contains the 
minimal non-redundant association rules (of minimal antecedent and maximal 
consequent) and does not represent any loss of information: from the point of 
view of the user, these rules are the most useful and the most relevant associa- 
tion rules. All the information conveyed by the set of valid association rules is 
also conveyed by the union of these two bases. Two algorithms for generating 
the generic basis and the transitive reduction of the informative basis using the 
frequent closed itemsets and their generators are also presented. These bases 
are also of strong interest for: 



— The visualization of the extracted rules, since the reduced number of rules in 
these bases, as well as the distinction between the exact and the approximate rules, 
facilitate the presentation of the rules to the user. Moreover, the absence 
of redundant rules in the bases and the generation of the minimal non-redundant 
rules are of significant interest from the point of view of the user. 

— The identification of the minimal non-redundant association rules among the 
set of valid association rules extracted, using the definition of the minimal 
non-redundant rules. It is thus possible to extend an existing implementation 
for extracting association rules or to integrate this method in the visualization 
system in order to present the minimal non-redundant association rules to the user. 

— The data analysis and the formal concept analysis, since the bases do not represent 
any loss of information compared to the set of valid implication rules and are 
constituted of the most useful and relevant rules. The definition of the minimal 
non-redundant rules being also valid within the framework of global and 
partial implication rules between binary sets of attributes, the definitions of 
the generic basis and of the informative basis are also valid for the global 
and partial implication rules respectively. 



Moreover, we think that this approach is complementary with approaches for 
selecting association rules to be visualized, such as templates and item constraints, 
that help the user manage the result. 

As pointed out above, up to now there does not exist any inference system 
with completeness and soundness properties for inferring association rules that 
takes into account supports and confidences of the rules. We think that the 
definition of such an inference system, equivalent to the Armstrong axioms for 
implications, constitutes an interesting perspective of future work. 
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Abstract. Database reformulation is the process of rewriting the data 
and rules of a deductive database in a functionally equivalent manner. 
We focus on the problem of automatically reformulating a database in a 
way that reduces query processing time while satisfying strong storage 
space constraints. 

In previous work we have investigated database reformulation for the case 
of unary databases. In this paper we extend this work to arbitrary arity, 
while concentrating on databases with conjunctive rules. The main result 
of the paper is that the database reformulation problem is decidable for 
conjunctive databases. 



1 Introduction 

In the life cycle of a database system, there are recurring problems whose solu- 
tion involves transformations of the database schema and/or queries defined on 
the schema. Prominent examples are database design, data model translation, 
schema (de)composition, view materialization, and multidatabase integration. 
Interestingly, nearly all these problems can be regarded as aspects of the same 
problem in a theoretical framework that we proceed to describe. 

Consider an abstract database transformation problem. Suppose the input to 
the problem comprises the schema and rules of a deductive database and a set of 
elementary queries which, together with some algebra, forms a query language 
on the database. Suppose the objective of database transformation is to build 
an “optimal” structure of the database with respect to the requirements and 
constraints that are also provided in the input. 

Generally, the transformations of the given database schema and rules need 
to be performed in such a way that the resulting database satisfies three condi- 
tions. First, it should be possible to extract from the transformed database, by 
means of the input query language, exactly the same information as from the 
original database. Second, the result should satisfy the input requirements, such 
as minimizing query processing costs. Finally, the result should satisfy the input 
constraints; one pervasive constraint is a guarantee of a (low) upper bound on 
the disk space for storing the transformed database. Notice that since the input 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 987-…, 2000. 
© Springer-Verlag Berlin Heidelberg 2000 
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does not include a specific database instance, all three conditions must hold for 
all instances of the input database and of the transformed database. 

We call this problem database reformulation and consider logic-based ap- 
proaches to its solution; a formal definition of the problem is the first contribu- 
tion of this paper. Database reformulation is the process of rewriting the data 
and rules of a deductive database in a functionally equivalent manner: it takes 
as input the schema and rules of a database and a characterization of a query 
language, and produces as output new schema and rules, as well as a rewriting of 
(all elementary queries of) the query language in terms of the schema and rules. 
Notice that database reformulation, unlike query optimization, rewrites multiple 
rules, thus amortizing over many queries. By specifying various input require- 
ments and constraints, the database reformulation problem translates into any 
of the database schema/query transformation problems mentioned above. 

We focus on database reformulations whose input requirement is to mini- 
mize the computational costs of processing the given elementary queries, under 
strong storage space constraints that guarantee no more than linear increase in 
database size. In this formulation, the database reformulation framework is most 
suitable for dealing with the problems of view materialization and multidatabase 
integration. 

This paper treats the base case where all rules in the reformulation input are 
conjunctive. We show that for such inputs, the database reformulation problem, 
in the narrow sense described above, is decidable: we describe an algorithm which 
outputs a solution if there exists at least one satisfactory reformulation of the 
input. This result is the second contribution of this paper. In previous work 
we have proposed a solution to the reformulation problem for unary databases; 
notice that the solution described in this paper works for deductive databases 
that contain relations of arbitrary arity. Our long-term objective is to extend 
research in database reformulation to deductive databases whose queries and 
views are formulated in progressively more general standard query languages 
(datalog and its extensions), as well as to databases with integrity constraints. 

In this extended abstract, all proofs have been omitted. The proof of the 
main result and additional examples can be found in the appendix. 



2 Preliminaries and Terminology 

Our representation of the domain includes a set of relations; the set of attributes 
for a relation is called a relation schema. A database schema, for a given database 
D, is a collection of relation schemas for all stored relations in D. 

A function-free Horn rule is an expression of the form 

p(X) :- p_1(Y), ..., p_n(Z), (1) 

where p and p_1, ..., p_n are relation names, and X, Y, ..., Z are tuples of 
variables and constants such that any variable appearing in X appears also in 
Y ∪ ... ∪ Z. 
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A conjunctive query (view) is a single non-recursive Horn rule. A conjunctive 
query (view) relation is the relation defined by a conjunctive query (view). 

Given a query q, a query q' is called a rewriting of q in terms of a set V of 
view relations if q and q' are equivalent and q' contains only literals of V, i.e., 
q' is defined in terms of V. If a query relation q_V is defined in terms of a set 
V, and if R_V is a set of definitions of view relations in V, an expansion q_V^{R_V} of 
q_V, in terms of R_V, is a query obtained by replacing, in the body of q_V, every 
occurrence of a view literal v_i (v_i ∈ V) by its body in R_V, with suitable variable 
renamings. 

In this paper we use the notion of a substitution, and in this respect generally 
follow the terminology of [ref]. The substitutions we consider are of the form 
{ v_1 ← t_1, ..., v_n ← t_n } where all v_i's are distinct variables, and each t_i is 
either a variable from among v_1, v_2, ..., v_n or a constant. 

A containment mapping from a query q_1 to a query q_2 is a mapping from 
the variables of q_1 into the variables of q_2, such that every literal in the body of 
q_1 is mapped to a literal in q_2, and the head of q_1 is mapped into the head of 
q_2. If both q_1 and q_2 are conjunctive and neither contains built-in predicates, the 
existence of a containment mapping from q_1 to q_2 is a necessary and sufficient 
condition for q_1 to contain q_2; this result is called the containment mapping 
theorem. 

A conjunctive query q' is a minimal equivalent to a conjunctive query q if it 
has as few subgoals as any query equivalent to q [ref]. Both minimization and 
equivalence of conjunctive queries are shown to be NP-complete in [ref]. 



3 Concept of Database Reformulation 

This section gives a definition and a formal specification of the database reformu- 
lation problem for the general case where rules are not necessarily conjunctive. 

Database reformulation is the process of rewriting the data and rules of a 
deductive database in a functionally equivalent manner; we use the word “re- 
formulation” both for the process and for its output. We focus on the problem 
of automatically reformulating a database in a way that reduces the processing 
time for a prespecified set of queries while satisfying strong storage space con- 
straints. The prespecified set of queries is the set of elementary queries in the 
input query language; see the Introduction for details. 

Let us describe the input and the output of the database reformulation process. 
Consider a set 𝒱 of relation names. Let S consist of schemas for some relation 
names in 𝒱; S is the input database schema. Let R_S be a set of definitions, 
in terms of S, for some relations whose names are in 𝒱; R_S is the set of rules in 
the input. Let Q be a set of names of all elementary query relations in the input, 
such that Q ⊆ 𝒱 and that R_S contains definitions of all relations in Q. 

Now, let V consist of schemas for some relation names in 𝒱; V is the output 
database schema, i.e., the set of schemas of new stored relations which are 
materialized in the process of database reformulation. Finally, let R_V be a set of 
views defined in terms of V; R_V is the set of rules in the output. 
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Definition 1. For a given triple (S, R_S, Q), a triple (V, R_V, Q) is a reformulation 
of (S, R_S, Q) if for each query relation in Q with a definition q_S in R_S, R_V 
contains a rewriting of q_S. 

Let D_S be an arbitrary database with schema S; let D_V be a database that 
consists of the tables for all and only those (materialized, starting from D_S) 
view relations in V that are used to define Q. For a fixed database schema S 
and for a fixed set of definitions of view relations in V in terms of S, consider all 
possible databases D_S and all corresponding databases D_V, with sizes (in bytes) 
|D_S| and |D_V| respectively. 

Definition 2. A reformulation (V, R_V, Q) of an input (S, R_S, Q) is linearly 
bounded with parameter t, where t is a positive constant, if for all pairs (D_S, D_V) 
the storage space |D_V| taken up by D_V is no more than linear in both |D_S| and t: 

|D_V| ≤ t · |D_S|. (2) 

One example of a linear bound is the no-growth bound; there, t = 1. The 
no-growth bound may be too restrictive for some applications. 



4 Views with Bounded Definition Length 

Our objective is to automate the database reformulation process for as general 
query languages as possible; in other words, we strive to design reformulation 
algorithms. To that end, it is first necessary to understand, for each class of 
query languages, whether the potentially infinite, for each input, search space 
of reformulations can be transformed in such a way that it becomes finite but 
still contains valuable reformulations. One way of making the search space of 
reformulations more tractable is to restrict the number of view relations that 
are used to generate rewritings of the input queries. 

In this paper we focus on reformulating, in terms of conjunctive views, de- 
ductive databases where all rules are conjunctive; in the remainder of the paper 
we will denote conjunctive queries (views) simply by “queries” (“views”). In 
the conjunctive case, one might be able to restrict the number of views under 
consideration by setting an upper bound on the number of subgoals in views. 
Suppose we could show that in any “good” rewriting of an arbitrary conjunctive 
input, all participating view relations can be defined by conjunctions of up to a 
fixed number of subgoals. If this hypothesis were true, the problem of finding all 
“good” reformulations of the given input would be reduced to the clearly feasible 
problem of enumerating and combining all “short” views, thereby yielding an 
enumeration procedure. Notice that we do not use the number of subgoals as a 
cost measure for executing the query. 

Consider a database schema S, a set V of view relations, and a set R_V of 
definitions of relations in V in terms of S. Consider a query q_S in terms of S and 
a query q_V in terms of V, with the corresponding expansion q_V^{R_V} in terms of R_V. 
For each view literal v_i in the body of q_V let us denote by r_i the body of v_i in 
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q_V^{R_V}. Suppose there is a containment mapping from q_V^{R_V} to q_S; such a mapping is 
called noninterleaving if no two r_i's in q_V^{R_V} map into the same subset of the body 
of q_S, and if the mapping preserves head variables of all the views involved. 

Theorem 1 (Restricted: New Definitions with Fewer Subgoals). If q_S 
is minimal, q_S and q_V are equivalent, and there is a noninterleaving containment 
mapping from q_V^{R_V} to q_S, then there exists a set R'_V of (alternative) definitions 
of the view relations in V, such that each definition in R'_V has no more subgoals 
than q_S. 

Informally, the theorem states that for each view used to define q_V, there 
exists a “short” definition of the view that has no more subgoals than the original 
query q_S; thus, in the setting of the theorem, one can apply the enumeration 
procedure described above to generate all views that can be used in any rewriting 
of the input query. 

Unfortunately, the result stated in Theorem 1 holds in an extremely limited 
setting and thus is not very useful. It would be desirable to make a similar claim 
for a more general case. Suppose we could show that if the queries q_S and q_V 
are equivalent then there exists a set R'_V of (alternative) definitions of the view 
relations in V, such that each definition in R'_V has no more subgoals than q_S. 
Notice that this formulation is similar to that of Theorem 1 except that we no 
longer require that q_S be minimal or that there exist a noninterleaving mapping 
from q_V^{R_V} to q_S. 

This conjecture, however desirable, is not true: removing the noninterleaving 
mapping requirement invalidates the claim. Consider a counterexample. 

Example 1. Consider a database schema S that consists of one binary relation 
schema s, and consider a query q_S: 

q_S(X, Y) :- s(X, Y), s(Y, X); (3) 

for a graphic depiction of q_S, see Figure 1. 

Consider a set V of two view relations v_1 and v_2 with the following definitions: 

v_1(X, Y) :- s(X, Y); (4) 

v_2(Y, X) :- s(Y, X), s(X, Z_1), s(Z_1, Z_2), ..., s(Z_{k-1}, Z_k); (5) 

let these definitions of v_1 and of v_2 form a set R_V; for a graphic depiction of the 
views see Figure 2. 



Fig. 1. Graphic depiction of the query for Example 1. 
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Fig. 2. Graphic depiction of the views for Example 1. 



It is easy to show that the query 

q_V(X, Y) :- v_1(X, Y), v_2(Y, X) (6) 

is equivalent to q_S. At the same time, it is not possible to construct a noninterleaving 
containment mapping from q_V^{R_V} (the expansion of q_V in terms of R_V) to 
q_S. 

The number of subgoals of v_2 can be made arbitrarily large by varying the 
parameter k; it is clear that neither v_1 nor v_2 is redundant in q_V, and therefore 
no upper bound — one that could be related to the length of q_S — can be 
established on the number of subgoals in the definition of v_2. 

This example allows us to formulate 

Theorem 2 (General: New Definitions with Fewer Subgoals). It is 
not true for all conjunctive queries q_S and all their rewritings q_V that each view 
used in q_V has an alternative (equivalent) definition which has no more subgoals 
than q_S. 

The failure of the conjecture formulated above makes one wonder whether it 
is possible at all to generalize the claim of Theorem 1. Fortunately, the answer 
is yes: a much more general result is described in the next section. 

5 Shorter Views Contained in Longer Views 

The main result of the previous section is that it is not possible to rewrite views 
in an arbitrary formulation of a query, in such a way that each view has no more 
subgoals than the query itself. However, in this section we show that it is possible 
to “reformulate” the conjunctive views in an arbitrary rewriting of an arbitrary 
conjunctive query. This reformulation process outputs views that, although not 
necessarily equivalent to the original views, constitute an equivalent rewriting 
of the query and, at the same time, have each no more subgoals than the query 
itself. Moreover, we show that if, in addition, the input query is linearly bounded 
with some parameter t (see Definition 2 in Section 3), then the reformulated query 
is also linearly bounded with the same parameter t. 
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Example 2. Recall S, q_S, V = { v_1, v_2 }, R_V, and q_V introduced in Example 1; 
we choose k = 2 for v_2, which will thus be defined as follows: 

v_2(Y, X) :- s(Y, X), s(X, Z_1), s(Z_1, Z_2). (7) 

We define a new view relation v'_1 (v'_2) by applying a substitution to the body 
of v_1 (v_2). For v'_1, consider the trivial substitution applied to the only subgoal 
s(X, Y) of v_1: 

v'_1(X, Y) :- s(X, Y). (8) 

For v'_2, consider a substitution { X ← X, Y ← Y, Z_1 ← Y, Z_2 ← X } 
applied to the body of v_2: 

v'_2(Y, X) :- s(Y, X), s(X, Y). (9) 

Notice that v'_2 is not equivalent to v_2. 

Now the query q_{V'}: 

q_{V'}(X, Y) :- v'_1(X, Y), v'_2(Y, X) (10) 

is equivalent to both q_S and q_V, since the expansion q_{V'}^{R_{V'}} of q_{V'} is isomorphic to 
the query q_S (after removing duplicate subgoals). It is easy to see that when 
{ v'_1, v'_2 } is the schema of the reformulated database (i.e., when both v'_1 and 
v'_2 are materialized), the query of interest is computed faster than in databases 
with schema S, as well as in databases with schema V. 



Table 1. Stored relation s and view relations v_2 and v'_2 in Example 2. 

Consider a database instance D with schema S. Suppose the data in the table 
for s, in that database instance D, is as in Table 1. Table 1 also shows the result 
of materializing view relations v_2 and v'_2 (both v_1 and v'_1 are the same as s). 
Notice that the size of the table for each v'_i is no larger than the size of the table 
for its corresponding v_i; this is also true for any other database instance with 
schema S, as will be explained shortly. Thus, if a reformulation that uses the 
rewriting q_V is linearly bounded with some parameter t, then the reformulation 
that uses the rewriting q_{V'} is also guaranteed to be linearly bounded with the 
same parameter t. 

Notice that v'_1 is not needed to compute q_{V'}, and thus the reformulation 
that contains only v'_2, in addition to improved computation time, satisfies the 
no-growth bound compared to the original (input) database schema. 
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In formulating our main result and the reformulation algorithm, we will use 
the notion of a unifiee of a query: 

Definition 3. Given a query q, a unifiee of q is a query q' such that the body 
of q' is the result of applying some substitution to some subset of the body of q. 

Consider, as usual, a database schema S and a set V of view relations defined 
in terms of S. Consider a query q_S defined in terms of S and a query q_V defined 
in terms of V. In this setting, the following main result holds. 

Theorem 3 (Main Result). If q_S and q_V are equivalent then, for each view 
literal v_i in q_V, there is a (not necessarily equivalent) view relation v'_i which is 
a unifiee of q_S, and a query q_{V'} obtained by replacing, in q_V, each v_i with its 
corresponding v'_i, is equivalent to q_V; 

in addition, if both v_i and v'_i are materialized in any database with schema S, 
then the size of the table for v'_i is no larger than the size of the table for its v_i. 

Informally, the theorem states that for any rewriting q_V of a query q_S we 
can always find an alternative rewriting q_{V'} with two special properties. First, 
q_{V'} is composed entirely of views with no more subgoals each than in q_S. The 
second property is that in q_{V'}, each v'_i is contained in its corresponding v_i (this 
becomes clear from the proof of the Theorem — see the appendix); therefore, 
when the view relations in both rewritings are materialized, the tables for the 
view relations that define q_{V'} always “fit in” the space required to store the 
tables for the view relations that define q_V. 

Consider again Example 2. By the main result, the table for each v'_i is no 
larger than the table for its corresponding v_i in any database instance with 
schema S. 

Notice that the theorem is true independently of whether the input query q_S 
is minimized. 
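As an added Python example (not the paper's code), the block below implements the Section 2 notions directly: a brute-force containment-mapping test, and hence the equivalence test that the reformulation algorithm of Section 6 relies on; expansion of a rewriting through its view definitions; the unifiee construction of Definition 3; and a small evaluator used to compare table sizes. It replays Example 1 with k = 2, the v'_2 of Example 2, and the size claim of Theorem 3 on a constructed instance of s. The encoding of queries as (head, body) pairs, the rule that uppercase strings are variables, and the fresh-name scheme used when expanding views are this example's own assumptions.

```python
from itertools import product

# Conjunctive query = (head, body): head is a tuple of terms, body a list of
# (predicate, args) atoms. Convention (this example's assumption): uppercase
# strings are variables, anything else is a constant.
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def variables(q):
    head, body = q
    terms = list(head) + [a for _, args in body for a in args]
    return list(dict.fromkeys(t for t in terms if is_var(t)))

def apply_subst(q, sub):
    head, body = q
    f = lambda t: sub.get(t, t)
    return (tuple(map(f, head)), [(p, tuple(map(f, args))) for p, args in body])

def containment_mapping(q1, q2):
    """Mapping h on vars(q1) with h(head1) = head2 and h(body1) within body2,
    or None. Brute force over all assignments, hence exponential in general."""
    head2, body2 = q2
    consts2 = [a for _, args in body2 for a in args if not is_var(a)]
    targets = list(dict.fromkeys(variables(q2) + consts2))
    vs, body2_set = variables(q1), set(body2)
    for choice in product(targets, repeat=len(vs)):
        h = dict(zip(vs, choice))
        h_head, h_body = apply_subst(q1, h)
        if h_head == head2 and all(atom in body2_set for atom in h_body):
            return h
    return None

def contains(q1, q2):  # containment mapping theorem: q1 contains q2 iff a mapping exists
    return containment_mapping(q1, q2) is not None

def equivalent(q1, q2):
    return contains(q1, q2) and contains(q2, q1)

def expand(qv, views):
    """Expansion q_V^{R_V}: replace each view literal by the view's body, with
    the view's local variables renamed apart for every occurrence."""
    head, body = qv
    out = []
    for i, (pred, args) in enumerate(body):
        if pred not in views:
            out.append((pred, args))
            continue
        sub = {v: f"{v}_{i}" for v in variables(views[pred])}  # fresh local names
        sub.update(zip(views[pred][0], args))                  # head vars -> literal args
        out.extend(apply_subst(views[pred], sub)[1])
    return (head, out)

def unifiee(q, sub, subset=None):
    """Definition 3: apply a substitution to (a subset of) the body of q;
    duplicate subgoals created by the substitution are dropped."""
    head, body = q
    chosen = body if subset is None else [body[i] for i in subset]
    h, b = apply_subst((head, chosen), sub)
    return (h, list(dict.fromkeys(b)))

def evaluate(q, db):
    """Materialize q over db (predicate -> set of tuples) by nested-loop joins."""
    head, body = q
    envs = [{}]
    for pred, args in body:
        nxt = []
        for env in envs:
            for fact in db.get(pred, ()):
                e = dict(env)
                if all(e.setdefault(a, v) == v if is_var(a) else a == v
                       for a, v in zip(args, fact)):
                    nxt.append(e)
        envs = nxt
    return {tuple(e[t] if is_var(t) else t for t in head) for e in envs}

# Example 1 with k = 2 (the choice made in Example 2): q_S, v_1, v_2 and q_V.
QS = (("X", "Y"), [("s", ("X", "Y")), ("s", ("Y", "X"))])
VIEWS = {
    "v1": (("X", "Y"), [("s", ("X", "Y"))]),
    "v2": (("Y", "X"), [("s", ("Y", "X")), ("s", ("X", "Z1")), ("s", ("Z1", "Z2"))]),
}
QV = (("X", "Y"), [("v1", ("X", "Y")), ("v2", ("Y", "X"))])
# Example 2: v'_2 from the substitution { Z1 <- Y, Z2 <- X } on the body of v_2.
V2_PRIME = unifiee(VIEWS["v2"], {"Z1": "Y", "Z2": "X"})
VIEWS_PRIME = {"v1": VIEWS["v1"], "v2": V2_PRIME}

def example_checks(db=None):
    """Replays the claims of Examples 1 and 2 and of Theorem 3 on a constructed s."""
    db = db or {"s": {(1, 2), (2, 1), (2, 3), (3, 4), (4, 5)}}  # constructed instance
    return {
        "qv_equiv_qs": equivalent(expand(QV, VIEWS), QS),             # Example 1
        "qv_prime_equiv_qs": equivalent(expand(QV, VIEWS_PRIME), QS), # Example 2
        "v2_prime_equiv_v2": equivalent(V2_PRIME, VIEWS["v2"]),       # not equivalent
        "v2_prime_contained_in_v2": contains(VIEWS["v2"], V2_PRIME),  # Theorem 3
        "size_v2": len(evaluate(VIEWS["v2"], db)),
        "size_v2_prime": len(evaluate(V2_PRIME, db)),
    }
```

The expansion of q_V through R_V is equivalent to q_S even though v_2 has more subgoals than q_S; v'_2 is contained in v_2 but not equivalent to it, and on the constructed table its materialization is smaller, which is the size property Theorem 3 guarantees for every instance.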

6 A Database Reformulation Algorithm 

In this section we describe a database reformulation algorithm for deductive 
databases where all rules are conjunctive. The algorithm is based on the re- 
sult described in the previous section: for each space-satisfactory rewriting of a 
given query there exists another space-satisfactory rewriting, defined in terms 
of “short” views only, i.e., of those views that have no more subgoals than the 
query itself. Thus, the idea of the algorithm is, for each input query, to examine 
all “short” views (obviously there is only a finite number of them) and to con- 
struct rewritings of the query by combining such views. The successful rewritings 
then undergo a storage space check to decide whether they belong to a space- 
satisfactory reformulation. If such rewritings cannot be found by the algorithm, 
then, by our results, no rewritings of the query exist. 

The reformulation algorithm takes as input a database schema S, a set R_S 
of view definitions in terms of S, a set Q of elementary query relations with definitions 
in R_S, and the value of parameter t for the linear bound. For each query 
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relation in Q with definition q_S in R_S, the algorithm generates a set of rewritings 
of q_S by, first, producing all unifiees of q_S (see Definition 3 in Section 5) as 
views and combining the views in conjunctive definitions in all possible ways, 
and, second, by testing the resulting conjunctions for equivalence with q_S. After 
all such rewritings of all input queries have been built, the algorithm generates 
candidate reformulations as all combinations where each candidate reformulation 
contains one rewriting per input query. Only those candidate reformulations 
that are linearly bounded for the given value of t belong in the output of the 
algorithm. 

Theorem 4. For a given input (S, R_S, Q) and for a given positive number t, the 
reformulation algorithm outputs only those reformulations (V, R_V, Q) that are 
linearly bounded with parameter t, and their R_V contain only definitions with no 
more subgoals in each than the number of subgoals in the longest query in R_S. 

The longest query in R_S is the query with the most subgoals. This theorem 
is true by construction of the algorithm. 

Theorem 5. If for some input and for some positive number t, the output of 
the reformulation algorithm is empty then no reformulation of the input in terms 
of conjunctive views is linearly bounded with parameter t. 

This result follows immediately from Theorem 3 in Section 5. 

The reformulation algorithm presented in this section is proof that the data- 
base reformulation problem is decidable for conjunctive databases. Notice that 
the algorithm is, in all probability, too expensive to be used to actually generate 
reformulations. To see why, it suffices to notice that one of the steps of the algo- 
rithm involves testing pairs of conjunctive queries for equivalence, i.e., solving a 
known NP-complete problem. 



7 Related Work 



Database schema evolution is an integral part of database design, data model 
translation, schema (de)composition, and multidatabase integration; fundamen- 
tal to these problems is the notion of equivalence between database schemata. 

The first definition of schema equivalence was proposed in [ref]; schema equivalence 
was studied in [ref]. Later, relative information capacity was introduced 
in [ref] as a fundamental theoretical concept which encompasses schema equivalence 
and dominance. Other work on relative information capacity includes 
[ref]. Tutorial [ref] surveys a number of frameworks — relative information 
capacity among others — for dealing with the issue of semantic heterogeneity 
arising in database integration. 

In practical database systems, database design frequently uses normalization, 
first introduced in [ref] and described in detail in [ref]. Papers [ref] survey 
methods and issues in multidatabase integration. 

Query transformation is another aspect of database transformation tasks; 
query rewriting methods complement schema transformation methods in that 
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they are applied to databases that are already operational. Query rewriting is 
important for query optimization, especially in deductive databases where 
queries can be complex and the amount of data accessed can be overwhelming. 
[ref] is a survey on implementation techniques and implemented projects in 
deductive databases. 

There is an extensive body of work on theoretical aspects of query rewriting. 
For an overview of query rewriting methods in datalog and its extensions see 
[ref]. In addition, applications such as data warehousing and multidatabase 
integration have promoted the study of views in databases. The paper [ref] is 
a survey of containment and rewriting/optimization of queries using views. [ref] 
discusses the complexity of answering queries using materialized views and contains 
references to major results in the areas of query containment and view 
materialization. Papers [ref] describe approaches to view materialization. 
[ref] treat the problem of using available materialized views for 
query evaluation. Nearly all results described in the literature concern rewriting 
of single queries; notice that the database reformulation approach we propose 
involves simultaneous rewriting of sets of queries. 

Transformations of database schemas and queries can be considered together 
as reformulations of logical theories. [ref] provides a theoretical foundation for 
theory reformulations, and [ref] contain work on general transformations of 
logical theories. 

Descriptions of basic methods used in this paper can be found, e.g., in [ref]. 



8 Conclusions and Future Work 

The first contribution of this paper is that it introduces the notion of database 
reformulation which is the process of rewriting the data and rules of a deductive 
database in a functionally equivalent manner. We focus on the problem of auto- 
matically reformulating a database in a way that reduces query processing time 
while satisfying strong storage space constraints. 

The second contribution of this paper is a proof that it is decidable to re- 
formulate, using conjunctive views, deductive databases where all rules are con- 
junctive, in the presence of strong storage space constraints. We have shown that 
for any space-satisfactory rewriting of a conjunctive query there is a rewriting 
which is also space-satisfactory and is composed entirely of views that have no 
more subgoals than the original query. We have described a reformulation algo- 
rithm which returns space-satisfactory query rewritings composed of views that 
have no more subgoals than the longest query in the input. Notice that all the 
results automatically hold for select-project-join (SPJ) queries in SQL. 

There are several directions of future research in database reformulation. A 
pressing research problem is the issue of update complexity in the reformulated 
database. On a more long-term scale, it is desirable to develop criteria for com- 
paring different outputs produced by the reformulation algorithm, as well as 
criteria for choosing the optimal output among the potentially multiple answers. 
Another challenge is to examine possible interactions between views chosen in 
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support of different queries and to understand how such interactions might influence 
the quality of a reformulation, in particular its storage space requirements. 
We also plan to study the complexity of the reformulation problem. Finally, our 
long-term objective is to extend research in database reformulation to deductive 
databases whose queries and views are formulated in progressively more general 
standard query languages, for example those that include disjunction or negation, 
as well as to databases with integrity constraints. 
A Some Examples and Proofs 

A.1 A Recursive Reformulation Example 

Here is an example which illustrates the power of database reformulation for a 
deductive database with recursive rules. 
Example 3. Consider the "founding fathers" problem invented by Devika 
Subramanian. There is just one stored relation in this case: the father relation, 
where father(X, Y) means that X is the father of Y. In addition, there are two 
views defined as shown below. The (male) ancestor relation holds of two people 
X and Y if X is the father of Y or if there is a third person U who is a child 
of X and an ancestor of Y. The samefamily relation holds of two people if they 
have a common (male) ancestor. 

ancestor(X, Y) :- father(X, Y).                           (11) 
ancestor(X, Y) :- father(X, U), ancestor(U, Y).           (12) 
samefamily(Y, Z) :- ancestor(X, Y), ancestor(X, Z).       (13) 



With the definitions above, determining whether two people are in the same 
family involves computing all of their ancestors and intersecting the two sets, a 
fairly expensive operation. 

To improve the query processing time, we could materialize the samefamily 
relation. However, the table for that relation, in a database with schema 
{ father }, would take up storage space that is, in the worst case, quadratic in 
the number of people in the database. For large databases, such materialization 
is impractical. 

On the other hand, it is possible to get the same performance gain without 
any space growth whatsoever. The definitions below show how. We say that a 
person X is the founding father (founder) of the family of person Y if X is an 
ancestor of Y and there is no person W such that W is the father of X (¬ stands 
for negation). The samefamily relation can then be defined in terms of this new 
founder relation: two people are in the same family if and only if they have the 
same founding father. 

hasancestors(X) :- father(W, X).                          (14) 
founder(X, Y) :- ancestor(X, Y), ¬ hasancestors(X).       (15) 
samefamily(Y, Z) :- founder(X, Y), founder(X, Z).         (16) 

Using the definitions above, we can materialize the founder relation; 
furthermore, if we are interested only in the samefamily query we can also dematerialize 
the father relation. With such a reformulation we get the same performance 
improvement for our target query as if we did materialize the samefamily relation 
itself. However, the amount of space required for the reformulated database is 
the same as that required for the input database; in other words, this 
reformulation satisfies the no-growth bound. This reformulation is so good because we 
have succeeded in defining an equivalence relation (samefamily) by choosing a 
single representative (founder) from each equivalence class. 
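As an added example that is not part of the paper, the following Python program evaluates Example 3 bottom-up: it computes samefamily once from rules (11)-(13) and once from the materialized founder relation of rules (14)-(16), checks that the two answers coincide, and compares the table sizes that the no-growth bound is about. The father relation is constructed for the example, and the naive least-fixpoint loop is the textbook one, not the paper's reformulation algorithm.

```python
"""Founding-fathers reformulation (Example 3), evaluated bottom-up.

Added example, not code from the original paper. A naive least-fixpoint
evaluation of the recursive ancestor rules (11)-(13) is compared with the
reformulated rules (14)-(16) on a constructed father relation.
"""

# Constructed stored relation: father(X, Y) means X is the father of Y.
# Two unrelated families whose founding fathers are "a" and "f".
FATHER = frozenset({
    ("a", "b"), ("a", "c"), ("b", "d"), ("c", "e"),
    ("f", "g"), ("g", "h"),
})


def ancestor(father):
    """Rules (11) and (12): least fixpoint of the recursive ancestor view."""
    anc = set(father)                 # (11) ancestor(X, Y) :- father(X, Y).
    while True:
        # (12) ancestor(X, Y) :- father(X, U), ancestor(U, Y).
        new = {(x, y) for (x, u) in father for (v, y) in anc if u == v}
        if new <= anc:                # no new facts: fixpoint reached
            return frozenset(anc)
        anc |= new


def samefamily_original(father):
    """Rule (13): two people share a (male) ancestor."""
    anc = ancestor(father)
    return frozenset((y, z) for (x, y) in anc for (w, z) in anc if x == w)


def hasancestors(father):
    """Rule (14): X has a recorded father."""
    return frozenset(x for (_, x) in father)


def founder(father):
    """Rule (15): an ancestor of Y who has no father himself."""
    has = hasancestors(father)
    return frozenset((x, y) for (x, y) in ancestor(father) if x not in has)


def samefamily_reformulated(fnd):
    """Rule (16), evaluated against the materialized founder relation only."""
    return frozenset((y, z) for (x, y) in fnd for (w, z) in fnd if x == w)


def reformulate(father):
    """Materialize founder, check equivalence with the original samefamily
    view, and report the table sizes relevant to the no-growth bound."""
    fnd = founder(father)
    original = samefamily_original(father)
    rewritten = samefamily_reformulated(fnd)
    return {
        "equivalent": original == rewritten,
        "father_size": len(father),          # storage of the input database
        "founder_size": len(fnd),            # storage after reformulation
        "samefamily_size": len(original),    # cost of materializing samefamily
    }


if __name__ == "__main__":
    print(reformulate(FATHER))
```

In a forest of father links every non-founder has exactly one founder, so the founder table has exactly as many tuples as the father table it replaces, while the samefamily table grows quadratically with family size.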
A.2 An Example of Conjunctive Reformulation 

Below is a very simple example of database reformulation for a conjunctive 
deductive database. 

Example 4. Suppose in some database there are two stored relations: parent and 
gender (either male or female). Suppose the only elementary query of interest is 
grandparent; imagine that we only plan to ask queries about grandfathers or 
grandmothers. The grandparent relation can be defined in terms of the parent 
relation in an obvious way as follows: 

grandparent(X, Y) :- parent(X, Z), parent(Z, Y).          (17) 

Once we materialize the grandparent relation, we can dematerialize the parent 
relation since we are not interested in querying on that relation anyway. As a 
result, the new database contains only relevant information (relations gender 
and grandparent), the processing costs for the queries of interest are minimized, 
and the reformulation is linearly bounded with t = 2. 

A.3 Proof of the Main Theorem 

To prove the theorem, we need the notion of a self-map. 

Definition 4. A containment mapping on a conjunctive query is called a self-map 
if it maps the query into itself. 

Consider an arbitrary conjunctive query $q$, and consider a second query such 
that there exist two containment mappings, $M_1$ from $q$ to the second query and 
$M_2$ from the second query back to $q$, where both $M_1$ and $M_2$ preserve head 
variables of the queries. Consider the composition $M$ of the two mappings, 
$M : q \to q$. Notice that $M$ is a self-map by construction. 

Then it is easy to show that each such $q$ has the following property: 

Lemma 1. $q$ is equivalent to its image $q'$ under $M$: 

$q \equiv q'$.    (18) 

We proceed to prove the main result, which is formulated as a theorem in the 
body of the paper. 

Proof (Theorem). Let $\mathcal{R}_V$ be the set of definitions of view relations in $V$ in 
terms of $S$, and let $q_{\mathcal{R}_V}$ be the (unique and equivalent) expansion of $q_V$ in terms 
of $\mathcal{R}_V$. By transitivity of equivalence, $q_{\mathcal{R}_V}$ is equivalent to $q_S$. 

From the containment mapping theorem, the equivalence of $q_{\mathcal{R}_V}$ and of $q_S$ 
means that there is a containment mapping $M_{\mathcal{R}S} : q_{\mathcal{R}_V} \to q_S$ and there is a 
containment mapping $M_{S\mathcal{R}} : q_S \to q_{\mathcal{R}_V}$, where both mappings preserve head 
variables of the queries. 

Consider a composition $M$ of $M_{\mathcal{R}S}$ with $M_{S\mathcal{R}}$: 

$M : q_{\mathcal{R}_V} \to q_{\mathcal{R}_V}$.    (19) 

By construction, $M$ is a self-map that satisfies the conditions of Lemma 1; 
therefore, by that lemma, the image of $q_{\mathcal{R}_V}$ under $M$ is equivalent to $q_{\mathcal{R}_V}$: 

$q_{\mathcal{R}_V} \equiv M(q_{\mathcal{R}_V})$.    (20) 

Consider an arbitrary view literal $v_i$ in $q_V$ and the body $r_i$ of the definition 
of $v_i$ in $q_{\mathcal{R}_V}$. Consider the image $r_i'$ of $r_i$ under $M$; $r_i'$ is a subset of the body 
of $M(q_{\mathcal{R}_V})$. Notice that by construction of $M$, $r_i'$ defines some (at least one, 
depending on the choice of head variables) unifiee of $q_S$ (see the definition of a 
unifiee in the body of the paper). 

Let us take $r_i'$ as the body of a definition of some view relation $v_i'$, such that 
the head variables of $v_i'$ are images, under $M$, of the head variables of $v_i$ (in $r_i$). 

After we have built a new relation $v_i'$ based on each $v_i$ used in the definition 
$q_V$, $M(q_{\mathcal{R}_V})$ can be viewed as an expansion of some conjunctive query $q_{V'}$, where 
$V' = \bigcup_i v_i'$. It is easy to show that $q_{V'}$ exists and is equivalent to $M(q_{\mathcal{R}_V})$; 
therefore, from transitivity of equivalence, $q_{V'}$ is equivalent to both $q_V$ and to $q_S$. 

Consider an arbitrary view literal $v_i$ in the body of $q_V$ and its counterpart $v_i'$ 
in the body of $q_{V'}$. Notice that $v_i'$ is, in fact, constructed as a unifiee of $v_i$, 
not of $q_S$, although $v_i'$ is also a unifiee of $q_S$ by properties of the mapping $M$. 
Also, by the containment mapping theorem, $v_i'$ is contained in $v_i$; if $M$ does not 
preserve head variables of some $v_i$, we assume that $v_i'$ has the same number of 
head variables as $v_i$, only some head variables of $v_i'$ may be unified with each 
other. Thus we have that in any database instance with schema $S$, if both $v_i$ 
and $v_i'$ are materialized, then the table for $v_i'$ takes up at most as much storage 
space as the table for its corresponding $v_i$. 
Abstract. This paper proposes an integration between Geographical 
Information System (GIS) technology and constraint logic programming 
in order to supply the user with a declarative language that supports 
and improves GIS analysis. We present the language MuTACLP, where 
spatio-temporal and thematic information can be represented in a uniform 
way, and the features of constraint logic programming, such as 
recursion and constraint handling, can be exploited to perform sophisticated 
spatio-temporal reasoning. This unifying language also seems 
promising for addressing the key problem of interoperability among different 
GISs. 
1 Introduction 

The manipulation of complex data of very large size, such as spatial and temporal 
information, often of very different nature, has become one of the 
challenges of today's research. Many applications, such as geographic 
information systems (GISs), geometric modeling systems (CAD), and temporal 
databases, need the ability to store and manipulate geometric and temporal 
data. Actually, space and time are closely interconnected: much information 
which is referenced to space is also referenced to time. Traditional databases 
are not able to manage these complex data at a high level of abstraction. Spatial 
and temporal data differ from conventional data in particular for the fact 
that the domains are interpreted and that they often model infinite objects. To 
fill the gap, many spatial databases and temporal databases have been defined. 
However, the problem of dealing with correlated spatial 
and temporal data has been addressed only recently. The existing models are 
not completely satisfactory, especially because they do not provide an explicit 
and flexible reasoning mechanism, whereas spatio-temporal information requires 
it much more than ordinary data. 

In previous work we defined a language, called MuTACLP, where temporal and spatial 
information can be represented and handled, and, at the same time, knowledge 
can be separated into different theories and combined by means of meta-level 
composition operations. In particular, the pieces of temporal information are 
expressed as temporal annotations which say at what time(s) the formula to which 
they are attached is valid. On the other hand, spatial data are represented by 
using constraints in the style of the constraint database approaches. 
The facilities to handle time offered by the language allow one to easily establish 
spatio-temporal correlations, for instance time-varying areas, or, more generally, 
moving objects, supporting either discrete or continuous changes. 

In this paper, we want to show how MuTACLP can be exploited to integrate 
GIS technology and constraint logic programming, in order to provide the user 
with a declarative language which supports and improves GIS analysis, at least 
at the specification level. In fact, one of the frequently stated problems for GISs 
is that these systems have a complex functionality which is not accessible to 
non-expert end-users. Today GIS user interfaces are not easy to use and require much 
time to get used to them. Thus a user often knows what she/he wants, 
but does not know how to obtain it from the GIS. Moreover, the current GIS 
analysis approaches are not general and reusable. In fact the analysis is typically 
based on complex procedural algorithms, and data are built and structured for 
the specific application. We claim that a declarative approach is a better solution 
for solving this kind of problem, at least at the specification level. 



In the literature we can find several attempts to exploit the deductive 
capabilities of logic to reason on geographic data. Some approaches go towards 
the use of artificial intelligence techniques (expert systems), while other 
approaches express spatial data in an object-oriented style, and add a deductive 
component to infer knowledge from the spatial objects. Our proposal, based 
on MuTACLP, relies on the translation of the spatial data stored in a GIS into 
a logical representation. In this way, all the previously discussed capabilities of 
MuTACLP can be used to reason on the data contained in a GIS. Having a multi-theory 
setting is very useful, because often knowledge employed in GIS analysis 
is fragmented into different sources. For instance, one can get environmental 
restrictions from the local municipality, the general laws from the government, 
and the best place criteria from the planner. By employing the program 
composition operations, we can express complex queries on a combination of such 
analysis criteria. Remarkably, spatial data can be related to temporal information, 
a great advantage with respect to the current GIS technology where time 
is almost completely ignored, although recognized as an essential component of 
geographical information. Furthermore, being based on a uniform 
representation of data in a common model, our approach favors the interoperability 
among different GISs, which is nowadays very difficult to attain. 



The paper is organized as follows. Section 2 introduces Temporal Annotated 
Constraint Logic Programming (TACLP), which is the formalism we adopt to 
describe programs, whereas Section 3 introduces our multi-theory framework, 
MuTACLP. In Section 4, after presenting the logical representation of GIS data, 
we show how the classical set-theoretic operations on spatial objects (union, 
intersection, etc.) can be defined in MuTACLP, and we discuss a logical 
reconstruction of GIS layers. In the following section an example is given to focus on how 
MuTACLP can support GIS analysis. Finally, the last section draws some conclusions. 

2 Temporal Annotated Constraint Logic Programming 

Temporal Annotated Constraint Logic Programming (TACLP) is a constraint 
logic programming language where formulae can be annotated with temporal 
labels and where temporal constraints express relations between these labels. In 
TACLP, the choice of the temporal ontology is free. In this paper, we consider the 
subset of TACLP where time points are totally ordered, and sets of time points 
are convex and non-empty. Moreover only atomic formulae can be annotated 
and clauses are free of negation. For a more detailed treatment of TACLP we 
refer the reader to the literature on the language. With an abuse of notation, in 
the rest of the paper we call TACLP such a subset of the full language. 

Time can be discrete or dense. Time points are totally ordered by the relation 
≤. We denote by D the set of time points, equipped with the usual operations 
(such as +, −). We assume that the time-line is left-bounded by 0 and open to 
the future, with the symbol ∞ used to denote a time point that is later than 
any other. A time period is an interval [r, s] with 0 ≤ r ≤ s ≤ ∞, r, s ∈ D, that 
represents the convex, non-empty set of time points {t | r ≤ t ≤ s}. Thus the 
interval [0, ∞] denotes the whole time line. 

An annotated formula is of the form A α where A is an atomic formula and 
α an annotation. In TACLP there are three kinds of annotations based on time 
points and time periods. Let t be a time point and let J = [r, s] be a time period. 
Then 

(at) The annotated formula A at t means that A holds at time point t. 

(th) The annotated formula A th J means that A holds throughout, i.e., at every 
time point in the time period J. The definition of a th-annotated formula in 
terms of at is: 

    A th J ⇔ ∀t (t ∈ J → A at t). 

(in) The annotated formula A in J means that A holds at some time point(s), 
but we do not know exactly which, in the time period J. The definition of 
an in-annotated formula in terms of at is: 

    A in J ⇔ ∃t (t ∈ J ∧ A at t). 

The in temporal annotation accounts for indefinite temporal information. 

The set of annotations is endowed with a partial order relation ⊑ which turns 
it into a lattice. Given two annotations α and β, the intuition is that α ⊑ β if 
α is "less informative" than β in the sense that for all formulae A, A β ⇒ A α. 
More precisely, in addition to Modus Ponens, TACLP has two further inference 
rules: the rule (⊑) and the rule (⊔). 

      A α    β ⊑ α                A α    A β    γ = α ⊔ β 
    ---------------- (⊑)        -------------------------- (⊔) 
          A β                               A γ 

The rule (⊑) states that if a formula holds with some annotation, then it also 
holds with all annotations that are smaller according to the lattice ordering. The 
rule (⊔) says that if a formula holds with some annotation and the same formula 
holds with another annotation then it holds with the least upper bound of the 
two annotations. 

Now we define the constraint theory for temporal annotations. We recall that 
a constraint theory is a non-empty, consistent first order theory that axiomatizes 
the meaning of the constraints. First of all, our constraint theory includes an 
axiomatization of the total order relation ≤ on time points D. Then it contains 
the following axioms defining the partial order on temporal annotations. 

(at th)   at t = th [t, t] 

(at in)   at t = in [t, t] 

(th ⊑)    th [s1, s2] ⊑ th [r1, r2] ⇐ r1 ≤ s1, s1 ≤ s2, s2 ≤ r2 

(in ⊑)    in [r1, r2] ⊑ in [s1, s2] ⇐ r1 ≤ s1, s1 ≤ s2, s2 ≤ r2 

The first two axioms state that th I and in I are equivalent to at t when the 
time period I consists of a single time point t.¹ Next, if a formula holds at every 
point of a time period, then it holds at every point in all sub-periods of that 
period ((th ⊑) axiom). On the other hand, if a formula holds at some points of 
a time period then it holds at some points in all periods that include this period 
((in ⊑) axiom). A consequence of the above axioms is 

(inth ⊑)  in [s1, s2] ⊑ th [r1, r2] ⇐ s1 ≤ r2, r1 ≤ s2, s1 ≤ s2, r1 ≤ r2 

i.e., an atom annotated by in holds in any time period that overlaps with a time 
period where the atom holds throughout. 

Now we axiomatize the least upper bound ⊔ of temporal annotations over 
time points and time periods. For technical reasons related to the properties 
of th and in annotations (see our earlier work on TACLP) we restrict ourselves to 
computing the least upper bound between th annotations with overlapping time 
periods that do not include one another: 

(th ⊔)    th [s1, s2] ⊔ th [r1, r2] = th [s1, r2] ⇐ s1 ≤ r1, r1 ≤ s2, s2 ≤ r2 

We can now define the clausal fragment of TACLP that can be used as an 
efficient temporal programming language. 

Definition 1. A TACLP clause is of the form: 

    A α ← C1, ..., Cn, B1 α1, ..., Bm αm    (n, m ≥ 0) 

where A is an atom (not a constraint), α and αi are (optional) temporal 
annotations, the Cj's are constraints and the Bi's are atomic formulae. The constraints 
Cj cannot be annotated. A TACLP program is a finite set of TACLP clauses. 

¹ Especially in dense time, one may disallow singleton periods and drop the two 
axioms. This restriction has no effect on the results we are presenting. 
3 Multi-theory Temporal Annotated Constraint Logic Programming 

In this section we present Multi-theory Temporal Annotated Constraint Logic 
Programming (MuTACLP), as introduced in our previous work: a framework where temporal 
information can be represented and handled, and, at the same time, knowledge 
can be separated and combined by means of meta-level composition operations. 
As we will see in the following, the use of constraints also allows one to represent 
naturally spatial and spatio-temporal data. 

MuTACLP enriches TACLP with high-level mechanisms for structuring programs 
and for combining separate temporal knowledge bases. In the style of earlier work 
on program composition, we provide two operators to combine programs: union ∪ 
and intersection ∩. 
These operations determine a language of program expressions, that may be 
constructed by starting from a set of plain programs, which are TACLP programs, 
and by repeatedly applying the composition operators. Formally, the 
language of program expressions Exp is defined by the following abstract syntax: 

    Exp ::= Pname | Exp ∪ Exp | Exp ∩ Exp 

where Pname is the syntactic category of names of plain programs. 

In order to be able to compose programs we add to the constraint theory 
defined in the previous section the axiomatization of the greatest lower bound ⊓ 
of two annotations, which is essential in the definition of the intersection operator 
over program expressions. 

(th ⊓)     th [s1, s2] ⊓ th [r1, r2] = th [t1, t2] ⇐ s1 ≤ s2, r1 ≤ r2, t1 = max{s1, r1}, 
           t2 = min{s2, r2}, t1 ≤ t2 

(th ⊓')    th [s1, s2] ⊓ th [r1, r2] = in [t2, t1] ⇐ s1 ≤ s2, r1 ≤ r2, t1 = max{s1, r1}, 
           t2 = min{s2, r2}, t2 < t1 

(thin ⊓)   th [s1, s2] ⊓ in [r1, r2] = in [r1, r2] ⇐ s1 ≤ r2, r1 ≤ s2, s1 ≤ s2, r1 ≤ r2 

(thin ⊓')  th [s1, s2] ⊓ in [r1, r2] = in [s2, r2] ⇐ s1 ≤ s2, s2 < r1, r1 ≤ r2 

(thin ⊓'') th [s1, s2] ⊓ in [r1, r2] = in [r1, s1] ⇐ r1 ≤ r2, r2 < s1, s1 ≤ s2 

(in ⊓)     in [s1, s2] ⊓ in [r1, r2] = in [t1, t2] ⇐ s1 ≤ s2, r1 ≤ r2, t1 = min{s1, r1}, 
           t2 = max{s2, r2} 

Example 1. At 10pm Tom was found dead in his house. The only hint is that 
the answering machine recorded some messages from 7pm up to 8pm. At a first 
glance, the doctor said Tom had been dead for one to two hours. The detective made 
a further assumption: Tom did not answer the telephone because he was already 
dead. 

We collect all these hints and assumptions into three programs, Hints, Doctor 
and Detective, in order not to mix facts with simple hypotheses that 
might change during the investigations. 

Hints:      found at 10pm.    ans_machine th [7pm, 8pm]. 

Doctor:     dead in [T − 2:00, T − 1:00] ← found at T 

Detective:  dead in [T1, T2] ← ans_machine th [T1, T2] 

If we combine the hypotheses of the doctor and those of the detective we can 
extend the period of time in which Tom possibly died. The program expression 
Doctor ∩ Detective behaves as 

dead in [S1, S2] ← in [T − 2:00, T − 1:00] ⊓ in [T1, T2] = in [S1, S2], 
                   found at T, 
                   ans_machine th [T1, T2] 

The constraint in [T − 2:00, T − 1:00] ⊓ in [T1, T2] = in [S1, S2] builds the 
annotation in [S1, S2] in which Tom possibly died, and by using axiom (in ⊓) we know 
that the resulting interval is S1 = min{T − 2:00, T1} and S2 = max{T − 1:00, T2}. 
In fact, according to the semantics, which is formally presented in the next 
section, a consequence of the program expression Hints ∪ (Doctor ∩ Detective) 
is just dead in [7pm, 9pm] since the annotation in [7pm, 9pm] is the greatest 
lower bound of in [8pm, 9pm] and in [7pm, 8pm]. 
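The following Python functions, added here and not taken from the paper, implement the annotation lattice from the axioms of Section 2 (⊑ and ⊔) and Section 3 (⊓) on th/in annotations, and replay Example 1 by computing the greatest lower bound of the doctor's and the detective's in annotations. Time points are assumed to be minutes since midnight (a constructed encoding), and at t is reduced to th [t, t] through axiom (at th).

```python
"""Annotation lattice of TACLP/MuTACLP, written from the axioms of Sections 2 and 3.

Added example, not code from the original paper. Annotations are triples
(kind, lo, hi) with kind "th", "in" or "at"; time points are minutes since
midnight (constructed encoding) so that Example 1 can be replayed.
"""


def norm(a):
    """Apply (at th) so that only th and in annotations need handling."""
    kind, lo, hi = a
    if kind == "at":
        return ("th", lo, lo)
    if lo > hi:
        raise ValueError("time period must be non-empty: %r" % (a,))
    return a


def leq(a, b):
    """a ⊑ b (a less informative than b): axioms (th ⊑), (in ⊑), (inth ⊑)."""
    (ka, s1, s2), (kb, r1, r2) = norm(a), norm(b)
    if ka == "th" and kb == "th":      # (th ⊑): a's period is a sub-period of b's
        return r1 <= s1 and s2 <= r2
    if ka == "in" and kb == "in":      # (in ⊑): a's period includes b's
        return s1 <= r1 and r2 <= s2
    if ka == "in" and kb == "th":      # (inth ⊑): the two periods overlap
        return s1 <= r2 and r1 <= s2
    return False                       # a th annotation is never below an in one


def lub(a, b):
    """a ⊔ b by axiom (th ⊔): only for overlapping th periods that do not include
    one another; None when the axiom does not apply."""
    (ka, s1, s2), (kb, r1, r2) = norm(a), norm(b)
    if ka == kb == "th":
        if s1 <= r1 <= s2 <= r2:
            return ("th", s1, r2)
        if r1 <= s1 <= r2 <= s2:       # the same axiom with the arguments swapped
            return ("th", r1, s2)
    return None


def glb(a, b):
    """a ⊓ b: axioms (th ⊓), (th ⊓'), (thin ⊓), (thin ⊓'), (thin ⊓''), (in ⊓)."""
    (ka, s1, s2), (kb, r1, r2) = norm(a), norm(b)
    if ka == "in" and kb == "th":                 # ⊓ is commutative; use th first
        return glb(b, a)
    if ka == kb == "th":
        t1, t2 = max(s1, r1), min(s2, r2)
        # (th ⊓) when the periods overlap, (th ⊓') when they are disjoint
        return ("th", t1, t2) if t1 <= t2 else ("in", t2, t1)
    if ka == "th" and kb == "in":
        if s1 <= r2 and r1 <= s2:                 # (thin ⊓): overlapping periods
            return ("in", r1, r2)
        if s2 < r1:                               # (thin ⊓'): th period before in period
            return ("in", s2, r2)
        return ("in", r1, s1)                     # (thin ⊓''): in period before th period
    return ("in", min(s1, r1), max(s2, r2))       # (in ⊓)


def hm(h, m=0):
    """Clock time as minutes since midnight (constructed encoding)."""
    return 60 * h + m


def example1():
    """Doctor ∩ Detective on the Hints program: glb of the two dead annotations."""
    found_at = hm(22)                                    # Hints: found at 10pm
    doctor = ("in", found_at - hm(2), found_at - hm(1))  # dead in [T−2:00, T−1:00]
    detective = ("in", hm(19), hm(20))                   # dead in [T1,T2], ans_machine th [7pm,8pm]
    return glb(doctor, detective)                        # in [7pm, 9pm] by axiom (in ⊓)


if __name__ == "__main__":
    kind, lo, hi = example1()
    print("dead %s [%02d:%02d, %02d:%02d]" % (kind, lo // 60, lo % 60, hi // 60, hi % 60))
```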

We next give a first example of how spatial information can be modeled in 
MuTACLP. In particular we can express spatial relations which are parametric 
with respect to time, such as moving points or evolving regions. 

Example 2. We want to model the area flooded by the water tide, assuming that 
the front end of the tide is a linear function of time. We can establish such a 
spatio-temporal correlation as follows 

floodedarea(X, Y) at T ← 1 ≤ Y, Y ≤ 10, 3 ≤ X, X ≤ 10, Y ≥ X + 8 − T 



3.1 Semantics of MuTACLP 

In this section we define the operational (top-down) semantics of the language 
MuTACLP by means of a meta-interpreter. Without loss of generality, we assume 
all atoms to be annotated with th or in labels. In fact at t annotations can be 
replaced with th [t, t] by exploiting the (at th) axiom. Moreover, each atom which 
is not annotated in the object level program is intended to be true throughout 
the whole temporal domain, and thus can be annotated by th [0, ∞]. 

The meta-interpreter is obtained by extending the well-known vanilla meta- 
interpreter for logic programs in order to deal with the annotations and to give 
meaning to the composition operations. Compositions of programs are realized 
by combining separate programs at the meta-level, without actually building a 
new program. The reading of the resulting meta-interpreter is straightforward 
and, most importantly, the meta-logical definition shows that the multi-theory 
framework can be expressed from inside constraint logic programming itself. 

Following Bowen and Kowalski, we employ the two-argument predicate 
demo to represent provability. Namely, demo(E, G) means that the formula G is 
provable in the program expression E. 

Meta-interpreter. The meta-interpreter is defined by the following clauses. 
demo(E, empty).                                                             (1) 

demo(E, (B1, B2)) ← demo(E, B1), demo(E, B2)                                (2) 

demo(E, A th [T1, T2]) ← S1 ≤ T1, T1 ≤ T2, T2 ≤ S2,                          (3) 
                         clause(E, A th [S1, S2], B), demo(E, B) 

demo(E, A th [T1, T2]) ← S1 ≤ T1, T1 < S2, S2 < T2,                          (4) 
                         clause(E, A th [S1, S2], B), demo(E, B), 
                         demo(E, A th [S2, T2]) 

demo(E, A in [T1, T2]) ← T1 ≤ S2, S1 ≤ T2, T1 ≤ T2,                          (5) 
                         clause(E, A th [S1, S2], B), demo(E, B) 

demo(E, A in [T1, T2]) ← T1 ≤ S1, S2 ≤ T2,                                   (6) 
                         clause(E, A in [S1, S2], B), demo(E, B) 

demo(E, C) ← constraint(C), C                                               (7) 

clause(E1 ∪ E2, A α, B) ← clause(E1, A α, B)                                 (8) 

clause(E1 ∪ E2, A α, B) ← clause(E2, A α, B)                                 (9) 

clause(E1 ∩ E2, A γ, (B1, B2)) ← clause(E1, A α, B1), clause(E2, A β, B2),   (10) 
                                 α ⊓ β = γ 

A clause A α ← B of a plain program P is represented at the meta-level by 

clause(P, A α, B) ← S1 ≤ S2                                                  (11) 

where α = th [S1, S2] or α = in [S1, S2]. 

Observe that the meta-interpreter implements not only Modus Ponens but 
also rule (⊑) and rule (⊔). Clauses (3), (5) and (6) implement the inference rule 
(⊑): the atomic goal to be solved is required to be labelled with an annotation 
which is smaller than the one labelling the head of the clause used in the 
resolution step, according to axioms (th ⊑), (inth ⊑) and (in ⊑), respectively. 
Rule (⊔) is implemented by clause (4). According to the discussion in Section 2, 
it is applicable only to th annotations with overlapping time periods which do 
not include one another. The constraints on temporal variables ensure that the 
time period [T1, T2] is a new time period different from [S1, S2] and [S2, T2] and 
their subintervals. Clause (7) manages constraints by passing them directly to 
the constraint solver. 

As far as the meta-level definition of the union and intersection operations 
is concerned, clauses (8) and (9) simply state that a clause A α ← B belongs to 
the union of two program expressions E1 and E2 if it belongs either to E1 or to 
E2. On the other hand, a clause A α ← B, belonging to the intersection of two 
program expressions E1 and E2, is built by taking an instance of a clause in each 
program expression E1 and E2, such that the head atoms of the two clauses are 
unifiable. Let such instances of clauses be cl1 and cl2. Then B is the conjunction 
of the bodies of cl1 and cl2 and A is the unified atom labelled with the greatest 
lower bound of the annotations of the heads of cl1 and cl2. 

As shown in our previous work, it is also possible to provide MuTACLP with a fixpoint 
(bottom-up) semantics, based on an immediate consequence operator, and to 
prove the soundness and completeness of the meta-interpreter with respect to 
the fixpoint semantics. 
4 Declarative GIS Analysis in MuTACLP 

Adding a declarative programming layer on top of Geographical Information 
Systems can permit a better use of them, essentially because a declarative approach 
is much closer to the natural ways of expressing analysis rules than a procedural 
approach. First of all, since (constraint) logic programming is essentially a 
rule-based system, it is possible to build GIS applications with an expert system 
flavor. Moreover, the multi-theory framework, that provides tools for combining 
different knowledge components, coded in different programs, seems particularly 
suited to handle the naturally fragmented knowledge used in GIS analysis. 

The approach described in earlier work represents a first step for providing the user 
with a declarative language for GIS analysis. It basically relies on the (enriched) 
language of program expressions and on the introduction of built-in atoms which 
can be used to invoke GIS functions. However, this approach still presents some 
limits such as the inability to directly manipulate the representation of spatial 
data and the lack of a uniform representation of data. We propose a possible 
different solution which overcomes these problems. In our proposal the built-in 
predicates are replaced with an explicit representation of the GIS spatial 
data in MuTACLP. The main advantage is that we have a declarative language 
where spatio-temporal and thematic information can be represented in a uniform 
way and we can exploit the features of constraint logic programming, such 
as recursion and constraint handling, to perform sophisticated spatio-temporal 
reasoning. Moreover, the use of a unifying language is also promising to support 
the interoperability among different GISs, which is a topic for future work. 

We focus our attention on 2-dimensional spatial objects. 



4.1 A Logical Representation of GIS Spatial Data 

We propose an automatic translation of the spatial data stored in a GIS into 
MuTAGLP programs, assuming that spatial data are represented according to 
the Spaghetti Model. Observe that this assumption is reasonable because such 
a model is very popular and there are also GIS functions that convert data from 
the Raster Model into the Spaghetti Model and vice versa. Under this hypothesis 
the translation process consists of two steps: 

Step 1. A spatial object is triangulated, and each triangle is represented by a 
unit clause containing an identifier for the triangle and its three vertexes; 
Step 2. By using the implicit representation of a triangle, determined in step 1, 
i.e., its vertexes, we build a constraint which explicitly defines the set of 
points belonging to it. A spatial object is then denoted by an expression 
which represents the union of the triangles which compose the object. 

Step 1. In the Spaghetti model, a GIS object is uniquely determined by an 
identifier, and it has some thematic attributes and a spatial component consisting 
of a list of points modeling its contour. In the following, we focus on the 
translation of the spatial component of the object because thematic attributes 
do not require any particular treatment, and they can be represented by 
themselves. By using a standard algorithm to triangulate an object we obtain a set 
of triangles which approximate it. We suppose that if the algorithm returns a 
triangle with three distinct vertexes, then such points are not all collinear. Now 
we can define a set of clauses providing the logical representation of the object 
in the 2-Spaghetti Model. 

1010 Paolo Mancarella et al. 

Definition 2 (2-Spaghetti Model). An object identified by objId and decomposed 
into n triangles, with identifiers tId_i and vertexes (x^i_1, y^i_1), (x^i_2, y^i_2), (x^i_3, y^i_3), 
for i = 1, ..., n, is represented by the following unit clauses: 

— n_tri(objId, n). 

— tri(objId, i, tId_i, x^i_1, y^i_1, x^i_2, y^i_2, x^i_3, y^i_3).    for i = 1, ..., n. 

The first clause states that the object objId is composed of n triangles, while 
the predicate tri defines the triangles composing the object. A tri clause states 
that the triangle tId_i is the i-th triangle of the object objId and its vertexes are 
x^i_1, y^i_1, x^i_2, y^i_2, x^i_3, y^i_3. The identifier tId_i is a global (unique) identifier. 

Indeed this representation of spatial objects is an intermediate step to obtain 
a representation based on linear constraints. The second kind of representation 
has the advantage of giving an explicit characterization of the points which be- 
long to an object (e.g. a polygon is explicitly the infinite set of points it contains 
versus the implicit definition by means of the sequence of border points). There- 
fore, it allows us to manipulate spatial objects through standard set operations, 
such as union, intersection, difference etc. 

Step 2. As objects are composed of triangles, we first describe how we can 
obtain a constraint from the 2-Spaghetti representation of a triangle. We consider 
a non-degenerate triangle; the translation of points and line segments (degenerate 
triangles) is similar and it is omitted for space limitations (the complete 
translation appears in the referenced work). The idea, also exploited by Chomicki and Revesz and 
by Grumbach et al., is that a triangle, which is the intersection of three 
half-planes, can be defined as the conjunction of the inequalities defining each 
half-plane. The predicate side expresses the constraint for a half-plane. 

side(X, Y, X1, Y1, X2, Y2, X3, Y3) ← (Y3 − Y1)(X2 − X1) ≥ (Y2 − Y1)(X3 − X1), 
                                     (Y − Y1)(X2 − X1) ≥ (Y2 − Y1)(X − X1) 

side(X, Y, X1, Y1, X2, Y2, X3, Y3) ← (Y3 − Y1)(X2 − X1) ≤ (Y2 − Y1)(X3 − X1), 
                                     (Y − Y1)(X2 − X1) ≤ (Y2 − Y1)(X − X1) 

The constraint in the clause body is satisfied by the points (X, Y) which are 
above (or below) the line crossing the points (X1, Y1) and (X2, Y2) and which 
are in the same half-plane as (X3, Y3). 

In order to find the points belonging to a non-degenerate triangle we simply
intersect the three half-planes delimited by the lines crossing each couple of the
triangle vertexes and including the third one.

tri_con(TrId, X, Y) ← tri(_, _, TrId, X1, Y1, X2, Y2, X3, Y3),
                      distinct(X1, Y1, X2, Y2, X3, Y3),
                      side(X, Y, X1, Y1, X2, Y2, X3, Y3),
                      side(X, Y, X2, Y2, X3, Y3, X1, Y1),
                      side(X, Y, X3, Y3, X1, Y1, X2, Y2)

where distinct is a predicate that checks that the vertexes are all distinct. The
resolution of the atom tri_con(TrId, X, Y) provides the constraint representing
all the points of the triangle TrId.

Now we can model a spatial object inside our logical framework: an object 
can be seen as the union of its triangles. 

obj(ObjId, SpExp) ← n_tri(ObjId, N), join(ObjId, N − 1, SpExp)
join(ObjId, 0, TrId) ← tri(ObjId, 0, TrId, _)
join(ObjId, J, SpExp ⊕ TrId) ← tri(ObjId, J, TrId, _),
                               join(ObjId, J − 1, SpExp)

The expression SpExp (SpExp stands for Spatial Expression) is a symbolic rep-
resentation of the object and a means to recover the constraint associated with
each triangle composing the object. The intended meaning of ⊕ is set-theoretic
union and it will be defined formally in the next section.

4.2 Operators on Spatial Objects 

In order to manipulate spatial objects we provide the ordinary set-theoretic
operations: union ⊕, intersection ⊗, difference \ and complement ~. Through
these operations we build expressions whose basic components are the triangle
identifiers. Formally the set of spatial expressions is defined as follows:

SpExp ::= TrId | ∅ | SpExp ⊕ SpExp | SpExp ⊗ SpExp | SpExp \ SpExp | SpExp~

where TrId is the syntactic category of triangle identifiers and ∅ denotes an
empty area.

The meaning of such operations is expressed by a set of clauses defining the 
predicate belong which states when a point belongs to a spatial expression. 

belong(X, Y, TrId) ← tri_con(TrId, X, Y)
belong(X, Y, SpExp1 ⊕ SpExp2) ← belong(X, Y, SpExp1)
belong(X, Y, SpExp1 ⊕ SpExp2) ← belong(X, Y, SpExp2)
belong(X, Y, SpExp1 ⊗ SpExp2) ← belong(X, Y, SpExp1), belong(X, Y, SpExp2)
belong(X, Y, SpExp1 \ SpExp2) ← belong(X, Y, SpExp1), belong(X, Y, SpExp2~)
belong(X, Y, SpExp~) ← complement(X, Y, SpExp)
The first clause asserts that a point (x, y) belongs to a triangle trId if it satisfies
the constraint representing the triangle (i.e., if tri_con(trId, x, y) is provable).
The definitions of union, intersection and difference are straightforward since
they exactly reflect the meaning of the corresponding mathematical operations.
The definition of the complement operation is based on the predicate comple-
ment. To define it, first we provide the representation of the complement of a
triangle and then, by exploiting De Morgan laws, we easily obtain a set of clauses
for the predicate complement. The complement of a non-degenerate triangle is
the union of three half-planes which are the complements of the half-planes deter-
mined by the predicate side. We refer the reader to for a complete definition
of such a predicate. It is worth noting that there is no clause for the empty area
∅ because no point belongs to it.
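The side, tri_con and belong clauses above, rendered as a runnable Python check (an added example; it is not the paper's code and no MuTACLP system is involved). The two triangles t1 and t2 are constructed stand-ins for tri facts; side keeps the paper's strict inequalities, so points on an edge are outside; the complement of the empty area ∅ is taken to be the whole plane, which is an assumption since the page gives no clause for it.

```python
# Constructed tri facts: triangle id -> its three vertexes (objId and index omitted).
TRI = {
    "t1": ((0, 0), (4, 0), (0, 4)),
    "t2": ((2, 0), (6, 0), (2, 4)),
}

def side(x, y, x1, y1, x2, y2, x3, y3):
    """side/8: (x, y) lies strictly on the same side of the line through (x1, y1)
    and (x2, y2) as the vertex (x3, y3). The paper's two clauses are the two sign
    cases of the same pair of cross products; a point on the line satisfies neither."""
    ref = (y3 - y1) * (x2 - x1) - (y2 - y1) * (x3 - x1)
    pt = (y - y1) * (x2 - x1) - (y2 - y1) * (x - x1)
    return (ref > 0 and pt > 0) or (ref < 0 and pt < 0)

def distinct(p1, p2, p3):
    """distinct/6: the three vertexes are pairwise different."""
    return len({p1, p2, p3}) == 3

def tri_con(tid, x, y):
    """tri_con/3: the open triangle is the intersection of three half-planes, each
    bounded by one pair of vertexes and containing the third one."""
    p1, p2, p3 = TRI[tid]
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    return (distinct(p1, p2, p3)
            and side(x, y, x1, y1, x2, y2, x3, y3)
            and side(x, y, x2, y2, x3, y3, x1, y1)
            and side(x, y, x3, y3, x1, y1, x2, y2))

# Spatial expressions as tagged tuples: ("tri", id), EMPTY, ("union", a, b),
# ("inter", a, b), ("diff", a, b) and ("comp", a) for the postfix complement.
EMPTY = ("empty",)

def obj(tids):
    """obj/2 and join/3: an object is the left-nested union of its triangles."""
    e = ("tri", tids[0])
    for t in tids[1:]:
        e = ("union", e, ("tri", t))
    return e

def belong(x, y, e):
    """belong/3, one branch per clause of the paper."""
    tag = e[0]
    if tag == "tri":
        return tri_con(e[1], x, y)
    if tag == "empty":      # no clause for the empty area: nothing belongs to it
        return False
    if tag == "union":
        return belong(x, y, e[1]) or belong(x, y, e[2])
    if tag == "inter":
        return belong(x, y, e[1]) and belong(x, y, e[2])
    if tag == "diff":       # belong(e1), belong(e2~)
        return belong(x, y, e[1]) and belong(x, y, ("comp", e[2]))
    if tag == "comp":
        return complement(x, y, e[1])
    raise ValueError(e)

def complement(x, y, e):
    """complement/3 by De Morgan. A triangle's complement is the union of the three
    complementary half-planes, i.e. the point fails tri_con."""
    tag = e[0]
    if tag == "tri":
        return not tri_con(e[1], x, y)
    if tag == "empty":      # assumption: the complement of ∅ is the whole plane
        return True
    if tag == "union":
        return complement(x, y, e[1]) and complement(x, y, e[2])
    if tag == "inter":
        return complement(x, y, e[1]) or complement(x, y, e[2])
    if tag == "diff":       # (e1 \ e2)~ = e1~ ⊕ e2
        return complement(x, y, e[1]) or belong(x, y, e[2])
    if tag == "comp":
        return belong(x, y, e[1])
    raise ValueError(e)

if __name__ == "__main__":
    both = ("inter", ("tri", "t1"), ("tri", "t2"))
    for p in [(1, 1), (3, 0.5), (1, 3.5)]:
        print(p, belong(*p, obj(["t1", "t2"])), belong(*p, both))
```

With integer or Fraction coordinates every comparison is exact; the degenerate cases the paper defers (points, segments) are not handled, a collinear triple simply yields an empty triangle.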

4.3 Creation of GIS Layers 

In a GIS the objects of interest often consist of collections of a quite large number 
of disjoint areas enjoying a common property, e.g. characterized by the presence 
of water or where a particular kind of tree grows or with a special kind of ground 
etc. Such areas form a so-called layer. To allow a user to obtain directly these 
kinds of information, we provide the system with a mechanism (layer) that, given 
a certain property, returns a spatial expression representing the corresponding 
layer. 

To specify that an object ObId enjoys a property Prop, we use a unit clause
of the form hasProp(ObId, Prop). In order to collect the objects with the same
property we define the clause

objWithProp(Prop, ListObId) ← set_of(ObId, hasProp(ObId, Prop), ListObId)

where set_of is the Prolog meta-predicate provided to work on sets. In this case,
it is used to compute the list of distinct object identifiers which satisfy the
goal hasProp(ObId, Prop), that is the list of identifiers of objects which enjoy
property Prop.

A layer is then represented by a spatial expression, obtained by solving the
predicate layer

layer(Prop, SpExp) ← objWithProp(Prop, L), extract(L, SpExp)
extract([], ∅).
extract([ObId], SpExp) ← obj(ObId, SpExp)
extract([ObId|L], SpExp ⊕ SpE) ← obj(ObId, SpE), extract(L, SpExp)

A layer for the property Prop is denoted by a spatial expression which is the
union of the spatial expressions associated with the objects satisfying Prop. If
no object enjoys the property then the empty area, ∅, is returned.

It is worth noticing that many definitions, given in this subsection and in the
previous ones, are not domain dependent: only n_tri, tri and hasProp are used
to represent specific spatial data. Thus we can collect most definitions, provided
to handle spatial objects, into a program, called SpaceMod, which will be com-
bined with the specific theories in all the spatial analyses.

Finally, since the aim of this paper is to improve the GIS analysis ability, the 
translation process described above does not address the problem of obtaining 
an efficient representation of objects. To increase the efficiency of our implemen- 
tation we could use the algorithms proposed in that directly transform a 
point-based representation into its equivalent constraint representation, but this 
is left as future work. 

5 An Example 

In this section we present an application that highlights how analysis criteria 
can be naturally described in MuTACLP. The application problem we address 
consists in the analysis of a geographic area, which can be formulated as follows. 

Find all the zones in a given region that provide a favorable habitat for 
hares. These animals live in woods, near sources of water, and they eat 
vegetables, such as lettuce, wild cabbage and turnip. The main predators 
of hares are foxes, wolves and raptorial birds like eagles. Thus a favorable 
habitat will be an area rich of water where it is easy to find vegetables 
and possibly without predators. 

The above description is very general and it refers to the usual behavior of a 
hare during the year. We can describe the favorable habitat for a hare as follows 

Hare-Hab

habitat(hares, SpE1 ⊗ SpE2) th [jan, dec] ← layer(water, SpE1),
                                            layer(vegetable, SpE2)

predator(hares, (SpE1 ⊕ SpE2) ⊕ SpE3) th [jan, dec] ← layer(fox, SpE1),
                                                      layer(wolf, SpE2),
                                                      layer(eagle, SpE3)

favArea(hares, X, Y) th [T1, T2] ← habitat(hares, SpE1) th [T1, T2],
                                  predator(hares, SpE2) th [T1, T2],
                                  belong(X, Y, SpE1 \ SpE2)

The clause for habitat states that a zone where hares can live is the intersection
of the layer of water and of the layer of vegetables and this holds throughout the
year. Since foxes, wolves and eagles are predators of the hare during the entire
year we annotate the head of the clause defining predator with th [jan, dec].
Then a favorable habitat for hares in a certain period [T1, T2] is computed by
removing from the habitat areas in [T1, T2] the pieces of land where the predators
of hares can be found during that time period.

Figure 1 gives a possible concrete description of the region of interest, showing
the presence of water, where vegetables grow and the areas where foxes, wolves
and eagles live.

The program Reg gives the logical description of the region.

Fig. 1. Favorable habitat

hasProp(ob1, eagle).        hasProp(ob2, vegetable).
hasProp(ob3, water).        hasProp(ob4, fox).
hasProp(ob5, water).        hasProp(ob6, wolf).
In our region there are two areas rich in water whereas the layers for vegetables
and for the different kinds of predators consist of a single area. To compute the
water layer we ask the system

demo(Reg ∪ SpaceMod, layer(water, SpE))

and the answer is SpE = ob3 ⊕ ob5. Now to know the favorable habitat in
March, we ask the following query

demo(Hare-Hab ∪ (Reg ∪ SpaceMod), favArea(hares, X, Y) th [mar, mar])

The computed favorable habitat, which is painted in grey in Figure 1, is provided
by the system returning two solutions to the previous query:
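The layer construction of Section 4.3 and the Hare-Hab program of Section 5, re-expressed in Python as an added example (not the paper's code and not MuTACLP). The hasProp facts are those of Reg; obj is left symbolic (an object's expression is just its identifier), the th annotations are read as downward-closed validity, so a clause valid on [jan, dec] answers a query for [mar, mar] (an assumption about the reading of th), and the Spring/Autumn program composition is not modelled.

```python
from typing import List, Optional, Tuple, Union

SpExp = Union[str, Tuple]     # an object identifier, "∅", or (op, left, right)
EMPTY = "∅"

# hasProp(ObId, Prop) facts of the program Reg (from the paper).
HAS_PROP = [("ob1", "eagle"), ("ob2", "vegetable"), ("ob3", "water"),
            ("ob4", "fox"), ("ob5", "water"), ("ob6", "wolf")]

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]

def obj_with_prop(prop: str) -> List[str]:
    """objWithProp/2: set_of collects the distinct identifiers of the objects with Prop."""
    ids: List[str] = []
    for ob, p in HAS_PROP:
        if p == prop and ob not in ids:
            ids.append(ob)
    return ids

def obj(ob: str) -> SpExp:
    """obj/2 stand-in: the object's spatial expression is kept symbolic (its id)."""
    return ob

def extract(ids: List[str]) -> SpExp:
    """extract/2: ∅ for no object, the object's expression for one, otherwise the
    union of the rest of the list with the head object, as in the paper's clauses."""
    if not ids:
        return EMPTY
    if len(ids) == 1:
        return obj(ids[0])
    return ("⊕", extract(ids[1:]), obj(ids[0]))

def layer(prop: str) -> SpExp:
    """layer/2: the union of the expressions of all objects enjoying Prop."""
    return extract(obj_with_prop(prop))

def holds(valid: Tuple[str, str], query: Tuple[str, str]) -> bool:
    """A clause annotated th [t1, t2] answers a th [T1, T2] query when [T1, T2] ⊆ [t1, t2]
    (th annotations are downward closed; assumption about the reading used here)."""
    t1, t2 = MONTHS.index(valid[0]), MONTHS.index(valid[1])
    q1, q2 = MONTHS.index(query[0]), MONTHS.index(query[1])
    return t1 <= q1 <= q2 <= t2

# Program Hare-Hab: habitat and predator are both annotated th [jan, dec].
def habitat(period: Tuple[str, str]) -> Optional[SpExp]:
    if not holds(("jan", "dec"), period):
        return None
    return ("⊗", layer("water"), layer("vegetable"))

def predator(period: Tuple[str, str]) -> Optional[SpExp]:
    if not holds(("jan", "dec"), period):
        return None
    return ("⊕", ("⊕", layer("fox"), layer("wolf")), layer("eagle"))

def fav_area(period: Tuple[str, str]) -> Optional[SpExp]:
    """favArea: the expression SpE1 \\ SpE2 whose points (via belong/3) are the
    favorable habitat in the period; None when no clause covers the period."""
    h, p = habitat(period), predator(period)
    if h is None or p is None:
        return None
    return ("\\", h, p)

def show(e: SpExp) -> str:
    """Render an expression with the paper's infix operators."""
    if isinstance(e, str):
        return e
    op, a, b = e
    return f"({show(a)} {op} {show(b)})"

if __name__ == "__main__":
    print(show(layer("water")))             # (ob5 ⊕ ob3)
    print(show(layer("corn")))              # ∅: no object has the property
    print(show(fav_area(("mar", "mar"))))
```

Note that extract as written in the paper nests the union from the tail of the list, so the water layer comes out as ob5 ⊕ ob3 rather than the ob3 ⊕ ob5 quoted in the text; the two are the same area under the belong semantics.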



Indeed we can improve the analysis on the behavior of the hare taking into
account how it varies during the year. Let us assume that

during Spring hares like eating corn and in Autumn they also feed on
oil-seeds rich in moisture.

Thus their favorable areas in the cited seasons are more specific: the areas where 
hares prefer staying should contain respectively corn or oil-seeds, too. 

To reflect this more complex behavior of hares we can restrict the program 
Hare-Hab by using the intersection operation. We define two programs Spring 
and Autumn which refine the definition of the favArea predicate. 
Spring

habitat(hares, SpE) th [apr, jun].

predator(hares, SpE) th [apr, jun].

favArea(hares, X, Y) th [apr, jun] ← layer(corn, SpE), belong(X, Y, SpE)

Autumn

habitat(hares, SpE) th [oct, dec].

predator(hares, SpE) th [oct, dec].

favArea(hares, X, Y) th [oct, dec] ← layer(oil-seed, SpE), belong(X, Y, SpE)

Spring and Autumn restrict the temporal validity of the definition of habitat 
and predator. Thus, when these programs are intersected with a program which 
contains clauses defining such predicates, those rules holding from April to June 
or from October to December, respectively, are selected. Moreover, Spring and 
Autumn add a further constraint both on the temporal validity of favArea and 
on how a favorable zone is computed, i.e., from April to June (resp. from October 
to December) also corn (resp. oil-seeds) is required to grow in such an area. 

The program expression that captures the season-dependent knowledge is

(Hare-Hab ∩ (Spring ∪ Autumn)) ∪
(Hare-Hab ⇓ [jan, mar] ∪ Hare-Hab ⇓ [jul, sep])

where the operator ⇓ (see ^3) is a derived operator which allows one to restrict
the temporal validity of a set of clauses to a time interval.

6 Conclusions 

In this paper we have shown how MuTACLP can be used on top of GISs in 
order to provide users with a more friendly interface for GIS analysis. Although 
more work is needed to improve the support for spatial data, the examples in 
the paper highlight that we are already able to perform interesting spatial and 
spatio-temporal analyses, mainly thanks to the deductive power supplied by the 
underlying constraint logic programming. By means of recursive predicates we 
can express the transitive closure of relations, an ability not provided by the 
traditional approaches in the database field. This ability is very important, for 
instance, to perform network analysis (see e.g. ^3 where it is used to search for 
connections between objects). More generally, our approach allows one not only 
to represent data as in constraint databases but also to express rules, an extra 
feature which makes the difference if we want to use the language as specification 
and/or analysis language. All these features suggest also the possibility of using 
MuTACLP in the construction of a software layer, the layer of mediators ^3i 
which allows for the semantic integration of different data sources, and in par- 
ticular for the semantic interoperability of spatio-temporal knowledge bases, like 
different geographical information systems. 

An interesting direction for future research regards the investigation of some 
important spatial properties, such as metric properties and topological relations 
between objects, which, at the moment, are not considered in our framework. 

Acknowledgments: We thank Paolo Baldan for his useful comments. 
Abstract. Queries commonly perform much better if they manage to
avoid duplicate elimination operations in their execution plans. In this 
paper, we report on a technique that provides a necessary and sufficient 
condition for removing such operators from object relational conjunctive 
queries under the standard duplicate semantics. The condition is fully 
captured as a membership problem in a dialect of description logic called 
CFD, which is capable of expressing a number of common constraints 
implicit in object relational database schemas. We also present a PTIME 
algorithm for arbitrary membership problems in CFD. 



1 Introduction 

The paper presents a combination of two techniques to provide a very powerful
tool for reasoning about duplicate semantics of conjunctive object relational
queries, in particular about elimination operations and situations in which these
operations can be completely removed. The query language studied in the paper
contains many other practical query languages, in particular the conjunctive
fragments of SQL92 ^3^1 and OQL.

The first technique provides a characterization of situations in which queries
can be moved out of the scope of a duplicate elimination operator: it defines a
sufficient and necessary condition in terms of deducing a uniqueness constraint
in an abstraction of the query. Unlike many other approaches, we show that our
technique completely characterizes these situations: in the cases the appropriate
condition does not hold, we know that the duplicate elimination operator may
not be removed.

The second technique is complementary to the first: it defines a dialect of 
description logic called CFD that 

— captures usual schema declarations, including the “decidable” part of the
SQL IEF (integrity enhancement feature) declarations, and

— has an efficient inference mechanism that runs in PTIME both in the size of 
the schema and the query. 

In addition to the usual integrity constraints, CFD can capture many other 
schema declarations, e.g., inheritance constraints, path functions, etc. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1017–…, 2000.

© Springer-Verlag Berlin Heidelberg 2000
Fig. 1. University Database Schema.



Example 1. We illustrate the approach with an object relational schema for a
hypothetical university application illustrated in Figure 1. In particular, consider
a request to “find the unique names of students taking some course taught at
the same time as some other course numbered :P2 with an instructor in the
department named :P1”. In SQL-like syntax, the query can be formulated as:

select distinct S.Name as Name
from STUDENT as S, TAKES as T, COURSE as C
where S = T.S and C.Time = T.C.Time and
      C.Inst.In.Name = :P1 and C.Num = :P2

The results of this paper enable an efficient rewriting of the query to an equiva-
lent formulation that does not involve any use of a duplicate elimination opera-
tion (the removal of the distinct keyword in this case):

select S.Name as Name
from STUDENT as S, TAKES as T, COURSE as C
where S = T.S and C.Time = T.C.Time and
      C.Inst.In.Name = :P1 and C.Num = :P2

This goal is achieved by describing the integrity constraints that hold in the
database schema (Figure 2) and then applying a rewriting rule (Example 10).



1.1 Related Work 

Description logics have long been recognized as a valuable tool for conceptual 
modeling and for the specification of database schemas PQ. More recently, they 
have found applications in query optimization, in particular for issues relating 
to deciding view relevance Q. However, so far as we are aware, such logics have 
not yet been used to reason about duplicate elimination in query plans. 
Conversely, many proposals have utilized functional dependencies and for-
eign key constraints to optimize queries, e.g., for predicate movement as a
supplement to Magic Set optimization for bag semantics ^3, for optimization of
joins and semi-joins ^3, or for decorrelation of complex queries and other
more general integrity constraints to optimize queries.

This paper links the efforts seeking efficient decision procedures for dialects
of description logics with actual techniques used for optimizing queries. The
link between these two techniques is non-trivial: conjunctive query subsumption
is NP-hard for set semantics and Π^p_2-hard for bag semantics Q, in general.
However, using our approach we reduce questions about equivalence of particular
queries related by common forms of rewrites to subsumption constraints in a
dialect of description logic that has an efficient (PTIME) decision procedure.

Both the decision procedure and logic are refinements of earlier versions Q.
In this paper the variety of uniqueness constraints is generalized to include path
functional dependencies and the presented decision procedure itself incor-
porates an optimization for membership tests that involve uniqueness constraints
that satisfy a symmetry property.

The rest of the paper is organized as follows: Section 2 defines CFD along with an
object relational query language used in the rest of the paper. Section 3 presents
the first result: a complete rewriting rule for duplication elimination removal
from conjunctive object relational queries with respect to their duplicate seman-
tics. Section 4 presents a complete inference procedure for deducing arbitrary
subsumption constraints in CFD. All development is illustrated step-by-step us-
ing a running example. The paper concludes with some summary comments and
suggestions for several directions of further research.



2 Definitions 

This section provides all necessary definitions needed to present the results of the 
paper. The definitions are followed by examples that illustrate how the individual 
concepts are used. 



2.1 Description Logics and Database Schemas 

We begin by defining CFD, a dialect of a description logic that incorporates a 
constructor for capturing uniqueness constraints. CFD is short for “Classic/FD”, 
the name of an earlier version first defined in Q in which a simpler form of 
uniqueness construct is added to an earlier dialect called CLASSIC Q. CFD has 
enough expressiveness to capture object relational database schemas including 
a variety of integrity constraints (cf. Example 3).

Definition 2 (Description Logic CFD). Let C denote primitive concepts 
and A primitive attributes. The concept descriptions are defined by the following 
grammar:

D ::= ANY                          (all objects)
    | C                            (superclass construct)
    | (Pf : D)                     (typing construct)
    | C(Pf1, ..., Pfn -> Pf)       (uniqueness construct; n ≥ 1)
    | Pf1 = Pf2                    (equational construct)
    | D1, D2                       (conjunction construct)

where the attribute descriptions Pf are of the form Id (identity) or A.Pf (path
composition). The concept descriptions are used to formulate subsumption con-
straints of the form C < D.

PERSON < (Name : STRING),
         PERSON(Name -> Id)
STUDENT < PERSON
PROF < PERSON, (In : DEPT)
TAKES < (S : STUDENT),
        (C : COURSE),
        (Mark : INT),
        TAKES(S, C -> Id),
        TAKES(S, C.Time -> C)
DEPT < (Name : STRING),
       (Head : PROF),
       DEPT(Name -> Id),
       DEPT(Head -> Id)
COURSE < (Num : INT),
         (Room : INT),
         (Time : INT),
         (Inst : PROF),
         (In : DEPT),
         COURSE(Num, In -> Id),
         COURSE(Room, Time -> Id),
         COURSE(Inst.In -> In)

Fig. 2. University Database Schema in CFD.

Intuitively, the descriptions describe sets of objects (object id’s), the attributes 
(or paths) describe the relationships between objects, and subsumption con- 
straints restrict valid instances of the database. 

Example 3. The University database schema from Figure 1 is captured using
CFD in Figure 2. The constraints introduce primitive classes PERSON, STUDENT,
PROF, COURSE, DEPT, TAKES, INT (for integers), and STRING (for strings), and
assert that PERSONs have Names (strings), that STUDENTs and PROFs are PERSONs
(inheritance constraints); that Name is a key of PERSON (because it determines
Id — the object id of the person object), and so on. For readability we omit the
trailing Id in attribute descriptions in our examples.

The semantics of CFD is defined with respect to a possibly infinite collection
of entities Dom and a function (.)^I. We call the pair I = (Dom, (.)^I) an in-
terpretation or a database (these are synonymous in our approach). The second
component, (.)^I, maps subsumption constraints to truth values, concept descrip-
tions to subsets of Dom, and attribute descriptions to total functions over Dom.
There are no further conditions on the interpretation of primitive concepts and
attributes. The interpretation of the remaining constructs is constrained as fol-
lows:

Definition 4 (Semantics of CFD). Let C_C ⊆ Dom be a set for each primitive
concept C, and f_A : Dom → Dom a function on Dom for each attribute A. Then

(ANY)^I = Dom
(C)^I = C_C
(Pf : D)^I = {v : (Pf)^I v ∈ (D)^I}
(C(Pf1, ..., Pfn -> Pf))^I = {v : ∀w ∈ (C)^I . (Pf1)^I v = (Pf1)^I w ∧ ... ∧ (Pfn)^I v = (Pfn)^I w ⇒ (Pf)^I v = (Pf)^I w}
(Pf1 = Pf2)^I = {v : (Pf1)^I v = (Pf2)^I v}
(D1, D2)^I = (D1)^I ∩ (D2)^I

The meanings of the attribute descriptions Id and A.Pf are defined as λx.x and
λx.(Pf)^I(f_A x), respectively. The meaning of a subsumption constraint C < D
is defined as (C)^I ⊆ (D)^I.

A database schema S is a set of subsumption constraints in CFD. We say that
a database I satisfies schema S, written I ⊨ S, if all subsumption constraints
in S are true with respect to (.)^I.

Similarly, given subsumption constraint C < D, we write S ⊨ C < D to
express the condition that C < D is a logical consequence of S, that is I ⊨ S
implies I ⊨ C < D for all databases I.
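Definition 4 as an executable checker, added here as an example (not the paper's code): a finite interpretation in Python, descriptions as tagged tuples, and a test of I ⊨ C < D by computing (C)^I ⊆ (D)^I. The instance, the filler element ⊥ that makes attributes total, and the constraint DEPT < (Head.In = Id) are constructed; the other constraints are taken from Fig. 2.

```python
from typing import Dict, List, Set, Tuple

BOTTOM = "⊥"            # constructed filler so that every attribute is a total function on Dom
Pf = Tuple[str, ...]    # () is Id; ("Head", "In") is the path Head.In

class Interp:
    """A finite interpretation I = (Dom, (.)^I): primitive concepts as sets and
    primitive attributes as (total, via BOTTOM) functions on Dom."""

    def __init__(self, concepts: Dict[str, Set[str]], attrs: Dict[str, Dict[str, str]]):
        self.concepts = concepts
        self.attrs = attrs
        self.dom: Set[str] = set().union(*concepts.values()) | {BOTTOM}

    def pf(self, path: Pf, v: str) -> str:
        """(Pf)^I v: Id is the identity, A.Pf applies A first, then Pf."""
        for a in path:
            v = self.attrs.get(a, {}).get(v, BOTTOM)
        return v

    def ext(self, d: tuple) -> Set[str]:
        """(D)^I for a description given as a tagged tuple (Definition 4)."""
        tag = d[0]
        if tag == "ANY":
            return set(self.dom)
        if tag == "C":                                   # primitive concept
            return set(self.concepts[d[1]])
        if tag == "attr":                                # (Pf : D)
            _, path, inner = d
            target = self.ext(inner)
            return {v for v in self.dom if self.pf(path, v) in target}
        if tag == "fd":                                  # C(Pf1, ..., Pfn -> Pf)
            _, c, lhs, rhs = d
            return {v for v in self.dom
                    if all(self.pf(rhs, v) == self.pf(rhs, w)
                           for w in self.concepts[c]
                           if all(self.pf(p, v) == self.pf(p, w) for p in lhs))}
        if tag == "eq":                                  # Pf1 = Pf2
            return {v for v in self.dom if self.pf(d[1], v) == self.pf(d[2], v)}
        if tag == "and":                                 # D1, D2
            return self.ext(d[1]) & self.ext(d[2])
        raise ValueError(d)

    def models(self, c: str, d: tuple) -> bool:
        """I ⊨ C < D  iff  (C)^I ⊆ (D)^I."""
        return self.concepts[c] <= self.ext(d)

def violations(schema: List[Tuple[str, str, tuple]], i: Interp) -> List[str]:
    """Labels of the constraints C < D of the schema that I does not satisfy."""
    return [label for label, c, d in schema if not i.models(c, d)]

# Part of the university schema of Fig. 2, plus one equational constraint (constructed)
# saying that a department's head works in that department.
SCHEMA = [
    ("PERSON < (Name : STRING)",    "PERSON", ("attr", ("Name",), ("C", "STRING"))),
    ("PERSON < PERSON(Name -> Id)", "PERSON", ("fd", "PERSON", [("Name",)], ())),
    ("PROF < PERSON",               "PROF",   ("C", "PERSON")),
    ("PROF < (In : DEPT)",          "PROF",   ("attr", ("In",), ("C", "DEPT"))),
    ("DEPT < DEPT(Name -> Id)",     "DEPT",   ("fd", "DEPT", [("Name",)], ())),
    ("DEPT < DEPT(Head -> Id)",     "DEPT",   ("fd", "DEPT", [("Head",)], ())),
    ("DEPT < (Head.In = Id)",       "DEPT",   ("eq", ("Head", "In"), ())),
]

# Constructed instance: two professors share the name "Bob", so Name is not a key.
CONCEPTS = {"PERSON": {"p1", "p2", "p3"}, "PROF": {"p2", "p3"}, "DEPT": {"d1", "d2"},
            "STRING": {"Ann", "Bob", "Cy", "CS", "EE"}}
ATTRS = {"Name": {"p1": "Ann", "p2": "Bob", "p3": "Bob", "d1": "CS", "d2": "EE"},
         "In": {"p2": "d1", "p3": "d2"},
         "Head": {"d1": "p2", "d2": "p3"}}

def bad_db() -> Interp:
    return Interp(CONCEPTS, ATTRS)

def fixed_db() -> Interp:
    """Same instance with p3 renamed, which restores the key constraint."""
    attrs = {**ATTRS, "Name": {**ATTRS["Name"], "p3": "Cy"}}
    return Interp(CONCEPTS, attrs)

if __name__ == "__main__":
    print(violations(SCHEMA, bad_db()))     # the Name key of PERSON fails
    print(violations(SCHEMA, fixed_db()))   # nothing fails
```

The checker enumerates a finite Dom, so it tests a single database, not the entailment S ⊨ C < D over all databases that Section 4's decision procedure settles; it is useful for validating an instance against a CFD schema and for reading the uniqueness construct as the set of objects whose key attributes never collide with another member of C.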

To run in PTIME, the decision procedure presented in Section 4 requires two
restrictions on the set S. First, only regular path functional dependencies are
allowed in S. Description C(Pf1, ..., Pfn -> Pf) is regular if Pf (with the possible
exception of the last primitive attribute) is a prefix of Pf_i for some 1 ≤ i ≤ n
^3. Second, S may not contain equational constraints. We say that S is regular
and equation-free when it satisfies these conditions. It is easy to verify that the
schema in Figure 2 is regular and equation-free.

Relational Databases and Schemas. We have defined databases as pairs of a 
domain Dom and an interpretation function (.)^. However, it is easy to see 
that standard SQL table/attribute declarations map to simple subsumption con- 
straints and the databases that satisfy these constraints are equivalent to SQL 
databases. Consider the declaration 

CREATE TABLE PERSON (Name char(100))

saying that we have a table PERSON with a single attribute Name. This is equiva-
lently captured by the subsumption constraint PERSON < (Name : STRING); the
function associated with the attribute Name, given a person object, returns a
string. The SQL IEF (Integrity Enhancement Feature) also allows declaration of
integrity constraints that must hold on the schema. In this paper we consider the
entity integrity and the referential integrity constraints (the domain constraints
are captured as above¹).

¹ With the exception of general CHECK constraints.
The entity integrity (key) constraints are captured in CFD using the unique-
ness construct. To declare that Name is a key of the PERSON table we say
PERSON < PERSON(Name -> Id) where Id is essentially a reference to the ob-
ject identifier of person (presumed to be unique for each object in the class).

The referential integrity constraints in our approach are more limited than
in SQL. However, such a restriction is necessary as SQL’s referential integrity
constraints allow general embedded inclusion dependencies and thus reasoning
becomes undecidable. We restrict the referential integrity to unary foreign
key constraints (i.e., the target of the dependency must be a key — in our case
the object identifier — which reduces to attribute declarations in our model). This
restriction leads to an efficiently decidable theory (cf. Section 4) while capturing a
large class of practical schema declarations in SQL.

2.2 Conjunctive Object Relational Queries 

We define the core syntax of the conjunctive fragment of object relational queries 
by the following grammar: 

Definition 5 (Object Relational Conjunctive Queries).

Q ::= C as A                     (Primitive class)
    | A.Pf1 = B.Pf2              (Equational constraint)
    | select A1, ..., An Q       (Projection)
    | elim Q                     (Duplicate elimination)
    | from Q1, ..., Qk           (Natural join)

In addition we assume standard syntactic safety conditions to be satisfied by the
queries².

Note that the only a priori interpreted operation in the language is equality. All
other classes of objects, including built-in classes (relations) are modeled using
primitive concepts. Therefore, we have primitive concepts that model all the
usual built-in relations, e.g., LESS for linear order, PLUS for addition, etc.

It is easy to see that the language captures all conjunctive queries under
duplicate semantics. All other common constructs can be translated to queries
formulated in the above fragment and are considered to be mere syntactic sugar.
In particular:

Q where E and E' ... = from Q, E, E', ...
Q where exists Q' = from Q, (elim select V Q'), for V parameters of Q'
select distinct V Q = elim select V Q

The formal semantics of queries is defined with respect to a database I as follows:

² For our results to hold we can even allow infinite bags as long as every tuple is
duplicated only finitely many times.
Definition 6 (Semantics of Queries). We define the semantic function [[.]]
that maps queries to functions from databases I to bags of tuples as follows:

[[C as A]]I = {| (A : v) : v ∈ (C)^I |}
[[A.Pf1 = B.Pf2]]I = {| (A : v, B : w) : v, w ∈ Dom, (Pf1)^I(v) = (Pf2)^I(w) |}
[[select A1, ..., An Q]]I = {| (A1 : v@A1, ..., An : v@An) : v ∈ [[Q]]I |}
[[elim Q]]I = { v : v ∈ [[Q]]I }
[[from Q1, ..., Qk]]I = [[Q1]]I ⋈ ... ⋈ [[Qk]]I

where {| (A1 : v1, ...) |} denotes a bag of tuples and v@Ai denotes the value associated
with Ai in the tuple v; we require the attribute labels Ai to be the same for each
tuple in the bag and for each individual tuple to form a set.

SQL Queries. As in the case of SQL tables mapping directly to primitive con-
cepts, conjunctive queries in SQL (the SELECT-FROM-WHERE blocks) map directly
to our object relational query language. The semantics of SQL maps immedi-
ately to the semantics presented in Definition 6. The only difference is that, for
base tables, SQL retrieves values of all declared attributes in addition to the “tu-
ple id”, and thus in equality constraints the already retrieved values are simply
compared. (Recall that all path functions in SQL are of the form A.B where A
is a tuple variable and B an attribute.)

From this point of view, it is interesting to observe that for SQL queries tuple 
identifiers are never used during query evaluation and therefore do not have to 
be stored in the database or manipulated by the queries. This approach is similar 
to introducing virtual attributes (record ids) 

3 Reasoning about Duplicate Elimination Operators

This section presents the first result: a technique that allows us to remove sub- 
queries (base classes) from the scope of a duplicate elimination operator. The 
condition of the rewrite rule presents a complete characterization of the situa- 
tions in which the rewrite is valid. 

To simplify the exposition, we first show that every object relational con- 
junctive query can be written in a normal form: 

Lemma 7 (Normal Form). Let Q be an arbitrary object relational conjunc-
tive query. Then there is an equivalent query with the form

select V
from C1 as A1, ..., Cm as Am, (elim
    select W
    from Cm+1 as Am+1, ..., Cn as An, R)

where R is a list of equalities of the form Ai.Pf1 = Aj.Pf2, and V and W sets
of attribute names that appear in the signatures of the respective subqueries.
Also, we assume that R references Am+1, ..., An and all attributes in W.
Proof. By induction on the structure of Q using standard equivalence rules.

The normal form yields a set of subsumption constraints in CFD as follows:

Definition 8. Let Q be an object relational conjunctive query in normal form
and C_Q a distinguished concept name. We define a set of subsumption constraints

S_Q = {C_Q < (A1 : C1), ..., C_Q < (An : Cn), C_Q < R}

The constraints S_Q mimic the semantics of Q within the description logic. This
way, we reduce reasoning about the query Q to reasoning about subsumption
constraints in CFD. The ability to reason in CFD allows us to formulate the
main result of this section:

Theorem 9 (Duplicate Elimination Reduction). Let S be a database
schema. Then for all databases I such that I ⊨ S the query

Q : select V
    from C1 as A1, ..., Cm as Am, (elim
        select W
        from Cm+1 as Am+1, ..., Cn as An, R)

is semantically equivalent to

Q' : select V
     from C1 as A1, ..., Cm+1 as Am+1, (elim
         select W ∪ {Am+1}
         from Cm+2 as Am+2, ..., Cn as An, R)

if and only if S ∪ S_Q ⊨ C_Q < C_Q(A ∪ W -> Am+1) where A = {A1, ..., Am}.

Proof. (sketch)

“⇒”: Assume that S ∪ S_Q ⊭ C_Q < C_Q(A ∪ W -> Am+1). Then there must be an
interpretation I such that v, w ∈ (C_Q)^I and f_Ai(v) = f_Ai(w) for Ai ∈ A ∪ W,
but where f_Am+1(v) ≠ f_Am+1(w). In addition, v and w satisfy all equational
constraints in R. Therefore, using the definition of semantics for the outer from
clauses of Q and Q' we have

— a single tuple (Ai : f_Ai(v)) for Q, but

— at least the two tuples (Ai : f_Ai(v), Am+1 : f_Am+1(v))
and (Ai : f_Ai(w), Am+1 : f_Am+1(w)) for Q'.

This fact is preserved by the final duplicate-preserving projection and thus we
have [[Q]]I ≠ [[Q']]I.

“⇐”: Conversely, [[Q]]I ≠ [[Q']]I is only possible if, similarly to the previous case,
the interpretation of Q's outer from contains a single tuple while the interpre-
tation of Q' contains two tuples that differ only in the value of Am+1. However,
these two tuples can be used to define an interpretation I with exactly two ob-
jects in (C_Q)^I that agree on all attributes in A ∪ W but disagree on Am+1. As
these two objects also satisfy all the other subsumption constraints in S_Q we
have S ∪ S_Q ⊭ C_Q < C_Q(A ∪ W -> Am+1). □
The theorem states a sufficient and necessary condition needed to move a con-
junct (Cm+1 as Am+1) from the scope of the duplicate elimination operator
(elim) into the outer from clause (and vice versa). Let us illustrate this on the
query from our introductory Example 1.

Example 10. First, the original query from ExampleHis transformed to the 
normal form (after replacing syntactic sugar): 

select :P1, :P2, Name 
from elim ( 

select :P1, :P2, Name 

from STUDENT as S, TAKES as T, COURSE as C, 

S = T.S, C.Time = T.C.Time, C. Inst . In. Name = :P1, 
C.Num = :P2, Name = S.Name ) 

Note that parameters :P1 and :P2 are converted to “result” attributes on the 
normalized query (using the standard observation that there is no difference 
between these). The query schema Sq is defined as follows: 

CQ < (S: STUDENT), (T: TAKES), (C: COURSE), 

(PI: STRING), (P2: INT) , (Name: STRING), 

S = T.S, C.Time = T.C.Time, C. Inst . In. Name = :P1, 

C.Num = :P2, Name = S.Name 

Now we use the rewriting rule from the theorem above to “move” the reference to COURSE 
out of the scope of the elim operator. The necessary condition is S ∪ S_Q ⊨ 
CQ < CQ(Name, :P1, :P2 -> C), which is true as we shall see in Section 4. 
Therefore the query is equivalent to 

select :P1, :P2, Name 
from COURSE as C, elim ( 
    select C, :P1, :P2, Name 
    from STUDENT as S, TAKES as T, 
         S = T.S, C.Time = T.C.Time, C.Inst.In.Name = :P1, 
         C.Num = :P2, Name = S.Name ) 

A sequence of two additional applications of the duplicate elimination rewrite 
(that check S ∪ S_Q ⊨ CQ < CQ(Name, :P1, :P2, C -> T) to move the 
TAKES as T subquery and S ∪ S_Q ⊨ CQ < CQ(Name, :P1, :P2, C, T -> S) for 
STUDENT as S) results in the following query: 

select :P1, :P2, Name 
from COURSE as C, TAKES as T, STUDENT as S, elim ( 
    select C, T, S, :P1, :P2, Name 
    from S = T.S, C.Time = T.C.Time, C.Inst.In.Name = :P1, 
         C.Num = :P2, Name = S.Name ) 

Note that the set of subsumption constraints S_Q is the same for each of the three 
steps. In Section 4 we see that the decision procedure can take advantage of this 
fact and reuse internal data structures to answer the second and third subsump- 
tion questions. Using the standard simplification that commutes equalities with the 
duplicate elimination operation we obtain the query we desired in the introductory example. 
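To see the theorem's condition at work on Example 10, the following Python code (an added example, not the paper's own code) evaluates the original query and the rewritten query under bag semantics on two constructed instances: one where Name, :P1, :P2 -> C holds and the rewrite is exact, and one where two inner tuples differ only in C, so the rewritten query yields duplicates. Path expressions such as T.C.Time are flattened into dictionary lookups, and all table contents and oids are constructed.

```python
"""Bag-semantics check of the duplicate-elimination rewrite of Example 10 (constructed example)."""
from collections import Counter


def where(S, T, C, db, p1, p2):
    """Conjuncts of the normalized query: S = T.S, C.Time = T.C.Time,
    C.Inst.In.Name = :P1, C.Num = :P2 (Name = S.Name is handled by projection)."""
    course_taken = db["COURSE"][T["C"]]          # T.C, followed to read T.C.Time
    return (S["oid"] == T["S"]
            and C["Time"] == course_taken["Time"]
            and C["InstName"] == p1
            and C["Num"] == p2)


def elim(bag):
    """Duplicate elimination: every distinct tuple survives exactly once."""
    return Counter(set(bag))


def inner_tuples(db, p1, p2):
    """Tuples of the innermost join before projection: (C, :P1, :P2, Name)."""
    return [(C["oid"], p1, p2, S["Name"])
            for S in db["STUDENT"].values()
            for T in db["TAKES"]
            for C in db["COURSE"].values()
            if where(S, T, C, db, p1, p2)]


def q_original(db, p1, p2):
    """select :P1, :P2, Name from elim(select :P1, :P2, Name from STUDENT, TAKES, COURSE, ...)."""
    return elim(t[1:] for t in inner_tuples(db, p1, p2))


def q_rewritten(db, p1, p2):
    """select :P1, :P2, Name from COURSE as C, elim(select C, :P1, :P2, Name from STUDENT, TAKES, ...).

    COURSE is outside elim: the outer from clause iterates over courses, the correlated
    subquery is deduplicated per course, and the final projection keeps duplicates."""
    result = Counter()
    for C in db["COURSE"].values():
        per_course = elim(t for t in inner_tuples(db, p1, p2) if t[0] == C["oid"])
        for t in per_course:
            result[t[1:]] += 1
    return result


def fd_holds(db, p1, p2):
    """Does Name, :P1, :P2 -> C hold on the inner join result? (The theorem requires it
    for all legal databases; here it is checked on one instance.)"""
    seen = {}
    for c, *rest in inner_tuples(db, p1, p2):
        if seen.setdefault(tuple(rest), c) != c:
            return False
    return True


def rewrite_is_exact(db, p1, p2):
    """True iff both queries return the same bag on this instance."""
    return q_original(db, p1, p2) == q_rewritten(db, p1, p2)


# Constructed instance: (InstName, Num) identifies a course, so the FD holds.
DB_KEYED = {
    "COURSE": {"c1": {"oid": "c1", "Num": 101, "Time": "Mon9", "InstName": "UW"},
               "c2": {"oid": "c2", "Num": 102, "Time": "Mon9", "InstName": "UW"}},
    "STUDENT": {"s1": {"oid": "s1", "Name": "Ann"}, "s2": {"oid": "s2", "Name": "Bob"}},
    "TAKES": [{"S": "s1", "C": "c1"}, {"S": "s1", "C": "c2"}, {"S": "s2", "C": "c1"}],
}

# Same data, but c2 repeats c1's (InstName, Num): two inner tuples differ only in C,
# which is exactly the counterexample of the "only if" direction of the proof.
DB_UNKEYED = {**DB_KEYED,
              "COURSE": {"c1": DB_KEYED["COURSE"]["c1"],
                         "c2": {"oid": "c2", "Num": 101, "Time": "Mon9", "InstName": "UW"}}}
```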

The rewriting rule (the theorem above) can be integrated with existing query optimizers 
in two ways: 

1. By “moving” an atomic query out of the scope of the elim operator 
(distinct and EXISTS in SQL), we expand the search space of a join- 
ordering optimizer. If we manage to move all class references out of the 
scope of the elim operator (as in Example 10), we can completely remove 
the duplicate elimination operation from the query. 

2. Conversely, we can move atomic subqueries into the scope of the elim oper- 
ator. This is especially important in cases where the moved class reference 
does not contribute values to tuples in the result of the query. In this case the 
duplicate elimination operation can be replaced with a single index lookup 
(similarly to processing an EXISTS clause in SQL). 

4 A Decision Procedure for CFD 

Our overall algorithm works with description graphs, first introduced in earlier work and 
later modified to enable reasoning about simpler forms of uniqueness constraints 
that resembled (possibly asymmetric) functional dependencies. The algorithm 
presented here also incorporates an optimization that avoids copying entire 
description graphs when deducing subsumption by symmetric uniqueness con- 
straints, a property always satisfied when reasoning about duplicate elimination 
on queries. 

Definition 11. A description graph G is a triple (N, E, n) consisting of a set 
N of nodes, a bag E of directed edges labeled with either primitive attribute 
names or Id, and a distinguished node n ∈ N. Each node n' ∈ N has three 
labels: a finite set DS(n') of concept descriptions, a finite set PF(n') of attribute 
descriptions, and a finite set Fired(n') of subsumption constraints that have 
already “fired” on n'. (Unless specified otherwise, we will assume that each of 
the three labels is initially empty for any newly created node.) Elements in E 
are written as triples (n1, A, n2) where n1 and n2 are nodes and A is either Id 
or a primitive attribute name. 

Intuitively, a description graph may be viewed as a partial database in which 
nodes correspond to hypothetical or prototypical objects that belong to descrip- 
tions in their DS labels, while edges correspond to (some of) their attribute 
values. Given a database schema S and subsumption constraint C < D, the de- 
cision procedure constructs this partial database by first creating an initial graph 
with a single node containing C in its DS label and then invoking a chase-like 
procedure EXP to create a normalized form for the graph that makes explicit 
additional constraints that are implicit in S. This normalized form represents a 
pattern that must always match the structure of any C object. The final step 
of the decision procedure calls a boolean function SUBSUMES to verify that the 
graph has the properties required by D. 

A formal specification of these two procedures is given in Appendix A. 
Full proofs of the following theorems are given elsewhere. 

Theorem 12 (Soundness and Completeness). Let S be a regular equation- 
free database schema and C1 < D1 and C2 < D2 arbitrary subsumption con- 
straints for which C1 does not occur in S. Then 

S ∪ {C1 < D1} ⊨ C2 < D2 

if and only if 

SUBSUMES(D2, EXP(G, S ∪ {C1 < D1}), S ∪ {C1 < D1}, C2, true) 

where description graph G has the form ({n}, {}, n) in which DS(n) = {C2} and 
PF(n) = Fired(n) = {}. 

One of the desirable properties of our decision procedure is the fact that it is 
incremental; description graphs constructed by earlier invocations of EXP can 
be reused when the procedure is invoked on a sequence of similar membership 
problems. For example, a sequence of problems of the form S ⊨ C < D_i can 
always reuse the graph constructed by the first call to EXP, a circumstance that 
happens with our example of duplicate elimination (Example 10). Further ways 
of reusing the work are also possible and are explored in more detail elsewhere. 

Example 13. Figure 3 illustrates the description graph produced by an invo- 
cation of SUBSUMES of the form 

SUBSUMES(CQ(Name, :P1, :P2 -> C), EXP(({n}, {}, n), S), S, CQ, true) 

where DS(n) = {CQ} and S consists of the constraints in the earlier figure together 
with query schema S_Q. Note that only DS labels for nodes are indicated. The 
nodes are numbered according to the order in which updates E12, E13, E11 
of EXP add Id to their PF labels. Since in particular the graph “ACCEPTS” 
attribute description C (note the dashed arc outgoing from the distinguished 
node), SUBSUMES returns true, thus enabling the first rewrite in Example 10. 

Theorem 14 (Complexity). Let S be a regular equation-free database schema 
with size k, and let C1 < D1 and C2 < D2 denote arbitrary subsumption con- 
straints of total size m for which C1 does not occur in S. Then there is an 
implementation of EXP and SUBSUMES such that an invocation of the form 

SUBSUMES(D2, EXP(G, S ∪ {C1 < D1}), S ∪ {C1 < D1}, C2, true) 

terminates in O(mk) time if C2 < D2 has the form C < C(Pf1, ..., Pfn → Pf), 
and in O(f m^2 k) time otherwise (f is the number of uniqueness constructs in C2). 
Fig. 3. A description graph for query schema S_Q. 



Note that both Theorems 12 and 14 only hold for cases in which database schemas 
are both regular and equation-free. It is well-known that the membership prob- 
lem becomes undecidable if equations are allowed in a database schema. If the 
regularity property is relaxed, the membership problem for CFD becomes DEX- 
PTIME complete. Moreover, regular uniqueness constraints encompass the 
majority of practical situations (in particular, all of classical functional depen- 
dencies and primary keys). 

5 Conclusion 

The following list summarizes the contributions of the paper. 

1. We have defined CFD, a description logic dialect sufficiently expressive to 
describe object relational database schemas and a wide class of integrity 
constraints on such schemas. 

2. We have devised a rewriting rule for object relational conjunctive queries 
that completely characterizes situations in which a duplicate elimination 
operator can be removed from the query. We have shown that a necessary 
and sufficient condition maps to a question in CFD. 

3. We presented an efficient (linear both in the size of the schema and in the size of 
the query) procedure that answers the above question. 

In addition we have presented a decision procedure for subsumption checking in 
CFD and discussed the impact of various restrictions we imposed on database 
schemas (or the lack thereof) on the complexity of CFD's decision procedure. 

Future work includes several possible directions (presented as conjectures here). 
The rewriting theorem can be straightforwardly modified to handle aggregates in object 
relational queries (the elim operator can be viewed as a degenerate case of the 
group-by operator). The same theorem can also be easily adapted to handle 
rewrites that perform various kinds of order optimization, and to discovering 
interesting orders of tables. The addition of disjunction to CFD and/or the 
query language still leads to a decidable theory, and query rewrites similar to 
the one presented in this paper are then possible. Moreover, we conjecture that 
there is a subset of database schemas with amenable computational properties 
(that includes a limited use of disjunction to capture wider classes of schemas 
than CFD). 
A EXP and SUBSUMES 

A specification of procedure EXP and function SUBSUMES is given below in the 
production system style presumed by the full proofs of Theorems 12 and 14, which 
can be found elsewhere. The actual implementation of these procedures is event 
driven, and makes use of indices on a given database schema. 

Procedure EXP(G, S) 

Input: description graph G = (N, E, n); set of subsumption constraints S. 
Exhaustively apply the following updates to G in the order presented. 

E1. If e = (n', Id, n') ∈ E, then E := E − {e}. 

E2. If e = (n', Id, n) ∈ E, then E := E − {e} ∪ {(n, Id, n')}. 
    (Recall that n is the distinguished node in G.) 

E3. If e = (n1, Id, n2) ∈ E, then 

    (a) DS(n1) := DS(n1) ∪ DS(n2). 

    (b) PF(n1) := PF(n1) ∪ PF(n2). 

    (c) Fired(n1) := Fired(n1) ∪ Fired(n2). 

    (d) For each e' = (n', A, n2) ∈ E do E := E − {e'} ∪ {(n', A, n1)}. 

    (e) For each e' = (n2, A, n') ∈ E do E := E − {e'} ∪ {(n1, A, n')}. 

    (f) E := E − {e}; N := N − {n2}. 

E4. If e1 = (n1, A, n2), e2 = (n1, A, n3) ∈ E, 
    then E := E − {e2} ∪ {(n2, Id, n3)}. 

E5. If n' ∈ N s.t. D = (D1, ..., Dn) ∈ DS(n'), 
    then DS(n') := DS(n') − {D} ∪ {D1, ..., Dn}. 
E6. If n1, n2 ∈ N s.t. D = (A.Pf : D') ∈ DS(n1) 
    and (n1, A, n2) ∈ E, then 

    (a) DS(n1) := DS(n1) − {D}. 

    (b) DS(n2) := DS(n2) ∪ {(Pf : D')}. 

E7. If n' ∈ N s.t. D = (A.Pf : D') ∈ DS(n') 
    and D' contains an equational constraint, 
    then invoke FIND(n', A.Id, G). 

E8. If n' ∈ N s.t. D = (Id : D') ∈ DS(n'), 
    then DS(n') := DS(n') − {D} ∪ {D'}. 

E9. If n' ∈ N s.t. D = (Pf1 = Pf2) ∈ DS(n'), then 

    (a) DS(n') := DS(n') − {D}. 

    (b) Add (FIND(n', Pf1, G), Id, FIND(n', Pf2, G)) to E. 

E10. If n1, n2 ∈ N s.t.: 

    (1) n1 ≠ n2, 

    (2) there is D = C(Pf1, ..., Pfm → Pf) ∈ DS(n1), 

    (3) C ∈ DS(n2), 

    (4) for each 1 ≤ i ≤ m : AGREES(n1, Pfi, n2, G), and 

    (5) ¬AGREES(n1, Pf, n2, G), 

    then add (FIND(n1, Pf, G), Id, FIND(n2, Pf, G)) to E. 

E11. If n' ∈ N s.t. (C < D) ∈ S − Fired(n') and C ∈ DS(n'), then 

    (a) Fired(n') := Fired(n') ∪ {C < D}. 

    (b) DS(n') := DS(n') ∪ {D}. 

E12. If n' ∈ N s.t. Pf1 = A.Pf2 ∈ PF(n'), then 

    (a) PF(n') := PF(n') − {Pf1}. 

    (b) PF(FIND(n', A.Id, G)) := {Pf2}. 

E13. If n' ∈ N s.t.: 

    (1) C ∈ DS(n'), 

    (2) C(Pf1, ..., Pfm → Pf) ∈ DS(n'), 

    (3) for each 1 ≤ i ≤ m : ACCEPTS(n', Pfi, G), and 

    (4) ¬ACCEPTS(n', Pf, G), 
    then PF(n') := PF(n') ∪ {Pf}. 

E14. If (n1, A, n2) ∈ E s.t. Id ∈ PF(n1) and Id ∉ PF(n2), 
    then PF(n2) := PF(n2) ∪ {Id}. 

function SUBSUMES(D, G, S, C, T): Boolean 

Input: concept description D; description graph G = (N, E, n); set of subsumption 
constraints S; primitive concept C and Boolean T. 

Branch to the relevant case depending on the form of D. 

Case C: Return C ∈ DS(n). 

Case (D1, ..., Dm): 
    Return true iff SUBSUMES(Di, G, S, C, T) for all 1 ≤ i ≤ m. 

Case (Id : D'): Return SUBSUMES(D', G, S, C, T). 

Case (A.Pf : D'): 
    Return SUBSUMES((Pf : D'), EXP((N, E, FIND(n, A.Id, G)), S), S, C, false). 

Case Pf1 = Pf2: 

    (a) FIND(n, Pf1, G), FIND(n, Pf2, G). 

    (b) EXP(G, S). 

    (c) Return FIND(n, Pf1, G) = FIND(n, Pf2, G). 

Case C(Pf1, ..., Pfm → Pf) where T: 

    (a) For each n' ∈ N : PF(n') := {}. 

    (b) PF(n) := {Pf1, ..., Pfm}. 

    (c) Invoke EXP((N, E, n), S). 

    (d) Return ACCEPTS(n, Pf, G). 

Case C'(Pf1, ..., Pfm → Pf) where C' ≠ C or ¬T: 

    (a) Create a copy G' = (N', E', n') of G. 

    (b) Add a new node n to N' and a new edge (n, A, n') to E'. 

    (c) Add (B : C') to DS(n). 

    (d) For each 1 ≤ i ≤ m: add (A.Pfi = B.Pfi) to DS(n). 

    (e) Invoke EXP(G', S). 

    (f) Return FIND(n, A.Pf, G') = FIND(n, B.Pf, G'). 

Case ANY: Return true. 



function FIND(n, Pf, G): node 

Input: description graph G = (N, E, n''); node n ∈ N; attribute description Pf. 
Returns the node at the end of the path Pf from node n in G, potentially creating 
any missing nodes and edges to ensure such a path exists. 

function AGREES(n1, Pf, n2, G): Boolean 

Input: description graph G = (N, E, n); nodes n1, n2 ∈ N; attribute description Pf. 
Returns true if there is a node n' ∈ N such that n' is reachable from both n1 and n2 
by the same prefix of Pf. 

function ACCEPTS(n1, Pf, G): Boolean 

Input: description graph G = (N, E, n); node n1 ∈ N; attribute description Pf. 
Returns true if Id occurs in the PF label of any node on the Pf path starting from 
node n1 in G. 
Abstract. We present the design of a file system whose organization 
is based on Concept Analysis “à la Wille-Ganter”. The aim is to com- 
bine querying and navigation facilities in one formalism. The file system 
is supposed to offer a standard interface but the interpretation of com- 
mon notions like directories is new. The contents of a file system are in- 
terpreted as a Formal Context, directories as Formal Concepts, and the 
sub-directory relation as Formal Concept inclusion. We present an orga- 
nization that allows for an efficient implementation of such a Conceptual 
File System. 



1 Introduction: Querying vs. Navigation 

Information retrieval includes representation, storage, organization, and access 
to information. Two information retrieval methods are widely adopted and ap- 
plied. 

The first method is hierarchical classification, which is frequently found in 
computer tools: e.g., file systems, bookmarks, or menus. In this model, searches 
are done by navigating in a classification structure that is built and maintained 
manually. Navigating implies notions of place, being in a place, and going to 
another place. A notion of neighborhood helps to specify the “other place” rel- 
ative to the place one is currently in. Many applications require that a place 
is a place to read from as well as a place to write to. Sometimes, navigation 
is deemed to be rigid, but this is because it is based on a rigid neighborhood 
relation: e.g., a tree-like hierarchy. But even a tree can be made more flexible by 
adding links: e.g., a UNIX-like file system. However, using links opens the door 
to the problem of dangling links. 

The second method is boolean querying, often found in information servers 
such as search engines on the Web (e.g., AltaVista). In this model, searches 
are done with queries, generally expressed in a kind of propositional logic. A 
recognized difficulty of this model is the necessity of having a good knowledge 
of the terminology used in the information system, and of having a precise idea 
of what is searched for. 

Then, which search model should be preferred: navigation or querying? In 
fact, it depends on the situation, and it is sometimes necessary to use both of them 
in the same search. Hybrid systems combining hierarchical classification and 
boolean querying have been proposed in the domain of file systems (FS): e.g., 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1033–…, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
— SFS (Semantic File System) extends the hierarchical model of usual 
FSs with virtual directories that correspond to queries. These queries concern 
file properties that are automatically extracted by transducers, and are expressed 
with valued attributes. So, two organization and storage methods coexist: the 
standard hierarchy that gives a name to files and virtual directories that enable 
associative searches on intrinsic file properties. Unfortunately, these two methods 
cannot be used together in general. In particular, virtual directories are not 
places to write into. 

— HAC (Hierarchy And Content) also uses queries to build directories 
based on file contents, but these directories are integrated in the hierarchy. This 
makes it possible to combine hierarchy and content in searches. Users are always allowed 
to move a file into a directory even if it does not satisfy the query associated with 
the directory, which results in consistency problems. 

The drawback of these hybrid systems is their lack of consistency. Indeed, 
they have two search models that are not tightly connected, which makes it 
difficult to switch from one model to the other, and to combine both in the same 
search. We propose a scheme in which queries are really places to read from and 
to write into. The scheme is flexible in the sense that the neighborhood relation 
can be very dense. It incurs no inconsistency or dangling links problem, because 
the neighborhood relation is managed automatically. Finally, it supports both 
querying and navigation, and arbitrary combinations of both. 



2 Logical Concept Analysis 



Formal Concept Analysis (FCA) has received attention for its appli- 
cation in many domains such as representing the modular structure of soft- 
ware, navigating in software documentation, software engineer- 
ing, and several applications in Social Sciences. The interest of FCA as 
a navigation tool in general has also been recognized. 

Originally, FCA is elaborated using a Formal Context that is any relation 
between a set of objects and a set of attributes. The variety of application do- 
mains brings the need for more sophisticated formal contexts than the mere 
presence/absence of attributes. For instance, many application domains use nu- 
merical values (e.g., lengths, prices, ages), and the need to express negation and 
disjunction is often felt. Several enrichments to the attribute structure have been 
proposed: e.g., many-valued attributes and first-order terms. 

However, not a single extended FCA framework covers all the concrete domains, 
and none can pretend to cover all the concrete domains to come. We use an exten- 
sion of FCA that allows for fully abstracting from the object description lan- 
guage. In the rest of this article, we will refer to both the original 
form of concept analysis and to its extended form as Logical Concept Analy- 
sis (LCA). 
2.1 Logical Context and Galois Connection 

Definition 1 (Context). A logical formal context is a triple (O, L, i) where: 

— O is a finite set of objects, 

— L is a lattice of formulas, whose supremum is ∨, and whose infimum 
is ∧; L denotes a logic whose deduction relation is ⊨, and whose disjunctive 
and conjunctive operations are respectively ∨ and ∧, 

— i is a mapping from O to L that associates to each object a formula that 
describes it. 

If f ⊨ g and g ⊨ f, f and g are called logically equivalent; we will consider 
them as different representations of the same equivalence class, and in fact we 
will consider that the elements of L are the equivalence classes. Given a formal 
context, one can form a Galois connection between sets of objects (extents) and 
formulas (intents) with two mappings σ and τ. 

Definition 2. Let (O, L, i) be a logical context, 

$$\sigma : 2^{O} \to L,\quad \sigma(O') := \bigvee_{o \in O'} i(o) \qquad\text{and}\qquad \tau : L \to 2^{O},\quad \tau(f) := \{\, o \in O \mid i(o) \models f \,\}$$ 

Example. The following formal context, K_ex, will illustrate the rest of our de- 
velopment on LCA and Conceptual File Systems. It is deliberately small and 
simple as it is aimed at illustrating theoretic notions. It uses propositional logic. 
We define context K_ex by (O_ex, P, i_ex), where O_ex = {x, y, z}, and where map- 
ping i_ex is defined as {(x ↦ a), (y ↦ b), (z ↦ c ∧ (a ∨ b))}. 

2.2 Logical Concepts 

In this section, we present how formal concepts can be extracted from logical 
contexts. 

Definition 3 (Concept). In a context (O, L, i), a concept is a pair c = (O', f) 
where O' ⊆ O and f ∈ L, such that σ(O') = f and τ(f) = O'. 

The set of objects O' is the concept extent (ext(c)), whereas formula f is its 
intent (int(c)). 

The set of all concepts that can be built in a context (O, L, i) is denoted by 
C(O, L, i), and is partially ordered by ≤^c defined as follows. 

Definition 4. (O1, f1) ≤^c (O2, f2) ⇔ O1 ⊆ O2 

This order is compatible with the order on intents. 

Proposition 1. (O1, f1) ≤^c (O2, f2) ⇔ (f1 ⊨ f2) 

The previous definitions lead to the following fundamental theorem. 

Theorem 1. Let (O, L, i) be a context, and let J be a set of indices. The ordered 
set (C(O, L, i); ≤^c) is a finite lattice, whose supremum (least upper bound) and 
infimum (greatest lower bound) operations are as follows: 

$$\bigvee_{j \in J} (O_j, f_j) = \Big(\tau\big(\sigma\big(\textstyle\bigcup_{j \in J} O_j\big)\big),\ \bigvee_{j \in J} f_j\Big) \qquad \bigwedge_{j \in J} (O_j, f_j) = \Big(\bigcap_{j \in J} O_j,\ \sigma\big(\tau\big(\textstyle\bigwedge_{j \in J} f_j\big)\big)\Big)$$ 
Example. Figure 1(a) represents the Hasse diagram of the concept lattice of 
context K_ex (introduced in the example above). Concepts are represented by a number 
and a box containing their extent on the left, and their intent on the right. The 
higher concepts are placed in the diagram, the greater they are for order ≤^c. 
It can be observed that the concept lattice is not isomorphic to the power-set 
lattice of objects (2^O; ⊆). E.g., the set of objects {x, y} is not the extent of a 
concept, because τ(σ({x, y})) = τ(a ∨ b) = {x, y, z}. 




[Figure 1: (a) table of concepts with columns concept, extent, intent; (b) labelling with columns object, concept, formula.] 

Fig. 1. The concept lattice of context K_ex, and its labelling. 

2.3 Labelling of Concept Lattices 

It is possible to label concept lattices with objects and formulas, but in the 
information system context we are mainly interested in labelling concepts with 
formulas; formulas are a means for retrieving objects. 

Definition 5. Let μ : L → C(O, L, i), μ(f) := (τ(f), σ(τ(f))). 

Images of mapping μ are indeed concepts, from Definition 3 of concepts 
and from the properties of mappings σ and τ. The next lemma gives interesting 
properties of the labelling of concept lattices. 

Lemma 1. Let (O, L, i) be a context, and o ∈ O, f ∈ L, c ∈ C(O, L, i). 

(1) c ≤^c μ(f) ⇔ int(c) ⊨ f   (2) μ is surjective 
(3) μ(int(c)) = c   (4) int(μ(f)) ⊨ f. 

Lemma 1(1) shows that μ(f) is the greatest concept whose intent logically 
entails f; and Lemma 1(2) establishes that every concept is labelled at least 
by one formula. Regarding the relation between concept intents and concept labels, 
Lemma 1(3) shows that every concept is labelled by its intent; and Lemma 1(4) 
adds that every formula labelling a concept is logically entailed by the concept 
intent. 
Example. Figure 1(b) represents the same concept lattice as Figure 1(a), but 
it does not associate the same information to concepts. The number of each 
concept is reused in its box so as to identify it; objects are placed on the left of 
their labelled concept, and formulas are placed on the right of the concept they 
label. For instance, concept 1 is labelled by formula a (i.e., μ(a) = 1). In this 
example, we restrict labelling to disjunctive formulas, but every formula labels 
some concept. Note that non-equivalent formulas may label identical concepts: 
e.g., both formulas a ∨ b and a ∨ b ∨ c label concept 6. Similarly, both formulas c 
and c ∧ (a ∨ b) label concept 2 whose extent is {z}. This shows that an object 
can be designated by a formula that is much simpler than its description in the 
formal context. 

Concept lattices support both search models. For navigation, concepts are con- 
sidered as directories or classes (extent of the concept), and links are realized by 
generalization/specialization relations between concepts. For querying, concepts 
are designated/ accessed by a query using the labelling function and their ex- 
tents form the answer. Because concepts serve at the same time as directories 
and as queries, it is possible to combine both search models in a flexible way. 
Another advantage is that concept lattices can be automatically built from a 
context. Therefore, there is no need for manual maintenance of the informa- 
tion system. Thus, concept lattices appear to be an interesting alternative to 
usual methods for information retrieval. 

3 Informal Specification of a Conceptual Shell 

We present a Conceptual File System (CFS) through the use of a Conceptual 
Shell (CS). Data constitute a formal context K = (O, L, i), where i is the map- 
ping that associates to every object a logical description of its properties and 
features. CS commands are those of the UNIX shell, reinterpreted in the LCA 
framework as follows: files become objects, paths become logical formulas, direc- 
tories become concepts or contextualized formulas, the root becomes concept ⊤^c 
or formula ⊤, and the working directory becomes a working concept. For the 
rest, commands have essentially the same effects as in a classical shell. 

If the Conceptual Shell is instantiated with a logic whose formulas are ex- 
pressed as conjunctions of names and if the conjunction operator is noted /, 
then formulas can be typed in exactly like classical paths. This Conceptual Shell 
could be used in the same way as a classical shell, but the user would notice that 
the ordering of names in paths does not matter, that he/she could access a file 
without giving its whole path, and that the answers of the ls command are larger than 
expected (offering more navigation paths). 

Before specifying CS commands, we introduce terms used in the sequel. Let f 
be a formula: 

— the concept of f is the concept associated to f by the labelling mapping μ 
(see Definition 5), i.e., μ(f), 

— the extent of f is in fact the extent of the concept of f; it is also the set of 
objects whose description satisfies f, 

— the object of f is the object, if it exists, whose description is contextually 
equivalent to f (it is supposed to be unique to avoid access ambiguities); f serves 
as a contextualized description of this object; an object can thus have several 
contextualized descriptions (several access paths in a way), and its description 
is always the most precise of them. Concretely, it is possible to access an object 
using a formula that is simpler than the actual description of the object in the 
Formal Context. This can be viewed as implicit completion based on the context. 

The following commands are used for navigating and querying in a formal 
context. 

working directory: It is replaced by a stack of formulas corresponding to the 
navigation history. The top of this stack serves as the working query, which 
is noted wq. 

pwd: Displays the working query wq. 

cd ..: Pops the navigation history, unless it contains only one element. This 
command makes it possible to go back in navigation, and replaces the move to the 
parent directory, which is no longer possible as the navigation structure is not a 
tree (this command is in fact similar to the “Back” command in Web browsers). 

cd to: Let us note l(to) the combination (essentially a conjunction) of to 
with wq. This command pushes l(to) in the navigation history, and “moves” 
into the concept of l(to). The composition l leaves open the possibility of a 
notation that distinguishes relative formulas, which are combined with wq 
(e.g., wq := wq ∧ to), and absolute formulas, which are not combined with wq 
(e.g., wq := to). This implements the “going into some place” part of navi- 
gation. 

ls f: First, displays the object of l(f), if one exists, and second, displays a list 
of formulas (preferably simple ones), called increments, that make it possible to refine 
query l(f) while avoiding the empty query ⊥, and ensuring that 
every element of the extent of l(f) is reachable using only increments given 
by command ls (completeness condition). This implements the “looking into 
a place” part of navigation. 

ls -r f: Displays each element of the extent of l(f). This implements query- 
ing. 

The following commands are used for updating a formal context. They can 
be used anywhere in conjunction with querying or navigating. 

mkfile f c: Creates a new object with contents c and with description l(f). 

rm f: Removes the object of l(f), if it exists. 

rm -r f: Removes all elements of the extent of l(f). 

cp from to: Copies the object of l(from), if it exists, by copying its con- 
tents and by “transposing” its description from l(from) to l(to), i.e., by 
“subtracting” l(from) and then by “adding” l(to) (see Section 4.1 for a 
discussion on the exact meaning of “adding” and “subtracting”). 

cp -r from to: Copies each element of the extent of l(from) by copying its 
contents and by transposing its description from l(from) to l(to). 

mv from to: Moves the object of l(from), if it exists, by transposing its de- 
scription from l(from) to l(to) (identity and contents are kept unchanged). 

mv -r from to: Moves each element of the extent of l(from) by transposing 
its description from l(from) to l(to) (identity and contents of objects are 
kept unchanged). 

Command cd is simple and is essentially useful for handling the working 
query. Command ls deserves more explanation. With option -r the result is the 
one that querying systems give to a query: the list of all objects that satisfy the 
query. Without this option, command ls enables navigation, i.e., searching for 
objects by successive refinements of the working query: an increment x makes it possible 
to refine the working query wq into wq ∧ x. 

But a badly chosen refinement wq ∧ x could return as many answers as the 
previous query (not enough refinement) or no answer at all (too much refine- 
ment). So as to avoid these extremes, we must impose the following condition 
on every increment x for a given working query wq (let us recall that τ(f) de- 
notes the extent of query f): ∅ ⊊ τ(wq ∧ x) ⊊ τ(wq). It can be proved that this 
condition is equivalent to ⊥^c <^c μ(wq) ∧^c μ(x) <^c μ(wq). 
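The following Python code (an added example, not the paper's own code) implements σ, τ, the concepts and the labelling μ of Definitions 2, 3 and 5 on the context K_ex, together with the increment condition just stated; it checks the facts asserted in the examples above (that {x, y} is not an extent, that a ∨ b and a ∨ b ∨ c label the same concept, that c and c ∧ (a ∨ b) label the concept with extent {z}) and lists the increments the ls command would offer for a working query. The encoding of formulas as nested tuples and the restriction of candidate increments to the atoms a, b, c are assumptions of this example.

```python
"""Logical Concept Analysis on the context K_ex (constructed example, not the paper's code).

Formulas of the propositional logic P are atom names or nested tuples ("and", ...) /
("or", ...); the empty conjunction is ⊤ and the empty disjunction is ⊥. A logical
equivalence class is represented by the set of valuations satisfying the formula,
so entailment f ⊨ g is set inclusion of classes.
"""
from itertools import product

ATOMS = ("a", "b", "c")
VALUATIONS = [dict(zip(ATOMS, bits)) for bits in product((False, True), repeat=len(ATOMS))]
TOP, BOT = ("and",), ("or",)

# Context K_ex = (O_ex, P, i_ex):  x -> a,  y -> b,  z -> c ∧ (a ∨ b)
OBJECTS = ("x", "y", "z")
DESCR = {"x": "a", "y": "b", "z": ("and", "c", ("or", "a", "b"))}


def holds(f, v):
    """Truth value of formula f under valuation v (atom name -> bool)."""
    if isinstance(f, str):
        return v[f]
    op, *args = f
    if op == "and":
        return all(holds(g, v) for g in args)
    if op == "or":
        return any(holds(g, v) for g in args)
    raise ValueError(op)


def cls(f):
    """Equivalence class of f: indices of the valuations that satisfy it."""
    return frozenset(k for k, v in enumerate(VALUATIONS) if holds(f, v))


def entails(f, g):
    """f ⊨ g iff every model of f is a model of g."""
    return cls(f) <= cls(g)


def sigma(objs):
    """σ(O) = ⋁_{o ∈ O} i(o)  (Definition 2)."""
    return ("or", *(DESCR[o] for o in sorted(objs)))


def tau(f):
    """τ(f) = {o ∈ O | i(o) ⊨ f}  (Definition 2)."""
    return frozenset(o for o in OBJECTS if entails(DESCR[o], f))


def concepts():
    """All concepts (Definition 3): extents closed under τ∘σ, intents as classes."""
    out = []
    for bits in product((False, True), repeat=len(OBJECTS)):
        ext = frozenset(o for o, b in zip(OBJECTS, bits) if b)
        if tau(sigma(ext)) == ext:
            out.append((ext, cls(sigma(ext))))
    return out


def mu(f):
    """Labelling μ(f) = (τ(f), σ(τ(f)))  (Definition 5); the intent is returned as its class."""
    ext = tau(f)
    return (ext, cls(sigma(ext)))


def order_compatible():
    """Proposition 1: on concepts, extent inclusion coincides with intent entailment."""
    cs = concepts()
    return all((e1 <= e2) == (i1 <= i2) for e1, i1 in cs for e2, i2 in cs)


def increments(wq, candidates=ATOMS):
    """Formulas x with ∅ ⊊ τ(wq ∧ x) ⊊ τ(wq): the condition imposed on every
    increment that ls lists for working query wq (candidates restricted to atoms here)."""
    ext = tau(wq)
    return [x for x in candidates if frozenset() < tau(("and", wq, x)) < ext]
```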

This informal specification shows the relevance of concept lattices to char- 
acterize navigation. Moreover, it shows the necessity of these concept lattices 
because the above condition is not expressible within logic L alone. The difficulty 
is then to find a finite set of increments Inc that satisfies this condition and that 
is complete; i.e., such that for every working query wq and for every object o 
of the working extent, there exists an increment x in Inc that strictly restricts the 
working extent while keeping o in the new one. This completeness condition en- 
sures that every object is reachable using only increments to refine queries. As 
the conceptual navigation is similar to the classical one (a finite set of increments 
is used in both cases, increments being formulas in the first case and names in 
the second case), many facilities offered by classical shells can be applied to our 
conceptual shell: e.g., name completion, graphical user interface. 

In commands resulting in a modification of the context (mkfile, rm, cp, mv) 
the concept lattice is implicitly updated (i.e., formal concepts are used as places 
one can write into). However, the principle of CS is to provide access to objects 
by their properties and not through a fixed organization structure, whatever it 
is. The concept lattice makes no exception: it is interesting for designing and 
implementing CS, but users need neither know it, nor visualize it explicitly. 

4 Formal Specification of a Conceptual Shell 

In Section 3 a Conceptual Shell (CS) was presented through its general princi- 
ples, but was not defined in a precise way. This section aims at giving the commands 
of CS a formal definition based on logic and concept analysis. We begin by de- 
scribing and defining a set of elementary operations with which CS commands 
are eventually defined. 

4.1 Logical Operations 

In CS, objects are described by formulas taken from a logic $\mathcal{L}$. The same formulas are used to express queries (in place of paths). The main logical operation is to compare two formulas in order to know whether an object description satisfies a query, i.e., whether the object is an answer to the query. The operation that achieves this comparison is the deduction relation $\models$. It establishes a specialization/generalization order on formulas.

In the presentation of CS (cf. Section [ref]), we talked about “adding” or “subtracting” a formula to an object description (in commands cp and mv). “Adding” a formula $f$ to an object description $i(o)$ must be understood as making this object satisfy this formula while keeping its previous properties. Formally, this means that, if we note the “adding” operation by $+$, the following condition has to be true: $i(o) + f \models i(o)$ and $i(o) + f \models f$. The most general formula that satisfies both $i(o)$ and $f$ is $i(o) \wedge f$. Then, the “adding” operation is well matched by the conjunction operation $\wedge$ of logic $\mathcal{L}$.

“Subtracting” a formula $f$ from an object description $i(o)$ consists in generalizing it, which can be understood as the removal of some properties of the object. Formally, if we note the “subtracting” operation by $-$, we have $i(o) \models i(o) - f$. Furthermore, “subtraction” is combined with “addition” to “transpose” an object from a concept to another: $i'(o) := (i(o) - from) + to$, where $from$ denotes the source of the transposition, and $to$ denotes the target. When such an operation is done on an object, we know from the meaning of CS commands that $i(o) \models from$ (i.e., $o$ is an answer to query $from$). So, in the case where source and target of the transposition are both denoted by formula $f$, the object description must be kept unchanged, which is formally expressed by $i(o) \models f \Rightarrow (i(o) - f) + f = i(o)$. Relative complementation is a logical operation that satisfies the two conditions above, and is therefore a good realization of the “subtracting” operation. Relative complement is a weak form of implication, and is defined as follows.

Definition 1. The relative complement is an internal binary operation on $\mathcal{L}$ that is noted $\Leftarrow$, and is defined for all $f, g \in \mathcal{L}$ by $f \Leftarrow g = \max\{x \in \mathcal{L} \mid x \wedge g \models f\}$.

As $\max$ denotes the greatest element of its argument, not every logic is equipped with a relative complement. Yet, as soon as a logic is equipped with an implication (e.g., propositional logic), it is equipped with a relative complement, as the latter is a weak form of the former.

To summarize, a logic has to be equipped with at least three operations so as to be used in the frame of CS: the deduction relation $\models$ and the conjunction $\wedge$. The relative complement $\Leftarrow$ is necessary for moving and copying objects by “transposition”.



4.2 Context Operations 

A formal context stores a set of objects $O$ and their descriptions. We consider that every object $o$ has a contents $c(o)$, and an extrinsic description $i_e(o)$ expressed in a logic $\mathcal{L}_e$. From this basic information, we now have to build the mapping $i$ that describes each object. LCA is based on this mapping. First, intrinsic descriptions of objects $i_i(o)$, expressed in a logic $\mathcal{L}_i$, are automatically extracted from the contents of objects through an abstraction function $a$: $i_i(o) := a(c(o))$. Then, the whole description of an object is the mere product of its extrinsic and intrinsic descriptions: $i(o) := (i_e(o), i_i(o))$. The logic $\mathcal{L}$ used in the LCA framework is therefore the product logic of $\mathcal{L}_e$ and $\mathcal{L}_i$. More precisely, $\mathcal{L}$ is defined as follows:

$\mathcal{L} := \mathcal{L}_e \times \mathcal{L}_i$, $\quad (f_e, f_i) \models (g_e, g_i) \;:\Leftrightarrow\; f_e \models_e g_e \;\wedge\; f_i \models_i g_i$,

$(f_e, f_i)\; op\; (g_e, g_i) := (f_e\; op_e\; g_e,\; f_i\; op_i\; g_i)$, for $op$ in $\{\vee, \wedge, \Leftarrow\}$.

Moreover, we have the elementary operations $new\_o$ and $del\_o$ that respectively return a new object and remove a given object, and $extr$ that returns the extrinsic part of a formula.

4.3 Querying and Navigation Operations 

Section [ref] introduced the notions of extent of a query and object of a query. They correspond to the elementary operations performing querying. The extent of a query $q$ is noted $\tau(q)$ and returns all objects whose description satisfies $q$. Operation $\tau$ is the same as in the Galois connection of LCA (cf. Definition [ref]).

The object of a query $q$ is noted $t(q)$ and is the object whose description is contextually equivalent to $q$ (i.e., has the same extent):

$t(q) = o \in O$, such that $\tau(i(o)) = \tau(q)$.

If there is no such object the query is said empty ($\tau(q) = \emptyset$), and if there are several such objects the query is said ambiguous.

Navigation is performed by command ls. It returns a set of increments, which enable to refine the working query while keeping it non-empty. As already seen in the previous section, an increment $x$ of a query $q$ has to satisfy

$\emptyset \subsetneq \tau(q \wedge x) \subsetneq \tau(q)$.

As $\mathcal{L}$ is too wide a search space, we consider a finite subset $X$ of $\mathcal{L}$ in which increments are selected. The content of $X$ is not strictly determined, but it should contain simple formulas (according to the terminology), some often used formulas, and more generally, all formulas that users expect to see in ls responses. $X$ can be finite because the terminology and the used formulas are. Furthermore, we keep only greatest increments, as they correspond to smallest refinement steps. Then, we can define the set of increments of a query $q$ by

$Inc(q) := \lceil \{x \in X \mid \emptyset \subsetneq \tau(q \wedge x) \subsetneq \tau(q)\} \rceil$,

where $\lceil E \rceil$ denotes the set of greatest elements of $E$ according to the order $\models$.

Because of these seemingly arbitrary selections among possible increments, we can wonder about the completeness of $Inc(q)$. If navigation is seen as a way of finding an object by refining the working query with a sequence of increments, completeness can be formally expressed by

$\forall q \in \mathcal{L} : \forall o \in \tau(q) : o \neq t(q) \Rightarrow \exists x \in Inc(q) : o \in \tau(q \wedge x)$,

which means in English: for every working query $q$ and every object $o$ of its extent, if $o$ is not yet the object of $q$ then there exists an increment that enables to strictly restrict the working extent while keeping $o$ in it. As extents are finite and each increment strictly restricts the working extent, it follows that every navigation terminates and every object can be retrieved through navigation alone (i.e., querying is useful, but not necessary).

We proved that $Inc$ is complete for all contexts if and only if every object description is equivalent to the conjunction of some elements of $X$. This characterization leaves some flexibility in the choice of $X$, because it can be made larger than necessary. This flexibility enables one to adjust $X$ in order to make the navigation more progressive and natural.
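As an added illustration (not code from the paper, nor from the CS or RFS prototypes it describes), the operations of Sections 4.1 and 4.3 are instantiated below in Python on a logic of sets of attributes, the kind of logic the authors say is wired into their RFS prototype: deduction is set inclusion, conjunction is union and the relative complement is set difference. The context, the increment set `X` and all function names are constructed for this example; `is_complete` applies the characterization stated above, and `navigate_to` exercises the completeness property by refining the working query from $\top$ with increments taken from $Inc$ only.

```python
# Added example, not code from the paper: the CS core (Sections 4.1 and 4.3)
# instantiated on the simplest logic the paper mentions, a logic of sets of
# attributes.  Deduction is set inclusion, conjunction is union and the
# relative complement is set difference.  The context, the increment set X
# and all names below are constructed for this illustration.
from typing import Dict, FrozenSet, List, Optional, Set

Formula = FrozenSet[str]
TOP: Formula = frozenset()            # the root query: satisfied by every object

# --- 4.1 logical operations on attribute sets ------------------------------
def deduces(f: Formula, g: Formula) -> bool:
    """f |= g holds when f carries at least the attributes of g."""
    return g <= f

def conj(f: Formula, g: Formula) -> Formula:
    """f ^ g: the most general formula satisfying both f and g."""
    return f | g

def rel_compl(f: Formula, g: Formula) -> Formula:
    """f <= g = max{x | x ^ g |= f}: the most general x that, with g, gives f."""
    return f - g

def F(*atts: str) -> Formula:
    return frozenset(atts)

# --- 4.2 a constructed formal context: object -> description i(o) ----------
CONTEXT: Dict[str, Formula] = {
    "x": F("a"),
    "z": F("a", "c"),
    "y": F("b"),
    "w": F("a", "b"),
}
X: Set[Formula] = {F("a"), F("b"), F("c")}   # candidate increments

# --- 4.3 querying and navigation ------------------------------------------
def extent(ctx: Dict[str, Formula], q: Formula) -> Set[str]:
    """tau(q): the objects whose description satisfies q."""
    return {o for o, d in ctx.items() if deduces(d, q)}

def obj_of(ctx: Dict[str, Formula], q: Formula) -> Optional[str]:
    """t(q): the object contextually equivalent to q; None if the query is
    empty or ambiguous (a CS command would then be aborted)."""
    cands = [o for o, d in ctx.items() if extent(ctx, d) == extent(ctx, q)]
    return cands[0] if len(cands) == 1 else None

def greatest(forms: Set[Formula]) -> Set[Formula]:
    """Greatest elements under |=: formulas that do not strictly imply another one."""
    return {f for f in forms if not any(g != f and deduces(f, g) for g in forms)}

def increments(ctx: Dict[str, Formula], q: Formula, X: Set[Formula]) -> Set[Formula]:
    """Inc(q): greatest x in X with {} < tau(q ^ x) < tau(q) (strict inclusions)."""
    n = len(extent(ctx, q))
    return greatest({x for x in X if 0 < len(extent(ctx, conj(q, x))) < n})

def is_complete(ctx: Dict[str, Formula], X: Set[Formula]) -> bool:
    """The paper's criterion: Inc is complete iff every object description is
    equivalent to a conjunction of elements of X (here: a union of members of X)."""
    return all(frozenset().union(*[x for x in X if x <= d]) == d for d in ctx.values())

def navigate_to(ctx: Dict[str, Formula], X: Set[Formula], target: str) -> List[Formula]:
    """Refine the working query from TOP using only increments from Inc until
    t(wq) is the target; terminates because every step shrinks the extent.
    Candidates are tried in a fixed (sorted) order to keep the path deterministic."""
    wq, path = TOP, []
    while obj_of(ctx, wq) != target:
        keep = [x for x in sorted(increments(ctx, wq, X), key=sorted)
                if target in extent(ctx, conj(wq, x))]
        if not keep:
            raise ValueError("navigation stuck: Inc is not complete for this X")
        wq = conj(wq, keep[0])
        path.append(keep[0])
    return path
```

With `X = {a, b, c}` every description in the sample context is a union of members of `X`, so `is_complete` holds and every object can be reached from $\top$; dropping `c` from `X` makes `navigate_to` get stuck on `z`, which is exactly the failure the characterization predicts.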

4.4 Interface Operations 

A few elementary operations are defined here to specify interface aspects of CS. For managing the history, we use a stack of queries initialized with one element, the root query $\top$, and equipped with three operations: $push$, $pop$, and $wq$, which returns the last pushed query. Besides, we have a function $l$ that combines a formula from a command argument and the history, and a side-effect operation $out$ that performs displays.

All elementary operations being defined, CS commands are formally specified in the following table (the querying and navigation operations are $\tau$, $t$, and $Inc$). Wherever $t$ is used, if it is not defined, the command is aborted and a message warns the user that its query is ambiguous or empty.



CS command | semantics

pwd | $out(wq())$

cd .. | $pop()$

cd to | $push(l(to))$

ls f | $out(t(l(f)));\; out(Inc(l(f)))$

ls -r f | $out(\tau(l(f)))$

mkfile f c | $o := new\_o();\; c(o) := c;\; i_e(o) := extr(l(f))$

rm f | $del\_o(t(l(f)))$

rm -r f | forall $o \in \tau(l(f))$ do $del\_o(o)$

mv from to | $o := t(l(from));\; i_e(o) := (i_e(o) \Leftarrow extr(l(from))) \wedge extr(l(to))$

mv -r from to | forall $o \in \tau(l(from))$ do $i_e(o) := (i_e(o) \Leftarrow extr(l(from))) \wedge extr(l(to))$

cp from to | $o := t(l(from));\; o' := new\_o();\; c(o') := c(o);\; i_e(o') := (i_e(o) \Leftarrow extr(l(from))) \wedge extr(l(to))$

cp -r from to | forall $o \in \tau(l(from))$ do $\{\; o' := new\_o();\; c(o') := c(o);\; i_e(o') := (i_e(o) \Leftarrow extr(l(from))) \wedge extr(l(to))\; \}$
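To make the table concrete, here is an added toy implementation (not the paper's code) of the command semantics in Python, over a logic of sets of attributes. The following assumptions are mine, not the paper's: $l(f)$ conjoins the argument with the working query, like a relative path; the abstraction function $a$ derives intrinsic attributes of the form `word:<w>` from an object's contents, and $extr$ keeps only the attributes not of that form; `ls` without `-r` is left out because it needs $Inc$, which this block does not implement.

```python
# Added example, not code from the paper: a toy Conceptual Shell executing
# the command table above over a logic of sets of attributes.  Constructed
# assumptions: l(f) conjoins the argument with the working query (a
# "relative path"); the abstraction function a() derives intrinsic
# attributes "word:<w>" from an object's contents; extr() keeps only the
# non-"word:" part of a formula; ls without -r is left out (it needs Inc).
from typing import Dict, FrozenSet, List, Set

Formula = FrozenSet[str]
TOP: Formula = frozenset()

def deduces(f: Formula, g: Formula) -> bool: return g <= f      # f |= g
def conj(f: Formula, g: Formula) -> Formula: return f | g        # f ^ g
def rel_compl(f: Formula, g: Formula) -> Formula: return f - g   # f <= g (relative complement)
def abstraction(contents: str) -> Formula:                        # a(c): intrinsic description
    return frozenset("word:" + w for w in contents.lower().split())
def extr(f: Formula) -> Formula:                                  # extrinsic part of a formula
    return frozenset(a for a in f if not a.startswith("word:"))

class ConceptualShell:
    def __init__(self) -> None:
        self.contents: Dict[int, str] = {}     # c(o), indexed by object identifier
        self.ie: Dict[int, Formula] = {}       # i_e(o)
        self.history: List[Formula] = [TOP]    # stack of queries, root query at the bottom
        self.out: List[str] = []               # everything out() displayed
        self._next_id = 0

    # --- context operations (Section 4.2)
    def new_o(self) -> int:
        self._next_id += 1
        self.contents[self._next_id], self.ie[self._next_id] = "", TOP
        return self._next_id
    def del_o(self, o: int) -> None:
        del self.contents[o], self.ie[o]
    def i(self, o: int) -> Formula:            # i(o) = i_e(o) ^ a(c(o))
        return conj(self.ie[o], abstraction(self.contents[o]))

    # --- querying operations (Section 4.3)
    def tau(self, q: Formula) -> Set[int]:
        return {o for o in self.contents if deduces(self.i(o), q)}
    def t(self, q: Formula) -> int:
        cands = [o for o in self.contents if self.tau(self.i(o)) == self.tau(q)]
        if len(cands) != 1:                    # the command is aborted with a message
            raise LookupError("query is " + ("empty" if not self.tau(q) else "ambiguous"))
        return cands[0]

    # --- interface operations (Section 4.4)
    def wq(self) -> Formula: return self.history[-1]
    def l(self, f: Formula) -> Formula: return conj(self.wq(), f)
    def _targets(self, f: Formula, recursive: bool) -> List[int]:
        return sorted(self.tau(self.l(f))) if recursive else [self.t(self.l(f))]
    def _transposed(self, o: int, frm: Formula, to: Formula) -> Formula:
        # (i_e(o) <= extr(l(from))) ^ extr(l(to))
        return conj(rel_compl(self.ie[o], extr(self.l(frm))), extr(self.l(to)))

    # --- the command table
    def pwd(self) -> None: self.out.append(" ".join(sorted(self.wq())) or "TOP")
    def cd_up(self) -> None:                   # cd ..
        if len(self.history) > 1: self.history.pop()
    def cd(self, to: Formula) -> None: self.history.append(self.l(to))
    def ls_r(self, f: Formula = TOP) -> Set[int]:   # ls -r f
        ext = self.tau(self.l(f)); self.out.append(" ".join(map(str, sorted(ext)))); return ext
    def mkfile(self, f: Formula, c: str) -> int:
        o = self.new_o(); self.contents[o] = c; self.ie[o] = extr(self.l(f)); return o
    def rm(self, f: Formula, recursive: bool = False) -> None:
        for o in self._targets(f, recursive): self.del_o(o)
    def mv(self, frm: Formula, to: Formula, recursive: bool = False) -> None:
        for o in self._targets(frm, recursive): self.ie[o] = self._transposed(o, frm, to)
    def cp(self, frm: Formula, to: Formula, recursive: bool = False) -> List[int]:
        copies = []
        for o in self._targets(frm, recursive):       # snapshot: new objects are not revisited
            o2 = self.new_o(); self.contents[o2] = self.contents[o]
            self.ie[o2] = self._transposed(o, frm, to); copies.append(o2)
        return copies

def demo() -> ConceptualShell:
    """Constructed session: create two files under project:alpha, then move the
    document to project:beta from the root query."""
    sh = ConceptualShell()
    sh.cd(frozenset({"project:alpha"}))
    sh.mkfile(frozenset({"type:doc"}), "design notes")
    sh.mkfile(frozenset({"type:code"}), "main loop")
    sh.cd_up()
    sh.mv(frozenset({"project:alpha", "type:doc"}), frozenset({"project:beta", "type:doc"}))
    return sh
```

Moving an object with identical `from` and `to` leaves its extrinsic description unchanged, which is the $i(o) \models f \Rightarrow (i(o) - f) + f = i(o)$ property of Section 4.1; intrinsic `word:` attributes never pass through $extr$, so `mv` and `cp` cannot alter them.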



5 Algorithms and Complexity 

In this section, we present a possible design for data structures and algorithms that implement the elementary operations defined in Section 4. We also discuss the complexity of these algorithms.

5.1 Data Structures 

Contents and extrinsic descriptions, which are the basic information of a context, are stored in arrays indexed by object identifiers. Intrinsic descriptions are extracted from contents by an abstraction function $a$. As this abstraction can be costly, it is important to cache its results to avoid redoing it at each access (there are well known problems of coherence between contents and intrinsic descriptions, but we do not want to focus on them here). The whole description of an object is then easily composed from its extrinsic and intrinsic ones.

A basic principle in CS is to access objects (and achieve some operations on them) through formulas. Elementary operations $\tau$ and $t$, the most often used ones, consist in finding one or several objects from a formula. There are two extreme solutions for implementing these operations. The first one consists in having no structure at all, and computing these operations, according to their definition, from scratch every time they are used. For $\tau(q)$ (the extent of $q$), this amounts to computing $i(o) \models q$ for every object $o$ of the system, which must be avoided. The second one consists in representing the whole concept lattice. However, even if concept lattices are finite, their size increases with the richness of the logic used in descriptions and the number of objects, and it quickly becomes unacceptable (exponential in the worst case). Fortunately, such a representation is not necessary.

The solution we propose consists in representing only a subdiagram $(F, \prec)$ of the Hasse diagram (i.e., a subgraph that is anti-reflexive and anti-transitive) of the (possibly infinite) formula lattice $(\mathcal{L}; \models)$, where $F$ contains $\top$ (the root), $i(O)$ (all object descriptions), and a set $X$ of increments (see elementary operation $Inc$ in Section 4.3).

Why use a diagram of formulas rather than a diagram of concepts? Firstly, what is interesting in concepts is their extents (recall that we aim at identifying objects with formulas), and not their intents, which can be too complicated to be exploitable. Nevertheless, any formula that labels a concept by $\mu$ is a consistent representation of it. Moreover, the extent of every concept is related to each formula labelling it by the application $\tau$, which can be defined without using the notion of concept ($\forall f \in \mathcal{L} : ext(\mu(f)) = \tau(f)$): so, the diagram of formulas is sufficient for retrieving all information relative to extents, and therefore to concepts. Secondly, the diagram of formulas is easier to use than the concept lattice because command parameters are formulas, not concepts, and easier to maintain because it is stable (it is defined by the logic $\mathcal{L}$, and more precisely by $\models$), whereas the concept lattice evolves according to the context (i.e., every time an object is created, updated or removed). Why choose a subdiagram that is anti-reflexive and anti-transitive? This avoids redundancies and lightens the structure. Furthermore, relation $\models$ can easily be retrieved from $\prec$ (by reflexive and transitive closure). Why must $F$ contain $\top$, $i(O)$, and $X$? $\top$ is the root of the diagram and is used as an entry point for diagram traversals. Diagram nodes that are labelled by object descriptions are used to attach the corresponding objects to them. $X$ is used by $Inc$ in command ls. Each node in $F$ can be seen as a view that records the answers to a query, and $(F, \prec)$ is then a kind of view hierarchy that organizes and facilitates access to information.

Example. Assuming objects of context $K_{ex}$ (cf. Example [ref]) have been created in the order $x$, $z$, $y$, Figure 2 draws the diagram of formulas before and after $y$ is created. Formulas represented in these diagrams are object descriptions (labelled by the object) or increments which are parts of these descriptions, seen as conjunctions. Circles gather formulas that have the same extent, i.e., that label the same concept. In other words, each circle matches a concept in Figure [ref](b). Not all concepts are represented in diagrams, which is a good point considering that there can be an exponential number of concepts in some contexts.





Fig. 2. Hasse diagrams of formulas for $K_{ex}$ with (a) $O = \{x, z\}$, and (b) $O = \{x, z, y\}$.

5.2 Algorithms for Operations r, t, and Inc 

We express operations $\tau$, $t$, and $Inc$ using elementary accesses to the Hasse diagram of formulas: $Inf$, $Inf^*$, $Sup$, $Sup^*$, $obj$. The first two are defined for all $f \in F$ by

$Inf(f) := \{g \in F \mid g \prec f\}$, $\quad Inf^*(f) := \{g \in F \mid g \models f\}$.

$Sup$ and $Sup^*$ are defined dually, and $obj(f)$ is the object that is attached to $f$ (it exists only if $f$ is an object description). From the definitions given in Section 4.3, we get the following equalities for every $f \in F$:

- $\tau(f) = \{o \in O \mid \exists g \in Inf^*(f) : obj(g) = o\}$,

- $t(f) = obj(\max_{\models}\{g \in Inf^*(f) \mid obj(g) \text{ is defined}\})$,

- $Inc(f) = \lceil \{x \in X \mid 0 < |\tau(f) \cap \tau(x)| < |\tau(f)|\} \rceil$.

These equalities show that algorithms for $\tau$, $t$, and $Inc$ consist in traversing the set $Inf^*$ of some nodes of the diagram of formulas, while performing simple operations (e.g., collect an object, test and set some marks). These algorithms are independent from $\mathcal{L}$ because logical operations are not used here. More precisely, all useful consequences of the deduction relation $\models$ are cached in the diagram.

Example. In the diagram of Figure 2(b), the following results can be computed with the above algorithms:

$\tau(a \vee b) = \{x, y, z\}$, $\quad t(a \vee b)$ is undefined, $\quad Inc(a \vee b) = \{a, b, c\}$;

$\tau(c) = \{z\}$, $\quad t(c) = z$, $\quad Inc(c) = \{\}$.

We see that $a \vee b$ is an ambiguous query because $t(a \vee b)$ is undefined and $\tau(a \vee b)$ is not empty; whereas $c$ identifies the object $z$, and has an empty set of increments because $\tau(c)$ is a singleton.
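As an added example (not the authors' implementation), the following Python builds the diagram of formulas $(F, \prec)$ for a constructed context in the spirit of Figure 2 and answers $\tau$, $t$ and $Inc$ by traversing $Inf^*$ only. The logic is again sets of attributes; $\models$ is consulted solely inside `insert`, and a counter makes visible that the three query operations perform no deduction at all. `insert` is a naive version that compares the new formula with every node, since the paper's traversal-based algorithm is not detailed here; the names `FormulaDiagram`, `build_example` and `query_without_deduction` are mine.

```python
# Added example, not the paper's implementation: a Hasse diagram of formulas
# (F, <) that caches deduction, so that tau, t and Inc are answered by
# traversing Inf* only.  The logic is sets of attributes (|= is set
# inclusion) and it is consulted solely in insert(); the counter
# `deductions` makes that visible.  insert() is a naive version comparing
# the new formula with every node.  Context and increments are constructed.
from typing import Dict, FrozenSet, Optional, Set

Formula = FrozenSet[str]
TOP: Formula = frozenset()

class FormulaDiagram:
    def __init__(self) -> None:
        self.inf: Dict[Formula, Set[Formula]] = {TOP: set()}   # Inf(f): lower covers g < f
        self.sup: Dict[Formula, Set[Formula]] = {TOP: set()}   # Sup(f): upper covers
        self.obj: Dict[Formula, str] = {}                      # obj(f) for object descriptions
        self.X: Set[Formula] = set()                           # increments present in F
        self.deductions = 0                                    # number of |= tests performed

    def _deduces(self, f: Formula, g: Formula) -> bool:        # f |= g, counted
        self.deductions += 1
        return g <= f

    def insert(self, f: Formula) -> Formula:
        """Locate f in F (modulo equivalence) or insert it, computing Inf(f) and
        Sup(f) and keeping the diagram anti-reflexive and anti-transitive."""
        if f in self.inf:
            return f
        below = [g for g in self.inf if self._deduces(g, f)]   # g |= f
        above = [g for g in self.inf if self._deduces(f, g)]   # f |= g
        # covers: no node of F strictly between g and f
        inf_f = {g for g in below if not any(h != g and self._deduces(g, h) for h in below)}
        sup_f = {g for g in above if not any(h != g and self._deduces(h, g) for h in above)}
        for g in inf_f:                     # edges g < s now transitive via f: drop them
            for s in sup_f & self.sup[g]:
                self.sup[g].discard(s); self.inf[s].discard(g)
            self.sup[g].add(f)
        for s in sup_f:
            self.inf[s].add(f)
        self.inf[f], self.sup[f] = inf_f, sup_f
        return f

    def add_object(self, name: str, description: Formula) -> None:
        self.obj[self.insert(description)] = name

    def add_increment(self, x: Formula) -> None:
        self.X.add(self.insert(x))

    # --- elementary accesses and the three operations, with no call to |= ----
    def inf_star(self, f: Formula) -> Set[Formula]:
        """Inf*(f): every node g of F with g |= f, by reflexive-transitive closure of Inf."""
        seen: Set[Formula] = set(); stack = [f]
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g); stack.extend(self.inf[g])
        return seen

    def extent(self, f: Formula) -> Set[str]:
        """tau(f) = {obj(g) | g in Inf*(f), obj(g) defined}."""
        return {self.obj[g] for g in self.inf_star(f) if g in self.obj}

    def object_of(self, f: Formula) -> Optional[str]:
        """t(f) = obj(max of the labelled nodes of Inf*(f)); None if empty or ambiguous."""
        labelled = [g for g in self.inf_star(f) if g in self.obj]
        tops = [g for g in labelled if all(h in self.inf_star(g) for h in labelled)]
        return self.obj[tops[0]] if len(tops) == 1 else None

    def increments(self, f: Formula) -> Set[Formula]:
        """Inc(f) = greatest x in X with 0 < |tau(f) n tau(x)| < |tau(f)|."""
        ext = self.extent(f)
        cands = {x for x in self.X if 0 < len(ext & self.extent(x)) < len(ext)}
        return {x for x in cands if not any(y != x and x in self.inf_star(y) for y in cands)}

def build_example() -> FormulaDiagram:
    """Constructed context in the spirit of Figure 2: objects x, z, y with
    descriptions {a}, {a,c}, {b} and the increments a, b, c."""
    d = FormulaDiagram()
    for name, desc in (("x", {"a"}), ("z", {"a", "c"}), ("y", {"b"})):
        d.add_object(name, frozenset(desc))
    for x in ("a", "b", "c"):
        d.add_increment(frozenset({x}))
    return d

def query_without_deduction(d: FormulaDiagram, f: Formula):
    """Runs tau, t and Inc on a node and reports how many |= tests they needed."""
    before = d.deductions
    result = (d.extent(f), d.object_of(f), d.increments(f))
    return result, d.deductions - before
```

The second assertion in the test below is the point of the section: once the diagram exists, querying the node of a formula costs graph traversals only, and the diagram stays anti-transitive whatever the insertion order (inserting $\{a, c\}$ before $\{a\}$ removes the edge $\{a,c\} \prec \top$ once $\{a\}$ is placed between them).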

5.3 Algorithms for Locating and Inserting Formulas in the Diagram 

Some formulas need to be located and inserted in the diagram of formulas $F$: descriptions of new objects, new increments, and arguments of $\tau$, $t$ and $Inc$. Thus, we need an algorithm that takes a formula as an argument, inserts it as a node in $F$, and returns this node. If a formula $f$ is already in $F$ (modulo $\equiv$), it is not inserted as a new node, but the existing node is returned. Inserting a formula $f$ in $F$ consists in computing $Inf(f)$ and $Sup(f)$. We designed an algorithm $insert$ based on traversals of $(F, \prec)$ and comparisons between formulas with $\models$ that achieves these computations (for lack of space, we do not detail it here).

Even if we tried to minimize the use of $\models$, whose complexity depends on the chosen logic, algorithm $insert$ remains costly and we avoid it as often as possible. Firstly, we observe that in practice the working query is built incrementally as a conjunction of increments. Indeed, the usual navigation paradigm is to alternate commands ls and cd. Even if a query is used instead of an increment given by ls, this query can be inserted as a new increment and then conjoined to the working query. Secondly, algorithms for $\tau$, $t$ and $Inc$ traverse only $Inf^*$ and not $Sup^*$; and practice shows that they are most often applied to the working query: in other cases (e.g., ls -r f), the command can be decomposed so that it becomes the case (e.g., cd f ; ls -r . ; cd ..).

These observations lead us to introduce a special node $wq$ for representing the working query. This node is special in the sense that only $Inf(wq)$ is defined ($Sup(wq)$ and $obj(wq)$ are not), and the formula of $wq$ is a conjunction of increments (elements of $X$). The advantage of this is that we have an algorithm $refine$ that refines the working query to $wq \wedge x$ from $wq$ and the node of an increment $x$ by traversing $Inf^*(wq)$ and $Inf^*(x)$ without any call to $\models$. Moreover, if $x$ is already in $F$ in the same syntactic form, it can be located in $F$ in constant time, using a hashtable for example.

Example. From Figure 2 we can see the effect of adding the object $y$ whose description is $b$, and the effect of refining the working query with formula $a \vee c$, which leads to inserting $a \vee c$ in the diagram of formulas (in dotted lines on the figure).

5.4 Discussion about Complexity 

In this section, we evaluate the complexity of the algorithms presented above according to the number of objects $n$ and the complexity of $\models$, which we note $O(\models)$. We begin by stating some reasonable assumptions. First, we assume that each object description is the conjunction of a set of formulas whose elements belong to the set of increments $X$, and whose average size is a constant $k$. This



1046 Sebastien Ferre and Olivier Ridoux 



assumption is rather natural and easily satisfied. Second, we assume that $F$ is somewhat homogeneous, i.e., every increment $x$ has a number of subformulas in $F$ proportional to the size of its extent; in other words, the ratio does not depend on $x$.

From these assumptions, it follows that the average complexity of $\tau$, $t$ and $refine$ is $k(1 + \ldots)$, and that the average complexity of $Inc$ is $k(n + |X|)$, where $|X|$ is the number of increments.

A good compromise is to give $X$ a size proportional to $n$. In this way, the average complexity of $\tau$, $t$ and $refine$ is constant, and that of $Inc$ is linear in $n$.

For algorithm $insert$, the worst case complexity is $n \cdot O(\models)$, which is unavoidable in some situations: for instance, the insertion of a new increment $x$ that is incomparable to existing ones leads to comparing $x$ with all object descriptions.

The best average complexity of $insert$, theoretically speaking, is $(\ln n) \cdot O(\models)$. This optimal complexity is realized under the conditions that, in the diagram of formulas, the height (the greatest path length) is in $O(\ln n)$, and the size of $Inf$ is bounded.

To put a concrete form on these conditions, let us observe that if $F$ is structured as a tree, it satisfies all conditions we put on the diagram of formulas.

To conclude, although the structure and the management of the diagram of formulas must be further specified to make precise how to satisfy the above conditions, we already know that it is possible to implement the CS at a reasonable cost. Moreover, this is valid for any decidable logic and without any restriction to the model presented in Section [ref].

6 Conclusion and Further Works 

We have presented the design of a file system shell in which the designation of objects is made by using formulas via Concept Analysis. In this design, conventional notions such as files and directories are matched by the notions of objects and concepts. The reference to an arbitrary logic may seem to challenge the practicality of the design, but we have shown that the actual usage of a theorem prover for taking the logic into account is very limited. In fact, deductions can be “cached” in a partially ordered diagram of formulas that does not depend on the formal context. Thus, it need not be updated when the Formal Context changes. Explicitly managing an evolving Concept Lattice is costly, and we have shown how to avoid it. Only an approximation of the Concept Lattice is actually represented.

This design has been implemented as a high-level generic Conceptual Shell prototype (CS) in which a theorem prover can be plugged in, and as a lower level File System prototype (RFS, for relational file system) in which a simple logic (a logic of sets of attributes) is wired into a file system. The prototypes have been tested with different applications: a Vietnamese cookbook (e.g., cd fish_sauce/pineapple) as an example of a small-size consumer oriented application, the management of home directories as an example of a medium-size professional application (we used CS with up to 5000 objects), and a personal organizer.

Further work in the short and medium term is to develop the algorithmic aspects of CFS, to improve the navigation facilities, and to develop a graphical user interface. Long term further work is to implement it at the level of a file system. This is necessary because not all accesses to objects are done via a shell; many more are done via system commands. So, one must offer the CFS service at this level.
Abstract. In this paper a semantic approach for the specification and the management of databases with evolving schemata is introduced. It is shown how a general object-oriented model for schema versioning and evolution can be formalized, how the semantics of schema change operations can be defined, and how interesting reasoning tasks can be supported, based on an encoding in description logics.

1 Introduction 

The problems of schema evolution and versioning arose in the context of long-lived database applications, where stored data were considered worth surviving changes in the database schema [ref]. According to a widely accepted terminology [ref], a database supports schema evolution if it permits modifications of the schema without the loss of extant data; in addition, it supports schema versioning if it allows the querying of all data through user-definable version interfaces. For the sake of brevity, schema evolution can be considered as a special case of schema versioning where only the current schema version is retained. With schema versioning, different schemata can be identified and selected by means of a suitable “coordinate system”: symbolic labels are often used in design systems to this purpose, whereas proper time values are the elective choice for temporal applications.

In this paper, we present and discuss a formal approach for the specification and management of schema versioning in a very general object-oriented data model. The adoption of an object-oriented data model is the most common choice in the literature concerning schema evolution, though schema versioning in relational databases has also been studied deeply. The approach is based on:

— the definition of an extended object-oriented model supporting evolving schemata (equipped with all the usually adopted schema changes) for which a semantics is provided;

— the formulation of interesting reasoning tasks, in order to support the design and the management of an evolving schema;

— an encoding, which has been proved correct, as inclusion dependencies in a suitable Description Logic, which can then be used to solve the tasks defined for the schema versioning.

Within such a framework, the main problems connected with schema versioning support will be formally characterised, both from a logical and a computational viewpoint, leading to the following enhancements.

— The complexity of schema changes becomes potentially unlimited: in addition to the classical schema change primitives (a well-known comprehensive taxonomy can be found in [ref]), our approach enables the definition of complex and articulated schema changes.

— We define different notions of consistency, related to the existence of a legal database for the global schema or for a single schema version, or related to the consistency of single classes within a consistent schema (version). Classification tasks we define include the discovery of implicit inclusion/inheritance relationships between classes [ref]. Decidability and complexity results are available for the above mentioned tasks in our framework; tools based on Description Logics can be used for solving these tasks.

— The process of schema transformation can be formally checked. The provided semantics of the various schema change operations makes it possible to reduce the correctness proof of complex sequences of schema changes to solvable reasoning tasks.

However, our semantic approach has not yet thoroughly addressed the so-called change propagation problem, which concerns the effects of schema changes on the underlying data instances. In general, change propagation can be accomplished by populating the new schema version with the results of queries involving extant data connected to previous schema versions. In Section [ref] our proposal will be reviewed in the light of previous approaches involving query languages (e.g., [ref]), and directions for future developments will also be sketched.

The paper is organised as follows. After a survey of the current status of the field, Section [ref] first introduces the object-oriented model for evolving schemata, and then formally defines the relevant reasoning problems supporting the design and the management of an evolving schema. Section [ref] introduces a provably correct encoding of the model into a Description Logic, so that theoretical, computational and practical results can be proved. A critical discussion (Sec. [ref]) about the proposed approach precedes the conclusions (Sec. [ref]).

2 Related Work 

The problems of schema evolution and schema versioning support have been extensively studied in relational and object-oriented database papers: [ref] provides an excellent survey on the main issues concerned. The introduction of schema change facilities in a system involves the solution of two fundamental problems: the semantics of change, which refers to the effects of the change on the schema itself, and the change propagation, which refers to the effects on the underlying data instances. The former problem involves the checking and maintenance of schema consistency after changes, whereas the latter involves the consistency of extant data with the modified schema.

In the object-oriented field, two main approaches were followed to ensure consistency in pursuing the “semantics of change” problem. The first approach is based on the adoption of invariants and rules, and has been used, for instance, in the ORION [ref] and O2 [ref] systems. The second approach, which was proposed in [ref], is based on the introduction of axioms. In the former approach, the invariants define the consistency of a schema, and definite rules must be followed to keep the invariants satisfied after each schema change. In the latter approach, a sound and complete set of axioms (provided with an inference mechanism) formalises the dynamic schema evolution, which is the actual management of schema changes in a system in operation. The compliance of the available primitive schema changes with the axioms automatically ensures schema consistency, without need for explicit checking, as incorrect schema versions cannot actually be generated.

For the “change propagation” problem, several solutions have been proposed and implemented in real systems [ref]. In most cases, simple default mechanisms can be used, or user-supplied conversion functions must be defined for non-trivial extant object updates. A notable exception is [ref], where a formal notion of logical consistency of the global approach is devised and proved decidable, in the context of a simple object-oriented data model. This work is different from the previous solutions in that there is no automatic reorganisation of the data after the schema update, but only a consistency check of the resulting database.

As far as complex schema changes are concerned, [ref] considered sequences of schema change primitives to make up useful high-level changes, solving the propagation-to-objects problem with simple schema integration techniques. However, with this approach, the consistency of the resulting database is neither guaranteed nor checked. In [ref], high-level primitives are defined as well-ordered sets of primitive schema changes. Consistency of the resulting schema is ensured by the use of invariant-preserving elementary steps and by ad-hoc constraints imposed on their application order. In other words, consistency preservation is dependent on an accurate design of high-level schema changes and, thus, still relies on the designer’s skills.

3 An Object-Oriented Data Model for Evolving Schemata 

The object-oriented model we propose allows for the representation of multiple schema versions. It is based on an expressive version of the “snapshot” (i.e., single-schema) object-oriented model introduced by [ref] and further extended and elaborated in its relationships with Description Logics by [ref]; in this paper we borrow the notation from [ref]. The language embodies the features of the static parts of UML/OMT and ODMG and, therefore, it does not take into account those aspects related to the definition of methods.

The definition of an evolving schema $\mathcal{S}$ is based on a set of class and attribute names ($\mathcal{C}_{\mathcal{S}}$ and $\mathcal{A}_{\mathcal{S}}$, respectively) and includes a partially ordered set of schema versions. The initial schema version of $\mathcal{S}$ contains a set of class definitions having one of the following forms:

Class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$.

View-class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$.

A class definition introduces just necessary conditions regarding the type of the class (this is the standard case in object-oriented data models), while views are defined by means of both necessary and sufficient conditions. The symbol $T$ denotes a type expression built according to the following syntax:

$T \rightarrow C \mid$

Union $T_1, \ldots, T_k$ End $\mid$ (union type)

Set-of $[m,n]$ $T$ $\mid$ (set type)

Record $A_1{:}T_1, \ldots, A_k{:}T_k$ End . (record type)

where $C \in \mathcal{C}_{\mathcal{S}}$, $A_i \in \mathcal{A}_{\mathcal{S}}$, and $[m,n]$ denotes an optional cardinality constraint.

A schema version in $\mathcal{S}$ is defined by the application of a sequence of schema changes to a preceding schema version. The schema change taxonomy is built by combining the model elements which are subject to change with the elementary modifications, add, drop and change, they undergo. In this paper only a basic set of elementary schema change operators will be introduced; it includes the standard ones found in the literature (e.g., [ref]); however, it is not difficult to consider the complete set of operators with respect to the constructs of the data model.



$M \rightarrow$ Add-attribute $C, A, T$ End $\mid$

Drop-attribute $C, A$ End $\mid$

Change-attr-name $C, A, A'$ End $\mid$

Change-attr-type $C, A, T'$ End $\mid$

Add-class $C, T$ End $\mid$

Drop-class $C$ End $\mid$

Change-class-name $C, C'$ End $\mid$

Change-class-type $C, T'$ End $\mid$

Add-is-a $C, C'$ End $\mid$

Drop-is-a $C, C'$ End .

In this paper, we omit the definition of a schema version coordinate mech- 
anism and simply reference distinct schema versions by means of different sub- 
scripts. Any kind of versioning dimension usually considered in the literature 
could actually be employed - such as transaction time, valid time and symbolic 
labels - provided that a suitable mapping between version coordinates and index 
values is defined. 
Definition 1. An evolving object-oriented schema is a tuple $\mathcal{S} = (\mathcal{C}_{\mathcal{S}}, \mathcal{A}_{\mathcal{S}}, SV_0, \mathcal{M}_{\mathcal{S}})$, where:

— $\mathcal{C}_{\mathcal{S}}$ is a finite set of class names;

— $\mathcal{A}_{\mathcal{S}}$ is a finite set of attribute names;

— $SV_0$ is the initial schema version, which includes class and view definitions for some $C \in \mathcal{C}_{\mathcal{S}}$;

— $\mathcal{M}_{\mathcal{S}}$ is a set of modifications $M_{ij}$, where $i, j$ denote a pair of version coordinates. Each modification is a finite sequence of elementary schema changes.

The set $\mathcal{M}_{\mathcal{S}}$ induces a partial order $\mathcal{SV}$ over a finite and discrete set of schema versions with minimal element $SV_0$. Hence $SV_0$ precedes every other schema version, and the schema version $SV_j$ represents the outcome of the application of $M_{ij}$ to $SV_i$. $\mathcal{S}$ is called elementary if every $M_{ij}$ in $\mathcal{M}_{\mathcal{S}}$ contains only one elementary modification, and every schema version $SV_i$ has at most one immediate predecessor. In the following we will consider only elementary evolving schemata.

Let us now introduce the meaning of an evolving object-oriented schema S. 
Informally, the semantics is given by assigning to each schema version a possible 
legal database state -- i.e., a legal instance of the schema version -- conforming 
to the constraints imposed by the sequence of schema changes starting from the 
initial schema version. 

Formally, an instance $\mathcal{I}$ of $S$ is a tuple $\mathcal{I} = (O^{\mathcal{I}}, \rho^{\mathcal{I}}, (I_0, \ldots, I_n))$, consisting of a finite set $O^{\mathcal{I}}$ of object identifiers, a function $\rho^{\mathcal{I}} : O^{\mathcal{I}} \to V_{O^{\mathcal{I}}}$ giving a value to object identifiers, and a sequence of version instances $I_i$, one for each schema version $SV_i$ in $S$. The set $V_{O^{\mathcal{I}}}$ of values is defined by induction as the smallest set including the union of $O^{\mathcal{I}}$ with all possible "sets" of values and with all possible "records" of values. Although the set $V_{O^{\mathcal{I}}}$ is infinite, we consider for an instance $\mathcal{I}$ the finite set $V_{\mathcal{I}}$ of active values, which is the subset of $V_{O^{\mathcal{I}}}$ formed by the union of $O^{\mathcal{I}}$ and the set of values assigned by $\rho^{\mathcal{I}}$.

A version instance $I_i = (\pi^{I_i}, \cdot^{I_i})$ consists of a total function $\pi^{I_i} : C_S \to 2^{O^{\mathcal{I}}}$, giving the set of object identifiers in the extension of each class $C \in C_S$ for that version, and of a function $\cdot^{I_i}$ (the interpretation function) mapping type expressions to sets of values, such that the following is satisfied:

$C^{I_i} = \pi^{I_i}(C)$

$(\mathit{Union}\ T_1, \ldots, T_k\ \mathit{End})^{I_i} = T_1^{I_i} \cup \ldots \cup T_k^{I_i}$

$(\mathit{Set\text{-}of}\ [m,n]\ T)^{I_i} = \{ \{\!|\, v_1, \ldots, v_k \,|\!\} \mid m \le k \le n,\ v_j \in T^{I_i} \text{ for } j \in \{1, \ldots, k\} \}$

$(\mathit{Record}\ A_1{:}T_1, \ldots, A_k{:}T_k\ \mathit{End})^{I_i} = \{ [A_1 : v_1, \ldots, A_k : v_k, \ldots, A_h : v_h] \mid \text{for some } h \ge k,\ v_j \in T_j^{I_i} \text{ for } j \in \{1, \ldots, k\},\ v_j \in V_{O^{\mathcal{I}}} \text{ for } j \in \{k+1, \ldots, h\} \}$

where an open semantics for records is adopted (called *-interpretation in the literature) in order to give the right semantics to inheritance. In a set constructor, if the minimum or the maximum cardinalities are not explicitly specified, they are assumed to be zero and infinite, respectively.

The semantics of schema changes is shown in Fig. 1. For each schema change $M_{ij}$, it defines a relationship between the instances of the involved schema versions.

Add-attribute C, A, T:
$\pi^{I_j}(C) = \pi^{I_i}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A : v, \ldots] \wedge v \in T^{I_j} \}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Drop-attribute C, A:
$\pi^{I_i}(C) = \pi^{I_j}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A : v, \ldots] \}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Change-attr-name C, A, A':
$\pi^{I_i}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A : v, \ldots] \} = \pi^{I_j}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A' : v, \ldots] \}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Change-attr-type C, A, T':
$\pi^{I_i}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A : v, \ldots] \wedge v \in T'^{I_j} \} = \pi^{I_j}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) = [\ldots, A : v, \ldots] \}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Add-class C, T:
$\pi^{I_i}(C) = \emptyset$, $\rho^{\mathcal{I}}(\pi^{I_j}(C)) \subseteq T^{I_j}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Drop-class C:
$\pi^{I_j}(C) = \emptyset$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Change-class-name C, C':
$\pi^{I_j}(C') = \pi^{I_i}(C)$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C, C'$

Change-class-type C, T':
$\pi^{I_j}(C) = \pi^{I_i}(C) \cap \{ o \in O^{\mathcal{I}} \mid \rho^{\mathcal{I}}(o) \in T'^{I_j} \}$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Add-is-a C, C':
$\pi^{I_j}(C) = \pi^{I_i}(C) \cap \pi^{I_i}(C')$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Drop-is-a C, C':
$\pi^{I_i}(C) = \pi^{I_j}(C) \cap \pi^{I_j}(C')$, $\pi^{I_j}(D) = \pi^{I_i}(D)$ for all $D \ne C$

Fig. 1. Semantics of the schema changes.

A legal instance X of a schema S should satisfy the constraints imposed by 
the class definitions in the initial schema version and by the schema changes 
between schema versions. 

Definition 2. An instance $\mathcal{I}$ of a schema $S$ is said to be legal if

— for each class definition in $SV_0$
Class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$, it holds that:
$C^{I_0} \subseteq C_j^{I_0}$ for each $j \in \{1, \ldots, h\}$,
$C^{I_0} \cap C_j^{I_0} = \emptyset$ for each $j \in \{h+1, \ldots, k\}$,
$\{ \rho^{\mathcal{I}}(o) \mid o \in \pi^{I_0}(C) \} \subseteq T^{I_0}$;

— for each view definition in $SV_0$
View-class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$, it holds that:
$C^{I_0} \subseteq C_j^{I_0}$ for each $j \in \{1, \ldots, h\}$,
$C^{I_0} \cap C_j^{I_0} = \emptyset$ for each $j \in \{h+1, \ldots, k\}$,
$\{ \rho^{\mathcal{I}}(o) \mid o \in \pi^{I_0}(C) \} = T^{I_0}$;

— for each schema change $M_{ij}$ in $M_S$, the version instances $I_i$ and $I_j$ satisfy the equations of the corresponding schema change type in Fig. 1.
4 Reasoning Problems

According to the semantic definitions given in the previous section, several rea- 
soning problems can be introduced, in order to support the design and the man- 
agement of an evolving schema. 

Definition 3. Reasoning problems:

a. Global/local Schema Consistency: an evolving schema $S$ is globally consistent if it admits a legal instance; a schema version $SV_i$ of $S$ is locally consistent if the evolving schema $S_{;i}$, obtained from $S$ by reducing the set of modifications $M_S$ to the linear sequence of schema changes in $M_S$ which led to the version $SV_i$ from $SV_0$, admits a legal instance. In the following, a global reasoning problem refers to $S$, while a local one refers to $S_{;i}$.

b. Global/local Class Consistency: a class $C$ is globally inconsistent if for every legal instance $\mathcal{I}$ of $S$ and for every version $SV_i$ its extension is empty, i.e., $\forall i.\ \pi^{I_i}(C) = \emptyset$; a class $C$ is locally inconsistent in the version $SV_i$ if for every legal instance $\mathcal{I}$ of $S_{;i}$ its extension is empty, i.e., $\pi^{I_i}(C) = \emptyset$.

c. Global/local Disjoint Classes: two classes $C, D$ are globally disjoint if for every legal instance $\mathcal{I}$ of $S$ and for every version $SV_i$ their extensions are disjoint, i.e., $\forall i.\ \pi^{I_i}(C) \cap \pi^{I_i}(D) = \emptyset$; two classes $C, D$ are locally disjoint in the version $SV_i$ if for every legal instance $\mathcal{I}$ of $S_{;i}$ their extensions are disjoint, i.e., $\pi^{I_i}(C) \cap \pi^{I_i}(D) = \emptyset$.

d. Global/local Class Subsumption: a class $D$ globally subsumes a class $C$ if for every legal instance $\mathcal{I}$ of $S$ and for every version $SV_i$ the extension of $C$ is included in the extension of $D$, i.e., $\forall i.\ \pi^{I_i}(C) \subseteq \pi^{I_i}(D)$; a class $D$ locally subsumes a class $C$ in the version $SV_i$ if for every legal instance $\mathcal{I}$ of $S_{;i}$ the extension of $C$ is included in the extension of $D$, i.e., $\pi^{I_i}(C) \subseteq \pi^{I_i}(D)$.

e. Global/local Class Equivalence: two classes $C, D$ are globally/locally equivalent if $C$ globally/locally subsumes $D$ and vice versa.

Please note that the classical subtyping problem - i.e., finding the explicit rep- 
resentation of the partial order induced on a set of type expressions by the 
containment between their extensions - is a special case of class subsumption, if 
we restrict our attention to view definitions. 

As to the change propagation task, which is one of the fundamental tasks addressed in the literature (see the related work discussed earlier), it is usually dealt with by populating the classes in the new version with the result of queries over the previous version. The same applies to our framework: a language for the specification of views can be defined for specifying how to populate classes in a version from the previous data. Formally, we require a query language for expressing views providing a mechanism for explicit creation of object identifiers. At present, our approach includes one single data pool and a set of version instances which can be thought of as views over the data pool. Therefore we consider update as a schema augmentation problem, where the original logical schema is augmented and the new data may refer to the input data. The result of applying any view to a source data pool may involve OIDs from the source besides the new required OIDs to be created. The association between the source OIDs and the target ones should not be destroyed, and only the target data pool will be retained. In Section 6 an alternative approach will be discussed.

Fig. 2. The Employee initial schema version in UML notation.

Of course, at this point the problem of global consistency of an evolving schema $S$ becomes more complex, since it involves the additional constraints defined by the data conversions: an instance would therefore be legal if it satisfies not only the constraints of Definition 2 but also the constraints specified by the views. Obviously, a schema $S$ involving a schema change for which the semantics expressed by the corresponding equation in Fig. 1 and the associated data conversions are incompatible would never admit a legal instance. In general, the introduction of data conversion views makes all the reasoning problems defined above more complex.

We will try to explain the application of the reasoning problems through an example. Let us consider an evolving schema $S$ describing the employees of a company. The schema includes an initial schema version $SV_0$ defined as follows:

    Class Employee type-is Union Manager, Secretary, Worker End ;
    Class Manager is-a Employee disjoint Secretary, Worker ;
    Class Secretary is-a Employee disjoint Worker ;
    Class Worker is-a Employee ;
    View-class Senior type-is Record has_staff : Set-of [2,n] Worker End ;
    View-class Junior type-is Record has_staff : Set-of [0,1] Worker End ;
    Class Executive disjoint Secretary, Worker ;
    View-class Everybody type-is Union Senior, Junior End ;

Figure 2 shows the UML-like representation induced by the initial schema $SV_0$; note that classes with names prefixed by a slash represent the views. The evolving schema $S$ includes a set of schema modifications $M_S$ defined as follows:
    (M_01) Add-is-a Secretary, Manager End ;
    (M_12) Add-is-a Everybody, Manager End ;
    (M_23) Add-is-a Everybody, Secretary End ;
    (M_04) Add-is-a Executive, Employee End ;
    (M_45) Add-attribute Manager, IdNum, Number End ;
    (M_56) Change-attr-type Manager, IdNum, Integer End ;
    (M_67) Change-attr-type Manager, IdNum, String End ;
    (M_68) Drop-class Employee End ;

Let us analyse the effect of each schema change Mij by considering the schema 
version SVj it produces. 

First of all, it can be noticed that in $SV_0$ the Junior and Senior classes are disjoint and that Everybody contains all the possible instances of the record type. In fact, Everybody is defined as the union of view classes which are complementary with respect to the record type: any possible record instance is the value of an object belonging either to Senior or to Junior.

Secretary is inconsistent in $SV_1$ since Secretary and Manager are disjoint: its extension is included in the Manager extension only if it is empty (for each version instance $I_1$, $\pi^{I_1}(\mathit{Secretary}) = \emptyset$). Therefore, Secretary is locally inconsistent, as it is inconsistent in $SV_1$ but not in $SV_0$.

The schema version $SV_3$ is inconsistent because Secretary and Manager, which are both superclasses of Everybody, are disjoint and the intersection of their extensions is empty: no version instance $I_3$ exists in which Everybody has a non-empty extension. It follows that $S$ is locally inconsistent with respect to $SV_3$ and, thus, globally inconsistent (although it is locally consistent with respect to the other schema versions).

In $SV_4$, it can be derived that Executive is locally subsumed by Manager, since it is a subclass of Employee disjoint from Secretary and Worker (Manager, Secretary and Worker are a partition of Employee).

The schema version $SV_5$ exemplifies a case of attribute inheritance. The attribute IdNum which has been added to the Manager class is inherited by the Executive class. This means that every legal instance of $S$ should be such that every instance of Executive in $SV_5$ has an attribute IdNum of type Number, i.e., $\pi^{I_5}(\mathit{Executive}) \subseteq \{ o \mid \rho^{\mathcal{I}}(o) = [\ldots, \mathit{IdNum} : v, \ldots] \wedge v \in \mathit{Number}^{I_5} \}$. Of course, there is no restriction on the way classes are related via subsumption, and multiple inheritance is allowed as long as it does not generate an inconsistency.
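The three local verdicts above (Secretary forced empty in $SV_1$, Everybody forced empty in $SV_3$, Executive subsumed by Manager in $SV_4$) can be reproduced by a small saturation procedure. The Python program below is an added illustration, not code from the paper or from any description logic system. It keeps only the is-a, disjoint and union-cover constraints of $SV_0$ (record and set value types are not modelled, nor is the requirement that a view class contain an object for every value of its type), and it reads each Add-is-a along the path to a version as one more subclass constraint on the same class names, a simplification of the per-version concepts used in the encoding of Section 5. The class names, the $M_{ij}$ labels and the paths are transcribed from the example; the Senior/Junior disjointness is entered as an axiom because the paper derives it from the set cardinalities, which the toy does not see.

```python
"""Added toy checker for the Employee evolving schema (is-a/disjoint/cover only)."""
from itertools import combinations

# Constructed transcription of SV0.  "cover" records a `type-is Union ...`
# definition as: every instance of the key class lies in one of the listed
# classes.  Senior/Junior disjointness is the derived SV0 fact stated in the
# text, entered here as an axiom because set cardinalities are not modelled.
SV0 = {
    "classes": {"Employee", "Manager", "Secretary", "Worker",
                "Senior", "Junior", "Executive", "Everybody"},
    "isa": {("Manager", "Employee"), ("Secretary", "Employee"),
            ("Worker", "Employee")},
    "disjoint": {frozenset(p) for p in [
        ("Manager", "Secretary"), ("Manager", "Worker"), ("Secretary", "Worker"),
        ("Executive", "Secretary"), ("Executive", "Worker"), ("Senior", "Junior")]},
    "cover": {"Employee": ("Manager", "Secretary", "Worker"),
              "Everybody": ("Senior", "Junior")},
}

# The Add-is-a changes of the example (C, C') and the linear path of changes
# leading from SV0 to each version, i.e. the schema S;i of Definition 3a.
CHANGES = {"M01": ("Secretary", "Manager"), "M12": ("Everybody", "Manager"),
           "M23": ("Everybody", "Secretary"), "M04": ("Executive", "Employee")}
PATHS = {"SV0": [], "SV1": ["M01"], "SV2": ["M01", "M12"],
         "SV3": ["M01", "M12", "M23"], "SV4": ["M04"]}


def version(name):
    """Schema S;i: SV0 plus the is-a edges added along the path to the version.
    (Simplification: Add-is-a C, C' is read as C below C' on unversioned names.)"""
    s = {"classes": set(SV0["classes"]), "isa": set(SV0["isa"]),
         "disjoint": set(SV0["disjoint"]), "cover": dict(SV0["cover"])}
    for m in PATHS[name]:
        s["isa"].add(CHANGES[m])
    return s


def reason(s):
    """Saturate to a fixpoint.  Returns (sup, bad): sup[C] is the set of
    classes that provably contain C, bad the classes forced to be empty."""
    sup = {c: {c} for c in s["classes"]}
    bad = set()

    def disjoint(c, d):
        # C and D are disjoint if one is empty or some superclass of C is
        # declared disjoint from some superclass of D.
        return c in bad or d in bad or any(
            frozenset((a, b)) in s["disjoint"] for a in sup[c] for b in sup[d])

    changed = True
    while changed:
        changed = False
        for c in s["classes"]:
            before = (len(sup[c]), c in bad)
            for x, y in s["isa"]:                     # C below X, X below Y
                if x in sup[c]:
                    sup[c].add(y)
            if any(frozenset(p) in s["disjoint"]      # two disjoint superclasses
                   for p in combinations(sup[c], 2)):
                bad.add(c)
            if sup[c] & bad:                          # subclass of an empty class
                bad.add(c)
            for d in list(sup[c]):                    # C below D, D covered by E1..Ek
                if d in s["cover"]:
                    cands = [e for e in s["cover"][d] if not disjoint(c, e)]
                    if not cands:
                        bad.add(c)
                    elif len(cands) == 1:
                        sup[c].add(cands[0])
            if (len(sup[c]), c in bad) != before:
                changed = True
    return sup, bad


def inconsistent_classes(name):
    """Locally inconsistent classes of the given version (Definition 3b)."""
    return sorted(reason(version(name))[1])


def subsumes(name, d, c):
    """Does D locally subsume C in the given version (Definition 3d)?"""
    sup, bad = reason(version(name))
    return d in sup[c] or c in bad


if __name__ == "__main__":
    for v in PATHS:
        print(f"{v}: empty classes = {inconsistent_classes(v)}")
    print("SV4: Manager subsumes Executive?", subsumes("SV4", "Manager", "Executive"))
    print("SV0: Manager subsumes Executive?", subsumes("SV0", "Manager", "Executive"))
```

Because the checker ignores the view semantics, it reports $SV_3$ only as having an empty Everybody class; the paper's stronger verdict that $SV_3$ admits no legal instance at all relies on Everybody being required to contain an object for every record value, which this toy does not encode.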

The Change-attr-type elementary schema change allows for the modification of the type of an attribute with the proviso that the new type is not incompatible with the old one, as in $M_{56}$. In fact, the semantics of elementary schema changes as defined in Fig. 1 is based on the assumption that the updated view should coexist with the starting data, since we are in the context of update as schema augmentation. If an object changes its value, then its object identifier should change, too. Notice that, for this reason, $M_{67}$ leads to an inconsistent version if Number and String are defined to be non-empty disjoint classes. Since the only elementary change that can refer to new objects is Add-class, in order to specify a schema change involving a restructuring of the data and the creation of new objects (like in the case of the change of the type of an attribute with an incompatible new type) a sequence of Drop-class and Add-class should be specified, together with a data conversion view specifying how the data is converted from one version to the other.

The deletion of the class Employee in $SV_8$ does not cause any inconsistency in the resulting schema version. In $SV_8$ the Employee extension is empty and the former Employee subclasses continue to exist (with the constraint that their extensions are subsets of the extension of Employee in $SV_6$). Notice that, in a classical object model where the class hierarchy is explicitly based on a DAG, the deletion of a non-isolated class would require a restructuring of the DAG itself (e.g. to get rid of dangling edges).

Fig. 3. ALCQI concept and role expressions and their semantics.

5 Reasoning Using Description Logics 

In this section we establish a relationship between the proposed model for evolving schemata and the ALCQI description logic. To this end, we provide an encoding from an evolving schema into an ALCQI knowledge base $\Sigma$, such that the reasoning problems mentioned in the previous section can be reduced to corresponding description logic reasoning problems, for which extensive theories and well-founded, efficient implemented systems exist. The encoding is grounded on the fact that there is a correspondence between the models of the knowledge base and the legal instances of the evolving schema.

We give here only a very brief introduction to the ALCQI description logic; for a full account, see the literature. The basic types of a description logic are concepts and roles. The syntax rules at the left-hand side of Figure 3 define valid concept and role expressions. Concepts are interpreted as sets of individuals (as for unary predicates) and roles as sets of pairs of individuals (as for binary predicates). Formally, an interpretation is a pair $\mathcal{I} = (\Delta^{\mathcal{I}}, \cdot^{\mathcal{I}})$ consisting of a set $\Delta^{\mathcal{I}}$ of individuals (the domain of $\mathcal{I}$) and a function $\cdot^{\mathcal{I}}$ (the interpretation function of $\mathcal{I}$) mapping every concept to a subset of $\Delta^{\mathcal{I}}$ and every role to a subset of $\Delta^{\mathcal{I}} \times \Delta^{\mathcal{I}}$, such that the equations at the right-hand side of Figure 3 are satisfied.
A knowledge base is a finite set $\Sigma$ of axioms of the form $C \sqsubseteq D$, involving concept expressions $C, D$; we write $C = D$ as a shortcut for both $C \sqsubseteq D$ and $D \sqsubseteq C$. An interpretation $\mathcal{I}$ satisfies $C \sqsubseteq D$ if and only if the interpretation of $C$ is included in the interpretation of $D$, i.e., $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$; it is said that $C$ is subsumed by $D$. An interpretation $\mathcal{I}$ is a model of a knowledge base $\Sigma$ iff every axiom of $\Sigma$ is satisfied by $\mathcal{I}$. If $\Sigma$ has a model, then it is satisfiable. $\Sigma$ logically implies an axiom $C \sqsubseteq D$ (written $\Sigma \models C \sqsubseteq D$) if $C \sqsubseteq D$ is satisfied by every model of $\Sigma$. Reasoning in ALCQI (i.e., deciding knowledge base satisfiability and logical implication) is decidable, and it has been proven to be an EXPTIME-complete problem.

As in previous work on the encoding of object-oriented schemata, the encoding of an object-oriented schema in an ALCQI knowledge base is based on the reification of type expressions, i.e., explicit individuals exist to denote values of complex types. We introduce the concept AbstractClass to represent the classes, the concepts RecType and SetType to represent types, the role value to model the association between classes and types, and the role member to specify the type of the elements of a set. In particular, a record is represented as an individual connected by means of (functional) roles, corresponding to attributes, to the fillers of its attributes. The mapping function $\psi_i$ translates type expressions into ALCQI concepts as follows:

$\psi_i(C) = C_i$

$\psi_i(\mathit{Union}\ T_1, \ldots, T_k\ \mathit{End}) = \psi_i(T_1) \sqcup \ldots \sqcup \psi_i(T_k)$

$\psi_i(\mathit{Set\text{-}of}\ [m,n]\ T) = \mathit{SetType} \sqcap \forall \mathit{member}.\psi_i(T) \sqcap {\ge}m\,\mathit{member}.\top \sqcap {\le}n\,\mathit{member}.\top$

$\psi_i(\mathit{Record}\ A_1{:}T_1, \ldots, A_k{:}T_k\ \mathit{End}) = \mathit{RecType} \sqcap \exists A_1.\psi_i(T_1) \sqcap \ldots \sqcap \exists A_k.\psi_i(T_k)$

The translation function $\psi_i$ is contextualised to the $i$-th schema version, since a class in different schema versions may have different extensions, and it is mapped into distinct concepts $C_i$.

Definition 4. The ALCQI knowledge base $\Sigma = \psi(S)$ corresponding to the object-oriented evolving schema $S = (C_S, A_S, SV_0, M_S)$ is composed by the following axioms:

— Axioms on basic types:

$\mathit{AbstractClass} \sqsubseteq \exists \mathit{value}.\top \sqcap {\le}1\,\mathit{value}.\top$

$\mathit{RecType} \sqsubseteq \forall \mathit{value}.\bot$

$\mathit{SetType} \sqsubseteq \forall \mathit{value}.\bot \sqcap \neg \mathit{RecType}$

— For each class definition Class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$ in $SV_0$:

$\psi_0(C) \sqsubseteq \mathit{AbstractClass} \sqcap \psi_0(C_1) \sqcap \ldots \sqcap \psi_0(C_h) \sqcap \forall \mathit{value}.\psi_0(T)$

$\psi_0(C) \sqsubseteq \neg\psi_0(C_{h+1}) \sqcap \ldots \sqcap \neg\psi_0(C_k)$

— For each view definition View-class $C$ is-a $C_1, \ldots, C_h$ disjoint $C_{h+1}, \ldots, C_k$ type-is $T$ in $SV_0$:

$\psi_0(C) \sqsubseteq \mathit{AbstractClass} \sqcap \psi_0(C_1) \sqcap \ldots \sqcap \psi_0(C_h)$

$\psi_0(C) \sqsubseteq \neg\psi_0(C_{h+1}) \sqcap \ldots \sqcap \neg\psi_0(C_k)$

$\psi_0(C) = \forall \mathit{value}.\psi_0(T)$

— For each attribute $A_i$ in $A_S$:

$\exists A_i.\top \sqsubseteq {\le}1\,A_i.\top$

— For each schema modification $M_{ij} \in M_S$: the corresponding axiom from Fig. 4.

Add-attribute C, A, T:
$\psi_j(C) = \psi_i(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A.\psi_j(T))$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Drop-attribute C, A:
$\psi_i(C) = \psi_j(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A.\top)$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Change-attr-name C, A, A':
$\psi_i(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A.\top) = \psi_j(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A'.\top)$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Change-attr-type C, A, T':
$\psi_i(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A.\psi_j(T')) = \psi_j(C) \sqcap \forall \mathit{value}.(\mathit{RecType} \sqcap \exists A.\top)$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Add-class C, T:
$\psi_i(C) = \bot$, $\psi_j(C) \sqsubseteq \mathit{AbstractClass} \sqcap \forall \mathit{value}.\psi_j(T)$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Drop-class C:
$\psi_j(C) = \bot$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Change-class-name C, C':
$\psi_i(C) = \psi_j(C')$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C, C'$

Change-class-type C, T':
$\psi_j(C) = \psi_i(C) \sqcap \forall \mathit{value}.\psi_j(T')$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Add-is-a C, C':
$\psi_j(C) = \psi_i(C) \sqcap \psi_i(C')$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Drop-is-a C, C':
$\psi_i(C) = \psi_j(C) \sqcap \psi_j(C')$, $\psi_j(D) = \psi_i(D)$ for all $D \ne C$

Fig. 4. The axioms induced by the schema changes.

Based on results from the literature, we have proved in previous work that the encoding is correct, in the sense that there is a correspondence between the models of the knowledge base and the legal instances of the evolving schema. The semantic correspondence is exploited to devise a correspondence between reasoning problems at the level of evolving schemata and reasoning problems at the level of the description logic.

Theorem 1. Given an evolving schema $S$, the reasoning problems defined in the previous section are all decidable in EXPTIME with a PSPACE lower bound. The reasoning problems can be reduced to corresponding satisfiability problems in the ALCQI Description Logic.

Please note that the worst-case complexity between PSPACE and EXPTIME does not imply bad practical computational behaviour in real cases: in fact, a preliminary experimentation with the Description Logic system FaCT shows that reasoning problems in realistic scenarios of evolving schemata are solved very efficiently.

As a final remark, it should be noted that the high expressiveness of the Description Logic constructs can capture an extended version of the presented object-oriented model, at no extra cost with respect to the computational complexity, since the target Description Logic in which the problem is encoded does not change. This includes not only taxonomic relationships, but also arbitrary boolean constructs, inverse attributes, n-ary relationships, and a large class of integrity constraints expressed by means of ALCQI inclusion dependencies. The last point suggests that axioms modelling schema changes can be freely combined in order to transform a schema into a new one. Some combinations can be defined at database level by introducing new non-elementary primitives.



6 Discussion 

In this paper we have introduced an approach to schema versioning which considers a (conceptual) schema change as a (logical) schema augmentation. In fact, the sequence of schema versions can be seen as an increasing set of constraints, as defined in Fig. 1: every elementary schema change introduces new constraints over a vocabulary augmented by the classes for the new version. An update of the schema is also reflected by the introduction of materialised views at the level of the data which specify how to populate the classes of the new version from the data of the previous version. Formally, in our approach the materialised views coexist together with the base data in the same pool of data. In some sense, there is no proper evolution of the objects themselves, since the emphasis is given to the evolution of the schema.

More complex is the case when it is needed that a particular object maintains its identity over different versions (i.e., the object evolves by varying its structural properties) and it is requested to have an overview of its evolution over the various versions. This is the case when a query, possibly over more than one conceptual schema, requires an answer about an object from more than one version.

In this case an explicit treatment of the partial order over the schema versions induced by the schema changes is required at the level of the semantics. Formally, this partial order defines some sort of "temporal structure" which leads us to consider the evolving data as a (formal) temporal database with a temporally extended conceptual data model. With such an approach, different formal "timestamps" can be associated with different schema versions: all the objects connected with a schema version are assigned the same timestamp, such that each data pool represents a homogeneous state (snapshot) in the database evolution along the formal time axis.¹ Objects belonging to different versions can be distinguished by means of the object's OID and the timestamp.

In such a framework, the (materialised) views expressing the data conversions can be expressed as temporal queries. In some sense, we can say that such a query language operates in a schema translation fashion instead of a schema augmentation, where new data are presumed to be independent of the source data and an explicit mapping between them has to be maintained. Multischema queries can be seen as temporal queries involving in their formulation distinct (formal) timestamps. Moreover, in case (bi)temporal schema versioning is adopted, this "formal" temporal dimension has also interesting and non-trivial connections, which deserve further investigation, with the "real" temporal dimension(s) used for versioning.

¹ This case corresponds to the multi-pool solution for temporal schema versioning of snapshot data in the taxonomy.

7 Conclusions 

This paper deals with the support of database schema evolution and versioning by introducing a general framework based on a semantic approach. The reducibility of a general Object-Oriented conceptual model to the proposed framework made it possible to provide a sound foundation for the purposes stated in the Introduction. In particular, the adoption of a Description Logic for the framework specification implies the availability of powerful services (like consistency checking and classification) which can be proved decidable.
Abstract. The magic set technique is a standard technique for query evaluation in deductive databases, and its variants are also used in modern commercial database systems like DB2. Numerous improvements of the basic technique have been proposed. However, each of these optimizations makes the transformation more complicated, and combining them in a single system is at least difficult.

In this paper, a new transformation is introduced, which is based on partial evaluation of a bottom-up meta-interpreter for SLD-resolution. In spite of its simplicity, this technique gives us a whole bunch of optimizations for free: for instance, it contains a tail recursion optimization, it transforms non-recursive into non-recursive programs, it can pass arbitrary conditions on the parameters to called predicates, and it saves the join necessary to get subquery results back into the calling context. In this way, it helps to integrate many of the previous efforts.

The usefulness of these optimizations is illustrated with example programs querying the World Wide Web.



1 Introduction 



Many current developments aim at integrated systems consisting of a program- 
ming language and a database management system. For instance, object-oriented 
database systems combine both functionalities, but also stored procedures and 
triggers in relational systems go into this direction. Deductive databases offered 
such an integrated language for a long time. Theoretically, this is very appeal- 
ing since here a declarative language is also used for the programming part. 
Declarativity has proven to be very useful in SQL. 

Deductive database systems have also become interesting again because they are well suited to process graph-structured data, and the World Wide Web can be seen as a large directed graph of interconnected documents. This view of the WWW is the basis of web query languages. Also, recently proposed data models for semi-structured data and XML, as well as the RDF model for Web metadata, are graph-structured.

* This paper is a completely rewritten and significantly extended version of a paper which appeared in the electronic proceedings of the International Workshop on "Advances in Databases and Information Systems", Moscow, 1996.
One of the biggest problems of deductive databases is still the performance, which is quite far behind other integrated DB/PL systems. It is known that "Bottom-Up [evaluation with magic sets] Beats Top-Down for Datalog". However, as noted by Ross, this does not mean that current deductive databases are at least as efficient as Prolog implementations. This is not even true asymptotically (in O-notation). So let us quickly explain the main difference between magic sets and SLD-resolution (which is the basis of Prolog evaluation). Although both are top-down evaluation methods, and in fact equally goal-directed, there are important differences.

The magic set method treats predicates (views) like procedures, which are 
called with a set of bindings for the input (bound) arguments. This input relation 
is the so-called “magic set” . They return a relation for all arguments, such that 
every returned tuple agrees with one input tuple in the bound arguments. So 
the result is the semijoin of the magic set and the full extension of the predicate. 
Of course, the trick is to avoid computing this full extension. 

For instance, consider a predicate local_link(From_URL, To_URL, Label) which returns links in the web page From_URL referring to a page To_URL on the same server. An invocation with the first argument bound could look as follows (the input relation is the magic set, the output relation the returned tuples; the Label values are not legible on the page):

    Input (magic set)       Output
    From_URL                From_URL         To_URL           Label
    http://x.edu/           http://x.edu/    http://x.edu/a
    http://y.edu/           http://x.edu/    http://x.edu/b
                            http://y.edu/    http://y.edu/c
In contrast, SLD-resolution works by repeatedly "unfolding" query literals: it replaces the predicate call by the predicate definition. This is what many relational database systems do with view definitions, but in SLD-resolution this is the only computation mechanism and it works also with recursive views. Let local_link be defined as follows:

    local_link(From_URL, To_URL, Label) ← link(From_URL, To_URL, Label) ∧
                                          same_server(From_URL, To_URL).

Furthermore, let the query be

    local_link('http://www.pitt.edu', URL, Label) ∧ like(Label, '%lnf%Sc%').

SLD-resolution replaces this query by

    link('http://www.pitt.edu', URL, Label) ∧
    same_server('http://www.pitt.edu', URL) ∧
    like(Label, '%lnf%Sc%').

In SLD-resolution, there is no explicit procedure call and return. Instead, we always work on complete continuations of the computation. Even if we should choose to evaluate next the calls to link and same_server, the control then passes immediately to like without entering the rule for local_link again. This is essential for tail recursions. Furthermore, we can choose a different evaluation sequence, for instance evaluate the call to like before the call to same_server. This gives us a much bigger optimization potential than the sideways information passing rule of magic sets, which can only locally reorder the body literals within a rule (or decide not to use all available bindings).²

Of course, SLD-resolution also has its problems, the most important being the possibility of non-termination. There are tabulation techniques which avoid this, but these are essentially equivalent to the magic set method. In this paper, we present a new method to combine advantages of bottom-up evaluation and SLD-resolution. The title says that this is the "real magic", because we believe that it was from the beginning the goal of the magic set transformation to combine bottom-up evaluation with Prolog evaluation (i.e. SLD-resolution).

Deductive databases are normally applied when there are large sets of facts which Prolog implementations cannot handle. While we do SLD-resolution as Prolog does, we execute it on a bottom-up machine using set-oriented evaluation techniques. Whereas Prolog always does nested loop joins, we can apply merge joins or hash joins. Also, we will see that the SLD-resolution selection function, which is not used in Prolog, can be an important means for query optimization.

Our approach is based on the idea of partially evaluating a meta-interpreter. Bry has done this for the standard magic set technique; we only start with another meta-interpreter and do a bit more involved partial evaluation. It is fascinating how many optimizations we get for free based on this idea. Such optimizations are known for the magic set method, but integrating them in a single system is at least hard work.

2 Problems of Magic Set Query Evaluation 

Let us consider some examples which demonstrate weak points of the standard 
magic set technique. We will see that an approach based on SLD-resolution can 
avoid these problems. Specialized solutions to most of these shortcomings have 
already been developed. Our contribution is an integrated approach which solves 
all of these problems (and is actually quite simple) . 

2.1 Tail Recursions 

It is a standard task to find all documents which are reachable from a given document via local links (i.e. links referring to documents on the same server). In order to do this, we first define a predicate for the transitive closure (corresponding to →* in WebSQL):

    local_reachable(X, Y) ← local_link(X, Y, _).
    local_reachable(X, Z) ← local_link(X, Y, _) ∧ local_reachable(Y, Z).

² "Informally, for a rule of a program, a sip represents a decision about the order in which predicates of the rule will be evaluated, and how values for variables are passed from predicates to other predicates during evaluation."
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Then we can call this predicate with the given start document, say dp: 

local_reachable(do, D). 

To keep the example simple, let us consider the following hypertext structure: 

[Figure: a chain of n + 1 pages d0 → d1 → ⋯ → dn, where each page links to the next] 
However, the same problem appears when we have additional links, and this 
path is only a subgraph. Actually, we could have used any reasonable connection 
of n + 1 pages (e.g. a star topology with backlinks). 

In order to solve the task, we must only follow the links and output every page 
we reach. Thus a complexity of O(n) seems reasonable, or O(n·log(n)), if we 
check for cycles due to backlinks. But if we use the magic set technique in this ex- 
ample, the complexity is at least O(n²). The reason is that this method explicitly 
represents the results of subqueries. We start with the call local_reachable(d0, D), 
but since there is a link to page d1, we get the recursive call local_reachable(d1, D), 
and so on, for any page of the chain. For each such subquery, the magic set 
method computes all matching facts which follow from the original program. 
So we not only get local_reachable(d0, d1), . . . , local_reachable(d0, dn), but also 
local_reachable(d1, d2), and so on. This is a quadratic number of facts, thus the 
complexity is at least O(n²), and probably higher due to join computations and 
duplicate eliminations. 

In contrast, Prolog can process this example in linear time, and this can be 
understood without looking inside Prolog implementations. The tree of goals 
(queries) created by SLD-resolution for the above program and data (including 
the rule for local_link) contains 8n + 5 nodes, and all nodes have ≤ 3 literals. 

However, SLD-resolution will not terminate for cyclic hypertext graphs. But 
our method of evaluating SLD-resolution bottom-up will compute only a finite 
number of SLD-goals, and does so in the required time O(n·log(n)). In contrast, 
previous tabulation methods for making SLD-resolution terminate, such as those 
used in the XSB-system, have the same problem as magic sets: They 
store proven instances of literals in a table, which is already a quadratic number. 

The magic set method with tail-recursion optimization developed in 
and further analyzed in solves the problem. There are also methods 
for more specific kinds of tail-recursions. However, our 
method contains such optimizations, and solves many other problems as well. 

Current query languages for the web, semistructured data, and XML typi- 
cally contain path expressions for following edges in the graph. There are spe- 
cialized algorithms for evaluating these expressions which of course do not have 
this problem. While path expressions work well for XML, retrieving a page on 
the web is an expensive operation, so we might need the full power of Datalog 
to describe as precisely as possible which links we want to follow. 
2.2 Nonrecursive Programs 

The following predicate computes pages reachable via at most two local links: 

reach2(X, Y) ← local_link(X, Y, _). 

reach2(X, Z) ← local_link(X, Y, _) ∧ local_link(Y, Z, _). 

The program is non-recursive and should be easy to evaluate. However, if we use 
the magic set technique for the query reach2(d0, D), we get a recursive program. 
The reason for this problem is that the magic set technique collects all calls to a 
predicate (with the same “binding pattern”) into a single magic predicate. But 
here, due to the second rule for reach2, the queries for local_link (in the second 
body literal) depend on solutions for local_link (in the first body literal). And of 
course, solutions for a predicate always depend conversely on the queries. 

In contrast, SLD-resolution treats the two calls to local_link separately, and 
thus the problem does not occur. Of course, merging calls sometimes can be 
advantageous, if this helps to avoid recomputations. Therefore our method can 
be parameterized in such a way that for every body literal either magic sets or 
SLD-resolution can be chosen. 

The methods of ensure that non-recursive programs are transformed 
into non-recursive programs. The basic approach is also to distinguish the two 
calls. In one of their solutions, they also do some unfolding, and add a “covered 
subgoal elimination” which we do not (yet) have. Again, the strength of our 
solution is that it solves different problems at the same time. 



2.3 Getting Results Back into the Context of the Caller 

Suppose we have a relation my_links(URL, Last_Visited) in which we store our 
personal collection of most interesting web pages. It is the combination of such 
local information with a web interface which makes web query languages a useful 
and powerful tool. Now the following predicate returns those pages which have 
changed since the time of last visit: 

has_changed(URL) ← my_links(URL, Last_Visited) ∧ 
    doc_mtime(URL, Modif) ∧ 
    Modif > Last_Visited. 

When has_changed is called with URL free, the magic set method will evaluate 
the body literals in the given sequence. So it first accesses the relation my_links. 
This gives bindings for the two variables URL and Last_Visited. Let us assume 
that doc_mtime is also an IDB-predicate: 

doc_mtime(URL, Modif) ← www_get(URL, Title, Modif, Contents). 

Then a magic set for doc_mtime is constructed by projecting the bindings for URL 
and Last_Visited on the variable URL. The predicate doc_mtime returns bindings 
for URL and Modif. But in the context of the calling rule, all three variables URL, 
Last_Visited, and Modif are bound, and all three variables are still needed. Thus, 
the two relations must be joined on the attribute URL (see Figure 1). 

[Fig. 1. Projection and Join During Magic Set Evaluation, for the rule body 
my_links(URL, Last_Visited) ∧ doc_mtime(URL, Modif) ∧ Modif > Last_Visited] 

Since a join is expensive, it would have been better not to project the vari- 
able Last_Visited away. SLD-resolution always retains the complete bindings for 
all variables which are still needed: The goals in the SLD tree contain the full 
continuation of the computation. 

Magic sets with supplementary predicates do not solve this problem. This 
method reduces unnecessary recomputations while evaluating a single rule, but 
does not change the arguments of the IDB-predicates, as would be required here. 

Magic sets could be advantageous compared to SLD-resolution if, e.g., my_links 
produced several solutions for a single URL (in the given example, this cannot 
happen because URL is a key). Then the projection could do a duplicate elimina- 
tion and thereby reduce the input to doc_mtime. 



2.4 Passing Conditions on the Parameters to Called Predicates 

Suppose that we are again interested in pages from our hotlist which were mod- 
ified since our last visit, but only from a specific server. Then we use the query 

has_changed(URL) ∧ on_server(URL, ’www.sis.pitt.edu’). 

Consider now the evaluation of has_changed: While my_links is a locally stored 
relation, the call to the WWW-interface predicate doc_mtime is very expensive: 
We have to fetch each page under all URLs stored in my_links, and only later 
throw out all pages which are not on the given server. 
The problem here is that for the magic set technique, the structure of the 
program in predicates is significant: The “sideways information passing” strategy 
cannot move literals between predicate boundaries. However, in this case, the 
optimal sequence would be 

my_links(URL, Last_Visited) ∧ 
on_server(URL, ’www.sis.pitt.edu’) ∧ 
doc_mtime(URL, Modif) ∧ 
Modif > Last_Visited. 



The literals on_server(URL, ’www.sis.pitt.edu’) and Modif > Last_Visited are very 
cheap to evaluate, however, they can only be evaluated after their arguments 
are bound. And of course, we should try to “fail as early as you can”, at least 
before very expensive literals are evaluated. This corresponds to the classical 
optimization strategy to push selections as far “down” as possible, and especially 
evaluate them before expensive joins. 

The magic set technique can pass only conditions of the form X = const on the 
parameters to the called predicates. The rectification transformation was 
invented to handle conditions of the form X = Y. The technique of can 
pass conditions of the form X < const. Our method inherits from SLD-resolution 
the possibility to evaluate arbitrary conditions on the parameters as soon as they 
become bound. In SLD-resolution this kind of “global optimization” is done by 
means of the selection function: It decides which literal from the continuation 
should be evaluated next. In this way, it considerably generalizes the magic set 
SIP-strategy (at least the reordering part; the SIP-strategy can also decide to 
use only a subset of the available bindings). 

While we reach the same optimization as the method of , that method 
has features which would have to be added to our approach. It can move linear 
arithmetic constraints both from the uses of a predicate into its rules as well as 
from the definitions towards its uses. Our method breaks up the rule structure 
so that constraints to be satisfied are visible when we evaluate a predicate. 
However, it evaluates them only as soon as they become bound; we do not yet 
check the constraints for consistency. We also do not generate constraints for 
predicates which would help to detect inconsistencies earlier. On the other hand, 
our method is not limited to any particular type of constraints. Any predicate 
which can be evaluated cheaply can act as a constraint. 



2.5 Combining Conditions for Index Access 

This greater flexibility in the evaluation order is also important for index struc- 
tures which can evaluate conjunctions of literals. For instance, when we submit 
a query to a search engine, we should first collect all literals specifying search 
terms for the same document. 

Suppose we have defined a predicate containing the URLs of possible job 
offers in the Web: 

job_offer(URL) ← keyword(’Job Opportunity’, URL). 
job_offer(URL) ← keyword(’Free Positions’, URL). 

Here the predicate keyword gives access to a search engine. While this particular 
definition of the predicate job_offer is very naive, such predicates can be used to 
represent knowledge about searching in the WWW. The possibility to reuse and 
share such knowledge is an important issue for future web querying systems. 
Now suppose that we are interested only in job offers mentioning “Prolog” : 

job_offer(URL) ∧ keyword(’Prolog’, URL). 

Then it might be important that when we evaluate the call to job_offer, we 
already see that there is another call to the predicate keyword. It will certainly 
be better to combine the search terms, and not to collect first all job offers and 
then to select those mentioning “Prolog”. 

In general, index structures often allow to evaluate conjunctions of literals at 
once. Even a classical B-tree over e.g. the attribute Sal of the relation emp allows 
us to evaluate a conjunction like emp(X, Y, Sal) ∧ Sal > 1000 ∧ Sal < 1500 in one 
shot. However, in the source program, these conditions might not be contained 
in the same rule. Therefore, good query optimization needs the unfolding power 
of SLD-resolution. 

It is sometimes assumed that standard relational query optimization can be 
done after the magic-set transformation. In our view, this is an error. The result 
of the transformation prescribes more or less the evaluation order. So many 
physical parameters (such as the existence of indexes) must already be taken 
into account when the transformation is done. 

3 The Meta-interpreter 

Often, an evaluation method can be explained by presenting an interpreter for it. 
If this interpreter is written in the language itself, it is called a meta-interpreter. 
It is a standard exercise in Prolog programming courses to write an interpreter 
for Prolog in Prolog. However, Bry clarified in that such interpreters 
depend heavily on the machine model used to execute them. While the standard 
meta-interpreter runs only on Prolog, Bry developed a meta-interpreter which 
formalized top-down evaluation, but runs itself on a bottom-up machine. He used 
explicit call and return, and in this way reconstructed the standard magic set 
transformation. So all we have to do now is to start with a meta-interpreter 
which describes real SLD-resolution. 

3.1 Bottom-Up Execution of SLD-Resolution 

We represent SLD-goals (nodes of the SLD-tree) by lists of literals which still have 
to be proven. For instance, the query local_reachable(d0, D) gives the root node 
of the SLD-tree: 

node([local_reachable(d0, D)]). 

The rules of the given program are stored in the form rule(Head, Body), e.g. 
rule(local_reachable(X, Z), [local_link(X, Y, _), local_reachable(Y, Z)]) . 
Now the SLD-resolution step can be described by means of the following main 
rule of our meta-interpreter (for simplicity, we have chosen here the “first literal” 
selection function of Prolog): 

node(Child) ← 
    node([Lit|Rest]) ∧ 
    rule(Lit, Body) ∧ 
    append(Body, Rest, Child). 

Our meta-interpreter will be evaluated bottom-up, so you have to read the rule 
from right to left: If we insert, e.g., the above node- and rule-facts, we will derive 
the following node-fact: 

node([local_link(d0, Y, _), local_reachable(Y, D)]). 

Bottom-up evaluation with non-ground facts does the necessary unification, and 
renames the variables of the used “facts” before that in order to avoid name 
clashes. In addition, it treats derived facts as duplicates if they differ only by a 
variable renaming from known facts. This is important for the termination and 
can be easily achieved by normalizing variable names (e.g. X1, X2, . . .). 

There is the small problem that in this way it is difficult to track the bind- 
ing for the answer variable D. When all literals are proven, we get the empty 
goal node([]), but the answer substitution is lost. We solve this problem by 
adding to each derived node-fact the current instance of the query. This will be 
the first argument of the predicate node, the second argument will be the current 
goal as above. So instead of the above node-fact we really derive 

node(local_reachable(d0, D), [local_link(d0, Y, _), local_reachable(Y, D)]). 

This is similar to a rule where the head always remains an instance of the query 
and we iteratively unfold the body. Since the substitutions are also applied to 
the first argument, it contains the proven query instance as soon as the goal 
becomes empty: 

node(local_reachable(d0, d2), []). 

The complete meta-interpreter is shown in Figure 2. We assume there that EDB- 
facts from the database are stored in the predicate db. The distinction between 
program rules with empty bodies and database facts becomes relevant only later 
when we do partial evaluation. For simplicity, we assume that the query is a single 
literal stored in the predicate query. The meta-interpreter can be executed by 
deductive database systems like CORAL which allow structured terms 
and non-ground facts. 

Theorem 1 (Relation to SLD-Resolution). Let the above meta-interpreter 
be executed on rule, db, and query-facts corresponding to a program P, database 
DB, and query Q. Then it computes the goals in the SLD-tree for P ∪ DB ∪ {← Q}: 

— For every node N in the SLD-tree with goal ← A1 ∧ ⋯ ∧ An, there is a fact 
node(Qθ, [A'1, . . . , A'n]) which is derivable from the meta-interpreter and a 
variable-renaming σ such that A'iσ = Ai, i = 1, . . . , n, and Qθσ is the result 
of applying to the query all most general unifiers which SLD-resolution used 
on the way from the root node to N. 

— And vice versa, every derivable fact corresponds in this way to (at least) one 
node in the SLD-tree. 

/* Initialization (Root Node): */ 
node(Query, [Query]) ← 
    query(Query). 

/* SLD-Resolution: */ 
node(Query, Child) ← 
    node(Query, [Lit|Rest]) ∧ 
    rule(Lit, Body) ∧ 
    append(Body, Rest, Child). 

/* Evaluation of DB-Literal: */ 
node(Query, Rest) ← 
    node(Query, [Lit|Rest]) ∧ 
    db(Lit). 

/* Turn Proven Query into Answer: */ 
answer(Query) ← 
    node(Query, []). 

Fig. 2. Bottom-Up Meta-Interpreter for SLD-Resolution 

From the soundness and completeness of SLD-resolution, we directly get the 
following corollary: 

Theorem 2 (Soundness and Completeness). Let the meta-interpreter be 
executed on rule, db, and query-facts corresponding to a program P, database DB, 
and query Q. 

— For every derived fact answer(Qθ), the substitution θ is a correct answer 
substitution. 

— For every correct answer substitution θ, there is a derived fact answer(Qθ') 
and a substitution σ with θ = θ'σ. 



3.2 Termination 

SLDMagic — The Real Magic (With Applications to Web Queries) 1073 

So our meta-interpreter correctly simulates SLD-resolution. As explained in Sec- 
tion 2, this is advantageous for many applications. But do we get in exchange 
for these advantages also the problem of possible non-termination? The answer 
is: Often not. Since we do not compute the nodes themselves, but only the 
goals attached to them, the termination behaviour is better than that of SLD- 
resolution. For instance, the rule p(X) ← p(X) poses no problem at all, since it 
does not yield new goals. In general, we can guarantee the termination for all 
tail-recursive Datalog-programs using only finite database predicates. We do not 
suggest to simulate SLD-resolution for predicates with other kinds of recursions. 
For such programs, we will later present a combined method which allows to use 
the “magic set” behaviour (tabulation) for calling some literals. 

Definition 1 (Tail-Recursive Program). A program is at most tail-recursive 
iff for every rule 

A ← B1 ∧ ⋯ ∧ Bm 

the predicates of Bi, 1 ≤ i ≤ m − 1, do not depend on the predicate of A, i.e. no 
body literal except possibly the last is recursive. 

Note that this class of programs is larger than the class for which the “right re- 
cursion optimization” of is applicable. Most practical programs are cov- 
ered. The condition ensures that the number of literals in SLD-goals is bounded 
(assuming the left-to-right selection function). 

Theorem 3 (Sufficient Condition for Termination). Let P be an at most 
tail-recursive program, DB a database, and Q be a query such that P ∪ DB ∪ {← Q} 
is finite and does not contain structured terms. Then the bottom-up evaluation 
of the above meta-interpreter terminates, i.e. there are only finitely many facts 
derivable from it (modulo variable renamings). 

3.3 Adding “Magic Set” Behaviour 

Because of the problems with general recursive calls, we might be interested 
to evaluate such literals with the magic set technique. Also, the strength of 
magic sets is that every predicate is evaluated only once for the same input 
values. While often the behaviour of SLD-resolution is better, we sometimes 
might want to table calls and computed results in order to avoid unnecessary 
recomputations. Fortunately, it is easy to extend the meta-interpreter in such a 
way that we can choose for every body literal whether it should be evaluated 
via SLD-resolution or via magic sets. 

Let us enclose body literals intended for magic set evaluation into the special 
predicate call. Then it suffices to add the two rules in Figure 3 to our meta- 
interpreter. The idea is that we allow SLD-resolution to call itself recursively for 
evaluating certain literals (like standard SLD-resolution does for negative liter- 
als). So we now construct not a single SLD-tree, but one for each recursive call. 
This explicit call and return is the key to understanding the difference between 
magic sets and SLD-resolution. One can view the two rules also as describing 
SLD-resolution with tabulation: The first rule enters a predicate call into a table, 
and the second rule takes solutions from a table in order to solve this literal. 

If all IDB-literals are evaluated in subproofs, we get something very similar to 
magic sets with supplementary predicates: The query-facts correspond to magic 
facts, answer-facts correspond to derived IDB-facts, and node-facts correspond 
to facts of the supplementary predicates. 
/* Set Up Recursive Call (Derive Magic Fact): */ 
query(Lit) ← 
    node(_, [call(Lit)|_]). 

/* Get Result of Recursive Call: */ 
node(Query, Rest) ← 
    node(Query, [call(Lit)|Rest]) ∧ 
    answer(Lit). 

Fig. 3. Additional Meta-Interpreter Rules for “Magic Set” Behaviour 

[Fig. 4. Inputs of the Meta-Interpreter: the Interpreter, the Program (rule), and 
the Query (query) are known at compile time; the Database (db) is known only at runtime] 
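The meta-interpreter of Figure 2 together with the call/answer rules of Figure 3, implemented as a bottom-up fixpoint in Python. This is an added example, not the paper's or the SLDMagic prototype's code; the encoding of terms as strings and tuples, the naive iteration strategy, and the chain and cycle data are assumptions of the example. It runs the cyclic local_reachable chain of Section 2.1 (finitely many goals: 4n + 4 node-facts for n + 1 pages), the rule p(X) ← p(X) of Section 3.2, and a left-recursive path predicate whose recursive literal is tabled via call as in Section 3.3.

```python
"""Bottom-up SLD meta-interpreter (Fig. 2) plus the call/answer rules of Fig. 3.  Added example;
term encoding, naive fixpoint loop and sample data are assumptions: variable = str starting with an
uppercase letter or '_', constant = lowercase str, literal = tuple (functor, args...), goal = tuple
of literals, node fact = (query instance, goal)."""
from itertools import count

def is_var(t):
    return isinstance(t, str) and (t[0].isupper() or t[0] == '_')

def mapvars(t, f):                      # apply f to every variable of a term, literal, goal or node fact
    if is_var(t):
        return f(t)
    return tuple(mapvars(x, f) for x in t) if isinstance(t, tuple) else t

def walk(t, s):                         # dereference variable t through substitution s
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):                     # extend s to an mgu of a and b, or None (no occurs check: Datalog)
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, a: b} if is_var(a) else {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def subst(t, s):
    t = walk(t, s)
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else t

def rename(t, n):                       # fresh copy of a rule or fact: X becomes 'X#n', no clash with node variables
    return mapvars(t, lambda v: f"{v}#{n}")

def normalize(fact):                    # canonical names V1, V2, ...: facts equal up to renaming coincide
    names = {}
    return mapvars(fact, lambda v: names.setdefault(v, f"V{len(names) + 1}"))

def evaluate(rules, db, query):
    """Naive bottom-up fixpoint of the meta-interpreter -> (node facts, answer facts).
    rules: list of (head, body_tuple); db: list of ground literals; query: one literal."""
    nodes = {normalize((query, (query,)))}             # node(Query, [Query]) <- query(Query)
    answers, fresh = set(), count()
    clauses = rules + [(f, ()) for f in db]             # db(Lit) treated like rule(Lit, []) here
    while True:
        new_nodes, new_answers = set(), set()
        for q, goal in nodes:
            if not goal:                                # answer(Query) <- node(Query, [])
                new_answers.add(q)
                continue
            lit, rest = goal[0], goal[1:]
            if lit[0] == 'call':                        # Fig. 3: evaluate Lit in its own SLD-tree (tabling)
                sub = lit[1]
                new_nodes.add(normalize((sub, (sub,))))          # query(Lit) <- node(_, [call(Lit)|_])
                for ans in answers:                              # node(Q, Rest) <- node(Q, [call(Lit)|Rest]), answer(Lit)
                    s = unify(sub, rename(ans, next(fresh)), {})
                    if s is not None:
                        new_nodes.add(normalize((subst(q, s), subst(rest, s))))
                continue
            for head, body in clauses:                  # node(Q, Child) <- node(Q, [Lit|Rest]), rule(Lit, Body), append(...)
                n = next(fresh)
                s = unify(lit, rename(head, n), {})
                if s is not None:
                    new_nodes.add(normalize((subst(q, s), subst(rename(body, n) + rest, s))))
        if new_nodes <= nodes and new_answers <= answers:
            return nodes, answers                       # no new goal or answer: fixpoint (Theorem 3)
        nodes |= new_nodes
        answers |= new_answers

# Constructed data (Sections 2.1, 3.2): chain d0 -> ... -> dn plus a back link dn -> d0 (Prolog would loop).
LR, LL = 'local_reachable', 'local_link'
REACH_RULES = [((LR, 'X', 'Y'), ((LL, 'X', 'Y', '_'),)),
               ((LR, 'X', 'Z'), ((LL, 'X', 'Y', '_'), (LR, 'Y', 'Z')))]

def chain_db(n):
    return [(LL, f'd{i}', f'd{i + 1}', 'l') for i in range(n)] + [(LL, f'd{n}', 'd0', 'back')]

def reachable_from_d0(n):               # -> (number of node facts, which is linear: 4n + 4, pages reachable from d0)
    nodes, answers = evaluate(REACH_RULES, chain_db(n), (LR, 'd0', 'D'))
    return len(nodes), sorted(a[2] for a in answers)

def self_loop():                        # p(X) <- p(X) yields no new goal: one node fact, no answer, termination
    nodes, answers = evaluate([(('p', 'X'), (('p', 'X'),))], [], ('p', 'a'))
    return len(nodes), len(answers)

# Constructed data (Section 3.3): left recursion is not tail-recursive, so the recursive literal is
# wrapped in call/1 and its solutions come back from the answer table instead of growing the goal.
PATH_RULES = [(('path', 'X', 'Y'), (('edge', 'X', 'Y'),)),
              (('path', 'X', 'Y'), (('call', ('path', 'X', 'Z')), ('edge', 'Z', 'Y')))]
CYCLE_DB = [('edge', 'a', 'b'), ('edge', 'b', 'c'), ('edge', 'c', 'a')]

def path_from_a():
    return sorted(a[2] for a in evaluate(PATH_RULES, CYCLE_DB, ('path', 'a', 'Y'))[1])
```

Without the call wrapper, the left-recursive path rule would keep producing longer goals, which is exactly the case Theorem 3 excludes.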

4 Partial Evaluation 

While the above meta-interpreter can be directly executed (e.g. on CORAL), the 
use of lists and non-ground facts significantly decreases the performance. It is well 
known that from an interpreter, one can get a compiler via partial evaluation. 
Such a compiler will transform a program intended for SLD-evaluation into a 
program which runs on a bottom-up machine. For Bry’s meta-interpreter, it was 
sufficient to unfold the call to the predicate rule. In our case, partial evaluation 
becomes a bit more complicated. There are a number of papers which investigate 
partial evaluation for Prolog (i.e. top-down evaluation), but partial evaluation 
for bottom-up execution seems to be a new problem. 

Our task is to evaluate the meta-interpreter as far as possible, given program 
and query, but with a yet unknown database (see Figure 4). Especially, we should 
try to avoid using lists and non-ground facts. This is feasible, since the number of 
literals in node-facts is bounded as long as the program is at most tail-recursive 
or other recursions are evaluated via call. 

Our main idea is to use conditional facts of the form A ← B to separate what 
is known at compile-time (A) from what is known only at runtime (B). For instance, we 
might know at compilation time that we can derive facts of the form 

node(local_reachable(d0, D), [local_reachable(d, D)]). 

This corresponds to the situation that we have followed links from the start 
page d0 to some page d, and therefore any page D reachable from d is also 
reachable from d0. Of course, the possible values for d depend on the data, and 
are not yet known at compile time. So we would encode this knowledge as 

node(local_reachable(d0, D), [local_reachable(X, D)]) ← p(X) 

where p is a new predicate used for the runtime computations. 

Let us now explain the partial evaluation in more detail. Basically, we do a 
standard bottom-up fixpoint computation, but we work now with conditional 
facts. So we have a set COND of conditional facts which will increase until a 
fixpoint is reached. An important invariance is that COND will never contain 
two different conditional facts with the same predicate p in the body. In this 
way, we can translate facts produced later at runtime (e.g. p(d)) uniquely back 
to facts of the original program. 

We start with the following facts COND (if we want to partially evaluate our 
meta-interpreter): 

— db(p(X1, . . . , Xn)) ← p(X1, . . . , Xn) for every EDB-predicate p. Actually, if 
there are certain small lookup-tables which seldom change, we might be 
allowed to compile them into our program. In this case we would have a 
conditional fact db(p(c1, . . . , cn)) ← true for every row (c1, . . . , cn) in the 
lookup-table. 

— query(Query) ← true for the given query literal Query. If we want to run 
the query repeatedly with different constants, we can replace them by vari- 
ables X1, . . . , Xn and start with query(Query) ← p(X1, . . . , Xn) instead. When 
the constants are known at runtime, we would add the corresponding p-fact. 

— rule(A, [B1, . . . , Bm]) ← true for each rule A ← B1, . . . , Bm in the given input 
program. 

In addition we have a set PROG of program rules which are the result of the 
partial evaluation. The set PROG starts out empty. 

Now let A ← B1, . . . , Bm be a rule of our meta-interpreter (or whatever 
program we want to partially evaluate). We choose conditional facts B'i ← Ci 
from COND (but with fresh variables) such that there is an mgu θ of (B1, . . . , Bm) 
and (B'1, . . . , B'm). Then the result of the unfolding with respect to the given 
conditional facts is 

Aθ ← C1θ ∧ ⋯ ∧ Cmθ. 

Now the body is already in the right form, but we want to encode also the head 
via a conditional fact. Let Y1, . . . , Yn be those variables which appear in Aθ 
and in at least one of the Ciθ. Then we search COND for a conditional fact of 
the form Aθ ← p(Y1, . . . , Yn) (with any predicate p and the variables possibly 
renamed). If there is none, we insert this conditional fact with a new predicate p 
into COND. Finally, we add the rule p(Y1, . . . , Yn) ← C1θ ∧ ⋯ ∧ Cmθ to PROG. 
Of course, duplicate elimination is needed here: We normalize the variables in 
such a way that we do not get two rules in COND or PROG which differ only in 
a renaming of variables. 

Some body literals (like the call to append) can already be evaluated fully at 
compile-time, so there is no need for a matching fact pattern. 

When a fixpoint is reached, PROG is the result of the partial evaluation. Each 
fact derivable from PROG can be translated back into the syntax of the original 
program by a unique rule from COND. 

In the special case of the meta-interpreter, we can guarantee that partial 
evaluation terminates under the above conditions (all recursions other than tail- 
recursions are evaluated via call, the input program contains no structured terms, 
program and database are finite). We also can handle structured terms at least 
when we move them into the conditional fact bodies which are evaluated at 
runtime. More research is needed for deciding which function symbols can in 
general be evaluated during partial evaluation. 



5 Conclusions 



SQL-3 contains recursion, and current applications like web queries really need 
it. The main techniques for evaluating recursion are magic sets (with many vari- 
ants) and SLD-resolution (used in Prolog). In this paper, we have clarified the 
differences between these two techniques. We have shown that SLD-resolution is 
often advantageous, and that SLD-resolution can be evaluated in a set-oriented 
fashion using database techniques. A first prototype implementation of the trans- 
formation is available from http://www.sis.pitt.edu/~sbrass/sldmagic/ 

It seems that for future performance improvements, we have to look more 
at the internal data structures. Especially, we want to avoid copying variable 
values. Our goal is to reach the performance of Prolog systems. This also needs 
a powerful program analysis to avoid duplicate eliminations. 

For simplicity, we have considered only negation-free programs. Adding strat- 
ified negation is not difficult, although some care has to be taken to make the out- 
put stratified. We are currently working on using our ideas from 
to handle general negation. 
Abstract. This paper reports on the design and implementation of 
FLORA — a powerful DOOD system that incorporates the features of 
F-logic, HiLog, and Transaction Logic. FLORA is implemented by trans- 
lation into XSB, a tabling logic engine that is known for its efficiency 
and is the only known system that extends the power of Prolog with an 
equivalent of the Magic Sets style optimization, the well-founded seman- 
tics for negation, and many other important features. We discuss the 
features of XSB that help our effort as well as the areas where it falls 
short of what is needed. We then describe our solutions and optimization 
techniques that address these problems and make FLORA much more 
efficient than other known DOOD systems based on F-logic. 



1 Introduction 

Deductive object-oriented databases (abbr. DOOD) attracted much attention in 
the early 1990’s but difficulties in realizing these ideas and performance problems 
had dampened the initial enthusiasm. Nevertheless, the second half of the last 
decade witnessed several experimental systems. They, along 
with the proliferation of the Web and many recent developments, such as the 
RDF standard, have fueled renewed interest in DOOD systems; in particular, 
systems for logic-based processing of object-oriented meta-data. 
Also, a new field — processing of semistructured data — is emerging to address 
a specialized segment of the research on DOOD systems. 

In this paper, we report our work on FLORA, a practical DOOD system that 
has already been successfully used to build a number of sophisticated Web-based 
information systems, as reported in . By “practical” we mean a DOOD 
system that has high expressive power, is built on strong theoretical founda- 
tions and offers competitive performance and a convenient software development 
environment. 

FLORA is based on F-logic, HiLog, and Transaction Logic, 
which are all incorporated into a single, coherent logic language along the lines 
described in . However, rather than developing our own deductive engine 
for F-logic (such as the ones developed for FLORID or SiLRI), we 
chose to utilize an existing engine, XSB, and implement FLORA through 
source-level translation to XSB. Apart from the benefits of saving a considerable 
amount of time, our choice of XSB was motivated by the following considerations: 



1. XSB augments SLD-resolution with tabling, which extends the well- 
known Magic Sets method, thereby offering both goal-driven top-down 
evaluation and data-driven bottom-up evaluation. 

2. Mapping of F-logic and HiLog into predicate calculus is well known. 

3. XSB is known to be an order of magnitude faster than other similar logic 
systems, such as LDL and CORAL. 

4. XSB has compile-time optimizations particularly suited for source-level trans- 
lation, such as specialization, unification factoring, and trie-based 
indexing (which permits indexing on multiple arguments of a predicate). 



To the best of our knowledge, the first functioning F-logic prototype based on 
the source-level translation approach was FLIP. FLIP served as the starting 
point and the inspiration for our own work. Fortunately, there was plenty of 
work left for us to do, because FLIP’s translation was essentially identical to 
that described in and it was rather naively relying on the ability of XSB to 
apply the right optimizations. As a result, the implementation of FLIP suffered 
from a number of serious problems. In particular: 



1. As a compiler optimization, XSB’s specialization does not apply to many 
programs obtained from a direct translation of F-logic. This is even more 
so when HiLog terms (which FLIP did not have) occur in the program. 

2. Although fundamental to evaluating F-logic programs, tabling cannot be 
used without discretion. First, tabling can, in some cases, cause unnecessary 
overhead. Second, tabling and database updates do not work well together. 

3. FLIP did not have a consistent object model and had limited support for 
path expressions, functional attributes, and meta-programming. 

4. Finally, FLIP did not provide any module system, which basically confined 
users to a single program file, making serious software development difficult. 

In this paper we discuss how these problems are resolved in FLORA. The full pa- 
per will present performance results, which compare FLORA with other systems 
that implement F-logic. 



2 Preliminaries 

In this section we review the technical foundations of FLORA — F-logic, 
HiLog, and Transaction Logic — and describe their naive translation 
using “wrapper” predicates. This discussion forms the basis for understanding 
the architecture of FLORA and the optimizations built into it. 
2.1 F-Logic

F-logic subsumes predicate calculus while both its syntax and semantics are 
still defined in object-oriented terms. On the other hand, much of F-logic can 
be viewed as a syntactic variant of classical logic, which makes implementation 
through source-level translation possible. 

Basic Syntax. F-logic uses Prolog ground (i.e., variable-free) terms to represent
object identities (abbr., oid’s), e.g., john and father(mary). Objects can have
scalar (single-valued), multivalued, or Boolean attributes, for instance,

mary[spouse->john, children->>{alice, nancy}].
mary[children->>{jack}; married].

Here spouse->john says that mary has a scalar attribute spouse, whose value
is the oid john; children->>{alice, nancy} says that the value of the multivalued
attribute children is a set that contains two oid’s: alice and nancy. We emphasize
“contains” because sets do not need to be specified all at once. For instance, the
second fact above says that mary has one other child, jack. The attribute married
in the second fact is Boolean: its value is true in the above example.

While some attributes of an object can be specified explicitly as facts, other
attributes can be defined using inference rules. For instance, we can derive
john[children->>{alice, nancy, jack}] with the help of the following rule:

X[children->>{C}] :- Y[spouse->X, children->>{C}]. (1)

Here we adopt the usual Prolog convention that capitalized symbols denote 
variables, while symbols beginning with a lower case letter denote constants. 

F-logic objects can also have methods, i.e., functions that return a value or 
a set of values when appropriate arguments are provided. For instance, 

john[grade@(cs305,f99)->100, courses@(f99)->>{cs305, cs306}].

says that john has a scalar method, grade, whose value on the arguments cs305 
and f99 is 100, and a multivalued method courses, whose value on the argument 
f99 is a set of oid’s that contains cs305 and cs306. As attributes, methods can 
also be defined using rules. 

One might wonder about the purpose of the “@”-sign in method specification. 
Indeed, why not write grade(cs305,f99) instead? The purpose is to enable meta- 
programming without using meta-logic. The “@”-sign trick makes methods into 
objects so that variables can range over them. For instance, the following rules 

X[methods->>{M}] :- X[M@(_)->_]. (2)
X[methods->>{M}] :- X[M@(_,_)->_].

where the symbol _ denotes a new unique variable, define a new method,
methods, which for any given object collects those of the object’s methods that
take one or two arguments.
Thus, the “@”-sign is just a syntactic gimmick that permits F-logic to stay
within the boundary of first-order logic syntax and avoids having to deal with
terms like M(X,Y), where M is a variable. However, there is a better gimmick,
HiLog, which will be discussed shortly.

Finally, we note that F-logic can specify class membership (e.g.,
john : student), subclass relationship (e.g., student :: person), types (e.g.,
person[name=>string]), and many other things that are peripheral to the
subject of this paper.

Translation into Predicate Calculus. A general translation technique, called
flattening, has been described in earlier work on F-logic. It used a small, fixed
assortment of wrapper predicates to encode different types of specifications. For
instance, the scalar attribute specification mary[age->30] is encoded as
fd(age,mary,[ ],30), whereas the multivalued method specification
john[courses@(f99)->>{cs305, cs306}] is encoded as
mvd(courses,john,[f99],cs305) ∧ mvd(courses,john,[f99],cs306).

However, one problem is that the indexing advantage is lost due to the small 
number of wrapper predicates used, since most Prolog systems index on predicate 
names. At first thought, one might think that the problem can be easily avoided 
if the encoding used method and attribute names as predicates instead of the 
“faceless” general wrappers. However, this is not the case, because variables are 
allowed to occur in place of method names, which would make the translated 
program second-order. 

Recursion presents another serious difficulty. The naive translation scheme
will most likely produce rules that are highly recursive, due to the small number
of wrapper predicates used. For instance, consider rule (1) presented earlier;
its naive translation is as follows:

mvd(children,X,[ ],C) :- fd(spouse,Y,[ ],X), mvd(children,Y,[ ],C).

In general, evaluating such rules using a regular Prolog-style engine will go into
an infinite loop even if logically there is only a finite number of possible answers.
In contrast, such rules present no problems to a tabling logic engine, like XSB,
which uses memoization to terminate unnecessary loops in the evaluation.

For completeness, we note that class membership has its own translation, e.g.,
isa(john, student), and so does the subclass relationship, e.g.,
subclass(student, person). Type specifications have their own translation as well.
In addition, a set of axioms must be added to enforce various properties of
F-logic. For instance, we have to ensure that scalar attributes yield at most one
value for any given object, that the subclass relationship is transitively closed,
and that subclass membership is contained in the superclass membership.

Last but not least, although the non-monotonic part of F-logic, inheritance,
cannot be directly translated into predicate calculus, it can still be encoded
using Prolog-style rules and computed using XSB’s efficient implementation of
the well-founded semantics for negation.
2.2 HiLog

We have seen that one can do a certain amount of meta-programming in F-logic,
mostly owing to the “@”-sign gimmick. Although the rules in (2) show that
all method names can be collected using this trick, it is not easy to collect
all method invocations (i.e., methods plus their arguments). Our experience
with FLORA 1.0 also shows that it is very convenient to treat both method
names and method invocations uniformly as objects, because the “@”-sign trick
is error-prone: people tend to forget to write down the “@”-sign (in F-logic,
grade@(cs305,f99) is different from grade(cs305,f99)).

Fortunately, with the HiLog extension all these problems disappear.
We illustrate HiLog through examples. The simplest yet most unusual one is the
definition of the standard Prolog meta-predicate, call: call(X) :- X. This means
that HiLog does not distinguish between function terms and atomic formulas:
the same variable can range over both. Variables can also range over function
symbols, as in X(Y,a). A query of the form ?- p(X), X, X(Y,X) is well within the
boundaries of HiLog. The syntax for HiLog terms also extends that of classical
logic. For instance, g(X)(f(a,X),Y)(b,Y) is perfectly fine. Of course, such powerful
syntax should be used sparingly, but people have found many important uses
for these features.

Obviously HiLog is a suitable replacement for the “@”-sign gimmick. Now
with the HiLog extension, users can write, say,

X[methods->>{M}] :- X[M(_,_)->_]

instead of the rules shown earlier in (2). Trivial as it might appear, HiLog
completely eliminates the need for the special meta-syntax used in FLORA 1.0, and
reduces the danger of programming mistakes. In addition, the underlying
conceptual object model becomes much more consistent. The HiLog extension is
implemented in the upcoming FLORA 2.0. Section 4 discusses the techniques
that were developed to optimize the translation.

Encoding in Predicate Calculus. It turns out that the semantics of HiLog is
inherently first-order and that it can actually be encoded using standard
predicate calculus. Although the translation is rather subtle, it is defined with
just two recursive transformation functions (we omit steps irrelevant to the main
subject): encode_g, for translating formulas, and encode_t, for translating terms:

1. encode_t(X) = X, for each variable X.

2. encode_t(s) = s, for each function symbol s.

3. encode_t(t(t1,...,tn)) = apply_{n+1}(encode_t(t), encode_t(t1),...,encode_t(tn)).

4. encode_g(A) = call(encode_t(A)), where A is a HiLog atomic formula.

5. encode_g(A ∧ B) = encode_g(A) ∧ encode_g(B).

For instance, f(a,X)(b,Y) ∧ X(Y) ∧ Z is encoded as:
apply_3(apply_3(f,a,X),b,Y) ∧ apply_2(X,Y) ∧ call(Z)
Note that this naive HiLog encoding uses essentially one wrapper predicate
per arity. For a Prolog-style implementation, this poses an even greater
challenge than F-logic, since all predicate-level indexing is lost. To overcome this
problem, two kinds of compiler optimizations can be used: unification factoring
and specialization. They both are source-level transformations aimed at
improving predicate-level indexing. These techniques are discussed in Section 3.2.



2.3 Transaction Logic 



An important aspect of an object-oriented language is the ability to update the
internal states of objects. In this respect, F-logic is only partly object-oriented,
since it is just a query language. To address this problem, earlier work introduced
techniques based on preserving the history of object states, so that different
object states can be distinguished through an extra state argument. However, such
techniques do not support modular design. For instance, one cannot define more
and more complex update transactions using previously defined subroutines.

In our view, subroutines are fundamental to programming, and any practical
proposal for dealing with updates in a logic-based programming language
must address this issue. Transaction Logic is one such proposal, which
provides a comprehensive theory of updates in logic programming. The utility
of Transaction Logic has been demonstrated in various applications ranging
from database updates, to robot action planning, to reasoning about actions, to
workflow analysis, and many more.

In FLORA 2.0, F-logic and Transaction Logic are integrated along the lines of
an earlier proposal, and the corresponding implementation issues are described
in Section 3.1. In Transaction Logic, both actions (transactions) and queries are
represented as predicates. In the context of F-logic, transactions are expressed
as object methods. Underlying Transaction Logic are just a few basic ideas:

1. Execution = Truth. Execution of an action is tantamount to it being true on 
a path, i.e., a sequence of database states that represent the execution trace. 

2. Elementary Updates. These are the building blocks for constructing complex
transactions. Their behavior can be specified by a separate program (e.g., in
the C language) or via a set of axioms. In this paper, we shall use only two
types of elementary updates: insert and delete.

3. Atomicity of Updates. A transaction should either execute entirely (in which 
case it is true along the execution path) or not at all. Although common in 
databases, this behavior is not typical in logic programming, where assert 
and retract are not backtrackable. 

The following program is a FLORA 2.0 adaptation of a block-stacking program
from the Transaction Logic literature. Here, the action stack is defined as a
Boolean method of a robot. The “#”-sign marks transactional methods that change
the database state.

R[#stack(0,X)] :- R : robot.
R[#stack(N,X)] :- R : robot, N > 0,
                  Y[#move(X)], R[#stack(N-1,Y)].
Y[#move(X)] :- Y : block, Y[clear], X[clear], X[wider(Y)],
               del(Y[on->Z]), ins(Z[clear]), ins(Y[on->X]), del(X[clear]).

Informally, the program says that to stack a pyramid of N blocks on top of block
X, the robot must find a block Y, move it onto X, and then stack N-1 blocks
on top of Y. To move Y onto X, both of them must be “clear” (i.e., with no
block on top), and X must be wider than Y. If these conditions are satisfied,
the database will be updated accordingly (ins and del are elementary insert and
delete transactions, respectively).

Note that because of the non-backtrackable nature of Prolog updates, using
assert and retract to translate the ins and del transactions in the above program
would not work properly. However, backtrackable updates can be implemented
efficiently in XSB at the engine level, due to XSB’s use of tries, a special data
structure for storing dynamic data. Transaction Logic provides the semantics for
this type of update.

3 Implementation Issues 

3.1 Transactions in a Tabling Environment 

As mentioned in Section 2.1, translation from F-logic to predicate calculus
requires tabling all the wrapper predicates used for flattening. It turns out,
however, that tabling and database updates are fundamentally at odds: tabling has
the effect that whenever the same query is repeated, it is not evaluated and
instead the previously computed answers are returned. Even a subsumed query
does not necessarily need to be evaluated. Its answers can be computed from
the answers for the corresponding subsuming query. Obviously, this hurts the
semantics of update transactions and other procedures that have side effects. To
see the problem, consider the following program:

:- table p/1.    p(X) :- write(X).

The first time p(a) is called, the system will print out “a” and return the answer 
yes. However, if p(a) is called the second time, the system will only answer yes 
without the “side effect” of “a” being printed out. 

This problem implies that update transactions in Transaction Logic should
not be translated using tabled predicates. Moreover, a tabled predicate p should
not depend (directly or indirectly) on an update transaction q, since the
semantics of such a dependency is murky: the first call to p will execute q while
subsequent calls might not. Therefore, FLORA must check that regular F-logic
methods and attributes do not depend on update transactions. A special syntax
is introduced to help FLORA perform proper translation: transactional methods
are preceded by a “#”-sign to distinguish them from regular F-logic methods.
Primitive update transactions, such as insertion and deletion, also look special:

ins(smith : professor[teach(1999,fall)->cse100])
del(cse200[taught_by(1999,spring)->david])

A more difficult problem arises when a transaction changes the base facts that 
a tabled predicate depends on. In this case, the changes should propagate to all 
answers that are already tabled for this predicate. This is similar to the view 
maintenance problem in databases, but the overhead associated with database 
view maintenance methods is unacceptable for fast in-memory logic engines. 
Currently, FLORA takes a rather drastic approach of abolishing all tables and 
letting subsequent queries rebuild them. However, this problem is not specific to 
FLORA, and a more efficient solution can be developed at the XSB engine level. 
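An added Python sketch, not FLORA or XSB code, that simulates the two effects just described: a tabled side effect that fires only once, and tabled answers that go stale after an update unless every table is abolished. The class TablingEngine, its methods t, ins_p, del_p and tabled_write, and the transitive-closure facts (modelled on program (4) of Section 3.2) are all constructed for this illustration.

```python
from typing import Dict, FrozenSet, List, Set, Tuple


class TablingEngine:
    """Toy memoising ("tabling") engine, constructed for this example; it is not
    XSB or FLORA code. Base facts are p/2 tuples, t/2 is the tabled transitive
    closure of p (the transitive-closure program of Section 3.2), and ins_p/del_p
    play the role of the elementary update transactions."""

    def __init__(self, p_facts: List[Tuple[str, str]]) -> None:
        self.p: Set[Tuple[str, str]] = set(p_facts)
        # Table for the call pattern t(X,_): bound X -> the set of answers for Y.
        self.tables: Dict[str, FrozenSet[str]] = {}
        self.write_table: Set[str] = set()   # table for the side-effecting p/1 below
        self.evaluations = 0                 # how often t/2 was actually evaluated
        self.output: List[str] = []          # what write/1 "printed"

    def t(self, x: str) -> FrozenSet[str]:
        """Answers Y to ?- t(x, Y). A repeated call is served from the table."""
        if x in self.tables:
            return self.tables[x]
        self.evaluations += 1
        answers: Set[str] = set()
        frontier = [x]
        while frontier:                      # fixpoint, as tabled evaluation computes it
            z = frontier.pop()
            for (u, v) in sorted(self.p):
                if u == z and v not in answers:
                    answers.add(v)
                    frontier.append(v)
        self.tables[x] = frozenset(answers)
        return self.tables[x]

    def ins_p(self, u: str, v: str, abolish_tables: bool = True) -> None:
        """Elementary insert into the base facts. With abolish_tables=True this is
        FLORA's drastic remedy: every table is abolished and later queries rebuild
        it. With False the previously tabled answers survive and go stale."""
        self.p.add((u, v))
        if abolish_tables:
            self.tables.clear()

    def del_p(self, u: str, v: str, abolish_tables: bool = True) -> None:
        """Elementary delete, with the same table-invalidation choice as ins_p."""
        self.p.discard((u, v))
        if abolish_tables:
            self.tables.clear()

    def tabled_write(self, x: str) -> bool:
        """The paper's ':- table p/1.  p(X) :- write(X).' Only the first call for a
        given x performs the side effect; afterwards the tabled 'yes' is returned."""
        if x not in self.write_table:
            self.output.append(x)
            self.write_table.add(x)
        return True


def stale_table_demo(abolish: bool) -> Tuple[FrozenSet[str], FrozenSet[str], int]:
    """Query t(a,Y) twice, insert p(c,d), query again.
    Returns (answers before, answers after, number of real evaluations)."""
    eng = TablingEngine([("a", "b"), ("b", "c")])
    before = eng.t("a")
    eng.t("a")                               # second call: answered from the table
    eng.ins_p("c", "d", abolish_tables=abolish)
    after = eng.t("a")
    return before, after, eng.evaluations


if __name__ == "__main__":
    print(stale_table_demo(False))   # stale: d is missing, only 1 evaluation
    print(stale_table_demo(True))    # fresh: d present, 2 evaluations
```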

3.2 Problems with Naive Translation of HiLog and F-Logic 

Choice Points and Indexing. In Section 2 we described the naive translation
from F-logic and HiLog into classical predicate calculus. Such translation,
however, cannot be the basis for a practical implementation. The first problem is
that the naive translation lays down too many choice points in the top-down
execution tree and thus causes excessive backtracking. Consider the following
program and its encoding using the apply predicate (we consider translation of
HiLog, because it illustrates the problem more dramatically):

p(X,Y) :- f(X), g(Y).      apply(p,X,Y) :- apply(f,X), apply(g,Y).
s(X,Y) :- p(X,Y).          apply(s,X,Y) :- apply(p,X,Y).                (3)

If apply(p,X,Y) is evaluated, it will unify with all the rules even though its uni- 
fication with the last rule is bound to fail. In large programs this might cause a 
serious performance penalty. 

Degradation of indexing is another source of performance penalty. Typically, 
a deductive system indexes on the predicate name plus one of the arguments, 
e.g., the first. In the naive translation, however, predicate-level indexing is lost, 
because there are too few predicates used. For instance, in the above example, 
the translated program has no indexing mechanism corresponding to the first- 
argument indexing in predicates p and s in the original program. 

These problems are not new to logic programming. To tackle them, XSB has
developed compiler optimization techniques known as specialization and
unification factoring, which both perform source-to-source transformation.

Specialization takes place when a goal can only unify with a subset of the
candidate rules. By replacing this goal’s predicate with a different predicate
that can only unify with the heads of some of the rules, specialization throws
out the unnecessary choice points. For instance, performing specialization on
the translated program in (3) yields the following more efficient program, where
some occurrences of the predicate apply are replaced with apply_1:

apply(p,X,Y) :- apply(f,X), apply(g,Y).      apply(s,X,Y) :- apply_1(X,Y).
apply_1(X,Y) :- apply(f,X), apply(g,Y).
In contrast to specialization, unification factoring is driven by the patterns
in rule heads. The idea is to factor out common function symbols to save on
unification and achieve better indexing. Consider the following program:

p(apply(a),X) :- q(X).      p(apply(b),X) :- r(X).

and the query ?- p(apply(X),Y). Here unification for apply has to take place once
with each rule head. However, this repeated unification can be avoided if the
same goal is executed against the following transformed program:

p(apply(X),Y) :- p_apply(X,Y).
p_apply(a,X) :- q(X).
p_apply(b,X) :- r(X).

Because apply is used to encode HiLog terms, common functors, as in the
above example, occur very frequently in a translated FLORA program. It turns
out that the native XSB unification factoring performs quite well with
FLORA-translated programs. XSB specialization, however, exhibits subtle problems.



Double Tabling. The first problem with specialization is tabling. In HiLog
translation, it is not very clear how a tabling directive like :- table p/2 should
be translated. If FLORA handles this by tabling apply/3, then XSB specialization
may cause “double tabling”, a situation where certain predicates are tabled
unnecessarily. For instance, consider the following program (which computes
transitive closure) and its naive encoding:



:- table p/2.                 :- table apply/3.
p(a,b).                       apply(p,a,b).
p(b,c).                       apply(p,b,c).                                (4)
t(X,Y) :- p(X,Y).             apply(t,X,Y) :- apply(p,X,Y).
t(X,Y) :- p(X,Z), t(Z,Y).     apply(t,X,Y) :- apply(p,X,Z), apply(t,Z,Y).



XSB specialization on the translated program (4) would yield the following:



:- table apply/3.
:- table apply_1/2.
:- table apply_2/2.
apply_1(a,b).
apply_1(b,c).
apply(p,a,b).
apply(p,b,c).
apply_2(X,Y) :- apply_1(X,Y).
apply_2(X,Y) :- apply_1(X,Z), apply_2(Z,Y).
apply(t,X,Y) :- apply_1(X,Y).
apply(t,X,Y) :- apply_1(X,Z), apply_2(Z,Y).



Being essentially another copy of apply(t,X,Y), tabling the tuples of apply_2(X,Y) 
is redundant, although this caching is needed to guarantee termination of the 
specialized program. The size of the compiled code is also considerably larger 
than the original. 



Meta-programming. Yet another problem is due to meta-programming, which
tends to produce programs that preclude XSB specialization. To see the crippling
effect of meta-rules on XSB specialization, consider the following program and
its naive translation:

p(a).                     apply(p,a).
p(b).                     apply(p,b).                          (5)
X(Y) :- X=p, Y=c.         apply(X,Y) :- X=p, Y=c.
t(X) :- p(X).             apply(t,X) :- apply(p,X).

XSB specialization on the translated program (5) looks as follows:

apply(p,a).                   apply_1(p,a).
apply(p,b).                   apply_1(p,b).
apply(X,Y) :- X=p, Y=c.       apply_1(X,Y) :- X=p, Y=c.
apply(t,X) :- apply_1(p,X).

In this program, the predicate apply_1(p,X) still has to unify with all the apply_1
facts and rules. Not only is the unification on p repeated, but the indexing on the
first argument in the original program is lost as well.

Note that although so far we have been illustrating the XSB specialization
problems using HiLog only, F-logic exhibits the same problem. Consider the
following F-logic program and its naive translation:

obja[atta->vala].                  fd(atta,obja,[ ],vala).
objb[atta->valb].                  fd(atta,objb,[ ],valb).
objc[X->Y] :- X=atta, Y=valc.      fd(X,objc,[ ],Y) :- X=atta, Y=valc.
O[attb->>{X}] :- O[atta->X].       mvd(attb,O,[ ],X) :- fd(atta,O,[ ],X).



It is easy to see that the translation is just another version of the previous HiLog
program (5) and thus it cripples XSB specialization just as badly.

The next section proposes a new kind of specialization, called skeleton-based
specialization, which is used in FLORA 2.0 to optimize source-level translation
for F-logic and HiLog. The system is designed in such a way that skeleton-based
specialization and XSB specialization complement each other.



4 Solutions 

As explained in Section 3.2, a major problem with the naive translation of F-logic
and HiLog is the loss of indexing. While XSB unification factoring performs
well for the translated programs, specialization often fails to yield any
improvements and, in some cases, it might even cause unnecessary overhead. In this
section we propose skeleton-based specialization, which supplements the native
XSB specialization and fixes the aforesaid problems.



4.1 Skeleton-Based Specialization Algorithm 

Definition 1 (Skeleton). Given a HiLog term T, its skeleton Skel(T) is an
abstract view of the syntactic structure of T. Skel(T) is defined as follows:

1. Skel(T) = T, if T is a constant.

2. Skel(T) = _, if T is a variable.

3. Skel(T) = Skel(F)/n, if T = F(T1,...,Tn).

Example 1 (Skeletons of HiLog Terms).

1. Skel(f) = f

2. Skel(X(a,b)(Y)) = _/2/1

3. Skel(X(f(Y))) = _/1



Input: a FLORA program F consisting of rules (including facts)
Output: an XSB program that encodes F

1  HL := {L | L is a literal in a rule head of F};
2  BL := {L | L is a literal in a rule body of F};
3  HS := {Skel(L) | L ∈ HL};
4  BS := {Skel(L) | L ∈ BL};
5  for each skeleton S ∈ HS ∪ BS do seq(S) := a unique integer;
6  for each rule H :- B from the input program F do {
7      H' := flatten(H,Skel(H));
8      B' := B;
9      for each literal L ∈ B' do L := flatten(L,Skel(L));
10     output the rule H' :- B';
11 }
12 for each literal H ∈ HL do {
13     H' := naive(H);
14     H'' := flatten(H,Skel(H));
15     output the rule H' :- H'';
16 }
17 for each literal L ∈ BL do
18     for each rule H :- B from the input program F do
19         if L unifies with H with the mgu θ and Skel(L) ≠ Skel(H) then {
20             H' := flatten(Hθ,Skel(L));
21             B' := B;
22             for each literal T ∈ B' do {
23                 S := Tθ;
24                 if Skel(S) ∈ BS
25                     then T := flatten(S,Skel(S));
26                     else T := flatten(S,Skel(T)); }
27             output the rule H' :- B';
28         }

Fig. 1. Skeleton-Based Specialization Algorithm



The algorithm in Figure 1 describes FLORA skeleton-based specialization.
It applies to F-logic and HiLog translation separately, since the set of wrapper
predicates used for F-logic translation is disjoint from the set of wrapper predicates
used for HiLog translation.

First we explain the algorithm in the context of HiLog translation. It takes a
FLORA program as input and yields an equivalent program in predicate logic;
the algorithm has the following steps:

Skeleton Analysis (Lines 1-5). First we collect all the literals in rule heads
into the set HL and all the literals in rule bodies into the set BL. Then, the
algorithm computes the sets of skeletons HS and BS for the literals in HL and
BL, respectively. Each unique skeleton in the union of HS and BS is assigned a
unique sequence number.

The rest of the algorithm consists of three main tasks: flattening, trap rule 
generation, and instantiation. 

Flattening (Lines 6-11). The purpose of flattening is to eliminate unnecessary
wrapper predicates and unification. Let S = X/n1/.../nk, where X is either _
or a constant, and let L be of the form T(T11,...,T1n1)...(Tk1,...,Tknk). The
transformation procedure flatten(L,S) then does the following. Let n be the
sequence number assigned to the skeleton S; then the wrapper predicate used
to encode the HiLog literal L is apply_n, which is unique across HiLog
translation. Next, if X is a constant in X/n1/.../nk, then so must be T (in Lines
7, 14 and 25 the skeleton argument of flatten is that of the literal argument,
whereas in Lines 20 and 26 the skeleton either subsumes or is the same as
that of the literal) and flatten(L,S) yields apply_n(E11,...,E1n1,...,Ek1,...,Eknk).
Otherwise, X is _ and T might be any HiLog term; then flatten(L,S) will return
apply_n(E,E11,...,E1n1,...,Ek1,...,Eknk), where E = encode_t(T) and
Eij = encode_t(Tij), respectively, and encode_t is the naive encoding of HiLog
terms described in Section 2.2. For instance, if the sequence number assigned
to the skeleton f/1/2 is 2, then flatten(f(Y)(a,Z), f/1/2) will produce
apply_2(Y,a,Z). The reason why the functor symbol f can be omitted is that it
is already encoded in the sequence number for the skeleton.
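An added Python implementation, not FLORA’s own code, of the naive encode_t/encode_g encoding of Section 2.2 and of Skel and flatten(L,S) as described above, including the prefix-skeleton case of Line 26 and the fd/mvd wrapper prefix of Section 4.2. The Var/Const/App term representation, the helper names show, app and assign_seq, and the arity-suffixed spelling apply3 of the naive wrapper are this example’s own conventions, not the paper’s.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


# Term representation constructed for this example (not FLORA's data structures).
@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Const:
    name: str


@dataclass(frozen=True)
class App:
    functor: "Term"            # in HiLog the functor may be a variable or a compound term
    args: Tuple["Term", ...]


Term = Union[Var, Const, App]


def app(functor: Term, *args: Term) -> App:
    return App(functor, tuple(args))


def show(t: Term) -> str:
    """Render a term in HiLog surface syntax, e.g. f(a,X)(b,Y)."""
    if isinstance(t, (Var, Const)):
        return t.name
    return show(t.functor) + "(" + ",".join(show(a) for a in t.args) + ")"


def encode_t(t: Term) -> Term:
    """Naive HiLog term encoding of Section 2.2: t(t1,...,tn) -> apply{n+1}(t,t1,...,tn).
    The arity is written as a suffix (apply3) because apply_n is reserved below
    for skeleton sequence numbers."""
    if isinstance(t, (Var, Const)):
        return t
    wrapper = Const("apply%d" % (len(t.args) + 1))
    return app(wrapper, encode_t(t.functor), *(encode_t(a) for a in t.args))


def encode_g(conjuncts: List[Term]) -> str:
    """Naive encoding of a conjunction of HiLog atoms. The paper's worked example
    writes call/1 only around an atom that is a bare variable; an atom with a
    known functor is called directly, and this function follows that convention."""
    parts = []
    for atom in conjuncts:
        enc = show(encode_t(atom))
        parts.append("call(%s)" % enc if isinstance(atom, Var) else enc)
    return " & ".join(parts)


def skel(t: Term) -> str:
    """Skeleton of Definition 1: constant -> itself, variable -> _, F(T1..Tn) -> Skel(F)/n."""
    if isinstance(t, Const):
        return t.name
    if isinstance(t, Var):
        return "_"
    return "%s/%d" % (skel(t.functor), len(t.args))


def assign_seq(literals: List[Term]) -> Dict[str, int]:
    """Line 5 of Fig. 1: one unique sequence number per distinct skeleton."""
    seq: Dict[str, int] = {}
    for lit in literals:
        seq.setdefault(skel(lit), len(seq) + 1)
    return seq


def flatten(lit: Term, skeleton: str, seq: Dict[str, int], prefix: str = "apply") -> Term:
    """flatten(L, S) of Section 4.1. S = X/n1/.../nk describes the outer k argument
    layers of L, so S may be a prefix of Skel(L) (the Line 26 case). Returns
    prefix_n(...) with n = seq(S); prefix "fd" or "mvd" gives the F-logic variant
    of Section 4.2."""
    x, *arities = skeleton.split("/")
    layers: List[Tuple[Term, ...]] = []
    t: Term = lit
    for _ in arities:                        # peel exactly k argument layers
        assert isinstance(t, App), "skeleton has more layers than the literal"
        layers.append(t.args)
        t = t.functor
    layers.reverse()                         # innermost layer first, as in the paper
    assert [len(l) for l in layers] == [int(n) for n in arities], "arity mismatch"
    wrapper = Const("%s_%d" % (prefix, seq[skeleton]))
    args = [encode_t(a) for layer in layers for a in layer]
    if x == "_":
        # Open functor position: its naive encoding E becomes the first argument.
        return app(wrapper, encode_t(t), *args)
    assert t == Const(x), "constant functor in the skeleton must match the literal"
    # The functor is fixed by the skeleton, hence implied by seq(S) and omitted.
    return app(wrapper, *args)


if __name__ == "__main__":
    X, Y, Z = Var("X"), Var("Y"), Var("Z")
    f, a, b = Const("f"), Const("a"), Const("b")
    print(encode_g([app(app(f, a, X), b, Y), app(X, Y), Z]))
    print(skel(app(app(X, a, b), Y)), skel(app(X, app(f, Y))))
    print(show(flatten(app(app(f, Y), a, Z), "f/1/2", {"f/1/2": 2})))
```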

Trap Rule Generation (Lines 12-16). These steps generate rules to “trap”
the naive encoding of literals. The translation outputs a rule whose head is
the naive encoding of the original rule head, while the body is the result of
flattening the head. For instance, the trap rule for f(Y)(a,Z) :- body is
apply(apply(f,Y),a,Z) :- apply_2(Y,a,Z). Trap rule generation is indispensable for
inter-module communication in FLORA. Since specialization in principle has
no knowledge of other modules, calls referring to other modules have to be
encoded using the naive translation. Due to space limits, we will not elaborate on
this topic further.

Instantiation (Lines 17-28). Even when two literals unify, their encodings
might not unify after flattening. For instance, X(Y) and f(a)(Z) unify, but their
flattened forms, e.g., apply_1(X,Y) and apply_2(a,Z) (with respect to the skeletons
_/1 and f/1/1, respectively), do not unify.

¹ Each HiLog literal is assumed to have a functor part and an arity. Propositional
constants are treated as 0-ary literals, e.g., p().
Instantiation ensures that unifiability is preserved after specialization. The
idea is that if a body literal unifies with the head of a rule, R, using the mgu
θ, but the two literals have different skeletons, then a new rule, Rθ, must be
generated. For instance, consider the following program:

g(X) :- p(X).      Y(Z) :- q(Y,Z).

Here p(X) will be flattened as apply_1(X) and Y(Z) as apply_2(Y,Z). Because p(X)
unifies with Y(Z) :- q(Y,Z), this rule must be instantiated using the substitution
Y/p, yielding p(Z) :- q(p,Z). Specializing this rule yields
apply_1(Z) :- apply_2(p,Z), which ensures that the semantics of the original
program is preserved.

However, rule instantiation might generate body literals with new skeletons
that have not been seen before in the original program. Thus, instantiation
might have to be applied again, using these new body literals. This opens up
the possibility of an infinite instantiation process. For instance, in the following
program:

g(X) :- p(X).      Y(Z) :- Y(Z)(Z).

when the second rule is instantiated with Y/p (the mgu of p(X) and Y(Z)), a new
rule p(Z) :- p(Z)(Z) is generated. The literal p(Z)(Z) has a completely new
skeleton: p/1/1. If p(X)(X) is flattened with respect to p/1/1, the rule Y(Z) :- Y(Z)(Z)
has to be instantiated with Y/p(X), the mgu of p(X)(X) and Y(Z). Thus yet
another new skeleton p/1/1/1 will emerge, and so on.

Lines 24-26 in the algorithm are designed to ensure termination of the
instantiation process. The solution is simple: the quality of specialization is traded
in for termination. When a literal with a new skeleton shows up in a newly
instantiated rule, its skeleton must extend the skeleton of that literal before
instantiation. Thus, we can flatten the instantiated literal with respect to the
skeleton of the original literal. Unifiability is also preserved by such translation.
For instance, specializing the above example yields the following program (where
the trap rules are omitted):

apply_1(X) :- apply_2(X).          apply_2(X) :- apply_4(p,X,X).
apply_3(Y,Z) :- apply_4(Y,Z,Z).    apply_4(Y,Z,Z) :- apply_4(apply(Y,Z),Z,Z).



4.2 Putting It All Together 

For the translated program (4), which computes transitive closure, the result of
skeleton-based specialization is as follows:

:- table apply_2/2.
apply_1(a,b).      apply_2(X,Y) :- apply_1(X,Y).
apply_1(b,c).      apply_2(X,Y) :- apply_1(X,Z), apply_2(Z,Y).

The following program is the result of skeleton-based specialization of the
program shown in (5):

apply_1(a).                  apply_3(X) :- apply_1(X).
apply_1(b).                  apply_1(X) :- p=p, X=c.
apply_2(X,Y) :- X=p, Y=c.

Note that although we illustrate the idea of skeleton-based specialization
using HiLog translation, our algorithm applies to F-logic translation as well. In
fact, the translation views F-logic literals as just another kind of HiLog literals,
which just happen to use different wrapper predicates.

For instance, a slight variation of the naive F-logic translation can convert
O[M->V] into the HiLog literal M(O,V) and then further convert it to predicate
logic using the wrapper predicate fd instead of apply. Likewise, O[M->>V] can
be converted to M(O,V) and then to predicate calculus using mvd as a wrapper.
Therefore, skeleton-based specialization can be performed on HiLog and
F-logic independently. The only part of the algorithm that needs to be changed
is the prefix used to construct the wrappers. For instance, instead of apply_2 we
would use fd_2. Thus, the result of applying skeleton-based specialization to the
F-logic program of Section 3.2 would be the following (where the trap rules are
omitted):

fd_1(obja,vala).      mvd_1(O,X) :- fd_1(O,X).
fd_1(objb,valb).      fd_1(objc,Y) :- atta=atta, Y=valc.
fd_2(X,objc,Y) :- X=atta, Y=valc.

Our experiments show that even for the small programs discussed in this section
FLORA skeleton-based specialization can speed up programs by a factor of 2.1,
whereas XSB native specialization reduces execution time only by a factor of
1.85. A more detailed comparison will be reported in the full version of this paper.
Nevertheless, as said earlier, FLORA specialization is not intended to replace 
XSB specialization. Instead, it is used as a first-line optimization technique. 
Then the FLORA-translated program is further optimized through the native 
XSB specialization and unification factoring. 

Another observation about FLORA specialization is that better-quality
specialization is possible with a more detailed skeleton representation. Indeed,
considering HiLog terms as trees, we could define skeletons as the abstract view
of their structures at some depth level. For example, a two-level skeleton for
f(X)(X,a,f(b)) would be f/(_)/(_,a,(f/1)). There is a subtle relationship, though,
between the amount of detail preserved in skeletons and the quality of specialized
programs. More detailed skeletons normally mean better specialized programs
and thus better performance, but longer compilation time and larger program
size.

5 Conclusion 

This paper discusses techniques for building efficient DOOD systems by transla- 
tion into lower-level Prolog syntax and utilizing an existing tabling logic engine, 
such as XSB {J. The feasibility of our approach has been demonstrated by 
the F-logic based FLORA system, which delivers very encouraging performance. 
(Performance results will be included in the full version of this paper.) We also 



1092 Guizhen Yang and Michael Kifer 



discuss the compiler optimization techniques that were used to achieve this per- 
formance; some of them are just native XSB optimizations, while others are 
designed specifically for FLORA. Due to lack of space we omitted a number of 
other implementation issues, such as the FLORA module system and perfor- 
mance optimizations related to handling path expressions. Details can be found 
at n;T;D://www.cs.sunvsD.eau/ euizvane/ papers/ riora'cecn.'D; 
Abstract. Webbases are database systems that enable creation of Web 
applications that allow end users to shop around for products and ser- 
vices at various Web sites without having to manually browse and fill out 
forms at each of these sites. In this paper we describe XRover, which is an 
implementation of the physical layer of the webbase architecture. This 
layer is primarily responsible for automatically locating and extracting 
dynamic data from Web sites, i.e., data that can only be obtained by form 
fill-outs. We discuss our experience in building XRover using FLORA, a 
deductive object-oriented system. 



1 Introduction 

The World Wide Web is becoming the dominant medium for information deliv- 
ery and electronic commerce. The number of users who routinely use the Web 
to buy goods and services continues to increase at a rapid pace. In response, 
software robots (called “shopbots” ) that allow consumers to quickly find out the 
best prices for comparable goods and services are beginning to emerge. Infor- 
mation about prices and other attributes of products are typically obtained by 
filling out forms at a vendor’s site. Software robots retrieve such information by 
automatically navigating to relevant sites, locating the correct forms, filling them 
out and extracting the data of interest from web pages returned as the resultj 
Hence tools that can do automatic form fill-outs and extract relevant information 
from the data pages returned in response, are becoming very important. 

One such enabling technology is a webbase, which is a database 
system for managing and querying the dynamic Web content (i.e., data that can 

* XRover is a registered trademark of XSB Inc. 

** Work supported in part by the ARCHIMEDES Contract SP0103-99-C-002 from De- 
fense Logistics Agency, by NSF SBIR Award 9960485, by NSF grants CCR-9711386, 
EIA-9705998, and INT9809945, and by a SPIR grant from New York State and XSB, 
Inc. 

¹ Jango and mySimon are two examples of such shopbots. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1094-1105, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
only be extracted by filling out multiple forms). Designing webbases is an active 
area of current database research in view of the rapid proliferation of shopbots. 
Managing the dynamic Web content encompasses automating several tasks that 
include specifying and locating the data of interest (e.g. price information) in a 
Web site and extracting and integrating information from multiple sites into a 
coherent view. 

In I we proposed a 3-layer architecture for designing and implementing 
webbases — an architecture that is akin to the traditional layering of database 
systems. The most significant difference between a webbase and a database is 
the absence of the traditional physical layer. The actual data in webbases is the 
exclusive domain of the Web server, and the only way a webbase can access it is 
by filing requests to the server, such as following links or filling out forms. Hence, 
the notion of virtual physical layer (VPL) was introduced for the lowest layer 
in the webbase architecture in order to provide a unifying view of all the data 
that can be retrieved by filing requests to the server. While the physical layer in 
databases describes data storage, VPL specifies how to navigate to the various 
data sources in the Web. In this way, VPL provides navigation independence 
by shielding the user from the complexities associated with retrieving raw data 
from Web sources and thereby presents a database view of the Web to the up- 
per layers of the webbase architecture, namely the logical layer and the external 
schema layer. While these layers are similar to the corresponding upper layers in 
traditional databases, they have special semantic meaning in webbases. For in- 
stance, the logical layer provides site independence in the sense that it integrates 
and reconciles heterogeneous information available from different sites, which is 
available through VPL in navigation-independent, but nonetheless site-specific 
form. 

We had proposed techniques centered around Transaction F-Logic that 
facilitate creation of wrappers for the virtual physical layer Q. Our architecture 
makes it possible to automate data extraction from web data sources to a much 
higher degree than was previously possible. But the design and implementation 
of the VPL itself was left open and is the subject of this paper. Specifically we 
describe our experience with implementing XRover using FLORA, a 
deductive object-oriented system that we recently developed. 

A Case for Deductive Object-Oriented Design of VPL: The first step in the 
design process is to develop a suitable data model for HTML pages. Observe 
that an HTML page is a semistructured data source comprising several elements, 
each having a tag that identifies the type of the element. For instance, a tag can 
identify an element as a paragraph, an image, a link, a table, a form, etc. We 
designed a syntactic HTML object data model to represent the elements in a 
page. In this model we define an object class corresponding to every tag. The 
HTML page is parsed and its elements are assigned an object class based on 
their tags. 

HTML is a display-oriented mark-up language with only limited structural 
capabilities. In particular, it provides no machine understandable information to 
describe the contents of a page. Hence, we also need a semantic data model so 
as to be able to structure the syntactic objects presented in HTML and invoke 
meaningful operations on them, such as follow a link object, fill-out a form object, 
or query the value of a certain attribute (say, in a table). For this purpose, we 
designed a semantic navigation object model, which consists of aggregate objects 
that draw information from the HTML model and enable automated navigation 
in Web sites. In database terms, navigation objects are semantic views over the 
purely syntactic HTML objects. 

The first step, converting an HTML page into a set of objects, is a relatively 
simple task. The crux of the VPL is the design of the navigation object model 
and the mapping between the syntactic HTML object model and the semantic 
navigation object model. One important issue in this design is the resilience of 
that mapping, namely, the ability of the mapping to yield correct navigation 
objects in the face of variations and changes in the page layout. We propose 
a deductive rule-based approach for locating and extracting information from 
objects in Web pages. Such a paradigm lets us efficiently search for objects 
and their associated attributes with high degree of independence from the page 
layout. 

The rest of this paper is organized as follows: In Section 2 we provide an 
overview of our approach to the design of the VPL. Section 3 describes the 
details of the design. Section 4 discusses XRover, our implementation of VPL 
using FLORA², a recently developed deductive object-oriented system based on 
F-logic. Our implementation experience is discussed in Section 5. 

2 Our Approach 

One of the most important tasks that a shopbot must do is to collect information 
and services from different sites and present it to the customer in an integrated, 
unified view. In many shopbot sites, most of this extraction happens automati- 
cally, by “learning” regular expressions that match the desired information. The 
learning process is guided by a set of simple heuristics, such as those described in 
^ 3 . These techniques work well for a typical consumer site, where information 
is obtained by filling out a simple keyword-based search form and the result is 
presented in a simple, structured table. It is much more difficult to deal with sites 
that cater to business customers, where search forms allow complex parametric 
queries based on multiple attributes, and results are presented in multiple re- 
lated HTML segments. For instance, Figure 1 shows part of a search result page 
on the Web site of a large distributor of electronic components. 

The page consists of three visible tables (each providing a different kind 
of information for the electronic part), many more invisible tables, one form to 
enable purchase, plus a plain text header that provides classification information 
for the retrieved part. Such complex result pages vary widely from site to site and, 
to the best of our knowledge, no automatic techniques exist for extracting and 
integrating such complex information. However, the semantic structure of Web 

² http://xsb.sourceforge.net/flora/ 
pages can be mapped with relative ease with the help of appropriate graphical 
tools. The purpose of such a tool is to let the user identify (and specify to the 
system) the objects of interest, such as the relevant tables, forms and links. The 
physical virtual layer of our webbase system provides the needed infrastructure 
to support the process of site mapping and complex information extraction. 
Fig. 1. A Complex Catalog Search Result Page 



The architecture of the VPL is object-oriented and it is implemented using 
FLORA. The approach has two main components: 

1. A general mechanism for locating objects of interest on a page; and 

2. An object model for describing aggregate objects in the navigation model. 

Navigation objects are queried by the higher levels of the webbase. 

The first mechanism is based on the object locator language (OLL) — a special 
declarative language that allows the user to specify object location in a flexible 
way. It is akin to the language of extended path expressions in semistructured 
query languages B. The system includes a FLORA program that acts as an 
interpreter for this language. Since FLORA implements F-logic, which in itself 
is a powerful query language for semistructured data, building such an interpreter 
for OLL is very easy. Thus, when the user points to an HTML object of interest, 
an OLL expression must be generated in order to arrange for the subsequent 
retrieval of the object. 

The unique aspect of our approach is how these expressions are generated. 
First, an OLL expression for the desired object is automatically created. This 
expression is fairly simple-minded, as it specifies the location of the object in 
rather rigid terms. This initial expression is similar to URLs in XML: it provides 
a sequence of simple navigation commands that direct the search towards the 
requisite object. However, such expressions are not appropriate for locating Web 
information, because the location of an object can change due to a page redesign 
or simply because the page is generated dynamically, by a script. Such changes 
tend to break Web extraction systems so resilience cannot be achieved by rigid, 
brittle locator expressions. Thus, at the next stage, we transform the initial 
OLL expression into an unambiguous and resilient expression that extracts to 
the same object. Here “unambiguous” means that the expression identifies just 
one object; this requirement guards against the possibility of over-generalizing 
the initial OLL expressions. “Resilience” means that the expression will be able 
to locate the requisite object under a large class of variations in the page layout. 
Some of the techniques used to create unambiguous resilient expressions are 
detailed in 

To illustrate the idea, consider the second visible table in Figure 1 (below the 
“Component Detail” header). This table is actually part of a bigger, invisible 
table, so the initial OLL expression would be generated as follows: 

table, table.tr, tr.td, td.img, table, table, td, 
table, img, table, text, table, table, form, text, table 

The actual initial expression is much more detailed — we skipped many of the 
intermediate features of the Web page. In this expression, the symbols correspond 
to HTML objects, the period “.” means that the search must nest inside a 
complex data element, such as a table or a form, and the comma signifies 
horizontal scan across the siblings in the HTML tree. The above expression 
tells us that in order to find the second visible table, we have to find the second 
top-level table in the HTML source, go inside the table (nest), find the second 
row and then start examining the fields of that row. Having found the second 
field, which happens to have complex internal structure, we must nest into that 
structure. Then we must scan this structure horizontally to find an image, skip 
two tables, find an out-of-place <td> element (which happens to be a formatting 
bug on this page) , and then skip a number of images, tables, and text items to 
locate the table we need. 

The problem with this addressing schema is that it is too brittle. It will get 
us the desired table for a particular instance of the page, but a page generated 
for a different catalog search request might look slightly different and the above 
address might then point to a wrong item (or not point anywhere at all). This 
problem was addressed in Combining the techniques described in that work 
with other heuristics, we can create a much more resilient OLL expression: 

*.text[contents -> '*Component*'], table 

This expression says that in order to find the desired table, we must find a text 
object that matches the word “Component” at any level of nesting and then 
scan horizontally to the first table. This expression is much more resilient to 
changes in the page contents than the original one, and it stands a much better 
chance of being able to fetch the right object regardless of the actual search 
parameters, even in the presence of many types of page layout changes. Not 
only is the above expression more resilient, but it also can be processed faster 
using a deductive system, such as FLORA, because we can build an index on 
the contents attribute of the text class. 
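To make the two locator styles concrete, here is a small Python evaluator for OLL expressions over a constructed HTML object tree. It is an added example, not XRover's OLL interpreter (which the paper says is a FLORA program); the Node class, the page built by sample_page, and the reading of tag(n) as the n-th sibling with that tag are assumptions made for illustration. It implements the comma (horizontal scan across siblings), the period (nesting), * (any level of nesting) and the [contents -> 'glob'] filter used above, and shows what "brittle" means in practice: a redesign that adds one table at the top of the page breaks the positional path, while the contents-anchored expression still returns the same table.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)  # identity comparison: a node is its position in the tree
class Node:
    """One syntactic HTML object: a tag, its text contents and its children."""
    tag: str
    text: str = ""
    children: List["Node"] = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)

    def add(self, *kids: "Node") -> "Node":
        for k in kids:
            k.parent = self
            self.children.append(k)
        return self


# One step: tag or '*', optional (n), optional [attr -> 'glob'] (glob may not contain '.')
STEP = re.compile(r"^(\*|\w+)(?:\((\d+)\))?(?:\[(\w+)\s*->\s*'([^']*)'\])?$")


def parse(expr: str):
    """Split an OLL expression on commas (horizontal scan) and periods (nesting)."""
    tokens = []
    for tok in expr.split(","):
        steps = []
        for part in tok.strip().split("."):
            m = STEP.match(part.strip())
            if not m:
                raise ValueError(f"bad OLL step: {part!r}")
            tag, idx, attr, pat = m.groups()
            steps.append((tag, int(idx) if idx else None, attr, pat))
        tokens.append(steps)
    return tokens


def preorder(node: Node):
    yield node
    for c in node.children:
        yield from preorder(c)


def matches(node: Node, tag: str, attr, pat) -> bool:
    if node.tag != tag:
        return False
    if attr is None:
        return True
    value = node.text if attr == "contents" else getattr(node, attr, "")
    return fnmatch.fnmatchcase(value, pat)


def locate(root: Node, expr: str) -> Optional[Node]:
    """Evaluate an OLL expression; return the located node, or None if the path breaks."""
    cur = None  # None: positioned before the first top-level element
    for steps in parse(expr):
        deep_pool = None
        for i, (tag, idx, attr, pat) in enumerate(steps):
            if deep_pool is not None:  # previous step was '*': search any nesting level
                pool = [d for c in deep_pool for d in preorder(c)]
                deep_pool = None
            elif i == 0:  # comma: scan the siblings after the current node;
                siblings = root.children if cur is None else cur.parent.children
                start = 0 if cur is None or idx is not None else siblings.index(cur) + 1
                pool = siblings[start:]  # tag(n) counts from the first sibling instead
            else:  # period: nest into the node found by the previous step
                pool = cur.children
            if tag == "*":
                deep_pool = pool
                continue
            hits = [n for n in pool if matches(n, tag, attr, pat)]
            if idx is not None:
                hits = hits[idx - 1:idx]
            if not hits:
                return None
            cur = hits[0]
    return cur


def sample_page(extra_banner: bool = False) -> Node:
    """Constructed page in the spirit of Fig. 1 (not the real vendor page)."""
    detail = Node("td").add(
        Node("img"),
        Node("text", "Component Detail"),
        Node("table").add(Node("tr").add(Node("td", "Mfg Pt No"), Node("td", "29021"))),
        Node("text", "Pricing"),
        Node("table").add(Node("tr").add(Node("td", "Qty"), Node("td", "Price"))),
    )
    page = Node("html")
    if extra_banner:  # a page redesign adds a promotional table at the top
        page.add(Node("table").add(Node("tr").add(Node("td", "Promo"))))
    return page.add(
        Node("table").add(Node("tr").add(Node("td", "nav bar"))),
        Node("table").add(Node("tr").add(Node("td", "header")),
                          Node("tr").add(Node("td", "sidebar"), detail)),
    )


RIGID = "table, table.tr, tr.td, td.img, text, table"
RESILIENT = "*.text[contents -> '*Component*'], table"


def first_cell(node: Optional[Node]) -> Optional[str]:
    """Text of the first cell of a located table, or None if nothing was located."""
    return None if node is None else node.children[0].children[0].text
```

On the original layout both RIGID and RESILIENT return the Component Detail table (first_cell gives 'Mfg Pt No'); on the redesigned page RIGID returns None while RESILIENT still finds it. The page contents that the resilient form anchors on are supplied by the remote site, so a production locator should confine them to pattern matching and never pass them on as code or query text.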

The second layer in our architecture, the aggregate navigation objects that 
unify the information scattered in disparate HTML segments, is essentially a 
view over the basic HTML model of a Web page. This view is specified using 
the page extraction map, which itself is a set of F-logic objects that use the OLL 
expressions to tell the system where the individual components of the navigation 
object are coming from. Page extraction maps are composed together to form a 
site map for the Web site. 

The page extraction map object corresponding to the second table in the 
above example looks as follows: 

oll(*.text[contents -> '*Component*'], table) : normal_table[ 
    column_names -> rel_oll( .tr(1) ); 
    init_row -> 2; 
    row(Row) -> rel_oll( .tr(Row) ); 
    total_rows -> rel_oll( .last ) 
]. 

oll(*.text[contents -> '*Component*'], table.tr(1)) : header_row[ 
    column_name(Column) -> rel_oll( .th(Column).text ); 
    width -> rel_oll( .last ) 
]. 

oll(*.text[contents -> '*Component*'], table.tr(Row)) : data_row[ 
    column(Column) -> rel_oll( .td(Column).text ); 
    width -> rel_oll( .last ) 
]. 

1100 Hasan Davulcu et al. 

The above specifies that the HTML segment pointed to by 

*.text[contents -> '*Component*'], table 

is a normal_table in the navigation object model and its header row can be 
extracted from the segment pointed to by the OLL expression 

*.text[contents -> '*Component*'], table.tr(1) 

where tr(1) means the first row in the table. The rows can be extracted from the 
segment pointed to by *.text[contents -> '*Component*'], table.tr(Row) where 
Row is a parameter. The second extraction map object is interpreted similarly. 

Some of the navigation objects extracted with the help of this extraction 
map object are as follows: 



nav_obj3 : normal_table. 
nav_obj3[ 
    column_names -> nav_obj4; 
    row(1) -> nav_obj5; 
    row(2) -> nav_obj6; 
    total_rows -> 10 
]. 

nav_obj4 : header_row. 
nav_obj4[ 
    column_name(1) -> 'Attribute'; 
    column_name(2) -> 'Value'; 
    width -> 2 
]. 

nav_obj5 : data_row. 
nav_obj5[ 
    column(1) -> 'Mfg Pt No'; 
    column(2) -> '29021'; 
    width -> 2 
]. 

nav_obj6 : data_row. 
nav_obj6[ 
    column(1) -> 'Manufacturer'; 
    column(2) -> 'LOCTITE CORP.'; 
    width -> 2 
]. 

We discuss navigation objects in further detail in subsequent sections. 



3 Architecture of the Virtual Physical Layer (VPL) 



There are two aspects in VPL implementation: 

1. Site Mapping which is done once per site. 

2. Run-time query processing driven by the site maps. 

We first explain the process of site map construction. 

Site Map Construction. The process is shown in Figure 2. XRover begins by 
using an HTTP library to fetch the Web page. This page is then parsed by an 
HTML parser that translates the page into a set of F-Logic objects, and for 
each object its OLL expression is computed. For instance, the following objects 
describe two consecutive tables in an HTML page: 



htmlobj3 : table. 
htmlobj3[ 
    parent -> htmlobj2; 
    position -> 0; 
    rows -> htmlobj4; 
    oll -> [table]; 
    width -> 640; 
    border -> 0 
]. 

htmlobj11 : table. 
htmlobj11[ 
    parent -> htmlobj2; 
    position -> 1; 
    rows -> htmlobj12; 
    oll -> [table,table]; 
    width -> 640; 
    border -> 0 
]. 

Fig. 2. Site Map Construction 

Next, a page extraction map is created using a graphical editor by drag 
and drop operations on the HTML object tree, such as the one illustrated in 
Figure 3. The oll's in the page map are then optimized and made more resilient 
as described in Section 2. This process is repeated for every page of interest, 
including those dynamically generated by scripts. 

Extraction maps for individual pages are put together to form a site map, 
which encodes all access paths to the data of interest. A site map can be viewed 
as a labeled directed graph where the nodes represent the extraction map objects, 
and the labeled edges represent possible actions on the navigation objects (i.e., 
following a link or filling out a form) that can be executed from that page. 

The overall structure of a site-map for an electronics catalog could be as 
depicted in Figure 4. 

The above represents a simple site map with three nodes: page1, page2 
and page3. There is an edge from page1 to page2 labeled table(2).tr(2).td(2). 
form(1) which corresponds to a form invocation. The items attribute of the form 
in the page extraction map would describe its queriable attributes. Also, there 
is an edge from page2 to page3 with the label table(2).tr(1).td(1).a.action 
which represents a link that could be followed to retrieve additional part infor- 
mation such as the information presented in Figure 1. 

Runtime Query Processing. The purpose of this sub-system is to automatically 
extract data in response to user queries. Its overall operation is as depicted 
in Figure 5. When a user query arrives, the navigation planner determines the 
Fig. 3. An HTML parse-tree 

Fig. 4. A simple site map: page1 --table(2).tr(2).td(2).form--> page2 --table(2).tr(1).td(1).a.action--> page3 


sequences of pages to be followed using the site maps and navigation objects 
that are needed to answer the user’s query. It then constructs a navigation plan 
for the query. For example, if the user just requests pricing information for an 
electronic part then only the pricing table needs to be extracted from the HTML 
page of Figure 1. 

Next, the navigation plan is passed to the plan evaluator which accesses the 
actual Web pages. It parses and translates page contents into FLORA HTML 
objects. From these objects, the Extractor module extracts the navigation objects 
of interest using the page extraction map, and the cycle repeats until the entire 
query plan evaluation is completed. The resulting navigation objects are returned 
to the user or to the higher levels of XRover. 



4 XRover Implementation: Status and Statistics 

XRover was built using FLORA, a deductive object-oriented system imple- 
mented through source-to-source translation into XSB Q, which is a fast deduc- 
tive engine that is based on tabled resolution approach. This technique is known 
to produce fast executable code and combines the advantages of top-down and 
bottom-up query processing. 
Fig. 5. Run-time query processing. 



The overall system is about 1,500 lines of FLORA code and it took less than 
two man months to implement. The average size of a site map is under 100 lines. 

We also developed a graphical site-mapping tool to facilitate the job of build- 
ing site maps. Using this tool one can construct the extraction map for a page 
by dragging and dropping the relevant objects from the HTML parse tree. The 
site-mapping GUI was written entirely in Java using the Swing library. 

Even though both FLORA and XRover are just prototypes, we observed 
that the system has very acceptable performance. A typical number of XRover 
accesses per Web site is three pages, and results are returned within 3 seconds. 
In most cases, the response time is dominated by network delays. 

So far we have built two applications with XRover: a direct mail marketing 
service for a large pharmaceutical company and an electronic parts portal for the 
U.S. Defense Logistics Agency. In the former we extract names and addresses 
of potential customers from phone directories posted at the web sites of various 
medical institutions. The parts portal provides price, availability and technical 
data of electronic parts from various vendor and OEM catalogs on the Web. 



5 Conclusion 

We described the object-oriented architecture of the virtual physical layer of 
XRover, a Web based information system that presents a unified database view 
over multiple Web sites. The implementation was done using FLORA — a 
DOOD system based on F-logic. The experience gained during the course of 
this project is perhaps the most interesting part, because DOOD systems are 
still rare and there are not that many applications developed with them. As 
expected, the use of a high-level DOOD language significantly reduced the im- 
plementation effort: the entire VPL layer was implemented in less than two 
man-months. Despite the fact that both XRover and the FLORA programming 
environment are just prototypes, the performance is quite acceptable — about 
3 seconds per site — and further significant optimizations are possible. 

The support for object-oriented design in FLORA was crucial for helping 
us produce clear and concise data models at several levels of detail, and the 
deductive nature of FLORA made it easy to implement the query evaluator and 
the various interpreters {e.g., the OLL interpreter). The high-level, declarative 
nature of FLORA made it easy to glue the various pieces of the system together. 

Even more important is what was learned about the shortcomings of FLORA 
as implementation platform. First, a practical DOOD system requires a good 
module system that can simplify the task of developing multi-file projects. Sec- 
ond, the current implementation of FLORA relies on the underlying XSB system 
to do most of the optimization. It has been realized that significant speedup can 
be achieved through F-logic-specific source transformation techniques. Fi- 
nally, we discovered that DOOD systems need better support for declarative 
update primitives, such as the ones proposed for Transaction Logic. These 
features are being added in the upcoming implementation of FLORA 2.0. 
Abstract. An important behavioural property for sets of active database 
rules is that of termination. In current commercial database systems, ter- 
mination is guaranteed by imposing a fixed upper limit on the number 
of recursive rule firings that may occur. This can have undesirable ef- 
fects such as prematurely halting correct executions. We describe a new 
approach based on a dynamic upper limit to the number of rule firings. 
This limit reflects knowledge about past rule behaviour on the database 
and provides a more accurate measure for when the DBMS should ter- 
minate rule execution. The approach incurs little cost and can easily be 
integrated with current techniques for static analysis of active rules. 



1 Introduction 

Active databases provide the functionality of traditional databases and addition- 
ally are capable of reacting automatically to state changes without user inter- 
vention. This is achieved by means of Event-Condition-Action (ECA) rules of 
the form on event if condition do action. One of the problems of using ECA rules 
is the inherent difficulty of analysing and controlling their behaviour. An impor- 
tant behavioural property is that of termination, since when multiple ECA rules 
have been defined in an active DBMS, possibly by different people at different 
times, there is the possibility that the rules may trigger each other indefinitely. 

The research community has addressed this problem by focusing principally 
on static analysis of rule sets. The aim here has been to develop methods which 
can predict whether a set of rules is always guaranteed to terminate. Since 
the problem is undecidable even for simple rule languages, these methods 
cannot achieve full precision. Also, given the lack of any consensus on what 
constitutes a “typical” terminating or non-terminating rule set, it is not easy to 
compare various methods with one another. 

These difficulties are recognised by the current SQL3 standard for triggers, 
which does not attempt to prescribe methods for ensuring termination. 
Thus, commercial database products do not use any static analysis on rule sets, 
and termination is enforced by imposing a fixed upper limit (hereafter referred 
to as k or the k limit) on the number of recursive rule firings allowed (in Oracle 8, 
for example, this limit is 64). If k is reached, the actions of all the rules are rolled 
back. This approach has the limitation that correct sequences of rule firings may 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1106 ff., 2000. 
be prematurely halted due to an overly conservative (i.e. too low) choice of k. 
Conversely, allowing k to be too high can lead to unnecessary rule processing if 
a non-terminating computation occurs. This wasted effort may be problematic 
for applications such as real-time systems, where there are hard deadlines on 
transaction execution time and where minimising work is important. 

In this paper, we describe a new approach to termination management based 
on a variable upper limit on the number of recursive rule firings. Before rule ex- 
ecution begins, some analysis is first performed to calculate a “suitable” k limit 
for that particular execution. This calculation is performed using information 
about the past execution behaviour of the rules. The aim is that calculating 
the k limit dynamically will allow rule executions to run for longer if eventual 
termination can definitely be predicted. This in turn helps with the second diffi- 
culty above, which occurs when the k limit is too high. This is because the rule 
designer can now choose a lower default k limit, more confident in the knowledge 
that fewer correct rule execution sequences will be aborted. 

The paper is structured as follows. Section 2 defines our assumed rule exe- 
cution semantics. Section 3 describes our method for inferring future rule ter- 
mination from past rule execution behaviour using incremental inferencing tech- 
niques. Section 4 extends the treatment to detect the possibility of future rule 
non-termination by checking for repeating states. Section 5 discusses the practi- 
cal usefulness and applicability of our approach, including how it fits within the 
overall transaction execution, and how it can be applied to analysis of SQL3 trig- 
gers. In Section 6 we compare our work with other approaches and in Section 7 
we summarise our results and outline directions for future research. 



2 Rule Execution Semantics 



We assume that active rules are of the form on event if condition do action. The 
event part is of the form ins(R) or del(R), where R is a relation. The condition 
part is an SQL query. The action part is a sequence of insertions or deletions of 
the form ±R ← query where R is a relation and query an SQL query. In this 
paper we do not consider UPDATE events as found in SQL3, but the approach 
described here could easily be extended to cater for these also. 

Events occur as transactions execute. A rule is triggered when the event spec- 
ified in its event part occurs. A rule fires if it is triggered and its condition part 
evaluates to true. A rule set is terminating if for any initial event and database 
state, rule processing always terminates. In this paper we will be considering 
specific execution sequences and are thus interested in whether rule execution 
terminates from a given database state when triggered by a given event. 

We specify the assumed rule execution semantics as a function, execRules. 
This inputs the current database and an initial schedule of rule actions. It re- 
peatedly pops the first action off the schedule, executes it (by calling updateDB), 
determines which rules have fired as a result (in the for loop) and places their 
actions on the schedule. execRules terminates when the schedule is empty.¹ 

function execRules(db: DB, s: Sched): DB; 
  var i: Nat; 
      action: Action; 
  while s != [] do { 
    action := head s; 
    s := tail s; 
    db := updateDB(db, action); 
    for i := 1 to NoOfRules do 
      if nonEmpty(eval(eventQueries[i], db)) and 
         nonEmpty(eval(condQueries[i], db)) then 
        s := bind(actions[i], db) ++ s; 
  } 
  return(db); 

Rules are identified by numbers 1..NoOfRules, in order of increasing priority. A 
schedule is a list of rule actions waiting execution. We assume the initial update 
initiating rule execution is itself the action part of one of the rules², so the initial 
schedule passed to execRules is a singleton list [a] for some action a. 

A database is a set of pairs of relation names and relation extents. Relations 
are of three kinds: (i) user-defined ones; (ii) for each user-defined relation R, two 
delta relations, ΔR and ∇R; ΔR (∇R) contains tuples inserted into (deleted 
from) R by the latest action executed; (iii) for each user-defined relation R, two 
event relations, insEventR and delEventR; insEventR (delEventR) is non-empty 
if and only if the latest action executed was an insertion into (deletion from) R. 
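The following Python model runs execRules as given above against two constructed rule sets and adds the fixed k limit from the introduction: once more than k rule firings occur, the run is aborted and rolled back, which reproduces both failure modes discussed there (a correct but long execution halted early, and a runaway execution that only the limit stops). It is an added example, not the paper's code. The naming of the delta and event relations as keys "ins:R", "del:R", "insEvent:R" and "delEvent:R", the use of Python callables in place of the SQL condition and action queries, and the decision that bind evaluates an action's query against the delta relations visible at firing time (the page's description of bind is cut off) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

DB = Dict[str, FrozenSet[tuple]]           # relation name -> extent
Query = Callable[[DB], FrozenSet[tuple]]   # stands in for an SQL query
Action = Tuple[str, str, Query]            # ("+" or "-", relation, query)
BoundAction = Tuple[str, str, FrozenSet[tuple]]

# Assumed naming of the auxiliary relations (the paper's deltaR, nablaR, insEventR, delEventR):
#   "ins:R" / "del:R"            tuples actually inserted into / deleted from R by the latest action
#   "insEvent:R" / "delEvent:R"  non-empty iff the latest action was an insertion / deletion on R


@dataclass(frozen=True)
class Rule:
    event: Tuple[str, str]            # ("ins", R) or ("del", R)
    condition: Callable[[DB], bool]   # the rule's condition query
    actions: Tuple[Action, ...]       # the rule's action part, in order


class KLimitExceeded(Exception):
    """More than k rule firings: the DBMS aborts and rolls back."""


def rel(db: DB, name: str) -> FrozenSet[tuple]:
    return db.get(name, frozenset())


def update_db(db: DB, action: BoundAction) -> DB:
    """updateDB: apply one action; delta and event relations describe only this action."""
    sign, r, tuples = action
    new = {name: ext for name, ext in db.items() if ":" not in name}  # reset old deltas/events
    old = rel(db, r)
    if sign == "+":
        inserted = tuples - old
        new[r] = old | inserted
        new["ins:" + r] = inserted
        new["insEvent:" + r] = frozenset({("ins",)})
    else:
        deleted = tuples & old
        new[r] = old - deleted
        new["del:" + r] = deleted
        new["delEvent:" + r] = frozenset({("del",)})
    return new


def bind(actions: Tuple[Action, ...], db: DB) -> List[BoundAction]:
    """Assumption: bind evaluates each action's query against the delta relations
    visible at firing time, because the next action executed will reset them."""
    return [(sign, r, query(db)) for sign, r, query in actions]


def exec_rules(db: DB, schedule: List[BoundAction], rules: List[Rule], k: int,
               semantic: bool = True) -> DB:
    """execRules with a firing limit k. rules are in increasing priority order and each
    firing rule's actions are prepended, so the highest-priority rule's actions run first."""
    firings = 0
    s = list(schedule)
    while s:
        action, s = s[0], s[1:]
        db = update_db(db, action)
        for rule in rules:
            kind, r = rule.event
            trigger = f"{kind}:{r}" if semantic else f"{kind}Event:{r}"
            if rel(db, trigger) and rule.condition(db):
                firings += 1
                if firings > k:
                    raise KLimitExceeded(f"k = {k} reached")
                s = bind(rule.actions, db) + s
    return db


def run_with_rollback(db: DB, schedule: List[BoundAction], rules: List[Rule], k: int):
    """Commercial behaviour: on reaching k, all rule actions are rolled back."""
    try:
        return exec_rules(db, schedule, rules, k), True
    except KLimitExceeded:
        return db, False


# Constructed rule set 1, terminating after 9 firings:
#   on ins(Counter) if true do +Counter <- { (n+1) : (n) in delta Counter, n+1 < 10 }
COUNT = Rule(("ins", "Counter"), lambda db: True, (
    ("+", "Counter", lambda db: frozenset(
        (n + 1,) for (n,) in rel(db, "ins:Counter") if n + 1 < 10)),))

# Constructed rule set 2, never terminating:
#   on ins(R) do -R <- delta R ;  on del(R) do +R <- nabla R
PING = Rule(("ins", "R"), lambda db: True, (("-", "R", lambda db: rel(db, "ins:R")),))
PONG = Rule(("del", "R"), lambda db: True, (("+", "R", lambda db: rel(db, "del:R")),))


def demo(k: int):
    """Run both rule sets under limit k; return (Counter extent, chain committed, ping-pong committed)."""
    chain, ok_chain = run_with_rollback({}, [("+", "Counter", frozenset({(1,)}))], [COUNT], k)
    _, ok_pingpong = run_with_rollback({}, [("+", "R", frozenset({("x",)}))], [PING, PONG], k)
    return sorted(n for (n,) in rel(chain, "Counter")), ok_chain, ok_pingpong
```

demo(64) commits the counting chain (Counter = 1..9) and aborts the ping-pong pair; demo(5) aborts both, which is the premature halt that a fixed, conservative k causes. Operationally k is a resource bound that turns a runaway trigger set into a rolled-back transaction instead of a hung database, so lowering it safely needs the kind of evidence about past behaviour that the paper goes on to propose.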

The types DB and Sched are defined as follows, where the types RelName, 
DeltaRelName, Tuple, Query, List and Set are self-explanatory: 

type DB = Set(RelName, Set(Tuple));
type Action = (DeltaRelName, Query);
type Sched = List(Action);

A number of global variable declarations representing the rules are assumed: 

var eventQueries : array [1..NoOfRules] of DeltaRelName;
var condQueries : array [1..NoOfRules] of Query;
var actions : array [1..NoOfRules] of List(Action);

eventQueries records for each rule the name of the relation which, if it is 
non-empty, triggers the execution of the rule: if the rule's event part is ins(R) 
(del(R)), this relation will be ΔR (∇R). condQueries represents the condition 
part of each rule, which is just an SQL query. actions is the list of updates con- 
stituting the action part of each rule. An insertion +R ← query is represented 
by the pair (ΔR, query) and a deletion −R ← query by the pair (∇R, query). 

1 We use the notation [x1, x2, ...] for lists, <x1, x2, ...> for tuples and [i] for 
indexing array elements. For any list [x1, x2, ...], head [x1, x2, ...] returns x1 and 
tail [x1, x2, ...] returns [x2, ...]. ++ is the list concatenation operator. 

2 If not, then the original rule set can be extended with a new rule whose action part 
is the initial update and whose event part is not triggered by any rule. 

3 This is semantic triggering, i.e. rules are triggered if delta relations are non-empty. 
Later we will also consider syntactic triggering where rules are triggered when up- 

execRules calls four other functions (which are straightforward and so not 
given here): updateDB applies the first action on the schedule to the database 
and returns the resulting database (including updated delta and event relations); 
eval evaluates a query with respect to the database and returns a set of tuples; 
nonEmpty tests whether a set is non-empty; bind takes a list of rule actions and 
the current database, and substitutes all occurrences of delta relations in the 
bodies of the rule actions by their current values in the database. 

We have assumed Immediate rule coupling mode, whereby the actions of a 
fired rule are placed at the front of the schedule. This is the coupling mode 
assumed by SQL3. However, our method is also applicable to Deferred coupling 
mode, or mixtures of coupling modes. For reasons of space we do not consider 
this issue here, and refer the reader to the work on abstract interpretation of 
active rule execution cited in Section 6, which discusses a general framework for it. 
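The execution semantics above, as an added Python example that is not the paper's code: an in-memory execRules with semantic triggering through delta relations, immediate coupling, priority order and a fixed upper bound k on the number of actions executed (the k limit discussed in the following sections). The relation names R1, R3, R4, R5, the two rules (modelled on the shape of Example 2 in Section 4) and the tuples are constructed for the illustration; whether the rules cycle depends only on whether r2's deletion has a semantic effect, which is exactly what the delta relations record.

```python
"""Concrete active-rule execution in the style of the paper's execRules:
semantic triggering via delta relations, immediate coupling, priority order
and a k limit on the number of actions executed.  Added example, not the
paper's code; the rule set and data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Rel = FrozenSet[tuple]
DB = Dict[str, Rel]      # relation name -> extent; keys "ΔR" / "∇R" hold the delta relations of R


@dataclass(frozen=True)
class Action:
    kind: str                        # "ins" (+R <- query) or "del" (-R <- query)
    rel: str
    query: Callable[[DB], Rel]       # the body, evaluated against a database


@dataclass(frozen=True)
class Rule:
    event: Tuple[str, str]           # ("ins", "R3") fires on ΔR3 non-empty, ("del", "R3") on ∇R3
    cond: Callable[[DB], bool]
    actions: Tuple[Action, ...]


class KLimitExceeded(Exception):
    """Raised when the k limit aborts rule execution."""


def make_db(**rels: Rel) -> DB:
    """A database with empty delta relations for every user relation."""
    db: DB = dict(rels)
    for name in rels:
        db["Δ" + name] = frozenset()
        db["∇" + name] = frozenset()
    return db


def update_db(db: DB, a: Action) -> DB:
    """updateDB: apply a and recompute the delta relations, which describe
    only the latest action (semantic triggering: a no-op leaves them empty)."""
    new = {n: (frozenset() if n[0] in "Δ∇" else v) for n, v in db.items()}
    body, current = a.query(db), db[a.rel]
    if a.kind == "ins":
        changed = body - current
        new[a.rel] = current | changed
        new["Δ" + a.rel] = changed
    else:
        changed = body & current
        new[a.rel] = current - changed
        new["∇" + a.rel] = changed
    return new


def triggered(rule: Rule, db: DB) -> bool:
    kind, rel = rule.event
    return bool(db[("Δ" if kind == "ins" else "∇") + rel])


def bind(a: Action, db: DB) -> Action:
    """bind: freeze the delta relations the body refers to at scheduling time."""
    deltas = {n: v for n, v in db.items() if n[0] in "Δ∇"}
    return Action(a.kind, a.rel, lambda cur, q=a.query: q({**cur, **deltas}))


def exec_rules(db: DB, rules: List[Rule], schedule: List[Action], k: int) -> Tuple[DB, int]:
    """execRules with immediate coupling.  Rules are scanned in increasing
    priority, so the highest-priority fired rule's actions end up at the front
    of the schedule.  Returns (database, actions executed), or raises
    KLimitExceeded once k actions have run without the schedule emptying."""
    s, executed = list(schedule), 0
    while s:
        if executed >= k:
            raise KLimitExceeded(executed)
        action, s = s[0], s[1:]
        db = update_db(db, action)
        executed += 1
        for rule in rules:
            if triggered(rule, db) and rule.cond(db):
                s = [bind(a, db) for a in rule.actions] + s
    return db, executed


# Constructed rule set with the shape of the paper's Example 2:
#   r1: on del(R3), +R3 <- R5        r2: on ins(R3), if R5 - R4 non-empty, -R3 <- R1
RULES = [
    Rule(("del", "R3"), lambda db: True,
         (Action("ins", "R3", lambda db: db["R5"]),)),
    Rule(("ins", "R3"), lambda db: bool(db["R5"] - db["R4"]),
         (Action("del", "R3", lambda db: db["R1"]),)),
]


def run(r1: Rel, k: int = 20):
    """Start from r1's own action, as the paper assumes, on a constructed
    instance.  R1 decides whether r2's deletion has a semantic effect and
    hence whether r1 is re-triggered through ∇R3."""
    db = make_db(R1=frozenset(r1), R3=frozenset(), R4=frozenset(),
                 R5=frozenset({(1,), (2,)}))
    try:
        final, n = exec_rules(db, RULES, [RULES[0].actions[0]], k)
        return "terminated", n, sorted(final["R3"])
    except KLimitExceeded as e:
        return "aborted", e.args[0], None
```

With R1 empty, r2's deletion removes nothing, ∇R3 stays empty, r1 is not re-triggered and execution stops after two actions; with (1,) in R1 the two rules re-trigger each other through ΔR3 and ∇R3 until the k limit aborts. Note that bind captures the delta relations at scheduling time, so a body that mentions ΔR or ∇R sees the values that triggered the rule, not those left by a later action.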

3 Incremental Inference of Termination Behaviour 

Our method for inferring future rule termination behaviour is specified below 
as a function, INC, which performs an incremental inferencing of future rule 
behaviour using knowledge about past behaviour: 

function INC(deltaVals : array [1..NoOfRules] of List(TruthVal),
             condVals : array [1..NoOfRules] of TruthVal,
             s : AbstSched) : Status;
var i : Nat;
    ev, cv : TruthVal;
    a : Action;
    eventVals : array [1..NoOfRules] of TruthVal;
while s != [] do {
    <ev,cv,a> := head s;
    s := tail s;
    deltaVals := INFER_DELTAS(deltaVals, deltaQueries, <ev,cv,a>);
    eventVals := INFER_EVENTS(eventQueries, a, deltaVal_a);
    condVals := INFER_CONDS(condVals, condQueries, a, deltaVal_a);
    for i := 1 to NoOfRules do
        if eventVals[i] != False and condVals[i] != False then
            s := [<eventVals[i], condVals[i], a> | a <- actions[i]] ++ s;
}
return(DefiniteTermination);

date statements occur, i.e. when event relations are non-empty, regardless of whether 
the database has changed. 

4 Since rules are considered in increasing order of priority in the for loop, actions of 
higher priority rules will be placed in front of actions of lower priority ones. 
We observe the syntactic similarity between execRules and INC. In fact, 
INC can be considered to be performing an abstract interpretation of execRules 
(see the work on abstract interpretation cited in Section 6 for theoretical 
foundations). The abstract schedule is a list of triples: 

type AbstSched = List(TruthVal,TruthVal, Action) 

As well as each action, it records the truth values of the event and condition 
queries when the rule fired. This is because INC places rules on the schedule 
if their event and condition queries are inferred to be True or Unknown, and 
the imprecision caused by the latter case needs to be carried forward into the 
subsequent inferencing process. Thus, the variables ev and cv above are the truth 
values of the rule’s event and condition queries when the rule action was placed 
on the schedule, and a is the actual action. The variable deltaVal_a denotes the 
current value of the delta query corresponding to the action a. 

The database state is abstracted by two arrays which contain the truth values 
of all the rule conditions and rule delta queries w.r.t. the current database state: 

var condVals : array [1 .. NoOf Rules] of TruthVal; 
var deltaVals : array [1 .. NoOf Rules] of List (TruthVal) ; 

where the type TruthVal consists of three constants True, False and Unknown. 

By rule delta query we mean the query that defines the value of the positive or 
negative delta relation that results when a rule action is executed. In particular, 
for an insertion +R ← query the rule delta query is query − R, while for a 
deletion −R ← query it is query ∩ R. A rule in general has a list of actions, 
and hence a list of corresponding delta queries and delta query truth values. We 
assume the following global variable contains the rules’ delta queries: 

var deltaQueries : array [1 .. NoOf Rules] of List (Query); 

The condVals record whether a rule condition is currently True, False or Un- 
known. The deltaVals record whether a rule action would have a semantic effect 
(i.e. produce a change in the database) were it to be executed. So, instead of 
using an actual database with relations containing tuples as does execRules, 
INC uses a coarser view of the database to perform inferencing about how the 
actual rule execution might proceed. 

condVals and deltaVals need to be maintained in synch with the cur- 
rent database state during actual rule execution. This is done by modifying 
execRules as follows: 

(a) When a rule is triggered within the for loop and its condition query is then 
evaluated, the resulting truth value (True or False) will be recorded in the 
corresponding entry of the condVals array. 

(b) Condition queries that are not evaluated within the for loop (because the 
rule has not been triggered) will have truth values inferred for them using 
incremental evaluation techniques (see Section 3.1 for details of these); 

(c) New truth values for all the delta queries are similarly inferred on each 
iteration of the while loop. 
Notice that under (a) condition queries will be assigned a value of either True 
or False while under (b) and (c) condition and delta queries may be assigned an 
Unknown truth value. 

INC calls three functions to repeatedly infer the next round of truth values 
for the rules' delta queries, event queries and condition queries. INFER_DELTAS 
takes the current values of the delta queries, the delta queries themselves, and the 
triple <ev,cv,a> currently at the head of the schedule and infers new truth values 
for the delta queries. INFER_EVENTS takes the event queries, the current action 
a, and the current value of the delta query corresponding to a, deltaVal_a, and 
infers the truth values of the event queries. Finally, INFER_CONDS takes the 
current truth values of the condition queries, the condition queries themselves, 
the current action a, and its corresponding delta query value, deltaVal_a, and 
infers the new truth values of the condition queries. The inferencing techniques 
employed by all three functions are described in Section 3.1 below. 

If INC terminates from a given initial action and database state, we can 
infer that execRules would also terminate from that initial action and database 
state. This is reflected by INC’s return status of Def initeTermination. 

As it stands, INC may of course fail to terminate. There are several possible 
ways to force it to do so: place an upper limit on the number of iterations of 
its while loop, or implement a check for the occurrence of repeating states, or 
both of these. We discuss these methods further in Section 4. With any of these 
approaches, the status returned by INC would be PossibleNonTermination. 

3.1 The INFER Functions 

The three INFER functions invoked by INC use incremental techniques to deduce 
a new truth value for a query from its old truth value. Suppose we have an event, 
condition or delta query q and an update occurs in the database. What new truth 
value will be inferred for q? If an inclusion occurs into a relation r referenced 
by q, then the new truth value of q is inferred using the following rules: 

Rule Inc1: If the previous truth value of q was T and r doesn't occur in q or 
occurs only positively, then the new truth value of q is T. 

Rule Inc2: If the previous truth value of q was F and r doesn't occur in q or 
occurs only negatively, then the new truth value of q is F. 

Rule Inc3: Otherwise, the new truth value of q is U. 

Similarly, if an exclusion occurs from a relation r referenced by q, then the 
new truth value of q is inferred using the following rules: 

Rule Exc1: If the previous truth value of q was T and r doesn't occur in q or 
occurs only negatively, then the new truth value of q is T. 

Rule Exc2: If the previous truth value of q was F and r doesn't occur in q or 
occurs only positively, then the new truth value of q is F. 

Rule Exc3: Otherwise, the new truth value of q is U. 

In the above rules, r can be either a user-defined relation or a delta relation, 
since both of these may appear in condition queries and delta queries. For a user- 
defined relation, inclusions and exclusions will occur via the explicit insertions 
and deletions specified in the rule actions or in the top-level transaction. For 
a delta relation, inclusions and exclusions will occur implicitly. In particular, a 
delta relation ΔR (∇R) will undergo an implicit inclusion whenever an insertion 
(deletion) occurs on R, and will then undergo an implicit exclusion in the next 
action executed that is not an insertion (deletion) on R. 

An action a has a special effect on its own delta query dq_a as given by the 
following rules, where an action ±R <— query is idempotent if R does not appear 
within query, otherwise it is non-idempotent: 

Rule Ownl: If the old truth value of dq_a was F, then the action a will not 
execute and so the new truth value of dq_a is also F. 

Rule Own2: If a is idempotent and the old truth value of dq_a was U or T 
then the new truth value of dq_a is F. 

Rule Own3: If a is non-idempotent and the old truth value of dq_a was U or 
T then the new truth value of dq_a is U. 

The INFER_DELTAS function calculates the new truth value for the delta 
query, dq_a, associated with the action a as follows, where infer_own performs 
inferences according to Rules Own1-3: 

newDeltaVal_a = ev & cv & infer_own(dq_a, oldDeltaVal_a, a) 

For all other delta queries dq_i, their new truth value is the same as their old 
truth value if newDeltaVal_a is False or if dq_i is independent of the action 
a (i.e. the relation in the head of a does not appear in dq_i). Otherwise, the 
new truth value of dq_i is determined as follows, where infer_normal performs 
inferences according to Rules Inc1-3 and Exc1-3: 

newDeltaVal_i = ev & cv & infer_normal(dq_i, oldDeltaVal_i, a) 

The INFER_EVENTS function calculates the new truth value for each event 
query eq_i as follows, where infer_event returns T if the action a matches the 
event query eq_i and F otherwise: 

newEventVal_i = newDeltaVal_a & infer_event(eq_i, a) 

Finally, the INFER_CONDS function calculates the new truth value for each 
condition query cq_i. The new truth value of cq_i is the same as its old truth 
value if deltaVal_a is False or if cq_i is independent of a. Otherwise the new 
truth value of cq_i is given by: 

newCondVal_i = newDeltaVal_a & infer_normal(cq_i, oldCondVal_i, a) 

Here, & is a 3-valued logic conjunction operator: 

    &  | T  F  U
    ---+---------
    T  | T  F  U
    F  | F  F  F
    U  | U  F  U
Example 1. Consider the 6 rules below: 

Rule | Event   | Condition | Action(s)                  | Delta Query(s)
r1   | ins(R1) |           | −R3 ← R5; +R6 ← R4 ⋈ R5     | R3 ∩ R5; (R4 ⋈ R5) − R6
r2   | ins(R6) | R4 − R3   | +R3 ← R4 − R3              | (R4 − R3) − R3
r3   | ins(R3) | … ⋈ R1    | −R1 ← R6 ⋈ (R5 − R4)       | (R6 ⋈ (R5 − R4)) ∩ R1
r4   | del(R1) | true      | −R6 ← R5                   | R6 ∩ R5
r5   | del(R6) | true      | +R6 ← R2 ∩ ∇R6             | (R2 ∩ ∇R6) − R6
r6   | ins(R6) | R7 ⋈ R6   | −R6 ← R3                   | R6 ∩ R3

These rules are non-terminating in general, since r5 and r6 could trigger each other in- 
finitely. We will see, however, that knowledge about the initial truth values of 
the condition and delta queries means that we can predict that the rules will 
terminate for the current database instance. 

Consider the trace given below of successive iterations of the while loop in 
INC, starting from the abstract database state shown in the first line. Recall 
that a triple <T,T,a> on the abstract schedule indicates an action, a, whose 
corresponding event and condition queries were both True at the time the action 
was placed on the schedule. a_i denotes the action of rule r_i (for a single-action 
rule) while a_i_j denotes the j-th action of rule r_i (for a multi-action rule). 

Note that all actions except r2's are idempotent, so that the delta queries 
of all other rules are made False by the execution of their actions. Step 1 shows 
an initial abstract database state where r1 was triggered. In step 3 r2 has fired; 
the deltaVals of r1 have become False due to the idempotence of r1's 
actions. In step 4 r3 has fired; the first deltaVal of r1, the deltaVal of r6 and the 
condVal of r2 have all become Unknown due to the execution of a_2. In step 5 
r4 has fired. In step 6 r5 has fired. In step 7 r6 has become triggered; however, 
since the condVal of r6 is False, it will not fire. Thus INC terminates after the 
execution of five rules. 



Step | deltaVals         | condVals      | abstract schedule
1    | [[T,T],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_1_1>,<T,T,a_1_2>]
2    | [[F,T],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_1_2>]
3    | [[F,F],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_2>]
4    | [[U,F],U,T,T,T,U] | [T,U,T,T,T,F] | [<T,T,a_3>]
5    | [[U,F],U,F,T,T,U] | [T,U,U,T,T,F] | [<T,T,a_4>]
6    | [[U,F],U,F,F,T,U] | [T,U,U,T,T,F] | [<T,T,a_5>]
7    | [[U,F],U,F,U,F,U] | [T,U,U,T,T,F] | []



We thus infer that the actual rule execution will also terminate after execut- 
ing these rules, at most (in fact we can infer that it will execute precisely this 
sequence of rules because no triggered rule has an Unknown event, condition, or 
delta query). Thus, checking for the k limit during the subsequent actual rule 
execution can be turned off since we know that this rule execution will terminate. 

5 For reasons of brevity, we use the relational algebra notation for this and subse- 
quent examples, rather than SQL. In this and subsequent examples, all the rules are 
statement-level rules, unless otherwise stated. 



4 Detecting Possible Non-termination 

Both the actual rule execution and the abstract semantics of INC suffer from 
the drawback that the while loop may fail to terminate. One way of preventing 
this for the actual rule execution would be to maintain a history of states and to 
check for the reoccurrence of a past state, where a "state" consists of the current 
database and current action to be executed. 

Due to the size of real databases, this may not be a feasible extension to 
execRules, although the earlier work on dynamic analysis discussed in Section 6 
shows how to improve its efficiency. However, 
checking for repeating states is also possible in INC and moreover is much less 
costly in this case. The "state" now consists of the triple <ev,cv,a> which is 
currently at the head of the abstract schedule, and the current truth values of 
the rule conditions and rule delta queries. The history is a list of such states and 
is maintained by prefixing the current state to the history on each iteration of 
the while loop. An extra test is added to the while loop to test if the current 
state is equal to a state in the history; note that this is just a simple syntactic 
equality: 

history := [];
while s != [] do {
    <ev,cv,a> := head s;
    s := tail s;
    if member(<deltaVals,condVals,<ev,cv,a>>, history) then
        return(PossibleNonTermination);
    history := [<deltaVals,condVals,<ev,cv,a>>] ++ history;
    deltaVals := INFER_DELTAS(deltaVals, deltaQueries, <ev,cv,a>);
    eventVals := ... as before ...
}
return(DefiniteTermination);

There is a bounded number of possible distinct states that INC can reach, of 
the order of NoOfRules * 3^NoOfQueries (since there are NoOfRules rules and NoOf- 
Queries condition and delta queries, each of which can take one of three truth 
values). The extended INC function is thus guaranteed to terminate since a re- 
peating state will eventually occur if execution proceeds for long enough. Notice 
that this is even true for rules that are non-function-free. In contrast, in the 
actual rule execution, a repeating state may never occur if the rule language is 
able to create new constants. 

Example 2. Consider the following two rules: 

Rule | Event   | Condition | Action    | Delta Query
r1   | del(R3) |           | +R3 ← R5  | R5 − R3
r2   | ins(R3) | R5 − R4   | −R3 ← R1  | R1 ∩ R3
We trace through an execution of INC in the same way as before: 

Step | deltaVals | condVals | abstract schedule
1    | [T,T]     | [T,T]    | [<T,T,a_1>]
2    | [F,T]     | [T,T]    | [<T,T,a_2>]
3    | [U,F]     | [T,T]    | [<T,T,a_1>]
4    | [F,U]     | [T,T]    | [<U,T,a_2>]
5    | [U,F]     | [T,T]    | [<U,T,a_1>]
6    | [F,U]     | [T,T]    | [<U,T,a_2>]
Notice that both rule actions are idempotent. Step 1 shows an initial abstract 
database state where r1 has fired. In step 2 r2 has fired. The two rules continue 
to fire in turn during steps 3 to 6. In step 3 r2's action makes r1's delta query 
Unknown and in step 4 r1's action makes r2's delta query Unknown. The state 
in step 6 is a repetition of that in step 4 and so INC terminates with a status of 
PossibleNonTermination. It is therefore not safe to ignore the default value of 
the k limit during the subsequent actual rule execution. 

In summary, if INC returns PossibleNonTermination, then we perform 
actual rule execution with the default k limit (k_def). Otherwise, if INC returns 
DefiniteTermination after l iterations, then we perform rule execution with the 
k limit set to l. If l > k_def, then we will have prevented an unnecessary abort of 
rule execution. If l ≤ k_def or PossibleNonTermination was returned by INC, then 
running INC will have brought no benefits, but since the cost of INC is low (see 
Section 5) there will have been negligible impact on system performance. A final 
point to note is that adding new rules to the rule set is easily accomplished: extra 
entries just need to be created for these rules in the condVals and deltaVals 
arrays and their starting values set to Unknown. 
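The INC algorithm of Section 3, the INFER rules of Section 3.1 and the repeating-state check above, as one added Python example that is not the paper's code. Queries are abstracted to the sets of relation names they mention positively and negatively, which is all that Rules Inc1-3 and Exc1-3 inspect; the value of deltaVal_a that gates INFER_EVENTS and INFER_CONDS is taken to be the value before the action executes, which is the reading under which the trace of Example 2 is reproduced; the history is kept as a set rather than a list; r1's condition in Example 2 is not legible on the page and is assumed here to mention no relation. Run on the two rules of Example 2 it returns PossibleNonTermination after the fifth abstract action (step 6 repeats step 4), and DefiniteTermination after one action if r2's condition is initially False.

```python
"""INC (Section 3) with the INFER rules (3.1) and the repeating-state check
(Section 4) over an abstract database of three-valued truth values.  Added
example, not the paper's code.  Queries are abstracted to the relation names
they mention positively and negatively; delta relations are named "ΔR"/"∇R"."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

T, F, U = "T", "F", "U"


def conj(x: str, y: str) -> str:
    """The paper's three-valued conjunction: F dominates, then U."""
    return F if F in (x, y) else U if U in (x, y) else T


@dataclass(frozen=True)
class Query:
    pos: FrozenSet[str] = frozenset()   # relations occurring positively
    neg: FrozenSet[str] = frozenset()   # relations occurring negatively (under '-')

    def mentions(self, r: str) -> bool:
        return r in self.pos or r in self.neg


@dataclass(frozen=True)
class Action:
    kind: str            # "ins" for +R <- body, "del" for -R <- body
    rel: str
    body: Query

    def delta_query(self) -> Query:     # body - R for +R, body ∩ R for -R
        return (Query(self.body.pos, self.body.neg | {self.rel}) if self.kind == "ins"
                else Query(self.body.pos | {self.rel}, self.body.neg))

    def idempotent(self) -> bool:       # R does not appear in the body
        return not self.body.mentions(self.rel)


@dataclass(frozen=True)
class Rule:
    event: Tuple[str, str]              # ("ins", "R3") or ("del", "R3")
    cond: Query
    actions: Tuple[Action, ...]


def infer_normal(q: Query, old: str, change: str, r: str) -> str:
    """Rules Inc1-3 (change "incl") and Exc1-3 (change "excl") for relation r."""
    if not q.mentions(r):
        return old
    # an inclusion can falsify q only via a negative occurrence of r and verify
    # it only via a positive one; an exclusion is the reverse
    can_falsify, can_verify = (q.neg, q.pos) if change == "incl" else (q.pos, q.neg)
    if old == T and r not in can_falsify:
        return T
    if old == F and r not in can_verify:
        return F
    return U


def infer_own(a: Action, old: str) -> str:
    """Rules Own1-3 for the delta query of the action just executed."""
    return F if old == F or a.idempotent() else U


def reinfer(q: Query, old: str, effect: str, changes) -> str:
    """q after an action with the given effect and relation changes; unchanged
    if the action had no effect or q depends on none of the changed relations."""
    if effect == F or not any(q.mentions(r) for _, r in changes):
        return old
    for change, r in changes:
        old = infer_normal(q, old, change, r)
    return conj(effect, old)


def inc(rules: List[Rule], delta_vals, cond_vals, schedule, max_iter: int = 10_000):
    """delta_vals[i][j] / cond_vals[i]: truth values of rule i's j-th delta query /
    condition; schedule: triples (ev, cv, (i, j)) naming rule i's j-th action.
    Returns (status, number of abstract actions processed)."""
    delta_vals, cond_vals = [list(d) for d in delta_vals], list(cond_vals)
    s, history, prev_delta, n = list(schedule), set(), None, 0
    while s:
        (ev, cv, (i, j)), s = s[0], s[1:]
        state = (tuple(map(tuple, delta_vals)), tuple(cond_vals), (ev, cv, i, j))
        if state in history or n >= max_iter:   # plain syntactic equality of states
            return "PossibleNonTermination", n
        history.add(state)
        n += 1
        a = rules[i].actions[j]
        # a changes the database only if event, condition and its own delta query held
        effect = conj(ev, conj(cv, delta_vals[i][j]))
        # explicit change to R, implicit inclusion into ΔR/∇R, and implicit
        # exclusion from the delta relation the previous action filled
        delta = ("Δ" if a.kind == "ins" else "∇") + a.rel
        changes = [("incl" if a.kind == "ins" else "excl", a.rel), ("incl", delta)]
        if prev_delta and prev_delta != delta:
            changes.append(("excl", prev_delta))
        prev_delta = delta
        # INFER_DELTAS, INFER_EVENTS, INFER_CONDS
        delta_vals = [[conj(effect, infer_own(a, delta_vals[i][j])) if (k, l) == (i, j)
                       else reinfer(b.delta_query(), delta_vals[k][l], effect, changes)
                       for l, b in enumerate(rule.actions)] for k, rule in enumerate(rules)]
        event_vals = [conj(effect, T if rule.event == (a.kind, a.rel) else F) for rule in rules]
        cond_vals = [reinfer(rule.cond, cond_vals[k], effect, changes) for k, rule in enumerate(rules)]
        # scanned in increasing priority, so higher-priority actions end up in front
        for k, rule in enumerate(rules):
            if event_vals[k] != F and cond_vals[k] != F:
                s = [(event_vals[k], cond_vals[k], (k, l)) for l in range(len(rule.actions))] + s
    return "DefiniteTermination", n


# The two rules of Example 2 (r1's condition is not legible on the page and is
# assumed to mention no relation):  r1: on del(R3), +R3 <- R5
#                                   r2: on ins(R3), if R5 - R4, -R3 <- R1
EXAMPLE2 = [
    Rule(("del", "R3"), Query(), (Action("ins", "R3", Query(pos=frozenset({"R5"}))),)),
    Rule(("ins", "R3"), Query(pos=frozenset({"R5"}), neg=frozenset({"R4"})),
         (Action("del", "R3", Query(pos=frozenset({"R1"}))),)),
]


def run_example2(cond2: str = T):
    """Start as in the paper's trace: r1 fired, both delta queries True."""
    return inc(EXAMPLE2, [[T], [T]], [T, cond2], [(T, T, (0, 0))])
```

The max_iter guard is the iteration bound the paper mentions as an alternative to the history check; both paths return PossibleNonTermination. Because the state records the ev and cv values of the head triple as well as the two arrays, the state at step 3 (head <T,T,a_1>) is not equated with the one at step 5 (head <U,T,a_1>), and the first genuine repetition is step 6 against step 4.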



5 Evaluation 

Cost and Effectiveness of the Method. We have extended the PFL active 
database system with the dynamic rule analysis method described here. 
The history of abstract database states is stored in main memory as a list of 
arrays of truth values. The time cost incurred is primarily dependent on the 
cost of (a) performing the INFER functions and (b) scanning the history for a 
repeating state. The cost of (a) is negligible. With our present simple encoding 
of the history, the cost of (b) grows quadratically with the length of the history 
and on a mid-range Pentium machine reaches 0.5 seconds at a history length 
of approximately 500 and 1 second at a history length of approximately 1500. 
Clearly, more sophisticated encodings of the history would improve these times. 

The main space cost incurred is by the history. This is bounded by the 
number of different states that can occur, of the order of NoOfRules * 3^NoOfQueries. 
This could be very large if NoOfRules is greater than 10 (say). In practice an 
upper limit, L, will be imposed on history length, determined by the time cost 
of searching for repeating states. We conjecture that setting L to a relatively high 
number (2 to 3 orders of magnitude larger than the default k limit) will be 
sufficient to detect most cases of definite termination, and our experiments with 
synthetic sets of rules indicate that this is indeed the case. 

Relationship to Transaction Execution. We now consider how our dynamic 
analysis approach integrates with the overall system behaviour. This behaviour 
can be divided into two modes, transaction mode and rule execution mode. In 
transaction mode, transactions are submitted to the database and are executed. 
The truth values of the condition queries and delta queries are maintained in 
synch with the updates made by the transaction, using the same incremental 
evaluation techniques as used during INC. If a rule is triggered within a trans- 
action, the system enters rule execution mode. This consists of executing INC 
followed by the actual rule execution. After termination of rule execution, the sys- 
tem reverts to transaction mode again. 

Integration with Other Methods. Extra knowledge about properties of the 
rule set may be available and it is possible to incorporate this into the INC 
algorithm. Firstly, we may know from prior static analysis that execution is 
guaranteed to terminate when certain rules are reached, in which case INC need 
not continue if it reaches one of these rules. Secondly, we can utilise human-aided 
analysis in the inference procedure. For instance, rules may be self-deactivating 
(i.e. their condition is always made False by their action) and this knowledge 
can be used for more accurate inferencing. Inferencing can also be made more 
precise by applying containment and satisfiability tests to determine whether 
actions will ever have an effect on condition and delta queries. Finally, there is 
also scope for improving inferencing using knowledge about global properties of 
rules (e.g. event-based stratifications of rule sets). 

Relationship to SQL3. The rule execution semantics of execRules under- 
take a semantic, set-oriented triggering of rules. It is semantic triggering in 
the sense that rule event queries are delta relations, and rules are triggered if 
these delta relations are non-empty. In contrast, SQL3's statement-level triggers 
undertake a syntactic triggering of rules, i.e. rules are triggered when update 
statements occur irrespective of whether they cause any change to the database. 

Our semantics are easily modified to model execution of SQL3 statement- 
level AFTER triggers. The condition parts of rules need to be encoded within the 
bodies of the rule actions and not evaluated within the for loop of execRules. 
This causes rule conditions to be evaluated with respect to the database state 
that the action will be executed on, rather than the database state when the 
rule was triggered. We use a schedule to store triggered rule actions, rather 
than SQL3's trigger execution contexts (TECs), but the effect is the same. The 
event parts of rules now need to be event relations (insEventR or delEventR) 
rather than delta relations (ΔR or ∇R). Incremental inferencing proceeds as 

6 Note that L should not be confused with the default k limit for actual rule execution. 

7 Of course it may be tempting to just use a default k limit set to some high num- 
ber, e.g. 1000, but this would result in wasted execution when the rules are non- 
terminating. 
with semantic triggering, except now all delta query values are assumed to be 
always True and event query values will be either True or False (never Unknown). 

SQL3's BEFORE triggers are not significant for the purposes of termination 
analysis since they cannot trigger any other trigger. We have also ignored the 
checking of integrity constraints and have assumed that these will not be vio- 
lated (for the purposes of termination analysis the worst-case scenario is that no 
integrity constraints are violated and no aborts occur). 

Our rule execution semantics are set-oriented rather than instance-oriented 
and thus do not directly model the behaviour of SQL3's row-level triggers. How- 
ever, execRules is easily extended to also support row-level triggers, as fol- 
lows. If a rule i has fired and it is a row-level rule then for each tuple t ∈ 
eval(eventQueries[i]) a list of actions is placed on the schedule, obtained 
from actions[i] by substituting each occurrence of eventQueries[i] in the 
body of the actions by the singleton set {t}. 

The question is how should INC be modified, and in particular how many 
copies of each rule action should be placed on the abstract schedule ? The so- 
lution is to dynamically place as many copies as are required until either a 
repeating state is reached or definite termination can be concluded. 

So we recursively invoke INC from the current abstract database state, db_0, 
with a schedule consisting of 1 copy of the rule action. Either a repeating state 
will be encountered or definite termination will be inferred. In the former case, we 
are done and the overall result of INC is possible non-termination. In the latter 
case we examine if the abstract database state now reached, db_1 say, is the same 
as db_0. If so, we are done and we can infer definite termination of the execution of 
this row-level rule and continue processing the rest of the schedule. Otherwise, 
we recursively invoke INC again from db_1 with a schedule again consisting of 
1 copy of the rule action. We continue recursively invoking INC in this way, 
obtaining a sequence of database states db_0, db_1, db_2, ..., db_i, until either possible 
non-termination results from the invocation or db_i is equal to some prior db_j. 
In the former case the overall result of INC will be possible non-termination. In 
the latter case we can infer definite termination of the execution of this row-level 
rule and continue processing the rest of the schedule. 

Example 3. Consider the rule set and initial abstract database state of Example 
1, but now make rule r5 a row-level rule. Execution is the same as in Example 1 
for steps 1-4. At step 5, an action is placed on the schedule, corresponding to a 
single instance of r5's action, and INC is recursively invoked with this singleton 
schedule; at step 6, r6's condition is false, so the schedule becomes empty and 
the recursive invocation of INC terminates. INC is then re-invoked recursively, 
with another instance of r5's action. Again this recursive invocation terminates, 
this time with the same state as in step 6. We thus conclude that execution of 
the row-level rule terminates. The overall execution of INC thus terminates. 
So, checking for the k limit during the subsequent actual rule execution can be 
turned off since we know that this rule execution will terminate. 
Step | deltaVals         | condVals      | abstract schedule
1    | [[T,T],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_1_1>,<T,T,a_1_2>]
2    | [[F,T],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_1_2>]
3    | [[F,F],T,T,T,T,F] | [T,T,T,T,T,F] | [<T,T,a_2>]
4    | [[U,F],U,T,T,T,U] | [T,U,T,T,T,F] | [<T,T,a_3>]
5    | [[U,F],U,F,T,T,U] | [T,U,U,T,T,F] | [<T,T,a_4>]
6    | [[U,F],U,F,F,T,U] | [T,U,U,T,T,F] | [<T,T,a_5>]
7    | [[U,F],U,F,U,F,U] | [T,U,U,T,T,F] | []
8    | [[U,F],U,F,U,T,U] | [T,U,U,T,T,F] | [<T,T,a_5>]
9    | [[U,F],U,F,U,F,U] | [T,U,U,T,T,F] | []



Example 4. Consider the next rule set. Suppose that r1 is a row-level rule, r2, 
r3 and r4 are statement-level rules and that r3 has higher priority than r2. 

Rule | Event   | Condition | Action                | Delta Query
r1   | del(R5) |           | +R3 ← R5 ∩ ∇R5        | (R5 ∩ ∇R5) − R3
r2   | ins(R3) | … − R3    |                       | R6 ∩ R4
r3   | ins(R3) | R1 − R6   | −R7 ← R4              | R4 ∩ R7
r4   | del(R7) | true      | −R7 ← R3 ⋈ R1 ⋈ R7    | R7 ∩ (R3 ⋈ R1 ⋈ R7)



Consider the following execution trace of INC from the stated initial state. Note 
that the actions of rules r1, r2 and r3 are idempotent. Rule r1 is assumed to 
be initially triggered and INC is recursively invoked with a single instance of its 
action on the schedule. This invocation terminates at step 3. Another recursive 
invocation of INC is performed at step 4. This time both r2 and r3 are triggered 
and their actions placed on the schedule in order of priority. Execution continues 
and a repeating state is found at steps 7 and 8. We therefore conclude the set of 
rules is possibly non-terminating from this initial state: 



Step | deltaVals | condVals  | abstract schedule
1    | [T,T,T,T] | [T,T,F,T] | [<T,T,a_1>]
2    | [F,T,T,T] | [T,U,F,T] | [<T,U,a_2>]
3    | [F,F,T,T] | [T,U,U,T] | []
4    | [T,F,T,T] | [T,U,U,T] | [<T,T,a_1>]
5    | [F,F,T,T] | [T,U,U,T] | [<T,U,a_3>,<T,U,a_2>]
6    | [F,F,F,U] | [T,U,U,T] | [<U,T,a_4>,<T,U,a_2>]
7    | [F,F,U,U] | [T,U,U,T] | [<U,T,a_4>,<T,U,a_2>]
8    | [F,F,U,U] | [T,U,U,T] | [<U,T,a_4>,<T,U,a_2>]



Remark. If rule ri had been statement-level, then execution would have halted 
at step 3 and definite termination from the initial state concluded. 

6 Related Work 

Most previous work on termination analysis for active rules has dealt with static 
analysis. Triggering graphs were first presented and later refined, with 
techniques for removing paths. Generalisations 
using a method called rule reduction have also been described. If one were to extend 
this method to allow incorporation of knowledge about constraints known to 
hold in the database (e.g. truth values of conditions), then the result would 
be quite similar to the approach we have described in this paper. The idea 
of using abstract interpretation to assist with rule analysis was first presented 
earlier and has since been extended to a more complex language. In that work complex, and 
potentially expensive, abstractions are used without any knowledge about the 
initial database state, whereas here we use a simple, and cheap, abstraction 
together with some knowledge about the initial database state. 

The principal previous work in dynamic analysis is that in which checking is 
performed at run-time to see whether a repeating database state has occurred in 
a history of previous states. In principle, the method is totally precise. However, 
it is restricted to function-free rules. Also, even with the optimisations presented, 
it is potentially quite expensive to store the history of database states. Moreover, 
for real-time applications it is less applicable if one needs to detect loops in a 
timely manner, i.e. before having needlessly executed rules. 

Our inferencing depends on deducing new query values from old ones in 
the presence of updates, and we can make use of previous techniques for this. 
These techniques were developed for use in query optimisation. 
Here we have applied them instead to analysis, our focus being on when the 
values of queries should be incrementally inferred and with what input, rather 
than how the inference should be done. Finally, optimisation of triggers based 
on execution flow has also been treated, but there it is the execution context of a 
transaction program, not the rules themselves, which is of interest. 



7 Summary and Further Work 

We have examined the problem of dynamically enforcing termination of active 
rules. Rather than aborting rule execution after a fixed number of rule firings, we 
have described an approach which dynamically infers this limit. The advantage 
of this is that more terminating rule execution sequences can be allowed to 
proceed without being aborted prematurely. The algorithms required are cheap 
since they only operate on synthetic databases, and are thus immediately usable 
in practical systems. There are a number of directions of further work: 
Improving the Precision of INC. INC loses precision when condition or delta 
queries have an Unknown value, which may result in INC returning 
PossibleNonTermination where execRules would terminate. This can be al- 
leviated in two ways: (a) condition/delta queries that have a current value of 
Unknown can be evaluated during periods of DBMS inactivity (and thus be up- 
dated to True or False), so that the input to the next invocation of INC is made 
more precise; (b) INC can be interleaved with phases of actual rule execution, 
e.g. if actual rule execution reaches k, rather than giving up and aborting, INC 
can be reinvoked to see whether more accurate inferences can be made. In particular, 
if definite termination can now be concluded from the new abstract database 
state, then the actual rule execution can be allowed to proceed to termination. 

Improving the Precision of the INFER Functions. Rather than just 
recording the truth value of condition and delta queries, we could record truth 
values for their sub-queries also. For even more precision, we could use even more 
detailed information, such as the number of tuples that made a condition true. 

Other Analysis Questions. The thrust of this paper has been towards termi- 
nation enforcement. However, our techniques are also applicable to other analysis 
questions that involve reachability, e.g. would a given rule eventually be triggered 
during rule processing on the current database? 

Using Definite Analysis Information for Rule Optimisation. Suppose 
we infer from INC that certain rules are guaranteed to have a definitely True 
or False condition at particular points in the rule execution sequence (e.g. as in 
Example 1). We can then use this knowledge to optimise the subsequent actual 
rule execution sequence by turning off condition evaluation at those points. 
Abstract. There are many situations where cyclic rule activations — 
where some set of active database rules may be activated repeatedly 
until the database satisfies some condition — arise naturally. However, 
most existing approaches to termination analysis of active rules, which 
typically rely on checking that the triggering graph for the rules is acyclic, 
cannot infer termination for such rules. We present a constraint-based 
approach to termination analysis that is able to handle such cyclic rule 
activations for a wide class of rules. 



1 Introduction 

Active databases, which are conventional databases extended with a mechanism 
to create and execute production rules that manipulate the state of the database, 
have attracted considerable interest in recent years. Such rules provide a general 
mechanism for a number of database features such as integrity constraint check- 
ing and view maintenance, and simplify building and reasoning about database 
applications. 

In general, rule activations in active databases can “cascade,” i.e., the exe- 
cution of an active rule can cause a change in the database state that causes 
another rule to be executed; the resulting change can then cause the activation 
of a third rule; and so on. Ensuring that such cascaded rule activations do not 
go on forever therefore becomes of fundamental importance. Analyses that ex- 
amine a set of active rules to determine whether rule activations will terminate 
are called termination analyses. 

Almost all of the work to date on termination analysis for active databases 
(see the related-work section) relies on checking that a directed graph called the “triggering 
graph” for a set of rules is acyclic. The essential intuition this expresses is that 
a rule should not be able to cause itself to be (re-)activated, either directly or 
indirectly. The differences between various proposals for such analyses lie in the 
sets of edges they are able to eliminate from the triggering graph before this 
acyclicity check. In most of these proposals, the underlying sets of rules being 
considered satisfy the property of not being self-activating in this manner, and 
the analyses themselves focus on identifying and eliminating edges that could 
introduce spurious cycles into the triggering graph. 

* This work was supported in part by the National Science Foundation under grants 

There are, however, many situations where it is natural to have a rule that 
can activate itself, but where such self-activations are guaranteed to eventually 
terminate. As an example, suppose we have a rule stating that, whenever an 
employee in a firm gets a raise that causes his salary to exceed his manager’s 
salary, the manager should also get a commensurate raise. This rule can be self- 
activating, since the raise given to an employee can cause his manager to be 
given a raise, which in turn can cause the manager’s manager to get a raise, and 
so on. However, it is not difficult to see that, under realistic assumptions, such 
a cycle of rule activations cannot go on for ever. 

Throughout this paper, we use the following example, taken from Chapter 2 
of a text by Zaniolo et al. [ref]. 

Example 1. The following rule, defined by a budget-conscious manager, imposes 
a salary reduction of 10% on every employee in an organization whenever the 
average salary exceeds a threshold (in this case 100): 

rule SalaryControl on Emp 
when inserted, deleted, updated(Sal) 
if (Select Avg(Sal) from Emp) > 100 
then update Emp 

set Sal = 0.9*Sal 

Notice that this rule can be activated if an employee is hired with a high initial 
salary; if the initial salary is high enough, one round of salary reductions may 
not suffice to satisfy the termination condition, so the rule may be activated 
again. Eventually, however, the average salary must fall below 100, causing the 
rule activations to terminate. 

While this rule seems “obviously terminating,” reasoning about such rules can 
be quite subtle. For example, consider a rule that is identical to that shown 
above, the only difference being that the activation condition is 

if (Select Avg(Sal) from Emp) > 0 then . . . 

This rule is structurally very similar to that of Example 1, with a decreasing 
value for the average salary and a lower bound on how far it can decrease. It is, 
nevertheless, non-terminating. As another example, consider a rule that is iden- 
tical to that of Example 1 with the only difference being that the action is to 
set each employee’s salary to 0.9*Sal + Bonus, where Bonus is some constant. 
In this case, it turns out that the rule is terminating if Bonus < 10, and nonter- 
minating if Bonus > 10 (the average salary converges to Bonus/(1 − 0.9) = 10·Bonus, 
which lies below the threshold 100 exactly when Bonus < 10). What these examples 
illustrate is that any termination analysis that aims to handle such cyclic rule 
activations must be able to analyze the effects of cyclic rule execution with a 
fairly high degree of precision. 
2 Preliminaries 

2.1 Active Rules 

We consider Event-Condition-Action (ECA) rules: a rule is triggered when cer- 
tain events specified in the rule occur, and provided that their (optional) con- 
ditions hold; when a rule so triggered is executed, the actions specified in the 
rule are carried out. For concreteness we use the syntax and semantics of the 
Starburst rule system [ref]: a rule is assumed to have the structure 

rule RuleName on Relation 
when EventList 
if C then Action 

where EventList specifies a set of events that cause the rule to be triggered. The 
execution of a triggered rule involves the evaluation of the condition C, and if 
this evaluates to true, carrying out the actions specified in the list Action. The 
condition C, which determines when the rule is activated, is referred to as the 
activation condition of the rule; we sometimes also use the term termination 
condition for the rule to refer to the condition ¬C. 

Since the handling of aggregation operations is more or less orthogonal to 
the main focus of this paper, we make the simplifying assumption that any 
aggregation operations in active rules are applied to the entire relation, i.e., 
there is no aggregation over partitions of the relation computed using constructs 
such as the ‘group by’ clause of SQL. The basic idea is that if a rule computes 
an aggregate operation f on an attribute A of a relation R, we handle this using 
a dummy relation R_A_f containing a single tuple that has a single attribute 
whose value is that of the operation f applied to attribute A of R. Changes to 
the relation R through insert, delete, or update operations — including those in 
active rules — are considered to also modify such dummy relations appropriately, 
albeit in a conservative manner: that is, unless the new value of the aggregate 
can be predicted, its value is considered to be unknown and represented 
in the dummy relation using a null value. 

2.2 Constraint Systems 

For the purposes of this paper, constraints are first-order formulae over a signa- 
ture Σ, such that: the binary predicate symbol ‘=’ is in Σ; there are constraints 
that are identically true and identically false; and the class of constraints is 
closed under variable renaming, conjunction, and existential quantification. A 
constraint system is a system for maintaining and manipulating constraints over 
a constraint domain 𝒟, which is essentially a (first-order) structure, i.e., a uni- 
verse D together with an appropriate assignment of functions and relations over 
D to the symbols in Σ. Operations on constraints supported by the constraint 
system are assumed to include 

— A test for consistency or satisfiability: 𝒟 ⊨ (∃)c. 

— A test for implication (i.e., entailment) of one constraint by another: 
𝒟 ⊨ c_0 → c_1. 

— The projection of a constraint c_0 onto variables x̄ to obtain a constraint c_1 
such that 𝒟 ⊨ c_1 ↔ (∃ȳ)c_0, where ȳ = vars(c_0) − x̄ is the set of variables in 
c_0 except for those mentioned in x̄. 

It should be noted that typical constraint logic programming systems, such as 
CLP(ℛ) and SICStus Prolog (see also the survey by Jaffar and Maher 
[13]), support this level of functionality. 

In particular, we focus on the CLP(F) constraint system [ref], which is pow- 
erful enough for our needs and whose implementation is freely available. This is 
a constraint system over the reals that supports, in addition to the usual arith- 
metic and comparison operators, the functions abs(x), exp(x), log(x), x^n, x^y, as 
well as the trigonometric functions sin(x), cos(x), tan(x) and their inverses. Our 
implementation of this system uses interval constraints, and handles these func- 
tions using a reimplementation of the standard math library based on interval 
arithmetic. A detailed discussion of this system is omitted due to space con- 
straints: for our purposes it suffices to note that the constraint solver is queried 
with a quantifier-free first-order conjunction Q(x_1, . . . , x_n), interpreted as the 
question “do there exist any x_1, . . . , x_n such that Q(x_1, . . . , x_n)?” The solver re- 
sponds either with a set of real intervals I_1, . . . , I_n, interpreted as “if there exist 
any x_1, . . . , x_n such that Q(x_1, . . . , x_n), then for all such values it must be the 
case that x_1 ∈ I_1 and . . . and x_n ∈ I_n”, or indicates that there are no values 
for the variables x_i that satisfy Q(· · ·). A fundamentally important aspect of 
the system is that the constraint system is provably sound [refs], i.e., if the 
solver returns such a set of intervals I_1, . . . , I_n for a query Q(x_1, . . . , x_n), then it 
is guaranteed that for every solution x_1, . . . , x_n to the query it is the case that 
x_i ∈ I_i. However, completeness is not guaranteed in general, i.e., just because 
the solver returns a set of intervals does not imply that these are the minimal 
intervals containing all solutions to the query. 

3 Annotated Triggering Graphs 

Many termination analyses proposed in the literature use the notion of triggering 
graphs. A triggering graph is a directed graph where each vertex represents a rule 
and where there is an edge from vertex V_i to vertex V_j if the action of rule V_i can 
cause rule V_j to become triggered [ref]. We generalize this notion to that of “an- 
notated triggering graphs,” which additionally incorporate information, at each 
vertex, about the change(s) resulting from the activation of the corresponding 
rule. To this end, we first define how such changes might be represented. 

Definition 1. [Bounds Function] A bounds function over a schema S maps 
each attribute of S to a pair (lo, hi) where each of lo and hi is either ⊤ or a 
linear expression over (numerical) attributes in S. 

If a bounds function maps an attribute to (lo, hi), this indicates that lo is a lower 
bound on the values of that attribute while hi is an upper bound, with a value 
of ⊤ indicating a complete lack of knowledge (i.e., indicating that we cannot say 
anything about the values for the corresponding attribute), and non-⊤ values 
indicating definite knowledge. Note that these bounds are not restricted to be 
numbers, but may in general be expressions that depend on the values for other 
attributes. 

Definition 2. [Annotated Triggering Graph] Given a set of rules R with schema 
S, an annotated triggering graph is a pair (G, ℱ) where G = (V, E) is a con- 
ventional triggering graph, and ℱ maps each vertex in V to a bounds function 
over S. 

Thus, at each vertex of an annotated triggering graph, each attribute is mapped 
to a pair of expressions that specify upper and lower bounds on the values of that 
attribute. As an example, the rule in Example 1 would associate, with the ver- 
tex corresponding to the rule, the bounds function [Sal ↦ (0.9 * Sal, 0.9 * Sal)] 
(attributes that are not explicitly mentioned are assumed to not have changed, 
and are therefore mapped to themselves). This indicates that the result of the 
activation of the rule is to update each tuple so that the value of its Sal attribute 
is 90% of its old Sal value, while the other attribute values are left unchanged. 



3.1 Constructing Annotated Triggering Graphs 

This section describes a simple algorithm for constructing annotated trigger- 
ing graphs. It is quite conservative in its treatment of bounds, and can almost 
certainly be improved to increase its precision. Consider a rule 

rule RuleName on R 
when . . . 
if . . . 
then update R' 
set x = φ(y_1, . . . , y_n) where Cond 

The first question we consider is whether all of the tuples in R' will be modified. 
If the final where clause is absent, or Cond is identically true, then we know that 
all tuples in R' will have the value of attribute x set to φ(y_1, . . . , y_n). So in this 
case the bounds function maps x to (φ(y_1, . . . , y_n), φ(y_1, . . . , y_n)). 

Otherwise, if it is possible that only some of the tuples will be updated, we 
attempt to determine the relationship of the value of the expression φ(y_1, . . . , y_n) 
with that of x. Let C_0 be a conjunction of constraints on the possible values for 
various attributes, obtained from domain information for the database schema 
as well as integrity constraints on the database (C_0 is a global constraint and need 
be computed only once, at the beginning of the analysis). We then construct 
a constraint C = C_0 ∧ [z = φ(y_1, . . . , y_n) − x], where z is a new variable not 
appearing in C_0, and examine whether or not certain constraints on z are entailed 
by C (see Section 2.2 for our assumptions regarding entailment operations in 
constraint systems). We consider the following possibilities: 

— C entails z ≥ 0. This means that the value of x is non-decreasing as a result of 
the update. Since it is possible that only some of the tuples will be updated, 
an upper bound on the x attribute value is given by φ(y_1, . . . , y_n), while a 
lower bound is given by x. Thus, in this case we have the bounds function 
[x ↦ (x, φ(y_1, . . . , y_n))]. 

— C entails z ≤ 0. This means that the value of x is non-increasing. Reasoning 
as in the previous case, we get the bounds function [x ↦ (φ(y_1, . . . , y_n), x)]. 

— If neither of these previous two cases holds, we conclude that nothing can be 
said about the value of x after the update. The resulting bounds function is 
[x ↦ (⊤, ⊤)]. 



bc-3. 




■ b-x, y 



Fig. 1. An example of a cycle in an annotated triggering graph 



3.2 Reasoning about Annotated Triggering Graphs 

Once we have constructed an annotated triggering graph for a set of rules, we 
examine any cycles in this graph to determine the net effect of going around the 
cycle once. Intuitively, what we need to do is to somehow compose the bounds 
functions at each of the vertices in the cycle. Before discussing the details of 
how this should be done, we consider an example. Consider the cycle consisting 
of three vertices, shown in Figure 1. Suppose we wish to determine an upper 
bound on the change in the value of x at vertex r_1 when we go around the cycle 
once. Let the upper bound on x be denoted by x_max: after the execution of r_1, 
we use the upper bound on x, from the bounds function at this vertex, to obtain 
the constraint x_max = 2y − z. After the execution of rule r_2, the new value of 
z has bounds y − x ≤ z ≤ y. Since z appears with a negative coefficient in the 
expression 2y − z, we use the lower bound to obtain the constraint z = y − x. 
Composition (i.e., conjunction) of constraints then yields x_max = 2y − z ∧ z = 
y − x; projecting on x_max yields x_max = y + x. Finally, at vertex r_3, the bounds 
on y are x − 3 ≤ y ≤ x + 5; this time, since the coefficient of y is positive in 
the expression y + x, we use the upper bound x + 5. As before, we compose 
constraints to obtain x_max = y + x ∧ y = x + 5; this is then projected on x_max 
to yield x_max = 2x + 5. Thus, the value of x after going around this cycle once 
is (at most) 2x + 5, where x denotes its value before. 

This example illustrates how we summarize the effects of a cycle. To estimate 
an upper bound on the value of x at a vertex r after going around the cycle (the 
case for lower bounds is analogous), we start with the constraint x_max = E, 
where E gives the upper bound on x after r’s execution. We then work our way 
around the cycle: at each vertex we take the conjunction of the current constraint 
on x_max and constraints on the variables occurring in it, obtained from the bounds 
on these variables at that vertex given by the annotated triggering graph; the 
resulting constraint is then projected on x_max. During this process, we use the 
lower bound for a variable if it occurs negatively in the constraint associated 
with x_max, and the upper bound if it occurs positively. 

Given a constraint C and a set of variables¹ X = {x_1, . . . , x_n}, we use the 
notation ∃_X C to denote the constraint obtained by projecting away the vari- 
ables in X, i.e., ∃x_1 x_2 · · · x_n C. Let vars(E) denote the variables appearing in an 
expression E. Given an annotated triggering graph (G, ℱ) with schema S and a 
vertex r in G, let ℰ(r)(v), for any v ∈ S, denote the bound on v given by ℱ(r) and 
chosen as described above: the upper bound if v occurs positively in the expression 
being propagated, the lower bound if it occurs negatively. We can then formalize 
the procedure sketched above as follows. 

– Processing a single vertex r. Given a constraint C ≡ x_max = E, let C' be 
the constraint 

    C' ≡ ⋀_{v ∈ vars(E)} v = ℰ(r)(v). 

Since bounds functions map variables to linear expressions (Definition 1), 
each variable occurs at most once in E. Thus, C' imposes a single (equality) 
constraint on any such variable, and therefore is satisfiable. 

The result of propagating C through the vertex r is then given by 

    ProcVertex(r, C) = ∃_{vars(E)}(C ∧ C'). 

– Processing a sequence of vertices. The result of propagating a constraint C 
through a sequence of vertices s is given by ProcVertexSeq(s, C), where: 

ProcVertexSeq(ε, C) = C 

ProcVertexSeq(rs', C) = ProcVertexSeq(s', ProcVertex(r, C)). 

Here, ε denotes the empty sequence while rs' denotes the sequence whose 
first element is r and the remaining sequence is s'. 

– Processing a cycle. Given a cycle r_1 r_2 · · · r_n r_1, an upper bound on the change 
in the value of a variable x on going around the cycle once is given by 

ProcCycle(x, s) = ProcVertexSeq(s, ‘x_max = x’), 

where s = r_1 r_2 · · · r_n. 

The determination of a lower bound on the change in the value of a variable is 
analogous. 

Since bounds functions map variables to linear expressions (Definition 1), 
the procedure described above for computing ProcCycle(x, s) for a cycle s 
essentially involves composing a sequence of linear functions, and therefore yields 
a linear expression of the form ax + E. The effect on the value of x of going around 
the cycle n times can then be expressed as a difference equation x_n = a x_{n−1} + E, 
where x_i represents the value of x after i iterations around the cycle.² In general, 
the procedure described can yield a system of simultaneous linear difference 
equations. However, it is always possible to reduce a system of linear difference 
equations to a single linear difference equation in one variable [ref], so it suffices 
to consider the solution of a single linear difference equation in one variable. 

¹ Since our approach uses constraints on attribute values, we treat attributes as the 
variables in such constraints. In the remainder of the paper, therefore, we will use 
the terms attribute and variable interchangeably. 

² Again, note that this represents an upper bound on x, so strictly speaking we should 
write x_n ≤ a x_{n−1} + E. However, since we are concerned with proving termination in 
the worst case, when this maximum is actually realized, we simply use the equality. 
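The propagation procedure above, carried out in code for the cycle of Figure 1, as an added example (this is not code from the paper). Linear expressions are dictionaries from attribute to coefficient, a bounds function maps attributes to (lo, hi) pairs, and proc_vertex and proc_cycle play the roles of ProcVertex and ProcCycle: each variable of the current expression is replaced by its upper bound when its coefficient has the same sign as the bound being computed, and by its lower bound otherwise, with ⊤ (None) absorbing. The bounds at r1, r2 and r3 are those of the Section 3.2 example; the helper names lin, proc_vertex, proc_cycle and difference_equation are this example's own, not the paper's.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# A linear expression over attributes: variable -> coefficient.  The pseudo-variable
# "1" carries the constant term, so 2y - z + 5 is {"y": 2, "z": -1, "1": 5}.
# None stands for ⊤ (no information about the attribute).
Expr = Dict[str, Fraction]
Bound = Optional[Expr]
BoundsFunction = Dict[str, Tuple[Bound, Bound]]   # attribute -> (lo, hi)


def lin(**terms) -> Expr:
    """Build a linear expression; pass const=... for the constant term."""
    return {("1" if v == "const" else v): Fraction(str(c)) for v, c in terms.items()}


def add_scaled(acc: Expr, coeff: Fraction, e: Expr) -> None:
    """acc += coeff * e, dropping terms whose coefficient becomes zero."""
    for v, c in e.items():
        acc[v] = acc.get(v, Fraction(0)) + coeff * c
        if acc[v] == 0:
            del acc[v]


def proc_vertex(e: Bound, bounds: BoundsFunction, upper: bool) -> Bound:
    """ProcVertex: bound on the expression e after the vertex has executed.

    Every variable in e is replaced, simultaneously, by its bound at the vertex:
    the upper bound when the variable's coefficient has the sign of the bound we
    want (positive for an upper bound, negative for a lower one), otherwise the
    lower bound.  Attributes the vertex does not mention map to themselves."""
    if e is None:
        return None
    out: Expr = {}
    for v, c in e.items():
        if v == "1":
            add_scaled(out, Fraction(1), {"1": c})
            continue
        identity = {v: Fraction(1)}
        lo, hi = bounds.get(v, (identity, identity))
        chosen = hi if (c > 0) == upper else lo
        if chosen is None:          # ⊤ in an operand makes the whole bound ⊤
            return None
        add_scaled(out, c, chosen)
    return out


def proc_cycle(x: str, cycle: List[BoundsFunction], upper: bool) -> Bound:
    """ProcCycle: bound on x after one trip around the cycle r1 r2 ... rn,
    starting from the constraint x_max = x (or x_min = x)."""
    e: Bound = {x: Fraction(1)}
    for bounds in cycle:
        e = proc_vertex(e, bounds, upper)
    return e


def difference_equation(x: str, cycle: List[BoundsFunction]) -> Optional[Tuple[Fraction, Expr]]:
    """Split the upper bound a*x + E into (a, E); None when the bound is ⊤."""
    e = proc_cycle(x, cycle, upper=True)
    if e is None:
        return None
    return e.get(x, Fraction(0)), {v: c for v, c in e.items() if v != x}


# Figure 1 (constructed from the Section 3.2 example): r1 sets x to at most 2y - z
# with an unknown lower bound; r2 leaves z in [y - x, y]; r3 leaves y in [x - 3, x + 5].
FIG1_CYCLE: List[BoundsFunction] = [
    {"x": (None, lin(y=2, z=-1))},
    {"z": (lin(y=1, x=-1), lin(y=1))},
    {"y": (lin(x=1, const=-3), lin(x=1, const=5))},
]

# Example 1: the single-vertex cycle Sal -> (0.9*Sal, 0.9*Sal).
SALARY_CYCLE: List[BoundsFunction] = [{"Sal": (lin(Sal=0.9), lin(Sal=0.9))}]

if __name__ == "__main__":
    print(proc_cycle("x", FIG1_CYCLE, upper=True))    # {'x': 2, '1': 5}, i.e. 2x + 5
    print(proc_cycle("x", FIG1_CYCLE, upper=False))   # None: the lower bound at r1 is ⊤
    print(difference_equation("Sal", SALARY_CYCLE))   # (9/10, {}), i.e. x_n = 0.9 x_{n-1}
```

Because substitution at a vertex is simultaneous, a bound expression's own variables are not re-substituted at the same vertex; they refer to the values before that rule ran, which is what the conjunction-then-projection in ProcVertex expresses.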



3.3 Approximate Solution of Difference Equations 

Having obtained a difference equation as discussed above, we consider how it may 
be solved. The automatic solution of general difference equations is a difficult 
problem, but there is a wide class of equations that can be solved automatically, 
using either characteristic equations or generating functions [refs]. For the 
purpose of analysis of active database rules, however, we additionally require 
that the solution method used be efficient, even if this means sacrificing precision 
in some cases. For this reason, we use a table-driven method for computing 
an upper bound to the actual solution. Our approach is to use a “library” of 
difference equation templates together with a symbolic solution for each such 
template [ref]. The idea is to use pattern matching to identify a template 
that matches the equation obtained from the analysis described in Section 3.2. 
Once a match is obtained against a template, the solution to the equation can 
then be obtained by substituting into the symbolic solution for that template. In 
general, the library of difference equation templates will contain many different 
entries, and the pattern matching process will try to match a given equation 
against these templates in increasing order of the “size” of their solutions. If the 
equation cannot be matched against any template in the library, we attempt to 
use simplifying approximations, as described below. If no match can be obtained 
even after any applicable simplifying approximations, we give up and return the 
value ⊤, indicating that we cannot say anything about the solution. 

The idea can be illustrated by an example. Suppose that the difference equa- 
tion library has the template 

[template with parameters A, B and k; not legible in the source] 

together with the symbolic solution 

x_n = (x_0 + . . . [remainder not legible in the source], where x_0 is the initial value of x. 

Given an equation x_n = 0.9 x_{n−1}, pattern matching against this template suc- 
ceeds with A = 0.9, B = 0, k = 1; substituting these values into the symbolic 
solution yields the solution x_n = 0.9^n x_0. 

If the difference equation at hand cannot be matched against any template 
in the library, we attempt to approximate it in a way that is conservative, i.e., 
termination inferred from the approximating equation (as discussed in the next 
section) must imply termination of the original equation. Space constraints pre- 
clude a detailed discussion of such approximations: we outline the general ideas 
and illustrate them with an example. Suppose we have the difference equation 
x_n = 0.8 x_{n−1} − 0.15 x_{n−2}, and are trying to simplify it so as to match against 
the template shown above. To do this, we use the activation condition on x (see 
Section 2.1), obtained from the rule(s) involved in the cycle, to determine (i) 
whether the values of x are bounded above or below; and (ii) whether the values 
of the x_i are positive or negative. This is done using the entailment operation 
of the constraint system, in a manner very similar to that discussed in Section 3.1. 
For example, suppose that for this particular case we have the activation 
condition x > 100. Then, we have the following: 

(i) The termination condition for the rule is x ≤ 100, i.e., we have a lower bound 
on the value of x below which the rule will not be activated. This implies that 
we can use an upper bound on the actual difference equation for termination 
analysis. In other words, if we can construct a difference equation y_n = f(· · ·) 
such that y_n ≥ x_n for all n ≥ 0, and can use this equation to determine that 
eventually the values of y_n will satisfy the termination condition for the rule, 
then we can conclude that the original variable x_n would eventually satisfy 
the termination condition of the rule as well. If the termination condition 
implied an upper bound for x, then we would, analogously, construct an 
approximation that is a lower bound on x_n. 

(ii) The activation condition x > 100 implies that x is positive, so 0.15 x_{n−2} ≥ 0. This, 
in turn, implies that the expression 0.8 x_{n−1} is an upper bound on the expression 
0.8 x_{n−1} − 0.15 x_{n−2}. 

We therefore use the equation x_n = 0.8 x_{n−1} to approximate (from above) the 
original equation. The approximating equation can now be successfully matched 
against the template shown above. 

3.4 Extensions 

The discussion thus far has focused on numerical attributes and update op- 
erations. This section discusses how it can be extended to handle rules that 
manipulate certain kinds of non-numerical attributes, as well as to the use of 
operations other than updates, i.e., insertion and deletion of tuples. 

Our approach can be readily extended to any non-numeric domain S that has 
a partial order ≼ such that the poset (S, ≼) has no infinite descending chains. 
For any element s in such a domain S, let height(s) denote the length of the 
longest chain from any minimal element of S to s. For termination analysis, we 
use the height function to map domain values to numbers, then formulate and 
reason about difference equations as discussed. Thus, suppose we have the rule 

Whenever a professor A gets a raise, any professor in the same depart- 
ment who is more senior than A must also get a [commensurate] raise. 

Assuming that the “more senior than” relation is a partial order with no infinite 
chains, we can show that this rule — which can be self-activating — will neverthe- 
less eventually terminate. Notice that, unlike the approach of Weik and Heuer 
[ref], the poset (S, ≼) need not be a lattice: for example, in the rule above, we 
do not require the existence of a unique seniormost professor. 

The discussion in Section 3.1 on the construction of annotated triggering 
graphs focuses on update operations. This can be extended to handle insertion 
and deletion operations by reasoning about difference equations involving ag- 
gregate values such as the number of tuples in a relation. In the absence of 
any additional information, we can, at the very least, use the dummy relation 
R_Count, for handling the aggregation operation Count on a relation R (see Sec- 
tion 2.1), to monitor the number of tuples in R: the insertion of a tuple into R 
causes this value to increase by 1, the deletion of a tuple causes it to decrease 
by 1, and updates leave it unchanged. As an example, this can be used to infer 
termination of a cycle along which two tuples are deleted from a relation and one 
tuple inserted: we would obtain a difference equation stating that there is a net 
reduction of 1 tuple in the size of the relation each time around the cycle, and 
use this to determine that the deletions must eventually stop. This approach can 
be improved further using additional semantic information about the database, 
e.g., from integrity constraints. 

4 Static Termination Analysis 

The approach described in the previous section allows us to obtain an (upper 
bound) solution to a difference equation describing the effects of a cycle in the 
triggering graph. Ultimately, however, we are interested not so much in the 
solutions to these equations, but rather in determining whether or not the rule 
activations eventually terminate. Suppose that the activation condition for the 
rule under consideration is C(x). We use the constraint solver to determine an 
interval within which all of the values of n for which C(x_n) is true, i.e., for 
which the rule will be activated, must lie; termination can then be inferred by 
examining this interval. This is done as follows: 

1. We add constraints expressing upper and lower bounds on the value of x_0, 
denoted by MAXVAL and MINVAL, obtained from domain information for the 
database schema as well as any applicable integrity constraints; if there are 
no applicable constraints, these can simply be the largest and smallest nu- 
merical values representable on the system. Moreover, if C(x_0) is false the 
cycle of active rules will not be initially triggered (see Section 2.1), so we 
may assume that C(x_0) holds: this provides additional constraints on the 
values of x_0. Let the conjunction of these constraints on the possible values 
of x_0 be denoted by Bounds(x_0). 

2. Suppose the difference equation library associates, with the equation tem- 
plate we have matched, the solution x_n = ℰ(n, x_0), where ℰ(· · ·) is some 
expression involving n and x_0. We then solve the following constraint for n: 

(∃x_0, x_n, n)[Bounds(x_0) ∧ x_n = ℰ(n, x_0) ∧ n ≥ 0 ∧ C(x_n)]. (1) 

If the activation cycle is non-terminating then the constraint (1) will be true for 
all n ≥ 0. The constraint solver will return an interval I ⊆ [0, ∞] (or, if metalevel 
solvers are used [ref], a union I of intervals) and soundness of the solver implies 
that all n which satisfy this constraint must lie in I. If I is a proper subset of 
[0, ∞] which omits some positive integer m, then termination (in at most m 
steps) has been proved. If, on the other hand, I = [0, ∞], then nothing has been 
proved, and rule activation may indeed be nonterminating. 

Returning to the rule in the Example, the difference equation we obtain is 
$x_n = 0.9\,x_{n-1}$. For the rule under consideration, we have $C(x) = x > 100$. 
Suppose that in the system under consideration, MAXVAL $= 10^{100}$, which means 
$\mathit{Bounds}(x_0) = x_0 > 100 \wedge x_0 < 10^{100}$. We therefore solve the constraint 

$$x_0 > 100 \wedge x_0 < 10^{100} \wedge x_n = 0.9^n \cdot x_0 \wedge n > 0 \wedge x_n > 100.$$

In this case, the constraint solver yields the solution $n < 2142$ (see the footnote below). 

Notice that the constraint solver gives much more information than simply 
whether or not the cycle will terminate: it tells us that termination will occur 
after at most 2142 iterations of the cycle. This may seem high, but it is a result 
of the very large bound on the initial value $x_0$: it corresponds to starting out 
with an average salary of $10^{100}$. If tighter bounds are available on the value of 
$x_0$, then the bound on the maximum number of iterations of the cycle can be 
correspondingly tightened. For example, suppose we know, from the integrity 
constraints on the database, that the maximum (and hence the average) salary 
cannot exceed 100,000: the bound we get in this case is $n < 66$. Information 
about the maximum number of iterations of a cycle can be a useful design 
and/or debugging tool for the database designer, e.g., for detecting inadvertently 
omitted integrity constraints. It can also be useful, as discussed at the end of 
the next section, in application areas such as soft real-time systems, where we 
may be interested not just in whether a rule activation terminates, but also in the 
maximum number of iterations it may execute. 

Recall that a cycle in a directed graph is simple if no vertex in the cycle is 
also part of a different cycle. The following theorem gives the soundness of our 
termination analysis: 

Theorem. The procedure described for termination analysis is sound provided 
that all cycles in the triggering graph are simple. In other words, if the analysis 
infers that a cycle terminates, then it in fact terminates (equivalently, any cycle 
that may not terminate is inferred to be non-terminating). 




Fig. 2. An example of a non-simple cycle. 



The reason for the qualification that cycles should be simple is shown in Figure 2. 
The vertex in the center is part of two different cycles, so it is possible to have an 
execution where we go around cycle 1 some number of times, then around cycle 
2 some number of times, then back around cycle 1, and so on. It may happen 
that each of the two cycles shown, considered on its own, can be shown to be 
terminating, but the two taken together do not terminate: this can happen, for 
example, if cycle 1 inserts some tuples into a relation until a maximum count is 
reached, while cycle 2 deletes tuples from that relation until a minimum count 
is reached. We believe that our results can be extended to non-simple cycles 
provided that the cycles don’t “interfere” with each other, in the sense that one 
of them increases a value that is decreased by the other. We are currently looking 
into how our ideas may be extended to deal with arbitrary cycles. 

Footnote: Actually, the solution it returns is the interval [0, 2141.725842024721714551560581]. 
In our current implementation the execution time for this is about 10 ms. 

Finally, the discussion of the way in which the solution to a difference 
equation is used for termination analysis can be used to guide the construction of 
the difference equation library. In particular, it makes no sense to have a very 
precise solution to a particular equation template if the constraint system is not 
powerful enough to handle that solution. Thus, knowing the capabilities of the 
constraint system, we may choose to associate “approximate solutions” (i.e., 
upper and lower bounds, intended to be used as discussed at the end of Section ) 
that we know can be handled by the constraint system, if the exact 
solution cannot be handled by it. 

5 Dynamic Termination Analysis 

There may be situations where the approach described in the previous section 
does not work, i.e., we are unable to prove, statically, that a cyclic rule activation 
will necessarily terminate. This may happen either because the cycle is, in 
fact, potentially non-terminating, or because the constraint system is not powerful 
enough to solve the constraint (1) sufficiently precisely. Conventional static 
termination analyses would then reject the rule set for not being provably 
terminating. An alternative, however, would be to use dynamic termination analysis, 
where we insert code into the appropriate active rules to determine, when 
the rule is activated, whether that particular activation of the rules can be 
guaranteed to terminate. The latter approach gives us greater flexibility in handling 
rules, by allowing us to work with rules that may not be provably terminating 
via static termination analyses, but nevertheless guarantees that at runtime there 
will not be any nonterminating executions. 

The idea can be illustrated by the following variation on the Example mentioned 
at the end of Section : 

    if (Select Avg(Sal) from Emp) > 100 
    then update Emp 
         set Sal = 0.9*Sal + Bonus 

This rule will terminate if Bonus $< 10$; for values of Bonus $\geq 10$ the rule is 
nonterminating. Thus, if the value of Bonus is not known statically (e.g., if it 
is computed dynamically based on other values in the database), it will not be 
possible to prove the termination of this rule statically. Instead of rejecting the 
rule, however, we can introduce code into it to carry out dynamic termination 
analysis: the result would be to allow rule activation for situations where the 
value $B$ of Bonus guarantees termination and to reject it for values that do not. 
Suppose that at runtime, this rule is activated with $x_0 = 10{,}000$ and Bonus $= 9$. 
Then, given the static solution (see Section 3) 
$x_n = \bigl(x_0 - \frac{B}{1 - 0.9}\bigr) \cdot 0.9^n + \frac{B}{1 - 0.9}$ for 
the difference equation for the corresponding cycle, and the value $B = 9$, this 
runtime check would use the constraint solver to solve for $n$ in the constraint 

$$x_n = \Bigl(x_0 - \frac{B}{1 - 0.9}\Bigr) \cdot 0.9^n + \frac{B}{1 - 0.9} \wedge x_0 = 10000 \wedge B = 9 \wedge n > 0 \wedge x_n > 100.$$

In this case, the CLP(F) constraint solver infers the bound $n < 66$, which means 
that termination (in at most 66 steps) can be guaranteed. On the other hand, if at 
runtime we have Bonus $= 10$, the constraint solver infers the bound $n \in [0, +\infty]$, 
correctly indicating that the rule activation may not terminate. 
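As an added example (our own code, not the paper's or its CLP(F) implementation), the following Python reproduces both the static bounds of the previous section (2142 and 66 iterations) and the dynamic Bonus check above by solving the closed-form solution for n instead of iterating; it assumes the solution x_n = (x_0 - c)·a^n + c with c = b/(1 - a), and all function names are our own.

```python
# Added example (not from the paper): the termination bound of the static and the
# dynamic analysis, computed from the closed-form solution of the cycle's
# difference equation the way the constraint solver does, plus the runtime gate
# for soft real-time budgets.  Covers the recurrence family x_n = a*x_{n-1} + b with
# 0 < a < 1 (b = 0 is the Sal = 0.9*Sal rule, b = Bonus the variant of this section)
# and the rule condition C(x) = x > threshold.  Names and signatures are our own.
import math
from typing import Optional, Tuple


def iteration_bound(a: float, b: float, x0_hi: float,
                    threshold: float) -> Optional[Tuple[float, int]]:
    """Solve  Bounds(x0) and x_n = (x0 - c)*a^n + c and n >= 0 and C(x_n)  for n,
    where Bounds(x0) is threshold < x0 <= x0_hi and c = b/(1-a) is the fixed point.

    Returns (n_max, steps): the solved interval for n is [0, n_max] and the rule
    fires at most `steps` times.  Returns None when the constraint holds for every
    n >= 0, i.e. the activation may be non-terminating."""
    if not 0 < a < 1:
        raise ValueError("only contracting recurrences (0 < a < 1) are handled here")
    if x0_hi <= threshold:
        return (0.0, 0)              # C(x0) can never hold: the cycle is never triggered
    c = b / (1.0 - a)
    if c >= threshold:
        return None                  # x_n converges to c >= threshold: never falls below
    # x_n > threshold  <=>  a^n > (threshold - c) / (x0 - c).  The largest admissible
    # x0 gives the weakest constraint on n, so all solutions lie in [0, n_max] with
    n_max = math.log((x0_hi - c) / (threshold - c)) / -math.log(a)
    return (n_max, math.ceil(n_max))  # firings for n = 0, 1, ..., up to just below n_max


def simulate(a: float, b: float, x0: float, threshold: float, cap: int = 10_000) -> int:
    """Concrete run of the cycle (for cross-checking): count firings while C holds."""
    x, fired = x0, 0
    while x > threshold and fired < cap:
        x, fired = a * x + b, fired + 1
    return fired


def admit_activation(a: float, b: float, x0: float, threshold: float,
                     max_steps: int) -> bool:
    """Dynamic check with a soft real-time budget: admit the activation only if it
    provably terminates within max_steps firings."""
    bound = iteration_bound(a, b, x0, threshold)
    return bound is not None and bound[1] <= max_steps


if __name__ == "__main__":
    # Static analysis: MAXVAL = 10^100, then a 100,000 salary cap from the schema
    print(iteration_bound(0.9, 0.0, 1e100, 100))   # (2141.72..., 2142)
    print(iteration_bound(0.9, 0.0, 1e5, 100))     # (65.56..., 66)
    # Dynamic analysis: x0 = 10,000 known at activation time, Bonus = 9 vs 10
    print(iteration_bound(0.9, 9.0, 10000, 100))   # (65.47..., 66)
    print(iteration_bound(0.9, 10.0, 10000, 100))  # None: may not terminate
    print(admit_activation(0.9, 9.0, 10000, 100, max_steps=50))  # False
```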

An interesting aspect of this kind of dynamic termination analysis is that it 
allows runtime decisions based not just on whether or not a cycle terminates, 
but, if we wish, the maximum number of iterations that may be executed. This 
can be used for controlling rule activation in active databases within soft real- 
time systems. For example, suppose that based on runtime monitoring of rule 
activations, we decide that a particular cycle can be allowed to iterate at most 
50 times if the timing constraints are to be satisfied. Using our approach, we can 
test for this before the rule is activated: this allows more flexible systems (cyclic 
activations are permitted) but at the same time improves resource utilization 
(“bad” rule activations are rejected ahead of time, instead of having to be aborted 
if they are found to be running too long). 

The overhead of dynamic termination analysis for cycles can be reduced 
significantly by observing that, once we have verified that a sequence of cyclic 
rule activations will eventually terminate, it is not necessary to test it again and 
again as we go around the cycle during that sequence of rule activations. The 
dynamic termination check can therefore be moved out of the cycle, in a manner 
similar to the optimization of invariant code motion out of loops commonly 
carried out in compilers. 



6 Related Work 

There is a significant body of literature on termination analysis for active 
database rules. Among the earliest of these is the work of Aiken et al., who 
proposed using triggering graphs to reason about termination; this approach 
has subsequently been refined and improved by various authors. 
The general idea here is to use acyclicity of the triggering graph to infer 
termination; the relative precision of different analyses depends on their use of different 
techniques to remove edges from the triggering graph prior to the acyclicity test. 

Weik and Heuer describe an approach to identify terminating cycles in 
triggering graphs. They consider lattice-structured domains: a cycle is then 
inferred to be terminating if it represents an increasing operation in the lattice 
(i.e., values get mapped to “higher” values according to the lattice ordering) with 
a non-decreasing step size, and there is an upper bound on the resulting values 
(and dually with decreasing operations). While their goals are similar to ours, the 
details are very different. Their approach is unable to infer termination for rules 
such as that in the Example, since the step size of the operation in this example 
does not satisfy their criterion for being non-increasing. Moreover, as discussed 
in Section 3, our approach does not require lattice-structured domains. 

Bailey et al. use abstract interpretation for termination analysis of active 
rules. The idea is to reason about sequences of database states using an 
“approximate semantics,” and use fixpoint computation (over a lattice) to handle 
cycles. The algorithm described by these authors does not have any knowledge 
of arithmetic operations, and so cannot infer termination of rules such as that in 
the Example. A more fundamental problem is the issue of termination of the 
termination analysis itself. The usual approach taken in the abstract interpretation 
literature for proving termination of analyses is to assume that the abstract 
domain is Noetherian, i.e., does not contain any infinite ascending chains; such an 
assumption, while not explicitly stated, seems necessary for the work of Bailey 
et al. as well. This requirement restricts the structure of the abstract domains 
they are able to use. The restriction seems especially problematic for situations 
such as those considered here, where we have numeric domains such as the integers 
and reals, and where it may not be a priori obvious which subsets of these 
domains may be relevant for a particular rule set. This problem does not arise 
with our approach because we do not attempt to construct fixpoints iteratively. 
For this reason, we believe that the approach described in this paper is more 
precise than that of Bailey et al. 

Baralis et al. discuss the problem of dynamic termination analysis. Their 
approach is based on the idea of monitoring rule activations at runtime to detect 
situations where a database state is repeated during execution, thereby indicating 
nontermination. This is a sufficient condition for nontermination in general, 
and is necessary and sufficient for “function-free” rules, which do not introduce 
any new values into the database. The runtime monitoring of database states 
can be quite expensive, and Baralis et al. propose a number of optimizations to 
their basic scheme to reduce this cost. Their approach differs from ours in two 
important ways. First, our approach does not involve keeping track of 
(representations or encodings of) previously encountered database states, and so can 
be made more efficient. Second, cyclic activations involving real numbers, as 
illustrated by the examples considered in this paper, may introduce new values 
into the database (e.g., the series of values $0.9, 0.9^2, 0.9^3, \ldots$), and so are not 
function-free; for such rules, the technique of Baralis et al. gives a sufficient 
condition for nontermination but not a necessary one. This means that, at least in 
principle, there may be nonterminating executions that will not be detected as 
nonterminating by their analysis; however, such executions will be detected as 
nonterminating by the approach described in this paper. 

The table-driven approach described here for approximate solution of 
difference equations was developed by us in the context of optimized execution 
of parallel logic programs. We have subsequently used it for query 
size analysis for recursive rules in deductive databases and for estimating 
the computational cost of recursive logic programs. Caslog, a system 
for cost analysis of logic programs that is based on this work, is available 
via anonymous FTP from ftp://ftp.cs.arizona.edu/caslog and is part of 
the CIAO-Prolog distribution available at http://www.clip.dia.fi.upm.es. 
Our implementation of the CLP(F) constraint system is freely available at 
http://www.cs.brandeis.edu/~tim/ 
7 Conclusions 

Most existing approaches to termination analysis of active database rules rely 
on verifying that the triggering graph for those rules is acyclic. Because of this, 
they are unable to handle rules whose triggering graphs are inherently cyclic. 
Such rules can, nevertheless, be useful because they allow us to express, in a 
straightforward and natural way, situations that involve the repeated application 
of a set of active rules until some desired state is reached. This paper describes 
a constraint-based approach that can be used for termination analysis in such 
cases. The basic idea is to use a notion of annotated triggering graphs to capture 
the effect of going around a cycle in the triggering graph once, use this to estimate 
what happens after n executions of the cycle, and verify from this that the cyclic 
rule activation will eventually terminate. The idea can be readily generalized 
to allow dynamic termination testing, thereby allowing the analysis to cope 
with both proof systems that are not sufficiently powerful, and with rules that 
terminate sometimes but not necessarily always. 
Abstract. The aim of this paper is two-fold. First, we want to show 
that the recent extension of XSL with variables and passing of data 
values between template rules has increased its expressiveness beyond 
that of most other current XML query languages. Second, in an attempt 
to increase the understanding of this already wide-spread but not so 
transparent language, we provide an essential and powerful fragment 
with a formal syntax and a precise semantics. 



1 Introduction 

XSL is a current W3C proposal for an XML extensible stylesheet 
language. Its original primary role was to allow users to write transformations of 
XML to HTML, thus describing the presentation of XML documents. Nowadays, 
many people use XSL as their basic tool for XML to XML transformations, which 
renders XSL into an XML query language. It has been noted by the database 
community, though, that the transformations XSL can express are rather 
limited. For instance, XSL does not have joins or Skolem functions (and, hence, 
cannot do sophisticated grouping of output data). In other words, XSL lacks the 
most basic property any query language should have: it is not relationally 
complete. However, as the language is still under development, some features have 
changed over time. Recently various extensions were added to the language, 
the most apparent ones being the addition of variables and parameter passing 
between template rules. We show that these additions, together with the use of 
modes (which are actually states as used in finite state machines and which were 
already defined in earlier versions of XSL), render XSL into a powerful query 
language. Indeed, XSL not only becomes relationally complete, but it can do 
explicit grouping (with or without Skolem functions), it can simulate regular path 
expressions, and it can simulate most other current XML query languages. 

* The work of this author was supported by the EC TMR Network GETGRATS. 

** Research Assistant of the Fund for Scientific Research, Flanders. Work partly per- 
formed while visiting the University of California, San Diego. 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1137 ff., 2000. 
Actually, together with the addition of the new features, XSL was split into 
two parts: XSL Transformations (XSLT) and XPath. The latter contains 
the description of XSL’s associated pattern language, while the former defines 
the real transformation language. To emphasize that we are focusing on the 
transformation part, with the new features, we refer to XSL by XSLT in the rest 
of this paper. 

The main source for the definition of XSLT is its specification, which is a 
bit difficult to read, especially when one only wants an impression of how the 
language works or what it is capable of. To remedy this, we define an abstract 
formal model of XSLT incorporating not all of its features, but all of those which 
are necessary to simulate, say, XML-QL. The purpose of this model is two-fold: 
(i) the clean and formal semantics provides the necessary mathematical model 
for studying properties of XSLT; (ii) our formal model abstracts away from the 
actual syntax of XSLT and emphasizes its features in such a way that the 
interested reader can get a feeling of the language and what it is capable of. 

We use this model to gain some insight into XSLT. First, we obtain that XSLT 
can compute all unary monadic second-order (MSO) structural properties. In 
brief, MSO is first-order logic (FO) extended with set quantification and is an 
expressive and versatile logic: on trees, for instance, it captures many robust 
formalisms, like regular tree languages, query automata, and finite-valued 
attribute grammars. By structural patterns we mean MSO without 
joins, that is, we cannot check whether the values of two attributes are the 
same (see Section for details). In fact, Neven and Schwentick showed that, 
already w.r.t. structural patterns, MSO is more expressive than FO extended 
with various kinds of regular path expressions. Thus, as most current XML 
query languages are based on FO extended with regular path expressions, this 
already indicates that XSLT cannot be simulated by, say, XML-QL. 

Next, we study the expressiveness of XSLT. To study decidability of type 
checking, Milo, Suciu, and Vianu defined the k-pebble tree-transducer as 
a formalism capturing the expressiveness of all existing XML query languages, 
including XML-QL, XQL, Lorel, StruQL, UnQL and the 
previous version of XSL. Their model does not take value equality into account 
(needed for joins, for instance) but can easily be modified to do so. We obtain 
that XSLT can simulate this model. For more concrete simulations, we refer the 
interested reader to [citation], where we show how the XML-QL queries in [citation] can be 
expressed in actual XSLT. 

We want to emphasize that we do not provide a model for all of XSLT. For 
instance, we excluded for-loops and variables can only be instantiated by data 
values (not by result tree fragments or node-sets). The idea is that we want to 
use variables as a look-ahead or to fetch data values occurring ‘far’ from the 
current node. The resulting language is, hence, not Turing complete. The study 
of the properties of our formal model, however, is beyond the scope of the present 
    <!DOCTYPE organization [
      <!ELEMENT organization (group+, topmgrs)>
      <!ELEMENT topmgrs      (employee+)>
      <!ELEMENT group        ((mgr, group+) | employee+)>
      <!ELEMENT mgr          (employee)>
      <!ATTLIST employee     id ID #REQUIRED>
      <!ATTLIST group        id ID #REQUIRED>
    ]>

Fig. 1. A DTD describing an organization. 



paper. The most important fact is that the defined language is more expressive 
than the previous version of XSL as it is capable of doing joins (see footnote). 

The rest of the paper is structured as follows. In Section 2 we introduce the 
important features of XSLT by means of two examples. In Section 3 we define 
our formal model. Finally, in Section we obtain our expressibility results. 

2 XSLT by Example 

A basic XSLT program is a collection of template rules where each such rule 
consists of a matching pattern, a mode (which indicates the (finite) state the 
computation is in), and a template (see, for example, the program in Figure 2). 
The computation on a document t starts at its root in the start mode and 
proceeds roughly as follows. When the computation arrives at a node, say u, in 
a certain mode, say q, the program tries to find a template rule with mode q 
and whose matching pattern matches u. If it finds such a template rule, the 
program executes the corresponding template. The latter usually instructs XSLT 
to produce some XML output and, at various positions in this XML output, to 
select lists of nodes for further processing (we refer to patterns that select nodes 
for further processing as selecting patterns). Each of these selected nodes is then 
processed independently as before. Finally, the documents that are constructed 
by these subprocesses are inserted at the positions where the subprocesses 
were generated. 

To illustrate the new features of XSLT we use the DTD in Figure 1. It 
describes an organization as a sequence of groups together with a list of top 
managers. Each group has an ID, consists of a manager and a list of other groups, 
or just consists of a list of employees. For simplicity we identify employees by 
their ID. The XSLT program in Figure 2 computes pairs $(e_1, e_2)$ of employees, 

Footnote: In previous work we defined a formal model for the version of XSL not incorporating 
data values. 

Footnote: Actually, modes are optional, but for convenience we assume every template has one 
and there is a start mode. 

Footnote: Usually, and in all our examples, such a matching pattern only refers to the label of 
the current node. In fact, we show in Section that such patterns suffice. 
    <xsl:template match="organization" mode="start">
      <result>
        <xsl:apply-templates select="/organization/topmgr/employee"
                             mode="selecttopmgr"/>
      </result>
    </xsl:template>

    <xsl:template match="employee" mode="selecttopmgr">
      <xsl:variable name="varID">
        <xsl:value-of select="@id"/>
      </xsl:variable>
      <xsl:if test="$varID != 'Bill'">
        <xsl:apply-templates mode="display"
            select="//group[mgr/employee[@id=$varID]]/group//employee">
          <xsl:with-param name="varID" select="$varID"/>
        </xsl:apply-templates>
      </xsl:if>
    </xsl:template>

    <xsl:template match="employee" mode="display">
      <xsl:param name="varID"/>
      <pair>
        <xsl:attribute name="topmgrID">
          <xsl:value-of select="$varID"/>
        </xsl:attribute>
        <xsl:attribute name="employeeID">
          <xsl:value-of select="@id"/>
        </xsl:attribute>
      </pair>
    </xsl:template>

Fig. 2. An XSLT program computing the query of Section 2. 



where $e_1$ is a top manager different from Bill and is a direct or indirect manager 
of $e_2$. Pairs are encoded simply by a pair element with attributes topmgrID and 
employeeID (cf. Figure 4). 

On the face of it, the program just makes a join between the list of top 
managers and the group managers, that is, the ones occurring in the top manager 
list and the ones occurring as a manager of a group. However, it does 
so in a rather direct and procedural way. In brief, the XSLT program starts 
by applying the first template rule at the root in mode start. This rule selects 
each top manager (in mode selecttopmgr). In particular, the pattern 
/organization/topmgr/employee is matched against the current node which 
is labeled by organization and then selects all employee children of all topmgr 
children (the symbol / means ‘child of’). For each selected employee (in mode 
selecttopmgr), the second template rule is applied which stores the employee’s 
ID, say $e_1$, in the variable varID and verifies, by using the latter, whether $e_1$ 
    <organization>
      <group id="HR">
        <mgr><employee id="Bill"/></mgr>
        <group id="HR-prod">
          <mgr><employee id="Edna"/></mgr>
          <group id="HR-prod-empl">
            <employee id="Kate"/>
            <employee id="Ronald"/>
          </group>
        </group>
        <group id="HR-QA">
          <mgr><employee id="John"/></mgr>
          <group id="HR-QA-empl">
            <employee id="Jane"/>
            <employee id="Jake"/>
          </group>
        </group>
      </group>
      <topmgr>
        <employee id="Bill"/>
        <employee id="John"/>
      </topmgr>
    </organization>

Fig. 3. An XML document conforming to the DTD of Figure 1. 



is different from Bill. If so, it selects all the descendants of the group manager 
who has ID $e_1$ (in mode display). In particular, the selection pattern in the 
second template rule says ‘select all employees that are descendants of a group 
that itself is a child of a group whose manager has the same ID as the one stored 
in the variable varID’ (the symbol // means ‘descendant of’; the expression 
between the brackets ‘[...]’ is a filter on group elements). In this latter selection 
the XSLT program passes the ID $e_1$ along as a parameter. Next, for each 
employee $e_2$ selected by the latter selection, the program outputs an element pair 
with attribute values $e_1$ and $e_2$ for the attributes topmgrID and employeeID, 
respectively. 



    <result>
      <pair topmgrID="John" employeeID="Jane"/>
      <pair topmgrID="John" employeeID="Jake"/>
    </result>

Fig. 4. The output of the XSLT program of Figure 2 on the document of 
Figure 3. 
The above program is not the ‘best’ way in XSLT to compute the desired 
query, but it nicely illustrates the three most important features of XSLT: modes, 
variables, and passing of data values. Let us discuss these briefly: 

(i) Modes enable XSLT to act differently upon arrival at the same element 
types. For instance, as described above, when our program arrives at an 
employee element, its action depends on the actual mode, select or display, 
this element was selected in. 

(ii) Variables can be used for two purposes. The most apparent one, which is 
illustrated by the above query, is that they allow joins between data values to 
be performed. A less apparent application is to use them as a ‘look-ahead’. 
In Figure 5 we give a fragment of an XSLT program evaluating a binary 
tree, representing a Boolean circuit, to its truth value. Essentially, the use 
of variables allows for a bottom-up computation. The restriction to binary 
trees is just for expository purposes. In fact, it can be shown that XSLT can 
evaluate any bottom-up tree automaton over unranked trees. In brief, 
when arriving at an or-labeled node, the program returns the correct truth 
value based upon the truth values of the first and second subtree. 

(iii) Passing of data values to other template rules can be crucial for performing 
joins if the items that have to be joined are ‘far’ apart. Moreover, when node 
IDs are present in the XML document (see footnote), we can use this mechanism to place 
‘pebbles’ on the input document which enables us to do complicated grouping 
operations. 

It is exactly these three features which render XSLT into a quite powerful 
transformation language. 

In the next section, we give an abstract formal syntax for XSLT. First of all, 
we restrict matching patterns to test only the label of the current node (as is 
already the case in Figure 2). This is no restriction, as a theorem later in the paper shows that 
we can test many properties of the current node in the body of the template 
rule. Further, we divide a template rule into two parts: the variable definition 
part and the construction part. Variables can only be assigned data values. In 
particular, a variable can be defined as the value of some attribute of the current 
node or by an XSLT apply-templates statement that will return exactly one data 
value. We will refer to such special templates as selection template rules. In the 
construction part of the template rule, the actual output is defined relative to 
some conditions on the values of the variables, the parameters, the attribute 
values of the current node, and possibly whether the current node is the root, a 
leaf, or the first or last child of its parent. 

3 A Formal Model for XSLT 

3.1 Trees and Forests 

We start with the necessary definitions regarding trees and forests over a finite 
alphabet $\Sigma$ (the symbols in $\Sigma$ correspond to the element names of the XML 

Footnote: If not, XSL is capable of generating them itself (see Section ). 
    <xsl:template match="or">
      <xsl:variable name="arg1">
        <xsl:apply-templates select="./*[1]"/>
      </xsl:variable>
      <xsl:variable name="arg2">
        <xsl:apply-templates select="./*[2]"/>
      </xsl:variable>
      <xsl:choose>
        <xsl:when test="($arg1 = 'false') and ($arg2 = 'false')">
          <xsl:value-of select="'false'"/>
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="'true'"/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

Fig. 5. The fragment of an XSLT program evaluating tree-structured Boolean 
circuits that takes care of or-nodes. 



document the tree represents). To use these trees as adequate abstractions of 
actual XML documents, we extend them with attributes that take values from 
an infinite domain $D = \{d_1, d_2, \ldots\}$. 

The set of $\Sigma$-forests, denoted by $\mathcal{F}_\Sigma$, is inductively defined as follows: every 
$\sigma \in \Sigma$ is a $\Sigma$-forest; if $\sigma \in \Sigma$ and $f \in \mathcal{F}_\Sigma$ then $\sigma(f)$ is a $\Sigma$-forest; if $f_1, \ldots, f_n \in \mathcal{F}_\Sigma$ 
then $f_1 \cdots f_n$ is a $\Sigma$-forest. A $\Sigma$-tree is a $\Sigma$-forest of the form $\sigma(f)$. We 
denote the set of all $\Sigma$-trees by $\mathcal{T}_\Sigma$. Note that there is no a priori bound on the 
number of children of a node in a forest. In the following, whenever we say tree 
or forest, we always mean $\Sigma$-tree and $\Sigma$-forest. 

The reason we consider forests is that even when we use XSL for tree to tree 
transformations only, we sometimes need to specify template rules that construct 
forests. 

For every forest $f \in \mathcal{F}_\Sigma$, the set of nodes of $f$, denoted by $\mathrm{Nodes}(f)$, is the 
subset of $\mathbb{N}^*$ inductively defined as follows: if $f = \sigma(t_1 \cdots t_n)$ with $\sigma \in \Sigma$, $n \geq 0$, 
and $t_1, \ldots, t_n \in \mathcal{T}_\Sigma$, then $\mathrm{Nodes}(f) = \{\varepsilon\} \cup \{iu \mid i \in \{1, \ldots, n\},\ u \in \mathrm{Nodes}(t_i)\}$. 
If $f = t_1 \cdots t_n$, then $\mathrm{Nodes}(f) = \{iu \mid i \in \{1, \ldots, n\},\ u \in \mathrm{Nodes}(t_i)\}$. Thus, for a 
tree the node $\varepsilon$ represents its root and $ui$ represents the $i$-th child of $u$. Further, 
for a forest the node $iu$ represents the node $u$ of the $i$-th tree in the forest. 

Next, we add XML attributes to the above defined forests. To this end, 
for the rest of the paper, we fix a finite set of attributes $A$. An attributed forest 
with domain $S$ is a pair $(f, (\lambda^f_a)_{a \in A})$ with $f \in \mathcal{F}_\Sigma$ and where for each $a \in A$, 
$\lambda^f_a : \mathrm{Nodes}(f) \to S$ is a (partial) function assigning a value in $S$ to each node 
of $f$. We also write a set of all attributed forests with domain $S$. For $S$ 
we will usually take $D$. However, to create output in template rules we will use 
attributed forests over $D \cup \{x_1, \ldots, x_n\}$ where the variables refer to those defined 
by the variable defining part of the template. Of course, in real XML documents, 
usually, not all element types have the same set of attributes. Obviously, this is 
just a convenient, not a necessary restriction. In an analogous way one can define 
the set of attributed trees. For a set $B$, we also consider the set 
of attributed forests $f$ over $\Sigma \cup B$ such that symbols of $B$ may only appear at 
the leaves of $f$. Below, $B$ will be the set of apply-templates expressions. 

In our formal model we abstract away from a particular selection pattern 
language. Recall that XSLT uses the pattern language described in XPath 
(see [citation] for a formal semantics). Patterns can be rather involved, as illustrated 
by the second template rule in Figure 2 where the pattern depends on the value 
of the variable varID. In addition, patterns can also be moving instructions 
like select parent, left sibling, right sibling, or first child. Actually, the proof 
of our expressibility theorem indicates that such local selections only are enough to simulate 
all existing XML query languages. In the following, we assume an infinite set 
of variables $X$. We define a pattern over the variables $Y \subseteq X$ as a function 
$(\mathcal{T}_\Sigma \times (Y \to D)) \to (\mathbb{N}^* \to 2^{\mathbb{N}^*})$ and denote the set of all patterns over $Y$ by 
$\mathcal{P}_Y$. The idea is as follows. Let $p$ be a pattern, $t$ be a tree, and $\gamma$ be a variable 
assignment (for the variables in $p$). Then $p(t, \gamma)(u)$ is the set of selected nodes 
when the pattern is applied at node $u$. 

3.2 Syntax 

Definition 1. An XSLT program is a tuple $P = (\Sigma, \Delta, M^c, M^s, \mathrm{start}, R)$, where

— $\Sigma$ is an alphabet of input symbols;

— $\Delta$ is an alphabet of output symbols;

— $M^c$ and $M^s$ are finite sets of construction and selection modes;

— $\mathrm{start} \in M^c$ is the start mode; and

— $R$ is a finite set of construction and selection template rules (to be defined
below).

As mentioned at the end of Section [?], we distinguish between two types of tem-
plate rules: constructing and selecting ones. The former are used to create output.
So, the result of applying these is a forest. The latter are used to fetch data val-
ues. So, each one returns exactly one domain element. The mode determines
the nature of the template: constructing or selecting.

Definition 2. A construction apply-templates-expression $r$ (at-expression for
short) is of the form $q(p, z)$, where $q \in M^c$, $p$ is a pattern and $z$ is a possibly
empty sequence of variables in $\mathcal{X}$ and domain elements in $D$. A selection at-
expression is defined as a constructing one with the restriction that $q \in M^s$
and $p$ only selects single nodes, that is, for every tree $t$, each assignment of
variables $\gamma$, and each node $u$ of $t$, $p(t, \gamma)(u)$ is a singleton set. We denote the set
of construction (selection) at-expressions by $AT^c$ ($AT^s$).

For instance, the apply-templates expression in the second template of Figure [?]
is a constructing one and corresponds in our model to the expression

display(p, varID),

with p the pattern

//group[mgr/employee[@id=varID]]/group//employee.

Note that application of this pattern eventually leads to the generation of a 
pair element. So the expression is constructing in the sense that it eventually 
will produce output. 

Definition 3. An attribute expression is an expression of the form $a(.)$ where
$a$ is an attribute. An atomic test is one of the following: (i) an expression of
the form $x = y$ where $x$ and $y$ are attribute expressions, variables, or domain
elements; or, (ii) an expression of the form root, leaf, first-child, or last-child.
Finally, a test is a Boolean combination of atomic tests. 

During a computation the expressions a(.) will evaluate to the value of the 
attribute a of the current node. Further, root, leaf, first-child, last-child evaluate 
to true whenever the current node is the root, a leaf, the first or the last child 
of its parent. Selection template rules are defined next. Recall that they output 
one domain element. 

Definition 4. Let $q \in M^s$ and $\sigma \in \Sigma$. A $(q, \sigma)$-selection template rule is of the
form

template q(σ, x₁, ..., xₙ)
vardef
  y₁ := r₁; ...; yₘ := rₘ
return
  if c₁ then z₁; ...; if cₖ then zₖ
end

where $n, m \geq 0$, $k \geq 1$; and,

— all $x$'s and $y$'s are variables (the former are parameters while the latter are
local variables);

— each $r_i \in AT^s$ or is an attribute expression; further, if $r_i \in AT^s$ then every
variable occurring in it is among $y_1, \ldots, y_{i-1}, x_1, \ldots, x_n$;

— all $c_i$ are tests containing only variables in $X := \{x_1, \ldots, x_n, y_1, \ldots, y_m\}$;
and

— every $z_i$ is a domain element, a variable in $X$, or a selecting at-expression
with the restriction that all variables occurring in it should belong to $X$.



Definition 5. Let $q \in M^c$ and $\sigma \in \Sigma$. A $(q, \sigma)$-construction template rule is of
the same form as a selection rule only now each $z_i$ is a forest in $F^{D \cup X}_\Delta(AT^c)$
(recall that these are forests where attributes take values in $D \cup X$ and where
leaves may be labeled with constructing at-expressions) with the restriction that
each variable occurring in an at-expression occurring at a leaf of $z_i$ should be in
$X$.

To keep the model total and deterministic we require the existence of exactly
one $(q, \sigma)$-template rule for each mode $q$ and each $\sigma$. Further, to ensure that an
XSLT program generates tree to tree translations, we require that each $z_i$ in a
$(\mathrm{start}, \sigma)$-construction template rule is a tree (rather than a forest).

Example 6. We illustrate the above by translating the program in Figure [?] into
our syntax. The patterns $p_1$ and $p_2$ refer to the patterns in the first and second
template rule, respectively. In the second template rule display(p2, varID) is the
tree consisting of one node labeled with display(p2, varID); further, ε denotes the
empty tree. In the last rule, pair[topmgrID→varID; employeeID→myID] denotes
the tree $t$ consisting of one node where $\lambda^t_{\mathrm{topmgrID}}(\varepsilon) := \mathrm{varID}$ and
$\lambda^t_{\mathrm{employeeID}}(\varepsilon) := \mathrm{myID}$. For readability, we omitted the test 'if true then'.
All modes are constructing.

template start(organization)
return
  result(selecttopmgr(p1))
end;

template selecttopmgr(employee)
vardef
  varID := id(.);
return
  if varID ≠ Bill then display(p2, varID);
  if varID = Bill then ε
end;

template display(employee, varID)
vardef
  myID := id(.);
return
  pair[topmgrID→varID; employeeID→myID]
end;

3.3 Semantics 

To define the semantics we need the following. Let $w$ consist of a sequence of
variables of $\mathcal{X}$ and domain elements. For a function $\gamma : \mathcal{X} \to D$, we denote
by $w[\gamma]$ the sequence of domain elements obtained from $w$ by replacing each
occurrence of the variable $x$ in $w$ by $\gamma(x)$. By $x_1 \backslash d_1, \ldots, x_n \backslash d_n$ or $\bar{x} \backslash \bar{d}$ we denote
the function that maps each $x_i$ to $d_i$.

We next define the semantics of an XSLT program $P$ on a tree $t$. Thereto,
we need the following concept. A local configuration is an element of $\mathrm{Nodes}(t) \times (M^c \cup M^s) \times D^*$.
Intuitively, $\theta := (u, q, d_1, \ldots, d_n)$ means that the program has
selected node $u$ in mode $q$ with values $\bar{d}$ as parameters. For ease of presentation,
we define the result of $P$ on $\theta$, denoted by $P^*(\theta)$, in a direct and procedural
way. The latter has the advantage over the usual definition, in terms of rather
complicated but formally more correct rewrite relations, that it is more trans-
parent. The drawback is that it does not deal with the border case when XSLT
programs get into infinite cycles. However, it should be clear that $P^*(\theta)$ is un-
defined whenever one of the generated subprocesses computes forever. We defer
the formal semantics in terms of rewrite relations to the full version of the paper.
We distinguish between two cases. In both of these, let the label of $u$ be $\sigma$.

— Suppose $q$ is a selection mode. Then $P^*(\theta) \in D$. Let the $(q, \sigma)$-template rule
be of the form as specified in Definition 4, where each $r_i$ is $q_i(p_i, w_i)$ or the
attribute expression $a_i(.)$.

Intuitively, this template is evaluated as follows. First, the values of the
variables $y_1, \ldots, y_m$ are defined. Such a value can be an attribute value of
the current node or can be defined by invoking an at-rule that will compute
the desired data value. The output then is determined by $z_i$ where $c_i$ is the
first test that evaluates to true.

Suppose the variables $y_1, \ldots, y_m$ get assigned the domain values $e_1, \ldots, e_m$,
respectively. That is,

• if $r_i$ is an at-expression, then $e_i := P^*(v_i, q_i, w_i[\gamma_i])$, where $\gamma_i$ maps each
$x_j$ to $d_j$, for $j = 1, \ldots, n$, and $y_j$ to $e_j$ for $j = 1, \ldots, i-1$, and $v_i$ is the
node selected by $p_i$, that is, $p_i(t, \gamma_i)(u) = \{v_i\}$; or

• if $r_i$ is an attribute expression $a_i(.)$, then $e_i := \lambda^t_{a_i}(u)$.

Next, suppose $c_i$ is the first condition that evaluates to true by interpreting
each $y_j$ by $e_j$, $x_j$ by $d_j$, $a(.)$ by $\lambda^t_a(u)$, and root, leaf, first-child, last-child
by true iff $u$ is the root, a leaf, the first or the last child of its parent,
respectively. To ensure that the translation is total, we require that at least
one such $c_i$ exists.³ Then, $z_i$ determines the output value in the following
way. If $z_i$ is a constant, a variable, or an attribute expression then $P^*(\theta)$
equals the corresponding value. If $z_i$ is a selecting at-expression $q'(p, w)$,
then $P^*(\theta) := P^*(v, q', w[\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}])$ where $v$ is the node selected by $p$, that
is, $p(t, [\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}])(u) = \{v\}$.

— Suppose $q$ is a construction mode. Then $P^*(\theta) \in F^D_\Delta$. Let the $(q, \sigma)$-template
rule be of the form as specified in Definition 5. Suppose the variables $y_1, \ldots, y_m$
get assigned the values $e_1, \ldots, e_m$, as described above, and $c_i$ is the first
condition that evaluates to true. Then $z_i$ determines the output value in
the following way. Recall that $z_i$ is a forest in $F^{D \cup X}_\Delta(AT^c)$, that is, a forest
where attributes take values in $D \cup X$ and where leaves may be labeled with
constructing at-expressions. $P^*(\theta)$ is the forest obtained from $z_i$ by replacing

• every occurrence of a $y_j$ and an $x_j$ as the value of some attribute by the
data values $e_j$ and $d_j$, respectively;

• every occurrence $q'(p', w)$ of an at-expression at a leaf of $z_i$ by the forest

$P^*(u_1, q', w[\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}]) \cdots P^*(u_\ell, q', w[\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}])$,

where $p'(t, [\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}])(u) = \{u_1, \ldots, u_\ell\}$ and $u_1 \prec \ldots \prec u_\ell$ (here $\prec$
denotes document order). Recall that each $P^*(u_i, q', w[\bar{x} \backslash \bar{d}, \bar{y} \backslash \bar{e}])$ returns
an attributed forest.

³ Obviously, one could also add an 'otherwise' construct rather than having this con-
dition.

The initial local configuration is defined as $\theta_{\mathrm{start}} := (\varepsilon, \mathrm{start})$.

Definition 7. The result of an XSLT program $P$ on a tree $t$, denoted by $P(t)$,
is defined as $P^*(\theta_{\mathrm{start}})$.
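The semantics of Definitions 4 to 7 can be executed directly. The following interpreter is an added example, not code from the paper: it evaluates local configurations exactly as the two cases above prescribe (variable definitions in order, the first true test, at-expression leaves replaced by the concatenated results in document order) and runs the program of Example 6. Since the paper's figure is not reproduced here, the organization document and the pattern p1 (assumed to select every employee in the document) are constructed assumptions; p2 implements the pattern //group[mgr/employee[@id=varID]]/group//employee quoted in Section 3.2.

```python
# Added example: interpreter for the formal model of Definitions 4-7 on the
# program of Example 6.  The input document and the pattern p1 are constructed
# assumptions (the paper's figure is not reproduced here); p2 implements the
# pattern //group[mgr/employee[@id=varID]]/group//employee of Section 3.2.
class Node:
    """Tree node: label, attribute map (the functions lambda_a) and children."""
    def __init__(self, label, attrs=None, children=None):
        self.label, self.attrs, self.children = label, attrs or {}, children or []

def nodes(t, addr=()):
    """Nodes(t) in document order as (address, node); () is the root and
    addr + (i,) the i-th child of addr (1-based, as in Section 3.1)."""
    yield addr, t
    for i, child in enumerate(t.children, 1):
        yield from nodes(child, addr + (i,))

def at(t, addr):
    for i in addr:
        t = t.children[i - 1]
    return t

# A pattern maps (tree, assignment) to a function from a node address to the
# document-ordered list of selected addresses, abstracting from XPath.
def p1(t, gamma):                       # assumed: every employee in the document
    return lambda u: [a for a, n in nodes(t) if n.label == "employee"]

def p2(t, gamma):                       # //group[mgr/employee[@id=varID]]/group//employee
    def manages(g):
        return g.label == "group" and any(
            m.label == "mgr" and any(e.label == "employee" and e.attrs.get("id") == gamma["varID"]
                                      for e in m.children) for m in g.children)
    return lambda u: sorted({a for ga, g in nodes(t) if manages(g)
                             for i, sub in enumerate(g.children, 1) if sub.label == "group"
                             for a, n in nodes(sub, ga + (i,)) if n.label == "employee"})

# Rule = (parameters, vardef, branches).  A vardef right-hand side is ("attr", a)
# or ("apply", mode, pattern, args); a branch is (test, z) where z is a forest:
# a list of ("node", label, attrs, children) trees and ("apply", ...) leaves.
PROGRAM = {
    ("start", "organization"): ([], [], [
        (lambda env: True, [("node", "result", {}, [("apply", "selecttopmgr", p1, [])])])]),
    ("selecttopmgr", "employee"): ([], [("varID", ("attr", "id"))], [
        (lambda env: env["varID"] != "Bill", [("apply", "display", p2, ["varID"])]),
        (lambda env: env["varID"] == "Bill", [])]),          # the empty tree epsilon
    ("display", "employee"): (["varID"], [("myID", ("attr", "id"))], [
        (lambda env: True, [("node", "pair", {"topmgrID": "varID", "employeeID": "myID"}, [])])]),
}

def value(env, w):
    """w[gamma]: a variable is replaced by its value, a domain element is kept."""
    return env.get(w, w)

def result(prog, t, theta):
    """P*(theta) for the local configuration theta = (u, q, parameters)."""
    u, q, params = theta
    names, vardef, branches = prog[(q, at(t, u).label)]
    env = dict(zip(names, params))
    for y, rhs in vardef:                   # y_i := r_i, evaluated in order
        if rhs[0] == "attr":
            env[y] = at(t, u).attrs.get(rhs[1])
        else:
            _, qi, pi, wi = rhs
            (v,) = pi(t, env)(u)            # a selection pattern picks exactly one node
            env[y] = result(prog, t, (v, qi, [value(env, w) for w in wi]))
    for test, z in branches:                # the first test that evaluates to true wins
        if test(env):
            return build(prog, t, u, env, z)
    raise ValueError("no test evaluates to true: the rule is not total")

def build(prog, t, u, env, z):
    """Instantiate z: a domain element for selection rules, a forest otherwise."""
    if not isinstance(z, list):
        if isinstance(z, tuple) and z[0] == "apply":     # selecting at-expression
            _, q2, p, w = z
            (v,) = p(t, env)(u)
            return result(prog, t, (v, q2, [value(env, x) for x in w]))
        return value(env, z)
    forest = []
    for item in z:
        if item[0] == "apply":              # leaf replaced by P*(u_1, ...) ... P*(u_l, ...)
            _, q2, p, w = item
            args = [value(env, x) for x in w]
            for v in p(t, env)(u):
                forest += result(prog, t, (v, q2, args))
        else:
            _, label, attrs, kids = item
            forest.append(Node(label, {a: value(env, x) for a, x in attrs.items()},
                               build(prog, t, u, env, kids)))
    return forest

def run(prog, t):
    """P(t) := P*(theta_start) with theta_start = ((), start)."""
    return result(prog, t, ((), "start", []))

def example_document():
    """Constructed input: Bill's group contains Ann's group, which contains Carl's."""
    emp = lambda i: Node("employee", {"id": i})
    return Node("organization", {}, [Node("group", {}, [
        Node("mgr", {}, [emp("Bill")]),
        Node("group", {}, [Node("mgr", {}, [emp("Ann")]),
                           Node("group", {}, [Node("mgr", {}, [emp("Carl")])])])])])

def pairs(t):
    """The (topmgrID, employeeID) attribute pairs of the pair elements in P(t)."""
    (res,) = run(PROGRAM, t)
    return [(c.attrs["topmgrID"], c.attrs["employeeID"]) for c in res.children]
```

On the constructed document, `run(PROGRAM, example_document())` yields a single result tree whose only child is a pair element with topmgrID Ann and employeeID Carl: Bill is filtered out by the second rule, and Carl's group has no sub-groups, so p2 selects nothing for him. Totality (Definition 5) is only guaranteed here because the patterns select employees alone; a pattern selecting a node label for which no rule exists raises a KeyError, which is the interpreter's way of flagging a non-total rule set.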



3.4 Some Remarks 

We conclude this section with some remarks. First, we note that XSLT does not 
make the explicit distinction between constructing and selecting template rules, 
or even, between the variable definition part and the constructing part of a tem- 
plate rule. However, we feel that by making this explicit, programming becomes 
more structured. On the other hand, we did not incorporate everything XSLT 
has to offer. For instance, we refrained from including for-loops. Nevertheless, 
we show in the next section that we have captured a powerful fragment capable 
of simulating most existing XML query languages and even more. 

4 Expressiveness 

We next show that XSLT is capable of computing very expressive structural
patterns. Thereto, we first say how we view attributed trees as logical structures
(in the sense of mathematical logic [?]) over the binary relation symbols $E$
and $<$, and the unary relation symbols $(O_\sigma)_{\sigma \in \Sigma}$. The domain of $t$, viewed as
a structure, equals the set of nodes of $t$, i.e., $\mathrm{Nodes}(t)$. $E$ is the edge relation
and equals the set of pairs $(v, v \cdot i)$ for every $v, v \cdot i \in \mathrm{Nodes}(t)$. The relation
$<$ specifies the ordering of the children of a node, and equals the set of pairs
$(v \cdot i, v \cdot j)$, where $i < j$ and $v \cdot j \in \mathrm{Nodes}(t)$. For each $\sigma$, $O_\sigma$ is the set of nodes that
are labeled with a $\sigma$. The logic MSO* is MSO over the above vocabulary (with
MSO defined in the usual way, see, e.g., [?]) extended with atomic formulas of
the form $a(x) = d$, where $a$ is an attribute and $d \in D$. Denote the latter atomic
formula by $\varphi$. Its semantics is then defined as follows: $t \models \varphi[u]$ iff $\lambda^t_a(u) = d$,
that is, the attribute $a$ of $u$ has value $d$. Note that we do not allow atomic
formulas of the form $a(x) = b(y)$, so we do not allow joins. Note further that no
quantification over $D$ is allowed.
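The relational view just described, together with the node addressing of Section 3.1, can be made concrete in a few lines. The following is an added example, not code from the paper: it computes Nodes(t), the relations E and <, the label sets O_σ and the attribute functions λ_a from a nested tree, then expresses the node tests of Definition 3 (root, leaf, first-child, last-child) over E and < alone and evaluates the MSO* atomic formula a(x) = d. The sample tree is constructed.

```python
# Added example: an attributed tree as the logical structure of Section 4.
# A tree is (label, attrs, children); nodes are addressed by tuples as in
# Section 3.1, () being the root and u + (i,) the i-th child of u (1-based).
from collections import defaultdict

def walk(tree, addr=()):
    """Nodes(t) in document order, each paired with its node."""
    yield addr, tree
    for i, child in enumerate(tree[2], 1):
        yield from walk(child, addr + (i,))

def structure(tree):
    """Return the domain Nodes(t), the edge relation E, the sibling order <,
    the label sets O_sigma and the attribute functions lambda_a."""
    domain, E, LT = set(), set(), set()
    O, lam = defaultdict(set), defaultdict(dict)
    for v, (label, attrs, children) in walk(tree):
        domain.add(v)
        O[label].add(v)
        for a, d in attrs.items():
            lam[a][v] = d
        n = len(children)
        E.update((v, v + (i,)) for i in range(1, n + 1))
        LT.update((v + (i,), v + (j,)) for i in range(1, n + 1) for j in range(i + 1, n + 1))
    return domain, E, LT, O, lam

# The atomic tests of Definition 3, expressed over E and < alone.
def is_root(E, u):
    return not any(w == u for _, w in E)          # nothing points at u

def is_leaf(E, u):
    return not any(v == u for v, _ in E)          # u points at nothing

def is_first_child(E, LT, u):
    return not is_root(E, u) and not any(w == u for _, w in LT)

def is_last_child(E, LT, u):
    return not is_root(E, u) and not any(v == u for v, _ in LT)

def holds(lam, a, u, d):
    """t |= phi[u] for the MSO* atomic formula phi = (a(x) = d): lambda_a(u) = d."""
    return lam[a].get(u) == d

SAMPLE = ("organization", {}, [                    # constructed input tree
    ("employee", {"id": "Bill"}, []),
    ("employee", {"id": "Ann"}, [("employee", {"id": "Carl"}, [])]),
])
```

Because the tests and the atomic formula are computed from E, < and λ_a only, they are exactly the facts an MSO* formula over this vocabulary can refer to, which is the setting of Theorem 8 below.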

Clearly, MSO* can define all XPath matching patterns. The next theorem
says that XSLT is capable of expressing all unary MSO* patterns. In particular,
this means that one does not need matching patterns in templates. That is,
XSLT actually allows to specify rules like

<xsl:template match="p" mode="q">

where p is a matching pattern rather than just a label. It means that a rule can
only be applied on nodes that satisfy p. The next theorem implies that one can
test for p in the body of the template rule and, hence, does not need matching
patterns. Due to space limitations we omit the proof. We refer the interested
reader to [?].

Theorem 8. Let $\varphi(x)$ be an MSO* formula. There exists an XSLT program $P$
and a mode $q_\varphi$ such that $P^*(u, q_\varphi) = \mathrm{true}$ iff $t \models \varphi[u]$.

To study decidability of type checking, Milo, Suciu, and Vianu defined
the $k$-pebble tree-transducer as a formalism capturing the expressiveness of most
existing XML query languages. Such transducers transform binary trees into
other binary trees.⁴ We next describe such deterministic transducers with equal-
ity tests on data values. The $k$-pebble deterministic tree-transducer uses up to
$k$ pebbles to mark certain nodes in the tree. Transitions are determined in a
unique way by the current node symbol, the current state (or mode), the pres-
ence/absence of the various pebbles on the current node, and equality tests on the
attribute values of the nodes the pebbles are located on. Pebbles are ordered and
numbered from 1 to $k$. The machine can place pebbles on the root, move them
around, and remove them (actually, the use of the pebbles is restricted by a stack
discipline which ensures that the model does not become too powerful, that is,
accepts non-tree-regular languages). There are move transitions and output tran-
sitions. Move transitions are of the following kind: move-to-parent, move-to-first-
child, move-to-last-child, move-to-left-sibling, move-to-right-sibling, remain-and-
change-state, place-new-pebble, and pick-current-pebble. There are two kinds of
output transitions. A binary output outputs a $\Sigma$-symbol $\sigma$, possibly with at-
tributes defined as an attribute value of a pebbled node, and spawns two com-
putation branches that compute, independently of each other, the left and the
right subtree of $\sigma$. Both branches inherit the positions of all pebbles on the input
and do not communicate with each other, that is, each branch moves the pebbles
independently of the other. In a nullary output, the node being output is a leaf
of the output tree, again possibly with attributes, and the computation halts.

It should be clear that, apart from the pebbles, the above described model
is extremely close to XSLT: XSLT is equipped with modes (states), can do local
movements and the simple output transitions. Under the assumption that each
node has a unique id, XSLT can also simulate pebbles.⁵ Indeed, we just use $k$
variables $x_1$ up to $x_k$, where at each time instance $x_i$ contains the id of the node
on which the $i$-th pebble is located. The above discussion immediately leads
to the next theorem which implies that XSLT can simulate most other current
XML query languages, like for instance, XML-QL [?]. We refer the interested
reader to [?] where we show how the XML-QL queries in [?] can be expressed in
actual XSLT.

⁴ When proving properties of XML transformations, restricting to binary trees is usu-
ally sufficient as unranked ones can be encoded into ranked ones; of course, this is
not the case when one tries to define a formal model for XSLT which works directly
on unranked trees.

⁵ Actually, this assumption is not necessary as XSLT is equipped with the function
generate-id(.) which generates a unique id for the current node. Furthermore, this id
only depends on the current node, that is, when invoked for the same node several
times it will return the same value. So there is no need to store the node id's; they
can be computed on demand.

Theorem 9. XSLT can simulate k-pebble deterministic tree-transducers with 
equality tests on data values. 

We point out that non-deterministic tree-transducers can be simulated by giving 
a non-deterministic semantics to XSLT in the obvious way. 

5 Discussion 

The present paper shows that the recent additions to XSLT render it into a 
powerful transformation language. We are rather hesitant, however, to accept or 
promote XSLT as the standard XML query language. Our main objection is that 
XSLT is much too procedural for a query language and therefore too difficult for 
the average user. On the other hand, as indicated by its widespread use, XSLT 
is highly adequate for the simple transformations it was intended for (recall that 
XSL was originally intended just for XML to HTML transformations). These 
simple XSLT programs are typical one pass transformations from the root to 
the leaves of the document. Performing joins and doing complicated grouping 
operations seem to require XSLT programs to traverse the input document many 
times in several directions and are therefore more difficult to write, especially 
for people with little programming experience. 
Abstract. Patterns for matching parts of XML documents are used in
a number of areas of XML document management: in links between doc- 
uments, in templates for document transformation, and in queries for 
document retrieval. The W3C has defined XSLT patterns as a common 
sub-language for all these applications. We study the equivalence prob- 
lem for XSLT patterns by defining a logic-based data model for XML and 
a semantics for XSLT patterns in terms of Datalog programs. Although 
uniform equivalence of Datalog programs is not sufficient to capture the 
equivalence of programs derived from XSLT patterns, we nevertheless 
show that equivalence can be decided by a variant of the chase pro- 
cess using embedded tuple-generating dependencies. One advantage of 
this approach is that the method can easily be extended to determine 
equivalence when documents are known to satisfy constraints imposed 
by document type definitions. 



1 Introduction 

In structured document representation and processing, the need to refer to or 
select parts of documents arises frequently. This might be in order to specify a 
link from one document to a part of another, to match document elements in 
order to transform them using a stylesheet, or to query documents to find those 
elements matching a given pattern. For XML documents, these requirements can 
be addressed by XPointer [?], XSL [?] and, for example, XQL [?] respectively.

XPointer, XSLT (the transformation sub-language of XSL) and XQL share a 
common core pattern language, which we will refer to as XSLT patterns. When 
applying an XSL stylesheet to a document, for example, one of these patterns p 
can either be used to find elements x in the document which match the pattern, 
or be applied in the context of some element in order to select other elements. 

Example 1. Consider an XML document d representing a UML statechart di- 
agram. Some of the possible element names in d are CompositeState, State, 
Transition, ActionSequence and Event. The simplest form of XSLT pattern 
is an element name. For example, the pattern State matches all elements in 
d whose name is State. If the same pattern were applied in the context of an 
element e, it would select the child elements of e whose name is State. 

More complicated patterns are built from simpler ones using operators such 
as /, [] and //. Patterns which appear inside the operator [] are known as 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1152–[?], 2000.

qualifiers. For example, in the context of element e, (i) State/Transition se-
lects Transition elements which are children of State elements which are chil-
dren of e, (ii) State[Transition] selects State elements which are children
of e and have some Transition element as a child, (iii) State[Transition]
[ActionSequence] selects State elements which are children of e and have
as children both a Transition element and an ActionSequence element, and
(iv) CompositeState//State selects State elements which are descendants of
CompositeState elements which are children of e. □

In this paper, we study the equivalence problem for XSLT patterns by con-
sidering containment between patterns. We say that pattern $p_2$ contains pattern
$p_1$, written $p_1 \sqsubseteq p_2$, if, for all documents $d$, the set of elements in $d$ matched by
$p_2$ contains the set matched by $p_1$. Patterns $p_1$ and $p_2$ are equivalent, written
$p_1 \equiv p_2$, if $p_1 \sqsubseteq p_2$ and $p_2 \sqsubseteq p_1$. The motivation for studying equivalence is
the possibility of replacing patterns by simpler, equivalent ones when linking,
transforming or querying XML documents.

Example 2. Consider the XSLT patterns

$p_1$ = State[ActionSequence/Event][ActionSequence],
$p_2$ = State[ActionSequence/Event], $p_3$ = State[ActionSequence], and
$p_4$ = State. Examples of containments are $p_1 \sqsubseteq p_2 \sqsubseteq p_3 \sqsubseteq p_4$. It is also easy
to see that $p_2 \sqsubseteq p_1$; hence, $p_1 \equiv p_2$ and the expression [ActionSequence] is
redundant in $p_1$. □

The definition of equivalence of XSLT patterns relies on knowing their seman- 
tics when applied to XML documents. Wadler has recently proposed a formal
XML data model and given a denotational semantics for XSLT patterns [?].
We rephrase his model and semantics in terms of Datalog. In particular, we 
represent an XML document as a set of facts and so-called model rules, and for 
each XSLT pattern p, derive a Datalog program which defines the semantics of 
p. The containment and equivalence of XSLT patterns is then defined by the 
containment and equivalence of their associated Datalog programs. 

Each XSLT pattern in Example 2 corresponds to a non-recursive Datalog
program, so testing containment is no harder than testing containment of con-
junctive queries [?]. However, patterns which use the // operator give rise to
recursive Datalog programs, where, in general, containment is undecidable [?].
In [?] Sagiv defined the stronger notion of uniform containment of Datalog
programs, showed that it is decidable, and gave an algorithm for minimizing a
Datalog program under uniform equivalence. Given programs $P_1$ and $P_2$ corre-
sponding to patterns $p_1$ and $p_2$, respectively, if we can show that $P_2$ uniformly
contains $P_1$, written $P_1 \sqsubseteq^u P_2$, then we can conclude that $p_1 \sqsubseteq p_2$.

Example 3. Let Datalog programs $P_5$ and $P_6$ correspond to the XSLT patterns
$p_5$ = CompositeState//State//Event and $p_6$ = CompositeState//Event, re-
spectively. In Section [?] we show that $P_5 \sqsubseteq^u P_6$; hence $p_5 \sqsubseteq p_6$. □

Unfortunately although showing uniform containment is sufficient to show
containment, it is not always necessary, even for the restricted class of Datalog
programs which correspond to XSLT patterns. In other words, there are pairs
of patterns $p_1$ and $p_2$ for whose programs $P_1$ and $P_2$ it is the case that $P_1 \sqsubseteq P_2$,
but $P_1 \not\sqsubseteq^u P_2$.

Example 4. The symbol * in an XSLT pattern matches any element name.
Consider the XSLT patterns $p_7$ = CompositeState//*/Transition and $p_8$ =
CompositeState/*//Transition, along with their corresponding programs $P_7$
and $P_8$. It turns out that $P_7 \equiv P_8$ and hence $p_7 \equiv p_8$, but that $P_7 \not\sqsubseteq^u P_8$
and $P_8 \not\sqsubseteq^u P_7$. Note that the equivalence only holds because of the use of * in
$p_7$ and $p_8$. For patterns $p_9$ = CompositeState//State/Transition and $p_{10}$ =
CompositeState/State//Transition, it is the case that $p_9 \not\equiv p_{10}$. □
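The claims of Examples 1 to 4 can be exercised on a concrete document. The evaluator below is an added example, not code from the paper: it parses the pattern fragment used in these examples (element names, *, /, // and [] qualifiers), selects elements relative to a context element, and treats an element as matched when some context selects it. A single document cannot prove a containment or an equivalence, but a document on which two patterns match different elements is a witness against equivalence; the constructed statechart below contains such a witness (the Transition t4) for p9 and p10, while p7 and p8, and p1 and p2, agree on it as the examples state.

```python
# Added example: evaluator for the XSLT pattern fragment of Examples 1-4,
# checked against a constructed statechart document.
class Elem:
    def __init__(self, name, ident, children=()):
        self.name, self.ident, self.children = name,ident, list(children)

    def descendants(self):              # proper descendants, document order
        for c in self.children:
            yield c
            yield from c.descendants()

def parse(pattern):
    """Parse into steps (axis, name, qualifiers); axis is 'child' for / and
    'desc' for //; each qualifier is itself a parsed pattern."""
    parts, buf, depth = [], "", 0
    for ch in pattern:                  # split on '/' outside brackets
        depth += (ch == "[") - (ch == "]")
        if ch == "/" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    steps, axis = [], "child"
    for part in parts:
        if part == "":                  # an empty part between two '/' is the // axis
            axis = "desc"
            continue
        name, quals, depth, start = "", [], 0, 0
        for i, ch in enumerate(part):
            if ch == "[":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == "]":
                depth -= 1
                if depth == 0:
                    quals.append(parse(part[start + 1:i]))
            elif depth == 0:
                name += ch
        steps.append((axis, name, quals))
        axis = "child"
    return steps

def select(steps, context):
    """Elements selected by a parsed pattern in the given context; a qualifier
    [q] holds for an element if q selects something in the context of it."""
    current = [context]
    for axis, name, quals in steps:
        chosen = []
        for n in current:
            for c in (n.children if axis == "child" else n.descendants()):
                if (name == "*" or c.name == name) and all(select(q, c) for q in quals):
                    if c not in chosen:
                        chosen.append(c)
        current = chosen
    return current

def matches(pattern, root):
    """Identifiers of the document elements matched by the pattern, i.e.
    selected by it in the context of some element."""
    steps = parse(pattern)
    hits = set()
    for ctx in [root, *root.descendants()]:
        hits.update(e.ident for e in select(steps, ctx))
    return sorted(hits)

def statechart():
    """Constructed document; t4 is a Transition nested below an ActionSequence."""
    return Elem("Model", "m", [
        Elem("CompositeState", "cs", [
            Elem("State", "s1", [Elem("Transition", "t1"),
                                 Elem("ActionSequence", "as1", [Elem("Event", "ev1"),
                                                                Elem("Transition", "t4")])]),
            Elem("CompositeState", "cs2", [Elem("State", "s2", [Elem("Transition", "t2")]),
                                           Elem("Transition", "t3")])])])
```

On this document p9 matches t1 and t2 only, whereas p10 also matches t4, because t4 lies below a State child of the CompositeState but is not a direct child of any State; p7 and p8 both match all four Transitions, as the argument with * predicts.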

In [?] Sagiv introduced a procedure which can sometimes be used to show
containment of recursive Datalog programs when uniform containment does not
hold. The procedure requires finding an appropriate set of tuple-generating de-
pendencies (tgds), and may not terminate. We show that, for Datalog programs
$P_1$ and $P_2$ corresponding to XSLT patterns, Sagiv's procedure need only use a
fixed set of two tgds and is guaranteed to decide whether $P_1 \sqsubseteq P_2$.

It may be argued that the scope for the kinds of simplifications suggested in 
the above examples may be limited in practice, and that defining the equivalence 
of XSLT patterns in terms of equivalence of Datalog programs is unnecessarily 
complicated. We believe, however, that when documents satisfy a given document 
type definition (DTD), the potential for pattern simplification will be far greater, 
not least because people authoring or querying documents may not take the 
trouble to find out or understand the constraints imposed on documents by 
the DTD. Mapping XSLT patterns to Datalog programs gives us a well-defined 
framework within which to study equivalence under various DTD constraints. 
Some of these constraints have been identified by Bohm et al. [?], while their
connection to tgds and query optimization has been described in [?].

In the next section, we discuss research which is related to the present paper.
In Section 3 we cover the necessary background on containment of Datalog
programs. This is followed in Section [?] by the definition of our logic-based data
model for XML as well as the syntax and Datalog semantics of XSLT patterns.
The main results concerning containment and equivalence of XSLT patterns are
presented in Section [?]. The final section gives conclusions and directions for
further research.

2 Related Work 

In common with the present paper, Neven and Van den Bussche study the trans-
lation of structured document queries into deductive rules [?]. Their queries,
however, are based on Boolean-valued attribute grammars, and their main con-
cern is with defining the correct semantics for the deductive rules. They do not
consider equivalence of queries.

Maneth and Neven define a document transformation language
which is based on XSL and uses regular expressions as the pattern language [?].
Although they do address the issue of equivalence of selection patterns, regular
expressions are not sufficient to capture the expressiveness of patterns in XSLT. 

Containment of conjunctions of regular path queries is proved decidable
in [?]. Conjunctions of regular path queries are sufficiently similar to XSLT

patterns that it is probable that the decidability of equivalence for the latter 
follows from the decidability of equivalence for the former. However, our main 
contribution is not that containment for XSLT patterns is decidable, but that 
the chase procedure using embedded tuple-generating dependencies can be used 
as a decision procedure for containment of Datalog programs derived from XSLT 
patterns. 

Although not the main focus of the present paper, results on query rewrit-
ing using constraints derived from document type definitions (DTDs) are also
relevant. Bohm et al. [?] optimise expressions in the PAT algebra us-
ing DTD constraints. These constraints are similar to those which we proposed
independently in [?], where we show that they correspond to tuple-generating
dependencies when documents are viewed as relational structures.

Papakonstantinou and Vassalos study rewriting a query expressed in a lan-
guage called TSL in terms of a set of views [?]. They include some rewritings
based on DTD constraints similar to some of those in [?]. Liefke, on the other
hand, is concerned with using DTD constraints to rewrite queries concerning the
order of elements in XML documents [?], a property we do not represent in our
model.

We are not aware of any work on the equivalence of XSLT patterns in general.
Wadler has recently given a denotational semantics for XSLT patterns which
he uses to prove the equivalence of three particular pairs of patterns. We will
reformulate his semantics in terms of Datalog programs in Section [?]. Finally,
we draw heavily on Sagiv's results on equivalence of Datalog programs [?]. We
review these in the next section.



3 Containment of Datalog Programs 

Containment of Datalog programs has been studied extensively by Sagiv [?].
We summarise his definitions and results in this section, following his notation,
except that we use either upper-case letters or mixed-case strings as predicate
names, lower-case letters as variables, and upper-case strings as constants.

Datalog programs comprise both extensional and intensional predicates. A
relation $q$ for a predicate $Q$ is a set of ground atoms of $Q$. If $q_1, \ldots, q_n$ are
relations for the predicates $Q_1, \ldots, Q_n$, respectively, then $\langle q_1, \ldots, q_n \rangle$ denotes
their union.

Let $P$ be a program with extensional predicates $E_1, \ldots, E_n$ and intensional
predicates $I_1, \ldots, I_m$. The input to program $P$ is the extensional database (EDB)
$\langle e_1, \ldots, e_n \rangle$, where each $e_i$ is a relation for $E_i$, $1 \leq i \leq n$. The output computed
by $P$, denoted $P(\langle e_1, \ldots, e_n \rangle)$, is a relation for each intensional predicate, which
is called the intensional database (IDB), although, to simplify notation, we will
define the output to be both the EDB and IDB, called the database (DB). Also
in order to define uniform containment, we need to view the input to $P$ as
comprising both an EDB $\langle e_1, \ldots, e_n \rangle$ and an IDB $\langle i_1, \ldots, i_m \rangle$. In this case, the
output computed by $P$ is denoted $P(\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle)$.

Let $P_1$ and $P_2$ be programs with extensional predicates $E_1, \ldots, E_n$ and inten-
sional predicates $I_1, \ldots, I_m$. Program $P_1$ contains program $P_2$, written $P_2 \sqsubseteq P_1$,
if for all EDBs $\langle e_1, \ldots, e_n \rangle$, it is the case that $P_2(\langle e_1, \ldots, e_n \rangle) \subseteq P_1(\langle e_1, \ldots, e_n \rangle)$.
Programs $P_1$ and $P_2$ are equivalent, written $P_1 \equiv P_2$, if $P_1 \sqsubseteq P_2$ and $P_2 \sqsubseteq P_1$.
Program $P_1$ uniformly contains program $P_2$, written $P_2 \sqsubseteq^u P_1$, if for all pairs
of an EDB $\langle e_1, \ldots, e_n \rangle$ and an IDB $\langle i_1, \ldots, i_m \rangle$, it is the case that

$P_2(\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle) \subseteq P_1(\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle)$.

Programs $P_1$ and $P_2$ are uniformly equivalent, written $P_1 \equiv^u P_2$, if $P_1 \sqsubseteq^u P_2$
and $P_2 \sqsubseteq^u P_1$.

Uniform containment implies containment, but the converse does not neces-
sarily hold. Also it is known that containment of Datalog programs in general is
undecidable [?], while uniform containment is decidable [?].

Example 5. Let $P_1$ be the program

anc(x, y) :− par(x, y).
anc(x, y) :− anc(x, z), anc(z, y).

and $P_2$ be the program

anc(x, y) :− par(x, y).
anc(x, y) :− par(x, z), anc(z, y).

Then $P_1 \equiv P_2$, but $P_1 \not\equiv^u P_2$. Although $P_2 \sqsubseteq^u P_1$, it can be seen that $P_1 \not\sqsubseteq^u P_2$
by taking the input to be the empty relation for par and some nonempty relation
for anc which is not transitively closed. □

A DB $P(\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle)$ is a model of $P$ if

$\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle = P(\langle e_1, \ldots, e_n, i_1, \ldots, i_m \rangle)$.

Let $M(P)$ denote the set of all models of $P$. Two programs are equivalent if for
all EDBs the programs have the same minimal model which contains the EDB.
Two programs are uniformly equivalent if they have the same set of models.
Uniform containment can be characterized in terms of containment of models as
follows:

$P_2 \sqsubseteq^u P_1 \iff M(P_1) \subseteq M(P_2)$.

Testing $M(P_1) \subseteq M(P_2)$ and hence $P_2 \sqsubseteq^u P_1$ can be done by a variant of the
chase process [?]. The following algorithm decides whether $P_2 \sqsubseteq^u P_1$ by checking
whether, for all rules $r$ of $P_2$, $r \sqsubseteq^u P_1$.
Algorithm 1. Given programs $P_1$ and $P_2$, test whether $P_2 \sqsubseteq^u P_1$.

1. For each rule $r$ of $P_2$, test whether $r \sqsubseteq^u P_1$ as follows:

(a) Replace each variable $x$ in $r$ by a unique constant $\theta(x)$ not already in $r$
or $P_1$.

(b) Form a database $d$ from the atoms in the body of $r$; that is, if $p(x_1, \ldots, x_k)$
is an atom, then $p(A_1, \ldots, A_k)$ is in the EDB, where $A_i = \theta(x_i)$, $1 \leq i \leq k$.

(c) Apply the rules of $P_1$ to the database $d$. If the head predicate of $r$,
with variables replaced by their corresponding constants, is inferred, then
$r \sqsubseteq^u P_1$; else not.

2. If $r \sqsubseteq^u P_1$ for each rule $r$ in $P_2$, then $P_2 \sqsubseteq^u P_1$; otherwise $P_2 \not\sqsubseteq^u P_1$.

□



Examples using the above algorithm are given in Section [?].

When uniform containment between programs does not hold, Sagiv has
shown that Algorithm 1 can sometimes still be used to show containment when
constraints in the form of tuple-generating dependencies are present [?].

A tuple-generating dependency (tgd) [?] is a formula of the form

$\forall \bar{x} \exists \bar{y} [\psi_1(\bar{x}) \rightarrow \psi_2(\bar{x}, \bar{y})]$

where $\bar{x}$ and $\bar{y}$ are vectors of variables and both $\psi_1$ and $\psi_2$ are conjunctions of
atoms. As is common, we will write tgds without the quantifiers.

A DB $d$ satisfies a tgd $\tau$ if for every instantiation $\theta$ of the universally quan-
tified variables which makes the left-hand side of $\tau$ comprise ground atoms of
$d$, the right-hand side of $\tau$ can also be instantiated to ground atoms of $d$ by
extending $\theta$ to an instantiation of all the variables of $\tau$. A DB $d$ satisfies a set $T$
of tgds if $d$ satisfies each tgd in $T$. The set of all DBs satisfying a set $T$ of tgds
is denoted by $SAT(T)$.

Program $P_1$ uniformly contains $P_2$ over $SAT(T)$, written $P_2 \subseteq^u_{SAT(T)} P_1$,
if $P_2(d) \subseteq P_1(d)$ for all DBs $d \in SAT(T)$. Program $P$ preserves $T$ if
$P(d) \in SAT(T)$ for all DBs $d \in SAT(T)$.

The procedure for showing containment of programs in the presence of tgds 
outlined below includes generating the so-called preliminary DB for a program 
P and DB d. This is the DB which includes d and all atoms obtained by applying 
those rules of P whose bodies comprise only EDB predicates to d. 

In order to show that $P_2 \subseteq P_1$ in the presence of a set $T$ of tgds, it suffices
to show that the following four conditions, the first two of which show that
$P_2 \subseteq^u_{SAT(T)} P_1$, are satisfied:

1. $SAT(T) \cap M(P_1) \subseteq M(P_2)$.

2. Pi preserves T. 

3. For all EDBs d, programs Pi and P2 have the same preliminary DB. 

4. All the preliminary DBs satisfy T. 
The first step can be performed by a modified version of Algorithm 1 which
applies both $P_1$ and $T$ to the body of each rule of $P_2$. Applying a set of tgds to
the body of a rule is similar to applying a rule, except that existentially quantified
variables on the right-hand side of a tgd give rise to null values, denoted by $\delta_i$
for some $i$, in the atoms added to the DB.

Example 6. The DB {anc(A, B), par(A, C)}, where A, B and C are constants,
satisfies the tgd

anc(x, y) → par(x, z).

Applying the tgd to the DB results in the atom par(A, $\delta_0$), where $\delta_0$ is a null
value, being added to the DB. □

As stated by Sagiv [?], the above procedure has a number of drawbacks.
Firstly, it is not clear how to find a suitable set of tgds for a pair of programs.
Secondly, the procedure for testing steps (1) and (2) may not terminate if the
answer is negative. However, in Section 5 we show that, for Datalog programs
derived from XSLT patterns, step (3) is always true, as well as that a fixed set of
two tgds ensures both that steps (2) and (4) always hold and that the procedure
for step (1) always terminates.

4 XML and XSLT Patterns 

Wadler has described a data model for XML and a denotational semantics for
XSLT patterns [?]. In this section, we adapt these to a logic-based setting. In
the first subsection, we present the XML data model in such a way that an
XML document corresponds to a Datalog program. In the second, we present
the syntax of XSLT patterns as defined by Wadler. In the third subsection, we
define the semantics of XSLT patterns so that each pattern can be modelled as
a Datalog program.

4.1 XML Data Model 

An XML document comprises a number of nodes, represented by the unary
predicate isNode. Because we study the equivalence problem for only a subset
of XSLT patterns in this paper, we will simplify the XML data model accordingly.
Essentially the only nodes appearing in an XML document we are interested in
are those which are element nodes; we do not consider XSLT patterns which
refer to nodes which are attributes, text, comments or processing instructions.
There is, however, a distinguished node called the root node which is different
from the document element node which contains all the other nodes.¹ Hence,
each node is either the root node or an element node, as indicated by the unary
predicates isRoot and isElement:

isNode(x) :- isRoot(x).
isNode(x) :- isElement(x).

¹ One reason for this definition is to be able to define the pattern in XSLT.
The following predicates relate nodes to other nodes in the document: par(x, y)
is true if node x is the parent of node y in the document, and root(x, y) is true
if x is the root of the document and y is a node.

root(x, y) :- isRoot(x), isNode(y).

In general, the predicate name is used for the names of nodes. Because we have
only elements in our model, name(x, y) is true if element x has name y.

Example 7. Consider an XML document representing a statechart diagram which
has a StatechartDiagram element d which in turn contains two State elements
s1 and s2, with s2 containing a Transition element t. From now on, we will
abbreviate element names by using only the upper-case letters in the names,
so StatechartDiagram will be abbreviated as SD and Transition as T, for
example. The parent of element node d is the distinguished root node r. The
EDB representing this document is {isRoot(r), isElement(d), isElement(s1),
isElement(s2), isElement(t), name(d, SD), name(s1, S), name(s2, S),
name(t, T), par(r, d), par(d, s1), par(d, s2), par(s2, t)}. □

The XML data model imposes a number of constraints on documents. Each
node has at most one name and at most one parent. If we define the predicate
anc as the reflexive, transitive closure of par:

anc(x, x) :- isNode(x).
anc(x, y) :- par(x, y).
anc(x, y) :- anc(x, z), anc(z, y).

then it must be the case that the root is an ancestor node of every node, that is,
isRoot(x) ∧ isNode(y) → anc(x, y).



4.2 Syntax of XSLT Patterns 

We now turn to the definition of the abstract syntax of XSLT patterns [?],
although we consider only a subset of possible patterns in this paper. The syntax
of a pattern p is given by the following grammar:

p ::= /p | //p | p/p | p//p | p[p] | n | *

where n denotes an element name which is represented as a string. We do not
consider selection patterns p|p, @n, text(), comment(), pi(n), pi(), id(p),
id(s), ancestor(p), ancestor-or-self(p), ‘.’ or ‘..’. The only qualifier (in
square brackets) we consider is one which is itself a selection pattern. In general, a
qualifier may contain Boolean connectives, equality tests for the values of nodes,
and tests regarding order of nodes.

In fact, the above syntax is more permissive than that actually allowed. For
example, the patterns /p and //p can appear only at the beginning of a complete
pattern or the beginning of a qualifier.
4.3 Semantics of XSLT Patterns

Below we give a Datalog semantics for the subset of XSLT patterns defined
above. As stated in the introduction, a pattern p can be used either for matching
elements x, denoted by match_p(x) below, or for selecting elements y in the
context of elements x, denoted select_p(x, y) below.

Given a pattern p, we can produce a Datalog program representing the se-
mantics of match_p(x) or select_p(x, y) by recursively decomposing p, generating a
Datalog rule for each sub-pattern in p. In what follows, predicate names select_p
and select_q, for p ≠ q, are considered to be different.

match_p(x) :- root(y, x), anc(y, z), select_p(z, x).
select_{/p}(x, y) :- root(z, x), select_p(z, y).
select_{//p}(x, y) :- root(z, x), anc(z, w), select_p(w, y).
select_{p1/p2}(x, y) :- select_{p1}(x, z), select_{p2}(z, y).
select_{p1//p2}(x, y) :- select_{p1}(x, z), anc(z, w), select_{p2}(w, y).
select_{p1[p2]}(x, y) :- select_{p1}(x, y), select_{p2}(y, z).
select_n(x, y) :- par(x, y), name(y, n).
select_*(x, y) :- par(x, y).

The final program for a pattern is given by the rules generated by the decom-
position, along with the rules for isNode, root and anc, which we call the model
rules, defined in Section 4.1.

Example 8. Consider the pattern SD/CS[S]//CS used for selection. The corre-
sponding Datalog program (assuming left-to-right decomposition) is

select_{SD/CS[S]//CS}(x, y) :- select_{SD}(x, z), select_{CS[S]//CS}(z, y).
select_{CS[S]//CS}(x, y) :- select_{CS[S]}(x, z), anc(z, w), select_{CS}(w, y).
select_{CS[S]}(x, y) :- select_{CS}(x, y), select_S(y, z).
select_{SD}(x, y) :- par(x, y), name(y, SD).
select_{CS}(x, y) :- par(x, y), name(y, CS).
select_S(x, y) :- par(x, y), name(y, S).

□

Since we do not allow alternation in patterns, we can always replace all select
atoms by their definitions to get a single select rule, along with the model rules.
For example, the six rules of Example 8 can be replaced by the single rule

select_{SD/CS[S]//CS}(x, y) :- par(x, z), name(z, SD), par(z, v), name(v, CS),
    par(v, u), name(u, S), anc(v, w),
    par(w, y), name(y, CS).

From now on, we will assume that programs derived from select patterns com-
prise only a single select rule.
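The translation of Section 4.3, written out as an added Python example (my own code, not the paper's): it parses a pattern of the grammar of Section 4.2 and emits the single flattened select rule directly, as in the rule above for SD/CS[S]//CS. The encoding is assumed rather than taken from the paper: atoms are tuples, variables carry a leading '?', and fresh variables are numbered v0, v1, ... in the order in which the decomposition introduces them, so the variable names differ from the paper's z, v, u, w while the chain of atoms is the same.

```python
import re
from itertools import count

# Tokens of the pattern subset of Section 4.2: '//', '/', '[', ']', '*' and element names.
TOKEN = re.compile(r"//|/|\[|\]|\*|[A-Za-z_][A-Za-z0-9_\-]*")


def tokenize(pattern):
    tokens = TOKEN.findall(pattern)
    if "".join(tokens) != pattern.replace(" ", ""):
        raise ValueError(f"unsupported characters in pattern {pattern!r}")
    return tokens


class Parser:
    """Recursive descent for p ::= /p | //p | p/p | p//p | p[p] | n | *.
    A leading / or // is parsed as an anchor on the document root; '/' and '//'
    between steps associate to the left (the flattened rule is the same either way)."""

    def __init__(self, pattern):
        self.toks, self.i = tokenize(pattern), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_path()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_path(self):
        if self.peek() in ("/", "//"):
            node = ("root", self.take(), self.parse_step())
        else:
            node = self.parse_step()
        while self.peek() in ("/", "//"):
            op = self.take()
            node = ("child" if op == "/" else "desc", node, self.parse_step())
        return node

    def parse_step(self):
        tok = self.take()
        if tok is None or tok in ("/", "//", "[", "]"):
            raise ValueError(f"expected an element name or *, got {tok!r}")
        node = ("any",) if tok == "*" else ("name", tok)
        while self.peek() == "[":            # qualifier p[q], q itself a selection pattern
            self.take()
            node = ("qual", node, self.parse_path())
            if self.take() != "]":
                raise ValueError("missing ']'")
        return node


def select_body(node, x, y, fresh):
    """Body atoms of select_p(x, y), with every select_q atom already replaced by
    its own definition (the single-rule form of Section 4.3)."""
    kind = node[0]
    if kind == "name":
        return [("par", x, y), ("name", y, node[1])]
    if kind == "any":
        return [("par", x, y)]
    if kind == "root":                       # /p and //p: z is the root of x's document
        z = fresh()
        if node[1] == "/":
            return [("root", z, x)] + select_body(node[2], z, y, fresh)
        w = fresh()
        return [("root", z, x), ("anc", z, w)] + select_body(node[2], w, y, fresh)
    if kind == "child":                      # p1/p2
        z = fresh()
        return select_body(node[1], x, z, fresh) + select_body(node[2], z, y, fresh)
    if kind == "desc":                       # p1//p2
        z, w = fresh(), fresh()
        return select_body(node[1], x, z, fresh) + [("anc", z, w)] + select_body(node[2], w, y, fresh)
    if kind == "qual":                       # p1[p2]: p2 is selected from y, its result unused
        z = fresh()
        return select_body(node[1], x, y, fresh) + select_body(node[2], y, z, fresh)
    raise ValueError(f"unknown node kind {kind}")


def pattern_to_rule(pattern):
    """(head, body) of the single select rule for pattern; variables start with '?' (assumed convention)."""
    fresh_vars = count()
    body = select_body(Parser(pattern).parse(), "?x", "?y", lambda: f"?v{next(fresh_vars)}")
    return ("select", "?x", "?y"), body


def format_rule(rule):
    """Render a rule in the paper's notation, e.g. select(x, y) :- par(x, v2), name(v2, SD), ..."""
    head, body = rule
    atom = lambda a: f"{a[0]}({', '.join(t.lstrip('?') for t in a[1:])})"
    return f"{atom(head)} :- {', '.join(atom(a) for a in body)}."
```

`format_rule(pattern_to_rule("SD/CS[S]//CS"))` gives the nine-atom body shown above (par, name, par, name, par, name, anc, par, name, with the qualifier's par/name pair hanging off the CS variable and never reused), and a leading // produces a root atom followed by an anc atom, as the select_{//p} rule prescribes.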
5 Containment of XSLT Patterns

In this section, we study the containment problem for XSLT patterns. Let $p_1$
and $p_2$ be XSLT patterns. From the definition of match_p in terms of select_p
given in Section 4.3, it is clear that the program for match_{p_1} is equivalent to
that for match_{p_2} if and only if the program for select_{p_1} is equivalent to that
for select_{p_2}. So from now on, the meaning given to a pattern p will be taken
to be the program P derived for select_p. We will say that P is the program
corresponding to p.

For patterns $p_1$ and $p_2$, we say that $p_1$ contains $p_2$, written $p_2 \subseteq p_1$, if and
only if $P_{p_2} \subseteq P_{p_1}$, where $P_{p_i}$ is the program corresponding to pattern $p_i$. As
a shorthand, we will usually write $P_i$ instead of $P_{p_i}$. Patterns $p_1$ and $p_2$ are
equivalent, written $p_1 \equiv p_2$, if $p_1 \subseteq p_2$ and $p_2 \subseteq p_1$.

Containment and uniform containment coincide for non-recursive Datalog
programs, so we can use Algorithm 1 from Section 3 to determine containment
of XSLT patterns which do not use the // operator.

Example 9. Referring back to Example [?], let $p_1$ = S[AS/E][AS] and $p_2$ =
S[AS/E]. We will show that $p_1 \equiv p_2$ by showing that $P_1 \equiv P_2$. Program $P_1$
is

select_{S[AS/E][AS]}(x, y) :- par(x, y), name(y, S), par(y, v), name(v, AS),
    par(v, u), name(u, E), par(y, w), name(w, AS).

while $P_2$ is

select_{S[AS/E]}(x, y) :- par(x, y), name(y, S), par(y, v), name(v, AS),
    par(v, u), name(u, E).

For the purpose of showing containment and equivalence, we now assume that
predicates select_p and select_q, for arbitrary XSLT patterns p and q, are the
same, and refer to them both simply as select.

We first show that $P_1 \subseteq P_2$. $P_1$ comprises only a single rule,² so we form a
DB from the atoms in the body of the rule by mapping each variable to a unique
constant. This gives the DB {par(X, Y), name(Y, S), par(Y, V), name(V, AS),
par(V, U), name(U, E), par(Y, W), name(W, AS)}. Applying the rule of $P_2$ to
this database allows us to infer select(X, Y), the head of the rule comprising $P_1$.
We conclude that $P_1 \subseteq P_2$.

We now show that $P_2 \subseteq P_1$. The DB from the atoms in the body of the
only rule in $P_2$ is {par(X, Y), name(Y, S), par(Y, V), name(V, AS), par(V, U),
name(U, E)}. We can apply the rule of $P_1$ to this DB by mapping x to X, y to
Y, u to U, v to V and w to V, thus inferring the instantiated head of the rule
in $P_2$. We conclude that $P_2 \subseteq P_1$; hence $P_1 \equiv P_2$ and $p_1 \equiv p_2$. □

XSLT patterns which use the // operator give rise to recursive Datalog
queries, where, in general, there is a distinction between containment and uni-
form containment. If we can show uniform containment using Algorithm 1, then
we know that containment also holds.

² The model rules are unreachable.
Example 10. Let us consider the XSLT patterns $p_5$ = CS//S//E and $p_6$ = CS//E
from Example [?]. We will show that $P_5 \subseteq^u P_6$. Program $P_5$ comprises the rule
$r_5$

select_{CS//S//E}(x, y) :- par(x, z), name(z, CS), anc(z, u), par(u, v), name(v, S),
    anc(v, w), par(w, y), name(y, E).

along with the model rules, while $P_6$ comprises the rule $r_6$

select_{CS//E}(x, y) :- par(x, z), name(z, CS), anc(z, w), par(w, y), name(y, E).

along with the model rules. Recall that the model rules for anc are

anc(x, x) :- isNode(x).
anc(x, y) :- par(x, y).
anc(x, y) :- anc(x, z), anc(z, y).

Consider rule $r_5$ of $P_5$. The DB $d$ from the body of $r_5$ is {par(X, Z), name(Z, CS),
anc(Z, U), par(U, V), name(V, S), anc(V, W), par(W, Y), name(Y, E)}. We now
apply the rules of $P_6$ to $d$. The second anc rule of $P_6$ allows us to add anc(U, V)
to $P_6(d)$. Using the third anc rule, we get anc(Z, V), and then anc(Z, W) in
$P_6(d)$. Now, using $r_6$, we get select(X, Y) in $P_6(d)$. We conclude that $r_5 \subseteq^u P_6$.
Since the other rules of $P_5$ are identical to rules in $P_6$, we have that $P_5 \subseteq^u P_6$. □

As we claimed in the introduction, showing uniform containment is not always
necessary in order to show containment, even for the restricted programs
which correspond to patterns. This is illustrated in the following example.

Example 11. Consider the XSLT patterns $p_7$ = CS//*/T and $p_8$ = CS/*//T
from Example [?]. To simplify the subsequent explanation, we will instead use
the patterns $p_7$ = *//*/* and $p_8$ = */*//*, although the same results hold.
Program $P_7$ comprises the rule $r_7$

select_{*//*/*}(x, y) :- par(x, z), anc(z, u), par(u, v), par(v, y).

while $P_8$ comprises the rule $r_8$

select_{*/*//*}(x, y) :- par(x, z), par(z, u), anc(u, v), par(v, y).

each augmented with the model rules. It is not hard to see that $P_7 \equiv P_8$ if
we view them as regular path queries over a tree structure, all of whose edges
are labelled with the symbol $p$, representing the relation par. Program $P_7$
corresponds to the regular expression $p \cdot p^* \cdot p \cdot p$, while $P_8$ corresponds to the
regular expression $p \cdot p \cdot p^* \cdot p$. However, $P_7 \not\subseteq^u P_8$. The DB $d$ from $P_7$ is
{par(X, Z), anc(Z, U), par(U, V), par(V, Y)}. By applying the second anc rule
from $P_8$, we can derive anc(U, V). However, there is no way to derive par(Z, U),
which is needed in order to derive the instantiated head of rule $r_7$. DB $d$ is a
counterexample to the claim that $P_7 \subseteq^u P_8$, since $P_7(d)$ includes select(X, Y)
while $P_8(d)$ does not. A similar argument shows that $P_8 \not\subseteq^u P_7$. □



On the Equivalence of XML Patterns 1163 



Recall the procedure from Section 3 for showing the containment of Datalog
programs using a set $T$ of tuple-generating dependencies (tgds). We will prove
below that, for programs derived from patterns, the procedure always terminates
and is a sound and complete method for deciding containment. We first show that
three of the steps in the procedure are always satisfied, starting with step (3).
We assume we are dealing only with recursive programs.

Lemma 1. Let $P_1$ and $P_2$ be recursive programs derived from XSLT patterns.
For all EDBs $d$, $P_1$ and $P_2$ have the same preliminary DB.

Proof. Recall that the preliminary DB is the DB which includes d and all atoms 
obtained by applying those rules of the program whose bodies comprise only 
EDB predicates to d. In the case of a recursive program P derived from a pattern, 
the only such rules are model rules which are the same for every program. □ 

We will show that using the set $T$ comprising the two tgds $\tau_1$ and $\tau_2$ de-
fined below in the containment procedure of Section 3 is sufficient to prove the
containment of any two programs generated from XSLT patterns. The tgd $\tau_1$ is

par(x, z) ∧ anc(z, y) → anc(x, w) ∧ par(w, y)

while $\tau_2$ is

anc(x, w) ∧ par(w, y) → par(x, z) ∧ anc(z, y).

We now prove that step (4) of the procedure is always satisfied by $T$.

Lemma 2. Let $P$ be a recursive program derived from an XSLT pattern,
$T = \{\tau_1, \tau_2\}$ be the set of tgds defined above, and $d$ an EDB. The preliminary DB of
$P$ and $d$ satisfies $T$.

Proof. Let the preliminary DB $d'$ of $P$ include par(X, Z) and anc(Z, Y), the
left-hand side of tgd $\tau_1$. Then $d'$ must also include anc(X, Z) by the second rule
for anc. For $d'$ to include anc(Z, Y), $d$ must include par(Z, Y). Since $d \subseteq d'$, $d'$
includes the instantiated right-hand side of $\tau_1$, namely, anc(X, Z) and par(Z, Y);
hence $d'$ satisfies $\tau_1$.

A similar argument holds for $\tau_2$, so we conclude that $d'$ satisfies $T$. □

Step (2) of the procedure requires that we show that program $P$ preserves the
set $T$ of tgds. In general, it is not known whether there is a proof procedure for
showing that $P$ preserves a set of tgds. However, if we can show that $P$ preserves
$T$ non-recursively, then we can conclude that $P$ preserves $T$. Applying a program
$P$ non-recursively to a DB $d$, denoted $P^1(d)$, means applying it only to the
ground atoms of $d$. Then $P$ preserves $T$ non-recursively if $(d, P^1(d)) \in SAT(T)$
for all $d \in SAT(T)$. Once again, this can be shown using a variant of the chase
process.

Lemma 3. Let $P$ be a recursive program derived from an XSLT pattern, and
$T = \{\tau_1, \tau_2\}$ be the set of tgds defined above. Then $P$ preserves $T$.
Proof. Consider the tgd $\tau_1$. We first instantiate the left-hand side of $\tau_1$ by replac-
ing each variable with a distinct constant not already in $P$. This gives par(X, Z),
which becomes part of the EDB $d$, and anc(Z, Y), which becomes part of $P^1(d)$.
Next we look for a way in which $\tau_1$ could be violated by $P$. This happens if it is
possible for the left-hand side of $\tau_1$ to be generated by $P$ without the right-hand
side being generated. So we need to consider all ways in which anc(Z, Y) can
be produced when $P$ is applied non-recursively to $d$. This can be in one of two
ways: by applying the second or third rule for anc.

Consider the second rule. In order for anc(Z, Y) to be produced, par(Z, Y)
must be in $d$. Now, since $d$ satisfies $T$, we apply the tgds of $T$ to $d$. This pro-
duces nothing new since there is no anc atom in $d$. Next we apply $P$ non-
recursively to $d$ to get $P^1(d)$. Since $d$ = {par(X, Z), par(Z, Y)}, we get $P^1(d)$ =
{anc(X, Z), anc(Z, Y)}. Finally, we need to check whether $(d, P^1(d))$ satisfies
$\tau_1$. This is indeed the case since the instantiation of the left-hand side of $\tau_1$ can
be extended such that the right-hand side of $\tau_1$ becomes a subset of $(d, P^1(d))$,
namely, {anc(X, Z), par(Z, Y)}.

Consider the third rule for anc in $P$. In order for anc(Z, Y) to be pro-
duced, anc(Z, W) and anc(W, Y) must be in $d$, for some constant W. So $d$ =
{par(X, Z), anc(Z, W), anc(W, Y)}. Applying the tgds of $T$ to $d$ adds anc(X, $\delta_0$)
and par($\delta_0$, W) followed by anc($\delta_0$, $\delta_1$) and par($\delta_1$, Y) to $d$, for some null values
$\delta_0$ and $\delta_1$. Applying $P$ non-recursively to $d$ yields, among others, anc(X, $\delta_1$),
which, along with par($\delta_1$, Y), gives an instantiated right-hand side of $\tau_1$.

A similar argument shows that $P$ preserves $\tau_2$, so $P$ preserves $T$. □

Before proving that step (1) of the procedure is necessary for containment to
hold, we consider again the programs of Example 11.

Example 12. Consider the programs $P_7$ and $P_8$ from Example 11. Recall that
the database $d$ from $P_7$ is {par(X, Z), anc(Z, U), par(U, V), par(V, Y)}. Using
tgd $\tau_2$ allows us to add par(Z, $\delta_1$) and anc($\delta_1$, V) to $d$. Now $P_8$ can derive
select(X, Y); hence $SAT(T) \cap M(P_8) \subseteq M(P_7)$. The preceding lemmas then
allow us to conclude that $P_7 \subseteq^u_{SAT(T)} P_8$ and $P_7 \subseteq P_8$. □
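Algorithm 1 of Section 3, the uniform-containment checks of Examples 9 to 11, and the tgd-extended step (1) of Example 12, as one added Python example (my own code, not the paper's or Sagiv's). Atoms are tuples, variables carry a leading '?', Algorithm 1's frozen constants are written _X, _Y, ... and nulls N0, N1, ...; all of these are my conventions, and every select_p predicate is written simply as select, as the paper does from Example 9 onwards. One design choice deserves a note: the chase below fires a tgd only when its right-hand side is not already satisfied (the restricted chase), whereas Example 6 adds the atom unconditionally; the restricted variant derives the same ground select atoms and is what keeps the chase of the two tgds finite here. The last check, $P_8 \subseteq P_7$ over $SAT(T)$, goes beyond the text, which only argues the $P_7 \subseteq P_8$ direction.

```python
from itertools import count

# Atoms are tuples (predicate, term, ...). A term starting with '?' is a variable (my own
# convention); anything else is a constant, a frozen variable (_X) or a null (N0, N1, ...).
def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def unify_atom(pattern, fact, subst):
    """Extend subst so that pattern matches fact; None if impossible."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if s.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return s

def matches(body, facts, subst=None):
    """Yield every substitution under which all atoms of body occur in facts."""
    subst = {} if subst is None else subst
    if not body:
        yield subst
        return
    for fact in facts:
        s = unify_atom(body[0], fact, subst)
        if s is not None:
            yield from matches(body[1:], facts, s)

def instantiate(atom, subst):
    return (atom[0],) + tuple(subst.get(t, t) for t in atom[1:])

def apply_rules(rules, facts):
    """Least fixpoint of the Datalog rules (head, body) over facts: P(d) in the text."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for s in matches(body, list(facts)):
                new = instantiate(head, s)
                if new not in facts:
                    facts.add(new)
                    changed = True
    return facts

def chase(rules, tgds, facts, max_rounds=100):
    """Apply rules and tgds (lhs, rhs) until nothing changes. A tgd fires on an lhs
    instantiation only if no extension already satisfies its rhs (restricted chase, my
    choice; Example 6 adds unconditionally); existential variables become fresh nulls."""
    nulls = count()
    facts = apply_rules(rules, facts)
    for _ in range(max_rounds):
        fired = False
        for lhs, rhs in tgds:
            for s in list(matches(lhs, list(facts))):
                if next(matches(rhs, list(facts), s), None) is not None:
                    continue                      # rhs already satisfied under s
                ext = dict(s)
                for atom in rhs:
                    for t in atom[1:]:
                        if is_var(t) and t not in ext:
                            ext[t] = f"N{next(nulls)}"
                facts.update(instantiate(atom, ext) for atom in rhs)
                fired = True
        if not fired:
            return facts
        facts = apply_rules(rules, facts)
    raise RuntimeError("chase did not terminate within max_rounds")

def freeze(rule):
    """Steps 1(a)-(b) of Algorithm 1: map each variable ?x to the fresh constant _X."""
    head, body = rule
    subst = {t: "_" + t[1:].upper() for atom in [head, *body] for t in atom[1:] if is_var(t)}
    return instantiate(head, subst), {instantiate(a, subst) for a in body}

def contained(sub, sup, tgds=()):
    """Algorithm 1: is sub uniformly contained in sup?  With tgds, this is step (1) of the
    Section 3 procedure: chase each frozen rule body of sub with the rules of sup and T."""
    for r in sub:
        head, db = freeze(r)
        derived = chase(sup, tgds, db) if tgds else apply_rules(sup, db)
        if head not in derived:
            return False
    return True

# Model rules for anc (Section 4.1) and the tgds tau_1, tau_2 of Section 5.
MODEL_RULES = [
    (("anc", "?x", "?x"), [("isNode", "?x")]),
    (("anc", "?x", "?y"), [("par", "?x", "?y")]),
    (("anc", "?x", "?y"), [("anc", "?x", "?z"), ("anc", "?z", "?y")]),
]
TGDS = [
    ([("par", "?x", "?z"), ("anc", "?z", "?y")], [("anc", "?x", "?w"), ("par", "?w", "?y")]),
    ([("anc", "?x", "?w"), ("par", "?w", "?y")], [("par", "?x", "?z"), ("anc", "?z", "?y")]),
]
# The single select rules of Examples 9 to 11, each select_p written as select.
def rule(*body):
    return (("select", "?x", "?y"), list(body))
par, anc, name = (lambda a, b: ("par", a, b)), (lambda a, b: ("anc", a, b)), (lambda a, n: ("name", a, n))
x, y, z, u, v, w = "?x", "?y", "?z", "?u", "?v", "?w"

P1 = [rule(par(x, y), name(y, "S"), par(y, v), name(v, "AS"), par(v, u), name(u, "E"), par(y, w), name(w, "AS"))]
P2 = [rule(par(x, y), name(y, "S"), par(y, v), name(v, "AS"), par(v, u), name(u, "E"))]
P5 = MODEL_RULES + [rule(par(x, z), name(z, "CS"), anc(z, u), par(u, v), name(v, "S"), anc(v, w), par(w, y), name(y, "E"))]
P6 = MODEL_RULES + [rule(par(x, z), name(z, "CS"), anc(z, w), par(w, y), name(y, "E"))]
P7 = MODEL_RULES + [rule(par(x, z), anc(z, u), par(u, v), par(v, y))]
P8 = MODEL_RULES + [rule(par(x, z), par(z, u), anc(u, v), par(v, y))]
```

`contained(P1, P2)` and `contained(P2, P1)` both hold (Example 9), `contained(P5, P6)` holds (Example 10), `contained(P7, P8)` and `contained(P8, P7)` both fail (Example 11), while `contained(P7, P8, TGDS)` succeeds because $\tau_2$ supplies the missing par(Z, N) and anc(N, V) atoms (Example 12). The `max_rounds` guard is there because, as Section 3 notes, a tgd chase need not terminate for an arbitrary set of tgds; for the two tgds of Section 5 it converges after a handful of rounds.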

Lemma 4. Let $P_1$ and $P_2$ be recursive programs derived from XSLT patterns,
and $T = \{\tau_1, \tau_2\}$ be the set of tgds defined above. If $P_2 \subseteq P_1$, then
$SAT(T) \cap M(P_1) \subseteq M(P_2)$.

Proof. (Informal sketch) Let $r_1$ and $r_2$ be the non-model rules in $P_1$ and $P_2$,
respectively. The crucial part of the proof is showing that if a maximal chain $s$
of par and anc atoms in $r_1$ “contains” a chain $t$ of par and anc atoms in $r_2$,
applying the tgds in $T$ and the model rules to the DB formed from $t$ will produce
a chain of par and anc atoms to which there is a containment mapping from $s$.

For chain $s$ to contain chain $t$, there must be at least as many par atoms
in $t$ as in $s$. In addition, there must be as many name atoms associated with
variables in par atoms in $t$ as there are in $s$, and the names used in these atoms
in $t$ must be equal to the associated names in $s$. If there are more par atoms in
$t$ than in $s$, then we can apply the second anc rule to produce a chain $t'$ in DB
with the same number of par atoms as in $s$. We apply the rule only to those par
atoms which are either not associated with name atoms or are associated with
name atoms which are not needed for the containment mapping from $s$. If there
are the same number of par atoms in $s$ and $t$, then $t' = t$.

Now if there are more anc atoms in $t'$ than $s$, we can use the tgds in $T$ along
with the third anc rule to produce a chain $t''$ in DB which has both the same
number of anc atoms as in $s$ and in the same positions in the chain. On the
other hand, if there are fewer anc atoms in $t'$ than $s$, we can use the tgds and
the first anc rule to produce $t''$. □

We can also show that it is sufficient to apply the tgds in $T$ only a number
of times which is quadratic in the number of atoms in $P$. This, along with the
preceding lemmas and results of Sagiv [?], gives us the following theorem.

Theorem 1. Sagiv’s procedure provides a sound and complete method for de- 
ciding containment of Datalog programs derived from XSLT patterns. 

6 Conclusion 

We have defined a logic-based model for XML and a semantics for XSLT pat- 
terns based on a translation to Datalog. This provided us with a framework 
within which to study the problem of equivalence of XSLT patterns by studying 
the equivalence of the corresponding Datalog programs. Although equivalence 
is undecidable for Datalog programs in general, the simple form of programs 
derived from XSLT patterns suggested that the decidable property of uniform 
equivalence might suffice. However, we showed that not every containment be- 
tween such programs is also a uniform containment. Nevertheless, we proved 
that the procedure defined by Sagiv which, in general, can only sometimes 
be used to show containment of programs using tuple-generating dependencies 
(tgds) and the chase process is in fact a sound and complete decision procedure 
for programs derived from XSLT patterns. 

This framework will allow us to study the equivalence of broader classes of
XSLT patterns, as well as equivalence of patterns in the presence of constraints
imposed on documents by document type definitions (DTDs). For example, it
may be the case in a DTD $D$ for UML statechart diagrams that an Action
(A) element can only appear as part of an ActionSequence (AS) element. This
constraint can be expressed by the tgd $\tau$

name(x, A) → name(y, AS) ∧ par(x, y)

which in turn allows us to show using the chase that the (abbreviated) XSLT
patterns AS/A and */A are equivalent on databases (documents) satisfying $\tau$
and hence on those satisfying $D$. Similar constraints include those in which an
element must have another element as a child or as a descendant.

An example of a more complicated constraint in a DTD for statecharts 
might be that the only path from a Transition element to an Action is via 
a TransitionLabel element and an ActionSequence element. On documents
which are valid with respect to this DTD, the (abbreviated) patterns T//A and
T/TL/AS/A are equivalent; in other words, the Datalog program corresponding
to the former pattern is bounded.

Future work involves devising algorithms for deciding equivalence for wider 
classes of XSLT patterns and under various classes of DTD constraints, as well as 
determining the computational complexity of the associated decision problems. 
Abstract. In this paper we present XML-GL^'^'^, an extended version of
the graphical query language for XML documents XML-GL. XML-GL
allows one to extract and restructure information from XML-specified WWW
documents. XML-GL’"'^'^ also allows one to represent XML simple links and
generic recursive queries, thus permitting one to query whole XML-specified
WWW sites in a simple and intuitive way.



1 Introduction 



XML was born as a simplification of SGML, a general document markup lan-
guage initially conceived for document bases; following a recommendation of
the World Wide Web Consortium, XML is now spreading out as a standard for
the representation of semistructured documents on the Web. Indeed, unlike
HTML tags, which are mainly designed to represent hypertext presentation
features, XML tags can be appropriately defined by the document writer to
represent information semantics, by giving a formal description of data content.
Accordingly, a host of researchers is now working with the objective of defining
appropriate syntaxes and semantics for querying XML documents.

XML was initially conceived as a document representation standard, thus
little attention was given to the definition of links between documents, which
are, in contrast, the main distinctive feature of the WWW and of hypermedia
in general. Some proposals have been made for XML extensions, but none of
the XML query languages defined to this moment addresses the problem of
querying several documents related to one another by XML links.

In this paper we present XML-GL’’®'^, an extended version of XML-GL, a
graph-based query language for extracting information from XML documents
and for restructuring such information into novel XML documents.
The current version of XML-GL allows one to query XML-specified WWW doc-
uments: we extend XML-GL by allowing the representation of XML simple links,
and of recursive queries through IDREFS and XML simple links.
In order to achieve this, we first introduce a syntactic extension of XML-
GL which supports XML link specification; then, we provide a semantics for
this new version, in particular allowing for the specification of generic recur-
sive queries, by translating XML-GL’’®'^ into the graph-based, logical language
G-Log, whose expressive power allows recursion on any type of binary
relationship between objects. We believe that our work has an interest in two
respects: first of all, we are here persisting with our purpose of adopting a graph-
based query language for making query formulation easier for the end user; this
is ever more interesting in the semistructured and XML context, where infor-
mation is very naturally represented as graphs or trees. Second, our translation
into G-Log makes immediately available for XML-GL’’®'^ some results on G-Log
which allow the definition of parametric semantics. This semantics is
based on the notion of graph bisimulation, and defines different levels of match-
ing of the query graph to the instance graph, which correspond to stricter or
looser requirements on topological similarity.

2 XML-GL 

In this section we present a simplified version of the language XML-GL, which 
excludes specific constructs for computation. Our objective in extending this 
version of XML-GL is to query whole XML WWW sites, thus in the next section 
we add constructs to represent XML links and support recursion through such 
links. 



2.1 The XML-GL Data Model 

The Data Model of XML-GL is quite intuitive, and dictated by the formal struc-
ture of XML itself. With XML-GL, graphical notations and constructs are in-
troduced to the end of representing exactly those concepts which are present in
the XML formalism. Since a (set of) XML document(s) is often associated with
a DTD, which dictates its syntactic structure, we also represent DTDs graph-
ically: we depict XML DTDs (Fig. [?]a), documents, and queries (Fig. [?]b) by
means of XML graphs.

An XML graph is a directed labeled graph (N, A), where:

— N is a (finite) set of labeled nodes, representing XML elements. Nodes in N
are partitioned into two disjoint sets: E is the set of element nodes and P is
the set of property nodes. Nodes in P are further partitioned into two disjoint
sets: attribute nodes and content nodes. Nodes in E are labeled by the name of
the element they represent, and sometimes by the URL of the document they
refer to. The special label ANY can be used as a node label. Nodes in P are
labeled by a string denoting a type-name and optionally by a string denoting
a constant value. Property nodes do not have outgoing arcs. In Fig. [?]a, an
example of an XML element is “Company”. The element “Company” has an
attribute node, “ID”, and three content nodes: “Found_year”, “Name” and
“Type”.
— A is a set of labeled arcs (n, λ, n'), where λ is the arc label and n, n' ∈ N.
Arcs in A are partitioned into two disjoint sets: the set C of containment
arcs and the set R of reference arcs. Arcs in R are labeled by the name of the
IDREF attribute, while all arcs in C share the same label CONT, which may
be omitted. The graph (N, C), i.e. the projection of the XML graph on its
containment arcs, is acyclic. Arcs are represented as arrows connecting nodes,
labeled in case of reference arcs. Reference arcs may be connected to element
nodes of any type, including the element nodes labeled ANY. Cardinality and
optionality are represented as annotations to the corresponding reference
or containment arc, in a similar way as in the Entity-Relationship model.
Cardinality (1:1) is taken as default, when not explicitly represented.

— For every node n in E, a total order is defined on the set of element and
content nodes directly reachable from n (children nodes). For each given
node, the order of its children is represented by marking the first outgoing
arc with a small trait and ordering the other outgoing arcs counterclockwise.

— A set XOR ⊆ 2^C is defined, which identifies sets of containment arcs which
are in mutual exclusion. A set of containment arcs outgoing from an element
in mutual exclusion is denoted by a segment labeled XOR crossing them.

The following topological constraints apply to each XML graph representing 
an XML DTD: property nodes cannot have a label denoting their value; refer- 
ence arcs can only be directed to nodes labeled ANY; and no element node is 
replicated. 

The following topological constraints apply to XML graphs that represent
XML documents: no node labeled ANY is allowed; mutual exclusion and cardi-
nality constraints do not appear in instance graphs; and each element node in
the graph may have at most one ingoing containment arc. Moreover, if a docu-
ment is associated to a DTD D, then it must conform to D. For example, the
DTD of Fig. [?]a represents the ownership relationship between companies. Each
company is represented by ID, foundation year, name and type and is linked to
its owned companies.
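A checker for the topological constraints just listed, as an added Python example (my own code, not part of XML-GL or of this paper). The encoding of an XML graph is assumed: nodes are a dict from an id to its kind (element, attribute or content), label and optional value, and arcs are (source, label, target) triples where the label CONT marks a containment arc and any other label is the IDREF attribute name of a reference arc. The sample DTD and document below are constructed in the spirit of the Company example; the IDREF name OWNS and all values are made up, and the DTD rule "no element node is replicated" is read here as "no two element nodes share a label".

```python
from collections import Counter, defaultdict

# Constructed encoding of an XML graph (N, A) (my own, not XML-GL's notation):
#   nodes: id -> {"kind": "element" | "attribute" | "content", "label": str, "value": str | None}
#   arcs:  list of (source, label, target); "CONT" marks a containment arc, any other
#          label is the name of the IDREF attribute of a reference arc.

def containment_acyclic(node_ids, arcs):
    """True if the projection (N, C) on containment arcs has no cycle (depth-first search)."""
    out = defaultdict(list)
    for s, lab, d in arcs:
        if lab == "CONT":
            out[s].append(d)
    state = {}                       # "active" while on the DFS stack, "done" afterwards

    def dfs(n):
        state[n] = "active"
        for m in out[n]:
            if state.get(m) == "active" or (m not in state and not dfs(m)):
                return False
        state[n] = "done"
        return True

    return all(n in state or dfs(n) for n in node_ids)


def check_xml_graph(nodes, arcs, kind):
    """List the Section 2.1 constraints violated by the graph; kind is 'dtd' or 'document'."""
    problems = []
    for s, lab, d in arcs:
        if s not in nodes or d not in nodes:
            problems.append(f"arc {(s, lab, d)} refers to an unknown node")
            continue
        if nodes[s]["kind"] != "element":
            problems.append(f"property node {s} has an outgoing arc")
        if lab != "CONT" and kind == "dtd" and nodes[d]["label"] != "ANY":
            problems.append(f"DTD reference arc {lab} from {s} must point to an ANY node")
    if not containment_acyclic(nodes, arcs):
        problems.append("containment arcs form a cycle")
    if kind == "dtd":
        for n, info in nodes.items():
            if info["kind"] != "element" and info.get("value") is not None:
                problems.append(f"DTD property node {n} carries a value")
        # "no element node is replicated", read as: no two element nodes share a label (assumption)
        labels = Counter(i["label"] for i in nodes.values() if i["kind"] == "element")
        problems += [f"element {l} appears {c} times in the DTD" for l, c in labels.items() if c > 1]
    else:
        problems += [f"document node {n} is labelled ANY" for n, i in nodes.items() if i["label"] == "ANY"]
        parents = Counter(d for s, lab, d in arcs
                          if lab == "CONT" and nodes.get(d, {}).get("kind") == "element")
        problems += [f"element {n} has {c} ingoing containment arcs" for n, c in parents.items() if c > 1]
    return problems


# Constructed DTD in the spirit of the Company example: an ID attribute, three content
# nodes, and a reference arc (made-up IDREF name OWNS) to the owned companies, via ANY.
DTD_NODES = {
    "company": {"kind": "element", "label": "Company", "value": None},
    "id": {"kind": "attribute", "label": "ID", "value": None},
    "year": {"kind": "content", "label": "Found_year", "value": None},
    "name": {"kind": "content", "label": "Name", "value": None},
    "type": {"kind": "content", "label": "Type", "value": None},
    "any": {"kind": "element", "label": "ANY", "value": None},
}
DTD_ARCS = [("company", "CONT", "id"), ("company", "CONT", "year"), ("company", "CONT", "name"),
            ("company", "CONT", "type"), ("company", "OWNS", "any")]

# Constructed document instance: two companies, c1 owning c2 (values are made up).
DOC_NODES = {
    "c1": {"kind": "element", "label": "Company", "value": None},
    "c1.id": {"kind": "attribute", "label": "ID", "value": "c1"},
    "c1.name": {"kind": "content", "label": "Name", "value": "Acme"},
    "c2": {"kind": "element", "label": "Company", "value": None},
    "c2.id": {"kind": "attribute", "label": "ID", "value": "c2"},
    "c2.name": {"kind": "content", "label": "Name", "value": "Acme Labs"},
}
DOC_ARCS = [("c1", "CONT", "c1.id"), ("c1", "CONT", "c1.name"), ("c1", "OWNS", "c2"),
            ("c2", "CONT", "c2.id"), ("c2", "CONT", "c2.name")]
```

Both constructed graphs pass, `check_xml_graph(DTD_NODES, DTD_ARCS, "dtd")` and the document check each returning an empty list; adding a second containment parent for an element, a containment cycle, an arc leaving a property node, or a DTD reference arc that does not target an ANY node each produces exactly one message naming the violated constraint.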



2.2 Query Language 

The typical structure of an XML-GL query on a set of XML documents is a 
pair of sets of graphs. The graph(s) on the left side indicates information to be 
extracted from the document collection and properties such information must 
verify. The graph(s) on the right side indicates which elements retrieved in the 
left-hand part should appear in the result, and dictates how to construct or 
restructure the information to be produced as output. Accordingly, an XML-GL 
query consists of four parts: 

1. The extract part identifies the scope of the query, by indicating both the 
target documents and the target elements inside these documents. 

2. The match part (optional) specifies logical conditions that the target ele- 
ments must satisfy in order to be part of the query result. 
3. The clip part specifies the sub-elements of the extracted elements that satisfy
the match part to be retained in the result.

4. The construct part (optional) specifies the new elements to be included in
the result document and their relationships to the extracted elements; the
same query can be formulated with different construct parts, to obtain
results formatted differently. The construct part allows both the creation
of new elements, the definition of new links, and the restructuring of local
information to a given element.

Formally, an XML-GL query is a triple (LHS, RHS, M), where LHS, RHS are
two disjoint sets of XML-GL graphs, called the left hand side and right hand
side of the query, respectively, and M is a correspondence between nodes in LHS
and nodes in RHS, called binding.

Visually, the left-hand-side and right-hand-side of an XML-GL query are 
displayed side by side and separated by a vertical line. The correspondence of 
nodes in M is denoted either by labeling corresponding nodes in the LHS and in 
the RHS with the same name or by drawing unlabeled non-directed edges (called 
binding edges) between corresponding nodes. The left-hand-side graph(s) conveys 
the extract and match parts, while the right-hand-side graph(s) expresses the 
clip and construct parts. 

Additional notations and specific topological constraints are needed to specify 
queries by means of XML graphs: new types of nodes, arcs and labels are defined. 

— Constructor nodes are special nodes for building new elements. They are 
further distinguished into list nodes (denoted by triangles) and index (or 
grouping) nodes (denoted by rectangles containing horizontal lines). Both 
types of nodes may have an optional label. List and grouping nodes appear 
only in the RHS. 

— Anonymous nodes, unlabeled, may appear both in the LHS and RHS, and 
are equivalent to nodes with the ANY label; they stand for elements of any 
type. 

— Kleene star arcs are containment arcs in the LHS or RHS labeled by an 
asterisk. They represent the transitive closure of the containment relation, 
i.e., paths of any length between two elements. 

— GROUP_BY arcs (grouping binding) are labeled by the string GROUP_BY. 

— Predicate labels are labels that can be applied to a property node in the LHS 
of the query; they are further distinguished into compare-to-value predicate 
labels (e.g. > 5, or equality to a string constant) and compare-to-property 
predicate labels (e.g., “>”, “<”). Compare-to-property labels apply to property 
nodes shared by two or more elements in the LHS. 

— Nodes and arcs in the LHS can be dashed to represent negative conditions. 
Solid arcs of the LHS may only connect solid nodes, whereas dashed arcs may 
connect solid and/or dashed nodes. For example, a dashed arc between two 
solid nodes requires the absence of a containment or reference relationship 
between two elements. 

— Mutual exclusion and cardinality constraints cannot appear in the LHS 
graphs. 




Querying XML Specified WWW Sites: Links and Recursion in XML-GL 1171 



— Property nodes in the LHS may be pointed to by arcs coming from two dif- 
ferent element nodes: this notation is used together with a compare-to-property 
predicate label to represent a join between elements and the related comparison 
predicate. 

— An unlabeled binding edge may connect RHS and LHS nodes according to 
the binding correspondence M . 

An XML-GL query is simple if its LHS and its RHS graph consist of a single 
connected component. Otherwise an XML-GL query is complex. 

An example of a simple XML-GL query is depicted in Fig. 1b: it finds all 
the company elements that don’t produce flowers and have a foundation year 
greater than 1999. In the result the company name and type are retained. 




Fig. 1. XML-GL representation of an XML DTD (a) and simple XML-GL query (b) 

2.3 Operational Semantics of XML-GL 

In this section we describe the operational semantics of XML-GL and the al- 
gorithm for evaluating XML-GL queries. The operational semantics of a simple 
XML-GL query is based on the extract-match-clip-construct paradigm, and is de- 
scribed by the general algorithm given below. The most significant part of the 
algorithm is the extract-match procedure, strongly based on the formal notion 
of matching defined as follows: 

Definition 1. (Node Match) Let $D = (N_D, A_D)$ be an XML document graph, 
$L = (N_L, A_L)$ be the LHS graph of an XML-GL query and $n_d, n'_d \in N_D$, 
$n_l \in N_L$. Then $n_d$ type-matches $n_l$ (denoted $n_d \approx n_l$) iff they are both 
element nodes, or both content nodes, or both attribute nodes, and either $\text{node-label}(n_d) = 
\text{node-label}(n_l)$ or $\text{node-label}(n_l) = $ “ANY”; and $n_d$ matches $n_l$ (denoted $n_d \equiv 
n_l$) iff any of the following conditions holds: 

1. $n_d \approx n_l$ and $\text{content-label}(n_d) = \text{content-label}(n_l)$, or 

2. $\text{predicate-label}(n_l)$ is a compare-to-value predicate label, and 
$\text{predicate-label}(n_l)(\text{content-label}(n_d)) = \text{true}$, or 

3. $\text{predicate-label}(n_l)$ is a compare-to-property predicate label, and there are 
two element nodes $e_d, e'_d \in N_D$ and two other ones $e_l, e'_l \in N_L$ such that 
$e_d \approx e_l$, $e'_d \approx e'_l$, and $(e_d, CONT, n_d) \in A_D$, $(e'_d, CONT, n'_d) \in A_D$, 
$(e_l, CONT, n_l) \in A_L$, $(e'_l, CONT, n_l) \in A_L$ and 
$\text{predicate-label}(n_l)(\text{content-label}(n_d), \text{content-label}(n'_d)) = \text{true}$. 



1172 Barbara Oliboni and Letizia Tanca 



Definition 2. (Graph Match) Let $L = (N_L, A_L)$ be a LHS graph of an XML- 
GL query Q; let $D = (N_D, A_D)$ be the input document graph. 

Let $\phi : N_L \to N_D$ and $\psi : A_L \to A_D$ be two mappings between the two graphs. 
Then the subgraph $(\phi(N_L), \psi(A_L))$ of D is called a match of L in D iff the 
following conditions hold: 

1. for each $n \in N_L$, $\phi(n) \equiv n$; 

2. for each arc $(n_1, \lambda, n_2) \in A_L$ with $\lambda \neq *$ and $n_1, n_2 \in N_L$, 
$\psi(n_1, \lambda, n_2) = (\phi(n_1), \lambda, \phi(n_2))$; 

3. for each arc $(n_1, *, n_k) \in A_L$ there is a sequence of arcs 
$(\phi(n_1), CONT, n'_2), (n'_2, CONT, n'_3), \ldots, (n'_{k-1}, CONT, \phi(n_k))$ in $A_D$. 

The query evaluation algorithm takes as input the simple query and the 
document graph and gives as output another document graph. The algorithm 
relies on an intermediate data structure called result table, which records the 
OIDs of the instances of the RHS nodes that will appear in the query result. 

    Procedure SimpleQuery(Query, InDocument) 
      if (ExtractMatch(Query.lhs, Key, ResultTable)) { 
        Clip(Query.rhs, ResultTable); 
        Construct(Query.rhs, ResultTable); 
        output(OutDocument); } 
      else output("No match found"); 
    EndProcedure; 

The procedure SimpleQuery takes as input the query and the input document 
graph and returns the query result as an XML graph. It starts from an empty 
result table and populates it with the data of the result, by performing three 
steps: 

1. Extract-Match step. Procedure ExtractMatch takes as input the LHS of a 
query, its key node¹ and the (initially empty) result table. It finds all the 
possible matches and updates the result table by recording the OIDs of the 
key nodes of the matches; it returns a boolean value that states whether at least 
one match has been found (true or false). 

2. Clip step. Procedure Clip takes as input the RHS of a query and the result 
table, which has been populated by procedure ExtractMatch. It returns the 
result table updated with the values of the OIDs of the non-invented nodes. 

3. Construct step. Procedure Construct takes as input the RHS of a query and 
the result table, which has been populated by procedures ExtractMatch and 
Clip. It returns the result table updated with the values of the OIDs of 
the invented nodes. For each invented node of the RHS the result table is 
updated according to the type of node. Next, the output document graph is 
constructed starting from the query-result table. 

Since a complex query is equivalent to multiple simple queries, complex query 
evaluation is obtained by computing a set of simple queries, each composed of 
one LHS graph and one RHS graph, and then by combining their result. We call 
such queries components of the complex query. 
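As an added illustration of the extract-match-clip steps (my own code, not the paper's), the following Python sketch evaluates the simple query of Fig. 1b over a constructed document graph for the DTD of Fig. 1a; the class and function names (DocGraph, PNode, Pattern, run_query) are assumptions of mine, and compare-to-property predicates and the construct step are left out.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Node:
    oid: int
    kind: str                       # 'element', 'attribute' or 'content'
    label: str                      # node-label
    content: Optional[str] = None   # content-label (leaf value), if any

@dataclass
class DocGraph:
    nodes: dict[int, Node] = field(default_factory=dict)
    arcs: set[tuple[int, str, int]] = field(default_factory=set)  # (from, label, to)

    def add(self, kind, label, content=None, parent=None) -> int:
        n = Node(len(self.nodes) + 1, kind, label, content)
        self.nodes[n.oid] = n
        if parent is not None:
            self.arcs.add((parent, "CONT", n.oid))
        return n.oid

    def children(self, oid):
        return [t for (f, l, t) in self.arcs if f == oid and l == "CONT"]

    def descendants(self, oid):
        """Transitive closure of CONT: the nodes a Kleene-star arc may reach."""
        out, stack = [], self.children(oid)
        while stack:
            c = stack.pop()
            out.append(c)
            stack.extend(self.children(c))
        return out

@dataclass
class PNode:
    """LHS node: label 'ANY' = anonymous node; predicate = compare-to-value
    predicate label; negative marks a dashed (negated) node."""
    name: str
    kind: str
    label: str
    predicate: Optional[Callable[[str], bool]] = None
    negative: bool = False

@dataclass
class Pattern:
    nodes: dict[str, PNode]
    arcs: list[tuple[str, str, str]]   # (from, 'CONT' or '*', to)
    key: str                           # key node: the element to extract

def node_matches(nd, nl):
    """Definition 1 (type-match plus cases 1 and 2); no predicate = any content."""
    if nd.kind != nl.kind or (nd.label != nl.label and nl.label != "ANY"):
        return False
    return nl.predicate(nd.content or "") if nl.predicate else True

def graph_matches(doc, pat, oid):
    """Definition 2 for a tree-shaped LHS rooted at the key node: each solid arc maps
    onto a CONT arc (a '*' arc onto a CONT path); a dashed target must be absent."""
    def extend(pname, at):
        for (f, l, t) in pat.arcs:
            if f != pname:
                continue
            cands = doc.descendants(at) if l == "*" else doc.children(at)
            found = any(node_matches(doc.nodes[c], pat.nodes[t]) and extend(t, c) for c in cands)
            if found == pat.nodes[t].negative:   # forbidden one found, or required one missing
                return False
        return True
    return node_matches(doc.nodes[oid], pat.nodes[pat.key]) and extend(pat.key, oid)

def extract_match(doc, pat):
    """Extract-Match step: the result table of OIDs of matching key-node instances."""
    return [oid for oid in doc.nodes if graph_matches(doc, pat, oid)]

def clip(doc, table, retain):
    """Clip step: keep, per matched element, only the sub-elements named in retain."""
    return [{doc.nodes[c].label: doc.nodes[c].content
             for c in doc.children(oid) if doc.nodes[c].label in retain} for oid in table]

def build_sample():
    """Constructed instance of the DTD of Fig. 1a (sample data, not from the paper)."""
    doc = DocGraph()
    root = doc.add("element", "ROOT")
    def company(id_, year, name, typ, parent):
        c = doc.add("element", "company", parent=parent)
        doc.add("attribute", "ID", id_, c)
        for lbl, val in (("foundation_year", year), ("name", name), ("type", typ)):
            doc.add("element", lbl, val, c)   # leaf sub-element carrying its value
        return c
    acme = company("c1", "2001", "Acme", "cars", root)
    company("c2", "1995", "Bolt", "flowers", acme)   # owned by Acme
    company("c3", "2005", "Cog", "tools", acme)      # owned by Acme
    company("c4", "2003", "Daisy", "flowers", root)
    return doc

def fig1b_query():
    """LHS of Fig. 1b: company with foundation_year > 1999 and no (dashed) type = flowers."""
    nodes = {"company": PNode("company", "element", "company"),
             "year": PNode("year", "element", "foundation_year", lambda v: int(v) > 1999),
             "flowers": PNode("flowers", "element", "type", lambda v: v == "flowers", True)}
    return Pattern(nodes, [("company", "CONT", "year"), ("company", "CONT", "flowers")], "company")

def run_query(doc):
    """Extract-Match then Clip, retaining name and type as the RHS of Fig. 1b does."""
    return clip(doc, extract_match(doc, fig1b_query()), {"name", "type"})
```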

¹ The set of LHS nodes connected to the RHS by a binding edge, which will be the 
ones “transferred” to the RHS. 
3 XML-GL^rec: Querying Web Sites 

In this section we introduce some notations which allow the expression of generic 
queries over whole XML-specified WWW sites. In order to represent simple links, 
we add to the set A of XML-GL arcs the Href arcs, which are arcs labeled by the 
string “Href”. They may connect an XML element to any node and represent a 
simple link. 



3.1 XML Links in XML-GL^rec 



The XML Linking Language (XLink) allows inserting elements into XML 
documents in order to create and describe links between resources. XLink pro- 
vides a framework for creating both basic unidirectional links and more complex 
linking structures, but in this paper we consider only simple links. A simple link 
is a link that associates exactly two resources, one local and one remote, and 
implicitly provides a single traversal arc from the local resource to the remote 
one. This could represent, for example, the name of a product appearing in text 
that is linked to information about the product. A simple link may be declared 
as an XML element or as a set of attributes in another XML element. A sample 
declaration for an element named xlink:index is the following, shown beside an 
XML document using it: 



    <!ELEMENT xlink:index ANY> 
    <!ATTLIST xlink:index 
      href    CDATA                     #REQUIRED 
      role    NMTOKEN                   #IMPLIED 
      title   CDATA                     #IMPLIED 
      show    (embed | new | replace)   #IMPLIED 
      actuate (onLoad | onRequest)      #IMPLIED > 



    <xlink:index 
      href="/products/Ulysses.xml" 
      role="product" 
      title="Info about Ulysses" 
      show="replace" 
      actuate="onRequest"> Ulysses 
    </xlink:index> by J. Joyce. 



In this document we have, in an index of books, the title “Ulysses” , which 
is a simple link to another XML document containing information about that 
book. A sample declaration for an element that uses the link attributes is: 



    <!ELEMENT productlink ANY> 
    <!ATTLIST productlink 
      xlink:type    (simple)                  #FIXED "simple" 
      xlink:href    CDATA                     #REQUIRED 
      xlink:role    NMTOKEN                   #FIXED "product" 
      xlink:title   CDATA                     #IMPLIED 
      xlink:show    (embed | new | replace)   #FIXED "replace" 
      xlink:actuate (onLoad | onRequest)      #FIXED "onRequest" 
    > 



In this case we do not have an XML element representing a simple link; rather, the 
information about the link is annexed to a normal XML element, so that the 
XML element “productlink” carries both its own attributes and the link attributes. Note 
that in this case the xlink:type attribute carries the information about the link type 
and is fixed to “simple”. The following example shows an XML 
document using this declaration: 
    <productlink 
      href="/product/Ulysses.xml" 
      title="Info about Ulysses"> Ulysses </productlink> by J. Joyce. 

We represent simple links by an arc labeled “Href”. The Href arc starts 
from the link element and points to an anonymous node. In Figure 2 each DTD 
represents a document type, and the corresponding documents may be linked 
by simple links. In DTD1 the link is represented by the Product_list ele- 
ment, which contains its attribute Type_name and the link attributes xlink:type, 
xlink:role, xlink:title, xlink:show, xlink:actuate and the Href arc, which points to 
an element ANY. In DTD2 the links are represented by the Made_by and Compo- 
nent elements. Each link element contains the link attributes role, title, show and 
actuate and has an Href arc which points to an element ANY. This represen- 
tation is consistent with a link from documents of type DTD1 to documents of 
type DTD2 through Product_list: in this case the link attributes are annexed to 
the element Product_list. We represent the XML link as an arc labeled Href that 
points to an ANY element. Note that, as is also the case with IDREF arcs, the 
DTD cannot provide information about which element type is referred to by the 
href attribute. 

The representation is also consistent with a link from documents of type 
DTD2 to documents of type DTD3 through Made_by towards Company. The 
element Made_by is a simple link and has the link attributes and the arc labeled 
Href which points to an ANY element. In DTD2 there is also another link, 
represented by the element Component: through this link each product can be 
linked to the products that compose it. Again, this cannot appear at the DTD 
level, where link destination element types cannot be specified. An interesting 
remark is that queries which involve Href and IDREF arcs must necessarily be 
blind, that is, they cannot take advantage of complete information about the 
documents’ structures, even when the DTDs are known. 




Fig. 2. An example of site DTDs 



3.2 Some Examples of Recursive Queries 

From the definition of XML-GL of Section 2 we can notice that the initial version 
of the language allows some form of recursion by means of the Kleene star arcs 
which, in practice, express the transitive closure of the contains relation. 
However, while this is enough when querying single documents or even sets of 
documents which are related by join conditions, it becomes too restrictive when 
we want to traverse XML-specified WWW sites. Moreover, note that in XML, 
whenever we want to define a symmetrical relationship between two elements, 
we are obliged to use IDREF attributes because the containment relationship is 
directed; the recursive extension will also be useful in order to traverse sequences 
of IDREF-related elements. Accordingly, we extend the XML-GL semantics with 
recursion on any kind of relationship, including IDREF and LINK arcs. The first 
query of Fig. 3 on the DTD of Fig. 1a finds all the companies owned by a certain 
company and the second query defines as allies the pairs of companies where the 
first refers to the second via the relationship “involved_in” and vice-versa. 





Fig. 3. Example of recursive query through idrefs 

The semantics of queries like the first in Figure 3 is intuitively understand- 
able: the leftmost graph of the LHS represents the base recursion step, and defines 
a relationship “involved_in” between two companies if one is owned by the other. 
The second graph of the LHS defines the recursive rule: whenever one company 
is related to another one by “involved_in”, and is at the same time owned by a 
third company, then the latter is also related by the relation “involved_in” with 
the first. This is a typical complex query, and is based on the general XML- 
GL principle that an RHS element with multiple bindings coming from the LHS 
expresses union. Accordingly, a definition such as that of Figure 3 appears most 
natural, but is not captured by the algorithm of Section 2.3, which does not 
perform recursive calls to its procedures. In order to give a formal semantics 
to such kinds of queries, we rely on the translation of XML-GL^rec to G-Log, 
which has all the expressive power needed for recursive computations. 

While the query in Figure 3 is a recursive query through an IDREF arc, the 
query in Figure 4 on the DTD of Fig. 2 is a recursive query through a simple 
link. We define a new node with label “composed” and a new arc with label 
“Href”. The leftmost graph of the LHS represents the base recursion step and 
defines a new link between two products if one is composed of the other. The 
second graph of the LHS is the recursive rule. Thus the final result is the new 
element “composed”, which is directly linked to all its components. Note that in 
both the queries of Figures 3 and 4 the ROOT nodes and their outgoing labeled 
arcs are reported in the CLIP part, because the existing links must be 
kept in the result of each recursive step, so that each step can be applied to the 
result of the previous step. 




Fig. 4. Example of recursive query through links 



4 Some Basic Notions on G-Log 

In this section we give a quick review of the basic definitions of G-Log, and 
add some simple extensions which allow us to reason about XML-GL while not 
affecting the G-Log semantics as originally defined. We refer to Generative 
G-Log, a reduced version of G-Log with the same expressive power. 

In G-Log, directed labeled graphs are used as the formalism to specify and rep- 
resent schemata, instances and programs. The nodes of the instance graphs stand 
for objects and the edges indicate relationships between objects. We distinguish 
two kinds of nodes: printable nodes, also called slots, depicted as ellipses, indicate 
objects with a representable value; non-printable nodes, depicted as rectangles, 
indicate abstract objects. A G-Log schema contains information about the struc- 
ture of the database and includes the (types of) objects that are allowed, how 
they can be related and what values they can take. We add to the set of ob- 
ject labels of Generative G-Log the special label “DUMMY”. A G-Log schema, 
representing the same information as the running example, is shown in Fig. 5. 
A G-Log instance is a directed labeled graph where printable nodes’ values are 
specified; note that missing information is modeled by allowing the instance to 
lack some of the nodes defined at the schema level. G-Log queries (rules) are 
also represented as (sets of) graphs. Like Horn clauses, rules in G-Log represent 
implications. To distinguish the body of the rule from the head in the graph P 
representing the rule, the part of P that corresponds to the body is colored red, 
and the part that corresponds to the head is green. Rules in Generative G-Log 
can also contain negation in the body: solid lines represent positive information 
and dashed red lines represent negative information. A query is a set of rules 
defined over a source schema $S_1$ and whose result instance has target schema $S_2$. 
Intuitively, a G-Log rule is “applied” by “embedding” its red part as a subgraph 
into the input instance; wherever we find an embedding, we extend that part 
of the instance with a piece of graph matching the green part. The concept of 
embedding defined in the sequel extends the original one in order to deal with DUMMY 
nodes and DUMMY arcs in the red part and with predicates defined on slots. 
The algorithm itself is unchanged. Examples of G- 
Log rules are the ones of Figure 7, obtained as translations of the first XML-GL 
rule of Figure 3. Since this paper is black and white, we use thin lines for red 
nodes and edges and thick lines for green ones. 




Fig. 5. The G-Log schema corresponding to the DTD of Fig. 1a 



An embedding $i$ of a subgraph $P = (N_P, E_P)$ in an instance $I = (N_I, E_I)$ is 
a total mapping $i : N_P \to N_I$ such that: 

— $\forall n \in N_P$: if $label(n) \neq$ “DUMMY”, then $label(i(n)) = label(n)$; 

— $\forall n \in N_P$: if $label(n) =$ “DUMMY”, then $i(n)$ may be any node of $N_I$; 

— $\forall n \in N_P$: if $n$ has a print label, then $print(i(n)) = print(n)$; 

— $\forall (n, arc\_label, n') \in E_P$: if $arc\_label \neq$ “DUMMY”, 
then $(i(n), arc\_label, i(n')) \in E_I$; 

— $\forall (n, DUMMY, n') \in E_P$: $\exists\, arc\_label : (i(n), arc\_label, i(n')) \in E_I$; 

— $\forall (n, arc\_label, n') \in E_P$ such that $label(n)$, $label(n')$ are slot labels: 
if $arc\_label$ is a comparison predicate then $(print(i(n))\ arc\_label\ print(i(n')))$ 
is TRUE. 

Thus, in a G-Log rule a DUMMY entity can be mapped to any node and 
a DUMMY arc can be mapped to any arc. It is easy to observe that this defi- 
nition is extraordinarily similar to the definition of XML-GL match given in 
Section 2.3. The semantics of a G-Log program P can be described as a relation 
$Sem_{G\text{-}Log}(P)$ between G-Log instances: 

$Sem_{G\text{-}Log}(P) = \{(I, I') : I' \text{ is the result of the application of } P \text{ to } I\}$ 

where the application of P to I consists in recursively applying the rules of P, i.e. 
by embedding all the red parts of the rules of P into I, and extending I with the 
green parts of these rules, until no more extensions can be made. The semantics 
of G-Log is described as a relation because it is non-deterministic: given an initial 
instance I, the application of a program may yield different resulting instances. 
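As an added example covering both the recursive queries of Fig. 3 and the fixpoint application of rules just described (my own code, not the paper's), the following Python applies Generative-G-Log-style rules to a constructed company-ownership instance until no green part adds anything; node invention, DUMMY labels and negation are left out, and the names (Rule, embeddings, apply_program, run_fig3) are mine.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import product

Arc = tuple[str, str, str]   # (from node, arc label, to node)

@dataclass(frozen=True)
class Rule:
    """Red part: arcs over variables that must embed in the instance;
    green part: arcs over the same variables, added wherever an embedding exists."""
    red: tuple[Arc, ...]
    green: tuple[Arc, ...]

def embeddings(rule: Rule, nodes: set[str], arcs: set[Arc]):
    """Every total mapping of the rule's variables onto instance nodes under which
    each red arc maps onto an existing arc (positive embeddings only)."""
    vars_ = sorted({v for (f, _, t) in rule.red for v in (f, t)})
    for choice in product(sorted(nodes), repeat=len(vars_)):
        i = dict(zip(vars_, choice))
        if all((i[f], l, i[t]) in arcs for (f, l, t) in rule.red):
            yield i

def apply_program(rules: list[Rule], nodes: set[str], arcs: set[Arc]) -> set[Arc]:
    """Sem_G-Log: embed red parts and add green parts until no more extensions exist.
    No rule here invents nodes, so the result is unique and no choose step is needed."""
    arcs = set(arcs)
    changed = True
    while changed:
        changed = False
        for r in rules:
            for i in list(embeddings(r, nodes, arcs)):
                for (f, l, t) in r.green:
                    if (i[f], l, i[t]) not in arcs:
                        arcs.add((i[f], l, i[t]))
                        changed = True
    return arcs

# The two queries of Fig. 3 as rules over 'owns' arcs (ownership between company
# nodes, standing in for the IDREF relationship of the DTD of Fig. 1a).
INVOLVED_IN = [
    Rule(red=(("X", "owns", "Y"),), green=(("X", "involved_in", "Y"),)),       # base step
    Rule(red=(("X", "involved_in", "Y"), ("Z", "owns", "X")),                  # recursive step
         green=(("Z", "involved_in", "Y"),)),
]
ALLIES = [Rule(red=(("X", "involved_in", "Y"), ("Y", "involved_in", "X")),
               green=(("X", "allies", "Y"),))]

def run_fig3(nodes=None, owns=None):
    """Constructed instance: a cross-holding cycle A->B->C->A plus an outside owner D.
    With a cycle the closure is reflexive on A, B, C, so they are also their own allies."""
    nodes = nodes or {"A", "B", "C", "D"}
    owns = owns or {("A", "owns", "B"), ("B", "owns", "C"), ("C", "owns", "A"), ("D", "owns", "A")}
    arcs = apply_program(INVOLVED_IN + ALLIES, nodes, owns)
    involved = {(f, t) for (f, l, t) in arcs if l == "involved_in"}
    allies = {(f, t) for (f, l, t) in arcs if l == "allies"}
    return involved, allies
```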
5 XML-GL^rec to G-Log 

In an analogous way to the definition of the G-Log semantics, we define the execution 
of an XML-GL^rec query Q on a set of valid XML documents as an application 
$Sem_{XML\text{-}GL^{rec}}(Q)$ from a (set of) XML documents, represented as XML graphs, 
to a unique resulting XML document, i.e. 

$Sem_{XML\text{-}GL^{rec}}(Q) : 2^{\mathcal{D}} \to \mathcal{D}$ 

where $\mathcal{D}$ is the set of all possible XML document graphs. Note that, differently 
from the G-Log semantics, we require the semantics of XML-GL^rec to be deter- 
ministic, as in the case of XML-GL. In order to formally specify the semantics 
of XML-GL^rec we define a correspondence between XML-GL^rec and G-Log: both 
the correspondence between an XML document graph and a G-Log 
instance, and that between an XML-GL^rec query and a G-Log program. 

Let $\mathcal{D}$ be the domain of XML document graphs and $\mathcal{I}$ be the domain of 
G-Log instances. Then, 

$\tau : 2^{\mathcal{D}} \to \mathcal{I}$ 

is a function that associates a G-Log instance to a set of XML document graphs. 

Let $\mathcal{Q}$ be the domain of XML-GL^rec queries and $\mathcal{P}$ be the domain of G-Log 
programs. Then, 

$\mu : \mathcal{Q} \to \mathcal{P}$ 

is a function that associates a G-Log program to an XML-GL^rec query. The $\mu$ 
function maps each XML-GL element into a G-Log element and each XML-GL 
arc into a G-Log arc. Moreover, since XML-GL arcs are not labeled, it creates 
a label for each G-Log arc. The $\mu$ function takes into account the order of 
XML-GL elements, so by translating from XML-GL into G-Log we are able to 
compute queries with an ordered semantics; the algorithm for evaluating 
XML-GL queries given above, in fact, does not take ordering into account. A formal 
description of the functions $\tau$ and $\mu$ is given elsewhere. 

We are also interested in the inverse transformation of this function, which 
associates a single XML-GL^rec document graph to a G-Log instance, defined as: 

$\tau^{-1} : \mathcal{I} \to \mathcal{D}$ 

Note that $\tau^{-1}$ is well defined because $\tau$ is a one-to-one function. 

Now we explain the diagram of Fig. 6. The right part of the diagram repre- 
sents the XML-GL^rec semantics: starting from a set of XML-GL^rec documents 
$(D_1, D_2, \ldots, D_n)$, the application of an XML-GL^rec query Q yields a resulting 
XML document graph D. 

The upper left part of the diagram represents the G-Log semantics: given an 
initial G-Log instance I, the application of a G-Log program P returns a set of 
resulting final G-Log instances $(I'_1, \ldots, I'_k)$. Since XML-GL is a deterministic 
language, we want to keep this feature also in XML-GL^rec. Function choose 
takes care of getting rid of the non-determinism introduced in G-Log by new 
node invention. Function choose selects the instance which corresponds to the 
Fig. 6. Translation of XML-GL^rec into G-Log and vice-versa 



result of the XML-GL^rec query: it takes as input the set of resulting G-Log 
instances $(I'_1, \ldots, I'_k)$ and appropriately chooses one instance $I'$ on the basis 
of the constructor nodes: 

$choose : 2^{\mathcal{I}} \to \mathcal{I}$ 

If the constructor node is an element node, then the function chooses the instance 
$I' = (N, E)$ where N has the highest cardinality; if it is a list node, then the 
function chooses the instance where N has the lowest cardinality; finally, if it is 
a group-by node, then the function chooses the instance where $|N|$ equals the 
number of different values that the “group by” attribute assumes in the resulting 
document, and groups values accordingly. Now the instance $I'$ corresponds to the 
result of the corresponding XML-GL^rec query, but still contains a set of service 
nodes (“EX-PTR” and “CLIP” nodes) that we add in the translation from XML- 
GL^rec to G-Log. We eliminate such nodes by using the clear function: 

$clear : \mathcal{I} \to \mathcal{I}$ 

The semantics of XML-GL^rec, $Sem_{XML\text{-}GL^{rec}}(Q)$, applied to a set of documents 
$(D_1, D_2, \ldots, D_n)$ is thus defined as the result obtained by transforming 
$(D_1, D_2, \ldots, D_n)$ and Q, via functions $\tau$ and $\mu$ respectively, into a G-Log instance 
and program, applying first $Sem_{G\text{-}Log}(\mu(Q))$ and subsequently the functions 
choose and clear to the G-Log instances obtained, and finally transforming 
the resulting instance into an XML-GL^rec document graph D via $\tau^{-1}$. 

Note that so far, by using the choose function, we have taken care of the 
non-determinism introduced by new object invention. To take care of the non- 
determinism caused by recursive XML-GL^rec queries containing negation, we 
consider the corresponding G-Log programs, construct their dependency graphs in 
order to check whether they are stratified, and accept only XML-GL^rec programs that 
give stratified G-Log programs. 
Fig. 7. From XML-GL^rec to G-Log: translation of the first query of Fig. 3 



Now, we state a theorem establishing that the semantics of XML-GL^rec de- 
fined through the commutative diagram reduces to the semantics of XML-GL 
as originally defined. 

Theorem 1. The commutative diagram in Fig. 6 is correct on XML-GL, i.e. 

$\tau^{-1}(clear(choose(Sem_{G\text{-}Log}(\mu(Q))))) = Sem_{XML\text{-}GL}(Q)$ 

if Q is an XML-GL query and $I = \tau(D_1, \ldots, D_n)$. 

The proof of this theorem is by induction on the number of 
nodes and on the number of graphs, and is based on the similarity between the 
concept of matching in XML-GL and that of embedding in G-Log. 

6 Conclusions 

We have presented XML-GL^rec, an extended version of XML-GL, the graphical query lan- 
guage for XML documents, which allows extracting and restructuring 
information from XML-specified WWW documents connected by simple links. 
XML-GL^rec also allows representing generic recursive queries, which should allow 
querying whole XML-specified WWW sites in a simple and intuitive way. The 
translation of XML-GL^rec into G-Log is in itself interesting for us, because we 
want to extend to XML-GL some results obtained on the positive fragment of 
G-Log, where a new semantics has been imposed based on the notion of bisim- 
ulation. In future work we will investigate the applications of such 
results, which are related to the possibility of graduating graph matchings in 
order to obtain more or less flexible semantics. A precise definition of a general 
XML-GL^rec evaluation algorithm, which is here still quite abstract, will also 
be part of our future work. 
Abstract. XML is rapidly emerging, and yet there still exist numerous 
HTML documents on the Web. In this paper, we present a heuristic ap- 
proach for converting HTML documents to XML documents. During the 
conversion process, we eliminate all the HTML elements in an HTML 
document from the resulting XML document since these elements are de- 
signed for the display of data exclusively, but retain the character data 
of each element along with the implicit hierarchy among the data. The 
proposed conversion approach extracts the data hierarchy of HTML doc- 
uments as closely as possible with no human intervention. The approach 
can be adopted to construct the data hierarchy of an HTML document 
and to collect data in HTML documents into an XML repository. 



1 Introduction 

Since the Extensible Markup Language (XML) was introduced in 1996 and became 
the official W3C Recommendation in 1997, it has quickly been emerging as a de facto 
standard for electronic data exchange. At present, there are still a large 
number of new and existing HTML documents on the Web, either dynamically created via 
CGI-like technologies or statically created. It is worthwhile migrating 
existing HTML documents to XML to avoid the inefficiency and addi- 
tional complexity of managing documents in two different formats. Migration 
of dynamic HTML documents to XML can be done easily by modifying the re- 
spective CGI-like modules. It is, however, more time-consuming to migrate static 
HTML documents to XML unless conversion tools are provided. 

In this paper, we present a heuristic approach, called Html2Xml, to convert 
HTML documents to XML documents. We consider the following two issues: 

— First, in the resultant XML document, it is desirable to just retain data 
and exclude HTML tags that are contained in the source HTML document 
since the primary role of HTML tags is to merely define the display, i.e., the 
“look-and-feel,” of data. 

— Second, the explicit or implicit data hierarchy of the source HTML document 
should be determined and preserved in the resultant XML document. 

Consider the body block of the HTML document, Utah County Demographic 
Analysis 1996 (UCDA), as shown in Figure 1. According to the container-content 
constraint specified in the HTML grammar, Figure 2(a) shows a typical hierarchy of 
the body block of UCDA. In Figure 2(a), the hierarchy of the data, such as the 
    <BODY> 
    <H1>Utah County Demographic Analysis 1996</H1> 
    <P> 
    Utah County has a population of 317,880 — the 
    <B>second highest</B> in the state (1996). It also 
    has the fourth highest population density, at 160 
    people per square mile. An estimated 99,606 people 
    live in Provo, the county's largest city (1996). 
    By 2020, over 535,000 people are projected to live 
    in the county. Utah County boasts the second 
    highest average household size (3.5 people per 
    household), as well as the state's youngest median 
    age (22). 
    </P> 
    <H2><A HREF="orem.html">Orem</A></H2> 
    <UL> 
    <LI>Population: 79,736</LI> 
    <LI>Growth Rate: 2.20%</LI> 
    </UL> 
    <H2><A HREF="alpine.html">Alpine</A></H2> 
    <UL> 
    <LI>Population: 5,161</LI> 
    <LI>Growth Rate: 4.60%</LI> 
    </UL> 
    <HR> 
    <ADDRESS>Comments to 
    <A HREF="webmaster.html">webmaster</A> 
    </ADDRESS> 
    </BODY> 

Fig. 1. Body block of utah.htm 
population and growth rate of a city in Utah County, is interleaved with HTML 
tags such as Bs, ULs, and LIs. As a result, the data content of the first paragraph 
(P) yields three leaf nodes in the hierarchy since it is divided into three parts 
by B. Because of the separation, the association between a city name and its 
population and growth rate is not clearly shown in the figure. We believe the 
hierarchy in Figure 2(b) depicts the relationship among the data “better” than 
that of Figure 2(a), since in Figure 2(b) population 79,736 is tied with its city 
“Orem” and population 5,161 is tied with its city “Alpine” according to the 
container-content relationship. 



[Figure 2: two tree diagrams of the Fig. 1 document; (a) The document hierarchy (DOH) generated by the HTML grammar, (b) The desired data hierarchy (DAH).] 

Fig. 2. Two different hierarchies of the HTML document in Figure 1 

Our Html2Xml approach is based on the notion of data hierarchy (DAH). 
The DAH of an HTML document H is a tree representation of the data in 
H, with the exclusion of most of the HTML elements in H. Also, data in a 
DAH are identified by their hierarchical relationships with other data, without 
using HTML elements. In this regard, the notion of DAH distinguishes itself 
from other approaches, where manipulation of HTML elements is in- 
dispensable in the process of locating a particular data item. Furthermore, our 
Html2Xml approach does not require any knowledge of the structure of a source 
HTML document beforehand, and we generate the XML representation of all 
the data, rather than a selected portion, in an HTML document with no human 
intervention, which other approaches require. 

We proceed to present our results as follows. In Section 2 we include prelim- 
inary definitions that are used for further discussions in this paper. In Section 3 
we introduce our approach for converting HTML documents to XML documents. 
In Section 4 we give the concluding remarks. 
2 HTML/XML Documents 

There are two major constructs in XML as well as in HTML documents: elements 
and character data (data in short). An element is delimited by its start-tag and 
end-tag, unless it is an empty element, and text that does not start with ‘<’ is 
character data. Moreover, an element is identified by its name and accompanied 
with an attribute list of zero or more attributes, each of which is of the form 
attribute name = value. (For a data item d, we consider d itself as the name 
of d.) An element contains content that appears between its start- and end- 
tags. For some non-empty HTML elements, the end-tag is implicit, whereas a 
non-empty XML element always ends with an end-tag. The content of an 
HTML/XML element is either another element (i.e., elements can be nested) or 
character data. We call the former element content and the latter data content. 
Also, given an element e and its immediate content c, we say that e immediately 
contains c, denoted by e ← c, and e is called the immediate container of c or 
c is the immediate content of e. For instance, the assertion BODY ← UL ← LI 
← ‘Population: 5,161’ holds for the hierarchy in Figure 2(a) according to the 
HTML grammar. Empty elements are non-container elements. 

Recall that a content is either an element or data, whereas a container is always an element. When an HTML document H is converted to an XML document X, data that encompass other data in H, such as Orem and Alpine in Figure 2(b), are converted to elements in X. Besides the container-content constraint, we use child element to denote an immediate element content and parent element to denote an immediate container in an XML document. Also, throughout this paper whenever we say “an element e is removed,” we mean that the start- and end-tags of e are removed but the data content of e is retained.

An HTML/XML document can be perceived as a tree, called document hierarchy (DOH), where a node denotes an element or data component, and edges are determined by the container-content relationships among nodes. If each node in a DOH D exclusively represents an HTML/XML data or an XML element, we call D a data hierarchy (DAH), denoted DAH_D.

Definition 1. Given an HTML/XML document D, the document hierarchy (DOH) of D is a tree, denoted DOH_D = (V, E, g), where (i) a node in V denotes an element e or a character data d in D and is labeled by the name of e or d, respectively.¹ For any node n and its child nodes n_1, n_2, ..., n_m, n_j appears before n_k in the left-to-right, top-to-bottom manner in D if 1 ≤ j < k ≤ m. The root node v_r in V is the BODY element if D is an HTML document, or the first element appearing after the prolog block if D is an XML document; (ii) E is a finite set of directed edges; and (iii) g : E → V × V is the edge definition function such that g(e) = (v_1, v_2) ∧ v_2 ≠ v_1. □

According to Definition 1, the hierarchy shown in Figure 2(a) is the DOH of utah.htm, where the name of each leaf node is surrounded by ‘ ’. To reference an element or data v in a hierarchy where v belongs, we define the context of v.

¹ Since we guarantee one-to-one relationships between D and DOH_D, we interchangeably use the nodes in DOH_D and the elements/data in D, as well as D and DOH_D.
Definition 2. Given a set S of elements or data that are hierarchically structured, the context of an element or data v in S is defined as X_v = N_v if v is the root node of the hierarchy; otherwise, X_v = X_v'.N_v, where N_v is the name of v and X_v' is the context of the predecessor of v in the hierarchy. (The dot ‘.’ in X_v'.N_v is the dot operator, which is the separator of X_v' and N_v.) □

The context of a node v in a DOH is the concatenation of the names of v and its ancestors along the path from the root node, and each distinct name is delimited by ‘.’ from its adjacent names. Furthermore, using an ordered list of the contexts of the leaf nodes in a DOH, we can represent the DOH as a string. We adopt the convention A.(B, C) for (A.B, A.C), where (A.B, A.C) is an ordered list of contexts. In addition, if sibling nodes share the same name, we append an index number to their names, such that node[1] denotes the first node with the name node, according to their order of appearance in the source document.

Consider the hierarchy in Figure 2(b). Using the context of each leaf node, the data in the subtree rooted at Alpine can be expressed as follows:

(‘Utah County Demographic Analysis 1996’.‘Alpine’.‘HREF="alpine.html"’,
 ‘Utah County Demographic Analysis 1996’.‘Alpine’.‘Population: 5,161’,
 ‘Utah County Demographic Analysis 1996’.‘Alpine’.‘Growth Rate: 4.60%’) =
‘Utah County Demographic Analysis 1996’.‘Alpine’.(‘HREF="alpine.html"’, ‘Population: 5,161’, ‘Growth Rate: 4.60%’)

3 Construction of the Data Hierarchy of an HTML Document

We now present our approach for constructing the data hierarchy (DAH), which captures the hierarchical relationships among the data contents, of a given HTML document D. The construction process of DAH_D includes (i) the exclusion of HTML elements from D and (ii) the refinement of the container-content relationships among the data in D.

3.1 Exclusion of HTML Elements 

Among the defined HTML elements, the role of some elements is to define the block structure of data (called type 1), whereas others define the cosmetic style of the rendered data in a Web browser exclusively (called type 2).

We group HTML elements into type 1 and type 2 based on whether they form blocks of data such that one block is distinguishable from another hierarchically. Table 1 shows the grouping, which follows the widely-supported HTML 3.2 [ref]. Note that the primary role of text-level elements is to define the style of data, and they do not contribute to the formation of a hierarchical block, with the exception of A. (A is considered as type 1 since any data d appearing in a document linked from another HTML document D is subordinate to D, and A is a lead to d.) Also, we include in type 2 head-related elements, as well as all the non-container elements among the rest of the HTML elements. Head-related elements are type 2 elements since no data is presented in the head block, and all empty elements are excluded from type 1 as well since they contain no data. Form-related and Java applet-related elements are also excluded from type 1 since they are used to query data rather than to present data. Among the elements that do not appear in Table 1, we exclude HTML and HEAD from type 1 but retain BODY as type 1 to ensure that the resulting DAH of an HTML document is a tree.

Table 1. Two groups of HTML elements, type 1 and type 2

HTML elements                          | type 1                              | type 2
---------------------------------------+-------------------------------------+--------------------------------------
head content                           |                                     | TITLE, META†, ISINDEX, BASE, LINK,
                                       |                                     | SCRIPT, STYLE
body content  headings                 | H1, H2, H3, H4, H5, H6              |
              block-level              | UL, OL, DIR, MENU, LI, DL, DT, DD,  | ISINDEX, HR, XMP, LISTING, PLAINTEXT
                                       | P, DIV, TR, TABLE, TH, TD, CAPTION, |
                                       | CENTER, BLOCKQUOTE                  |
              text-level  font         |                                     | TT, I, B, U, STRIKE, BIG, SMALL, SUB, SUP
                          phrase       |                                     | EM, STRONG, DFN, CODE, SAMP, KBD, VAR, CITE
                          special      | A                                   | IMG, APPLET, FONT, BR, BASEFONT, SCRIPT, MAP
              form                     |                                     | FORM, INPUT, SELECT, OPTION, TEXTAREA
              client-side image maps   |                                     | MAP, AREA
              Java applet              |                                     | APPLET, PARAM
              address                  | ADDRESS                             |

† META with name attribute “keywords” and <BODY> are considered as type 1, while other METAs, <HTML>, <HEAD>, and <! > are treated as type 2 elements.

Note that table-related elements were not included in the earlier versions of the HTML specification and were added later to present data in a tabular form. They are the most versatile among the HTML elements in organizing data hierarchically and are treated as type 1. We emphasize HTML tables since they are very capable of presenting data hierarchically, and most of the data generated dynamically through CGI-like programs are presented in HTML tables.

Given an HTML document D, we first remove the HTML elements of type 2 from D, and the resulting document is called an approximated document. For example, after B is removed from utah.htm, the content of P is restored as a paragraph in the approximated utah.htm, and HR is also removed hereafter.

3.2 Edge Definition Function of DAH 

During the process of defining edges, we apply four hierarchy resolution rules to D which provide the mechanism for refining the hierarchy of D. The first rule describes how to handle an anchor A and its data in our Html2Xml approach.

Rule 1. Given an ordered list of container-content relationships (p ← C_1, p ← A ← C_2, p ← C_3), where p is the parent of C_1, A, and C_3, A is an anchor element, and C_i (1 ≤ i ≤ 3) is a data item, the edge definition function g of DAH yields p ← C ← HREF, where HREF is the name and value pair of the HREF attribute in A, and C = concat(concat(C_1, C_2), C_3).² Hereafter, A is removed. □

² concat(s_1, s_2) = trim(s_1 + s + s_2), where s_1 and s_2 are strings, s is a space, + is a string concatenation operator, and trim removes any leading and trailing spaces.
Fig. 3. Evolving DOHs: (a) modified DOH after Rule 1 is applied; (b) modified DOH after Rule 2 is applied to the DOH in Figure 3(a)

By Rule 1 we restore the data that might have been fragmented by A, and retain the HREF attribute of A as a placeholder for the data in the linked document.

Consider the ADDRESS element in utah.htm as shown in Figure 2(a), whose content is separated into three parts. By Rule 1 we obtain two edges such that ADDRESS ← ‘Comments to webmaster’ ← ‘HREF="webmaster.html"’. Also, H2[1] ← A[1] ← ‘Orem’ yields H2[1] ← ‘Orem’ ← ‘HREF="orem.html"’, and H2[2] ← A[2] ← ‘Alpine’ yields H2[2] ← ‘Alpine’ ← ‘HREF="alpine.html"’. Figure 3(a) shows the modified DOH after Rule 1 has been applied to the approximated utah.htm.
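Definition 2 and Rule 1 above, as an added example that is not the paper's code: a minimal DOH tree, the concat/trim helper from the footnote, Rule 1 applied to every anchor in the tree, and the context of each leaf with node[k] indexing for repeated names. The input is constructed from the utah.htm fragments this section describes; the Node class and the function names are assumptions.

```python
"""Added example (not the paper's code): DOH contexts (Definition 2) and
Rule 1 anchor resolution on a constructed utah.htm body."""
from typing import Dict, List, Optional


class Node:
    """A DOH node: an element (is_data=False) or a character-data item."""

    def __init__(self, name: str, children: Optional[List["Node"]] = None,
                 is_data: bool = False, attrs: Optional[Dict[str, str]] = None):
        self.name, self.children = name, children or []
        self.is_data, self.attrs = is_data, attrs or {}


def concat(s1: str, s2: str) -> str:
    """concat(s1, s2) = trim(s1 + ' ' + s2), as in the paper's footnote."""
    return (s1 + " " + s2).strip()


def apply_rule1(node: Node) -> Node:
    """Rule 1: p <- C1, p <- A <- C2, p <- C3  ==>  p <- C <- HREF, A removed.
    Generalised to any run of data siblings around an anchor A: they are
    merged into one data node C whose only child is A's HREF name/value pair."""
    merged: List[Node] = []
    kids, i = node.children, 0
    while i < len(kids):
        k = kids[i]
        if not k.is_data and k.name == "A":
            text = ""
            while merged and merged[-1].is_data and not merged[-1].children:
                text = concat(merged.pop().name, text)      # data left of A
            for a_child in k.children:
                text = concat(text, a_child.name)           # A's own data
            i += 1
            while i < len(kids) and kids[i].is_data and not kids[i].children:
                text = concat(text, kids[i].name)           # data right of A
                i += 1
            href = Node('HREF="%s"' % k.attrs.get("HREF", ""), is_data=True)
            merged.append(Node(text, [href], is_data=True))
            continue
        merged.append(k if k.is_data else apply_rule1(k))   # recurse into elements
        i += 1
    node.children = merged
    return node


def leaf_contexts(root: Node) -> List[str]:
    """Definition 2: X_v = X_v'.N_v, dot-separated from the root. A name that
    occurs more than once in the hierarchy gets an index in document order,
    e.g. H2[1], H2[2], LI[1] ... LI[4], as the paper numbers them."""
    counts: Dict[str, int] = {}

    def count(n: Node) -> None:
        counts[n.name] = counts.get(n.name, 0) + 1
        for c in n.children:
            count(c)

    count(root)
    seen: Dict[str, int] = {}
    out: List[str] = []

    def walk(n: Node, prefix: str) -> None:
        label = n.name
        if counts[n.name] > 1:
            seen[n.name] = seen.get(n.name, 0) + 1
            label = "%s[%d]" % (n.name, seen[n.name])
        ctx = label if not prefix else prefix + "." + label
        if not n.children:
            out.append(ctx)
        for c in n.children:
            walk(c, ctx)

    walk(root, "")
    return out


def utah_body() -> Node:
    """Constructed approximated DOH of utah.htm (only the nodes the text
    mentions; not the paper's actual file)."""
    data = lambda s: Node(s, is_data=True)
    anchor = lambda text, href: Node("A", [data(text)], attrs={"HREF": href})
    return Node("BODY", [
        Node("H1", [data("Utah County Demographic Analysis 1996")]),
        Node("P", [data("Utah County has a population of 317,880")]),
        Node("H2", [anchor("Orem", "orem.html")]),
        Node("UL", [Node("LI", [data("Population: 79,736")]),
                    Node("LI", [data("Growth Rate: 2.20%")])]),
        Node("H2", [anchor("Alpine", "alpine.html")]),
        Node("UL", [Node("LI", [data("Population: 5,161")]),
                    Node("LI", [data("Growth Rate: 4.60%")])]),
        Node("ADDRESS", [data("Comments to"), anchor("webmaster", "webmaster.html")]),
    ])


if __name__ == "__main__":
    for ctx in leaf_contexts(apply_rule1(utah_body())):
        print(ctx)
```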

Next, we refine the hierarchy of the nodes at the same level in the current DOH. In this process, we adopt the precedence spectrum shown in Figure 4, where items on the left of » have higher precedence than those on the right.

We place headings higher than other body content elements since they are headings of the text blocks that appear next to the headings, and H1 has higher precedence than H6. Since the roles of OL, DL, DIR, and MENU are similar to that of UL, they have the same precedence. (In fact, DIR, MENU, and UL are treated the same in many Web browsers.) The roles of DIV, CENTER, and BLOCKQUOTE are similar, and hence we place them at the same precedence level. (In fact, CENTER is identical to DIV whose ALIGN attribute value is CENTER.) All these elements, along with ADDRESS, have the same precedence as P and TABLE since none of these elements is subordinate to one another. Since LI is used as a content of UL, OL, DIR and MENU, DT is used as a content of DL, and CAPTION is a content of TABLE according to the HTML specification, we place these elements at the next level in the precedence spectrum. DD is placed at the next level for a similar reason. TR, on the other hand, should have the same precedence as CAPTION according to the HTML specification; however, we place it at a level lower than CAPTION since we consider the content of CAPTION as the title of the entire table. The respective precedences of TR, TH and TD are obvious according to the container-content specification of these elements.



High                                                                                              Low
H1 » H2 » H3 » H4 » H5 » H6 » (P, UL, OL, DL, DIR, MENU, ADDRESS, DIV, CENTER, BLOCKQUOTE, TABLE) » (LI, DT, CAPTION) » (DD, TR) » (TH, TD)

Fig. 4. Precedence among HTML elements
Rule 2. Given a set of sibling elements e_1, ..., e_n which are located from left to right in an HTML document, for any two sibling elements e_i and e_j (1 ≤ i < j ≤ n) such that e_i ← c_1 and e_j ← c_2, applying the edge definition function g to e_1, ..., e_n yields (i) c_1 ← e_j ← c_2, if e_j is ADDRESS and e_i » e_j; (ii) c_1 ← DESCRIPTION ← c_2, if e_j is P and e_i » e_j; (iii) c_1 ← e_j ← c_2, if e_i is CAPTION and e_j is TR; or (iv) c_1 ← c_2, if e_j is neither ADDRESS, P nor TR and e_i » e_j.

For an element e with more than one element on the left of e which has higher precedence than e, we retain only the edge between the element of the highest precedence and e if e is ADDRESS; otherwise, we retain the edge between e and the nearest such element to e. Hereafter, any empty HTML elements are removed. □

By Rule 2 the contents of a set of sibling elements are refined, if necessary. Note that we treat ADDRESS separately since it has a unique role, such as authorship and contact details for the source HTML document. We rename P elements as DESCRIPTIONs until the construction of an XML document X is completed since they play special roles during the construction of X. We will discuss CAPTION and TR in detail in the next section.

Consider the DOH in Figure 3(a) and apply Rule 2 to the child elements of BODY. Since H1 » P, ‘Utah County Demographic Analysis 1996’ ← DESCRIPTION ← ‘Utah County has a population of ...’ by Rule 2(ii). Consider P and H2[1]. Since H2 » P but P appears before H2[1], the contents of these elements are not rearranged. However, since H1 » H2, ‘Utah County Demographic Analysis 1996’ ← ‘Orem’ ← ‘HREF="orem.html"’ by Rule 2(iv). Now, compare H2[1] and UL[1]. Since H2 » UL, (‘Orem’ ← LI[1], ‘Orem’ ← LI[2]) by Rule 2(iv), and eventually (‘Orem’ ← LI[1] ← ‘Population: 79,736’, ‘Orem’ ← LI[2] ← ‘Growth Rate: 2.20%’). H2[2] and UL[2] are processed similarly. Figure 3(b) shows the modified DOH after Rule 2 has been applied. Note that ADDRESS is retained and LI[1] (LI[3], respectively) cannot be resolved against LI[2] (LI[4], respectively) since LI[1] and LI[2] (LI[3] and LI[4], respectively) have the same precedence.

Rule 3. Given a container-content relationship e_1 ← e_2 ← e_3, where e_2 is neither ADDRESS, a table-specific element, nor a DESCRIPTION obtained from P, the edge definition function g of DAH produces e_1 ← e_3. □

By now, the hierarchies of all the sibling elements in the DOH should have been refined. Any remaining HTML elements in the DOH, with the exception of ADDRESS and table-specific elements (to be discussed in Section 3.3), can be safely removed since they do not contribute to the determination of the data hierarchy of the given HTML document.

Consider the DOH in Figure 3(b). After applying Rule 3, LI[1], LI[2], LI[3], LI[4], and BODY are removed, and the resulting hierarchy is as shown in Figure 2(b), which is the resulting DAH for utah.htm since no HTML table is contained in utah.htm.

Rule 4. If a DOH which is modified by Rule 3 is a forest, then t ← n_1, t ← n_2, ..., t ← n_k, where t is the content of the TITLE element of the source HTML document and n_1, ..., n_k are the root nodes in the DOH. □

Rule 4 ensures that the resulting DAH is a tree. The content of the TITLE element is chosen to be the root in the DAH since it is the only required element in an HTML document H and provides an indication regarding what H is about.
Fig. 5. Two typical types of HTML tables: (a) the source code of HTML Table 1 as shown in (b); (b) HTML Table 1 with heading rows & columns; (c) HTML Table 2 with a heading row

3.3 Edge Definition Function for Table-Specific Elements 

Among the table-specific elements, TR determines the number of rows, and TH and TD determine the number of columns in an HTML table (table in short). THs are used for declaring table headings and TDs for asserting data of table cells. The data contents of TD elements are called table data. In contrast, the data contents of TH elements are column or row headings that are not considered as table data. However, data of either element are rendered in a Web browser.

There are a few popular types of HTML tables with respect to headings: (i) tables that have at least one heading row at the top and at least one heading column on the left, such as HTML Table 1 as shown in Figure 5(b) [ref]. We call this type of table column-row-wise. (ii) Tables that contain at least one heading row at the top without heading columns, such as HTML Table 2 as shown in Figure 5(c) [ref]. We call this type of table column-wise. In a column-wise table, the heading rows yield the schema of the table. (iii) Other than these two types of tables, we notice that a large number of tables do not make use of table-related elements other than TABLE and TD. We, however, draw from our analysis the conclusion that the creator of this type of table often implicitly designates the first row as a heading. Hence, we treat this type of table as column-wise.

Two attributes of TH and TD, ROWSPAN and COLSPAN, play significant roles in determining the data hierarchy of a table. Consider the source code of a table shown in Figure 5(a). It has four rows (i.e., four TRs) as rendered in Figure 5(b). (The source code shown in the figure is the original code, which includes EM and BR before the approximation of the table is performed.) Note that the first TR contains three TH elements, implying that the row is a heading which includes three cells (i.e., three columns). The second row, on the other hand, contains two TH elements, implying that there are two heading cells, whereas each of the last two TRs contains one TH and three TDs, implying that there is one heading cell on the left followed by three data cells in each row. Apparently, the numbers of columns of the first two rows are not equal, nor equal to that of the last two rows. It is not clear which cell in one row belongs to the same column as a cell in another row until we take ROWSPANs and COLSPANs into consideration. When a TH or TD includes ROWSPAN="n" (COLSPAN="n", respectively), the associated cell is supposed to span n rows downward (n columns to the right, respectively).
Fig. 6. A pseudo-table T and its corresponding DAH

We introduce the notion of pseudo-table since the properties of a pseudo-table are easy to understand and the mapping from a pseudo-table to a DAH is straightforward. A pseudo-table can be used to express either a column-row-wise table or a column-wise table with the table-specific elements mentioned above.

Definition 3. A pseudo-table T = {(a_1,1, ..., a_1,n), (a_2,1, ..., a_2,n), ..., (a_m,1, ..., a_m,n)} with column headings C_1, ..., C_n and caption C is a two-dimensional table, where each column heading C_i (1 ≤ i ≤ n) or table data a_i,j (1 ≤ i ≤ m, 1 ≤ j ≤ n) may be null. If a column heading or table data o is null, then the name of the object representing o is the empty string. Data values of rows i and j of the first column in T are different if i ≠ j. □

Recall that the hierarchy of HTML elements and data in a DOH is determined by their container-content relationships. The hierarchy of a pseudo-table, however, is defined over its caption, column headings and table data. Since column headings and table data may be null in a pseudo-table, we consider a special case: given the container-content relationships o_1 ← o_2 ← o_3, where o_i (1 ≤ i ≤ 3) is either a column heading or table data, o_1 ← o_2 ← o_3 is reduced to o_1 ← o_3 if the name of o_2 is the empty string.

Rule 5. Given an n-ary pseudo-table T = {(a_1,1, ..., a_1,n), (a_2,1, ..., a_2,n), ..., (a_m,1, ..., a_m,n)} with column headings C_1, ..., C_n and caption C, the edge definition function g yields v_r ← C_1 ← a_i,1 ← C_j ← a_i,j (1 ≤ i ≤ m, 2 ≤ j ≤ n), where v_r is labeled C if C is not empty, or is labeled “Table” otherwise. □

Since the caption of a pseudo-table T provides a short description of what the table is about, we choose the caption as the name for the root node of T (and hence the corresponding DAH). If CAPTION is missing, the root node of the corresponding pseudo-table is named “Table” simply to indicate that the corresponding DAH is an HTML table. Furthermore, according to Rule 5, a DAH contains subtrees rooted at a_1,1, ..., a_m,1 with the constraints v_r ← C_1 ← a_i,1 (1 ≤ i ≤ m). This is because each row in T can be uniquely identified from the other rows by the first column (i.e., a_i,1) in T (see Definition 3). Figure 6 shows the transformation between a pseudo-table and its corresponding DAH according to Rule 5. (Rule 5 indeed states how to construct the hierarchy of the components in a pseudo-table in order to obtain the corresponding DAH.) Figure 7 (Figure 8, respectively) shows how to map a column-wise (column-row-wise, respectively) HTML table to a pseudo-table.

Fig. 7. Mapping from a column-wise HTML table to a pseudo-table

Fig. 8. Mapping from a column-row-wise HTML table to a pseudo-table

Colspan and Rowspan. An HTML table may not have the same number of THs or TDs in each row, and COLSPANs and ROWSPANs play an important role in mapping such an HTML table to a pseudo-table. If a TH or TD contains COLSPAN="n", the particular cell of the TH or TD is to be expanded to n−1 more columns, starting from the current cell in the current row. Hence, at the current row, we insert n−1 cells to the right of the current cell and replicate the data content of the current cell n−1 times to the new cells. If a TH element contains ROWSPAN="n", the particular cell of the TH element is to be expanded to the next n−1 rows. For that we insert n−1 cells beneath the current TH cell in the current column, and push the data content h of the current cell all the way down to the (n−1)th new cell, rather than replicating h to the rows underneath n−1 times. As a result, h appears at the (n−1)th new cell, and each of the cells above the (n−1)th new cell in the same column is left as the empty string. This is necessary for retaining the correct association among the table data across all the rows in a column. On the other hand, if ROWSPAN is contained in a TD, we insert n−1 new cells underneath the current TD cell, and replicate the data content of the TD to the inserted cells since each table data in different rows of the same column is meant to represent a data entry with the same content. After COLSPANs and ROWSPANs are processed, the corresponding table conforms to the specification of a pseudo-table as stated in Rule 5.

Consider the table in Figure 5(b) and suppose the cell at the ith row and the jth column is denoted by cell(i, j). Note that “Not available” appears across the last three column spaces of the fourth row of the table due to COLSPAN="3" in cell(4, 2) (the source code is not included in this paper due to the page limit), and hence we replicate “Not available” of cell(4, 2) to the next two inserted cells cell(4, 3) and cell(4, 4) in its corresponding pseudo-table, as shown on the left in Figure 9.

In the following example, we demonstrate the process of constructing the DAH (via the pseudo-table) of the HTML table shown in Figure 5(c).
Caption: Cups of coffee consumed by each senator
  Name      | Cups          | Type of Coffee | Sugar?
  T. Sexton | 10            | Espresso       | No
  J. Dinnen | 5             | Decaf          | Yes
  A. Soria  | Not available | Not available  | Not available

Caption: A test table with merged cells
            | Average.height | Average.weight | Red eyes
  Males     | 1.9            | 0.003          | 40%
  Females   | 1.7            | 0.002          | 43%

Fig. 9. The pseudo-tables of the HTML tables in Figures 5(b) and 5(c)



Consider the source code in Figure 5(a). The first and third TH both contain ROWSPAN="2". Thus, the null data of the first TH is pushed down to the next row in the corresponding pseudo-table T. At a glance, it may look like this action has no effect on the table since the pushed-down value is a null data. Indeed, with this action, the pushed-down null data is inserted into cell(2, 1) in T and subsequently the TH with height (weight, respectively) is moved to the new location, which is cell(2, 2) (cell(2, 3), respectively) in T. This is desirable since the correct associations among “height,” “weight,” and other table data are now in place in T. In addition, the second TH contains COLSPAN="2" and subsequently its data content “Average” is replicated once to the right in the same row in T, and “Red eyes”, which is originally in the third TH, is moved to the fourth column and then pushed onto the fourth column of the next row in T since ROWSPAN="2".

Recall that EM and BR, as shown in the source code in Figure 5(a), should have already been removed by the approximation of the table (Section 3.1). Also, there are two heading rows in T and each C_i (1 ≤ i ≤ 4) is determined by the concatenation of the data contents of the two rows in the ith column. As a result, C_1 is the empty string, C_2 = Average.height, C_3 = Average.weight, and C_4 = ‘Red eyes’. Furthermore, the caption of T is the caption of the HTML table in Figure 5(c). The resulting pseudo-table T is as shown on the right in Figure 9.

We map the resulting pseudo-table T to the DAH. Since T contains the caption C, ‘A test table with merged cells’, C forms the root node of the DAH according to Rule 5. Next, consider C_1. Since C_1 is empty, we skip C_1 in the hierarchy v_r ← C_1 ← ... and create two child nodes of C by using a_1,1 (Males) and a_2,1 (Females). The rest of the cells a_i,j (1 ≤ i ≤ 2, 2 ≤ j ≤ 4) in the last two rows of T yield nodes and edges in DAH_T as follows: a_1,1 ← C_2 ← a_1,2; a_1,1 ← C_3 ← a_1,3; a_1,1 ← C_4 ← a_1,4; a_2,1 ← C_2 ← a_2,2; a_2,1 ← C_3 ← a_2,3; a_2,1 ← C_4 ← a_2,4. We render the resulting DAH in WebView [ref], as shown under “[ROOT=E:\Table5.xml]” in the left pane of Figure 10. Note that the association of a table data D with another can be conceived by examining the context of D. For instance, ‘A test table with merged cells’.Males.Average.height.‘1.9’ captures the data hierarchy of “1.9”.
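The pseudo-table construction of Section 3.3 and Rule 5, as an added example that is not the paper's code: COLSPAN/ROWSPAN are expanded with the TH/TD asymmetry described above (a TH heading is pushed down, TD data is replicated), the heading rows are concatenated into C_1..C_n, and the DAH is expressed as the context of each table data. The cell tuples are constructed from the merged-cells table; the function names are assumptions.

```python
"""Added example (not the paper's code): COLSPAN/ROWSPAN expansion into a
pseudo-table (Definition 3) and the Rule 5 mapping to DAH contexts."""
from typing import Dict, List, Tuple

Cell = Tuple[str, str, int, int]                 # (tag, text, rowspan, colspan)
Grid = Dict[Tuple[int, int], Tuple[str, str]]    # (row, col) -> (tag, text)

# Constructed input: the four TRs of "A test table with merged cells",
# with EM and BR already removed by the approximation.
MERGED_CELLS: List[List[Cell]] = [
    [("TH", "", 2, 1), ("TH", "Average", 1, 2), ("TH", "Red eyes", 2, 1)],
    [("TH", "height", 1, 1), ("TH", "weight", 1, 1)],
    [("TH", "Males", 1, 1), ("TD", "1.9", 1, 1), ("TD", "0.003", 1, 1), ("TD", "40%", 1, 1)],
    [("TH", "Females", 1, 1), ("TD", "1.7", 1, 1), ("TD", "0.002", 1, 1), ("TD", "43%", 1, 1)],
]


def expand_spans(rows: List[List[Cell]]) -> Tuple[Grid, int, int]:
    """Resolve spans so every row has the same number of cells.
    COLSPAN="n": the content is replicated to the n-1 cells on the right.
    ROWSPAN="n" on a TH: the heading is pushed down to the (n-1)th new cell
    and the cells above it (the original one included) are left empty.
    ROWSPAN="n" on a TD: the data is replicated to the n-1 cells below."""
    grid: Grid = {}
    for r, row in enumerate(rows):
        c = 0
        for tag, text, rowspan, colspan in row:
            while (r, c) in grid:        # slot already taken by a span from above
                c += 1
            for col in range(c, c + colspan):
                for d in range(rowspan):
                    pushed = tag == "TH" and rowspan > 1 and d < rowspan - 1
                    grid[(r + d, col)] = (tag, "" if pushed else text)
            c += colspan
    nrows = 1 + max(r for r, _ in grid)
    ncols = 1 + max(c for _, c in grid)
    for r in range(nrows):
        for c in range(ncols):
            grid.setdefault((r, c), ("TD", ""))   # ragged rows: pad with null data
    return grid, nrows, ncols


def pseudo_table(rows: List[List[Cell]]) -> Tuple[List[str], List[List[str]]]:
    """Return (column headings C_1..C_n, table data rows a_i,j). A heading row
    consists of TH cells only; C_i joins the non-empty heading cells of column
    i with the dot operator. The first column must identify rows uniquely."""
    grid, nrows, ncols = expand_spans(rows)
    heading_rows = [r for r in range(nrows)
                    if all(grid[(r, c)][0] == "TH" for c in range(ncols))]
    headings = [".".join(t for t in (grid[(r, c)][1] for r in heading_rows) if t)
                for c in range(ncols)]
    data = [[grid[(r, c)][1] for c in range(ncols)]
            for r in range(nrows) if r not in heading_rows]
    first = [row[0] for row in data]
    if len(set(first)) != len(first):             # Definition 3
        raise ValueError("first-column values must differ between rows")
    return headings, data


def dah_contexts(caption: str, headings: List[str], data: List[List[str]]) -> List[str]:
    """Rule 5: v_r <- C_1 <- a_i,1 <- C_j <- a_i,j (2 <= j <= n), v_r labelled
    by the caption or "Table"; a node with the empty name is skipped, i.e.
    o_1 <- o_2 <- o_3 reduces to o_1 <- o_3."""
    root = caption or "Table"
    contexts: List[str] = []
    for row in data:
        for j in range(1, len(row)):
            path = [root, headings[0], row[0], headings[j], row[j]]
            contexts.append(".".join(p for p in path if p))
    return contexts


if __name__ == "__main__":
    heads, cells = pseudo_table(MERGED_CELLS)
    for ctx in dah_contexts("A test table with merged cells", heads, cells):
        print(ctx)
```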



3.4 DAH to XML 

According to the XML recommendation, an XML document consists of three consecutive blocks: (i) a prolog, (ii) a data block of one or more XML elements, and (iii) an optional miscellaneous block. The major components of a prolog include an XML declaration, followed by a document type declaration (DTD). A DTD provides the grammar of a class of XML documents, and the second block (i.e., the data block), where the actual data are contained, must conform to the grammar. The optional third block contains miscellaneous data such as comments, which are not the primary focus of this paper.
Fig. 10. DAH of the HTML table in Figure 5(c) rendered in WebView



An XML document X is well-formed if X contains an XML declaration and all the markups are properly nested with no overlap. Furthermore, a well-formed XML document X is valid if X includes the DTD with which X complies. Violations of these constraints are treated differently. If an XML document X violates the well-formedness constraint, a fatal error is raised and normal processing of X must terminate, whereas a violation of the validity constraint is only considered as an error, and the document can still be processed normally. Thus, our emphasis in generating XML documents is on well-formed XML documents.

The well-formedness property of the resulting XML document X converted from an HTML document is guaranteed by our Html2Xml approach using a stack machine S [ref]. In our Html2Xml approach, the processing thread enters a new element whenever it processes a new node n in a DAH. For n, there are two cases to be considered: (i) n is a child node of the previously processed node n_0, or (ii) n is a sibling node of n_0. In case (i), the stack symbol of n is pushed onto S, on top of the stack symbol of n_0, and in case (ii) the stack symbol of n_0 is first popped and then the stack symbol of n is pushed onto S. Moreover, if n is a leaf node in the DAH, no stack operation is performed but the name of n is appended to X as the data content of the element whose stack symbol is still at the top of S. With that we guarantee that X is well-formed.

Document Type Declaration. A DTD can be internal, external, or both. In our Html2Xml approach, we generate external DTDs. Using a stack machine S (as discussed earlier), an external DTD D for an XML document X is created while X is generated. At the beginning of the process, D is initialized by the text declaration <?xml encoding="UTF-8"?>, where "UTF-8" can be replaced by other encoding names such as "UTF-16" or "ISO-10646-UCS-4". As the nodes in a source DAH are processed and elements are identified for X, element declarations are appended to D. An element declaration is of the form <!ELEMENT Name contentspec>, where Name is the name of the element e that is appended to X and contentspec is the placeholder for the content specification of e. In our Html2Xml approach, during the process of generating X, contentspec is replaced by (i) (EMPTY), if e is an empty element; (ii) (#PCDATA), if e contains a data content; or (iii) the list of the names of the children of e, if e has child elements. We discuss further the updating of contentspec when e has child elements.

Given a node with name node in a DAH, there may exist more than one child node with the same name, such as cnode[1], cnode[2], ..., as discussed in Section 2. If so, cnode in the contentspec of <!ELEMENT node contentspec> can be immediately followed by an occurrence symbol ‘?’, ‘*’, or ‘+’, which denotes that the preceding content particle, i.e., cnode, may occur once or more times (+), zero or more times (*), or at most once (?). Note that the implications of these three symbols are not distinct. For instance, if cnode occurs just once, either <!ELEMENT node (cnode)?>, <!ELEMENT node (cnode)*>, <!ELEMENT node (cnode)+>, or even <!ELEMENT node (cnode)> is a valid declaration. In our Html2Xml approach, (cnode) will be appended to the resulting DTD if cnode occurs just once in the source DAH, or (cnode)* will be appended if cnode occurs more than once.

Along with the update of contentspec in an element declaration, we need to consider attribute list declarations of an element e as well if e is accompanied by any attribute. When an element e is found to be accompanied by attributes of the form attr_i = attrVal_i (i ≥ 1), this information is added after the element declaration of e in the DTD as <!ATTLIST e attr_i AttType DefaultDecl> for each attr_i, where AttType is CDATA, which denotes that the corresponding attribute is of string type, and DefaultDecl is #IMPLIED, which denotes that no default value is provided for the attribute. Note that attr_i may appear more than once with different values val_1, val_2, ..., val_n (1 ≤ n). In such a case, (attrVal_i) is first bound to (val_1), then to (val_1 | val_2) when val_2 is identified, and so forth while the DAH is processed. Eventually (attrVal_i) is bound to (val_1 | val_2 | ... | val_n).

Applying algorithm Dah2Xml³ to the DAH in Figure 2(b) yields the resulting XML document X as shown below.

<?xml version="1.0"?>
<!DOCTYPE UtahCountyDemographicAnalysis1996 SYSTEM
  "UtahCountyDemographicAnalysis1996.dtd">
<UtahCountyDemographicAnalysis1996 AddressDescription="Comments to
  webmaster" AddressLink="webmaster.htm">
<DESCRIPTION>Utah County has a population of 317,880 ...</DESCRIPTION>
<Orem Link="orem.htm"><Population: 79,736/><GrowthRate: 2.20%/></Orem>
<Alpine Link="alpine.htm"><Population: 5,161/><GrowthRate: 4.60%/></Alpine>
</UtahCountyDemographicAnalysis1996>

³ Algorithm Dah2Xml is not included in this paper but can be found in [ref].
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Also, the resulting DTD D of the DAH is shown below. 

<?xml encoding="UTF-8"?> 
<!ELEMENT UtahCountyDemographicAnalysis1996 (DESCRIPTION, Orem, Alpine)> 
<!ATTLIST UtahCountyDemographicAnalysis1996 AddressDescription CDATA #IMPLIED> 
<!ATTLIST UtahCountyDemographicAnalysis1996 AddressLink CDATA #IMPLIED> 
<!ELEMENT DESCRIPTION (#PCDATA)> 
<!ELEMENT Orem (Population:79,736, GrowthRate:2.20%)> 
<!ATTLIST Orem Link CDATA #IMPLIED> 
<!ELEMENT Population:79,736 (EMPTY)> 
<!ELEMENT GrowthRate:2.20% (EMPTY)> 
<!ELEMENT Alpine (Population:5,161, GrowthRate:4.60%)> 
<!ATTLIST Alpine Link CDATA #IMPLIED> 
<!ELEMENT Population:5,161 (EMPTY)> 
<!ELEMENT GrowthRate:4.60% (EMPTY)> 

Recall that 'Utah County Demographic Analysis 1996' is the root node 
of the DAH. It forms the root element of X, and D is named after it by de- 
fault. Since ADDRESS is treated as an attribute list of its parent element in A, 
the subtree rooted at ADDRESS is converted to the AddressDescription and 
AddressLink attributes of the root in X. In addition, DESCRIPTION, Orem, and 
Alpine are attached to X as the immediate contents of the root since they are 
child nodes of the root in the DAH. Note that the child node of DESCRIPTION in 
the DAH is a leaf node, and hence the contentspec of the DESCRIPTION element 
is declared as (#PCDATA) in D, while the contentspec of any leaf node is (EMPTY). 
Also, each HREF node is converted to an attribute of its parent element. 
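The DTD derivation described above, as an added example in Python (it is not the paper's Dah2Xml code; the DahNode class, the helper names and the sample hierarchy are constructed here, and the sample repeats one element name so that the (cnode)* rule is exercised, which the county example above does not):

```python
"""Derive DTD declarations from a data hierarchy (DAH) with the Html2Xml
rules quoted above: a child occurring once gives (child), a repeated child
gives (child)*, a text leaf below gives (#PCDATA), a leaf element gives
(EMPTY), and every attribute becomes <!ATTLIST elem att CDATA #IMPLIED>.
Added example; DahNode and the tree below are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DahNode:
    """One node of a DAH. A text leaf has name None and carries its text."""
    name: Optional[str]
    attrs: Dict[str, str] = field(default_factory=dict)
    children: List["DahNode"] = field(default_factory=list)
    text: str = ""

    @property
    def is_text(self) -> bool:
        return self.name is None


def contentspec(node: DahNode) -> str:
    """Content model of one element, derived from its children in the DAH."""
    if not node.children:
        return "(EMPTY)"                   # leaf element, as for Population
    elems = [c for c in node.children if not c.is_text]
    if not elems:
        return "(#PCDATA)"                 # only a text leaf, as for DESCRIPTION
    counts: Dict[str, int] = {}            # child names in first-seen order
    for c in elems:
        counts[c.name] = counts.get(c.name, 0) + 1
    if len(elems) != len(node.children):   # text and elements mixed: our own
        return "(#PCDATA | " + " | ".join(counts) + ")*"   # rule, not the paper's
    parts = [n if k == 1 else n + "*" for n, k in counts.items()]
    return "(" + ", ".join(parts) + ")"


def dah_to_dtd(root: DahNode) -> List[str]:
    """Walk the DAH top-down; each element name is declared on first sight."""
    decls = ['<?xml encoding="UTF-8"?>']
    declared = set()

    def walk(n: DahNode) -> None:
        if n.is_text or n.name in declared:
            return
        declared.add(n.name)
        decls.append(f"<!ELEMENT {n.name} {contentspec(n)}>")
        for att in n.attrs:                # string type, no default value
            decls.append(f"<!ATTLIST {n.name} {att} CDATA #IMPLIED>")
        for c in n.children:
            walk(c)

    walk(root)
    return decls


def attribute_values(root: DahNode) -> Dict[Tuple[str, str], str]:
    """Accumulate (val_1 | ... | val_n) per (element, attribute) pair over
    every occurrence of the element in the DAH, as described in the text."""
    seen: Dict[Tuple[str, str], List[str]] = {}

    def walk(n: DahNode) -> None:
        if n.is_text:
            return
        for att, val in n.attrs.items():
            vals = seen.setdefault((n.name, att), [])
            if val not in vals:
                vals.append(val)
        for c in n.children:
            walk(c)

    walk(root)
    return {k: "(" + " | ".join(v) + ")" for k, v in seen.items()}


# Constructed DAH modelled on the county example; City occurs twice.
SAMPLE_DAH = DahNode(
    "CountyReport",
    {"AddressDescription": "Comments to webmaster", "AddressLink": "webmaster.htm"},
    [DahNode("DESCRIPTION", children=[DahNode(None, text="Population 317,880")]),
     DahNode("City", {"Link": "orem.htm"}, [DahNode("Population")]),
     DahNode("City", {"Link": "alpine.htm"}, [DahNode("Population")])])

if __name__ == "__main__":
    print("\n".join(dah_to_dtd(SAMPLE_DAH)))
    print(attribute_values(SAMPLE_DAH))
```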

As another example, the XML document and its DTD for the DAH shown 
in the left pane of Figure [number illegible], where table-specific elements are involved, are 
as follows. 

<?xml version="1.0"?> 
<!DOCTYPE ATestTableWithMergedCells SYSTEM "ATestTableWithMergedCells.dtd"> 
<ATestTableWithMergedCells> 
<Males> 
<Average><height>1.9</height><weight>0.003</weight></Average> 
<RedEyes>40%</RedEyes> 
</Males> 
<Females> 
<Average><height>1.7</height><weight>0.002</weight></Average> 
<RedEyes>43%</RedEyes> 
</Females> 
</ATestTableWithMergedCells> 

<?xml encoding="UTF-8"?> 
<!ELEMENT ATestTableWithMergedCells (Males, Females)> 
<!ELEMENT Males (Average, RedEyes)> 
<!ELEMENT Average (height, weight)> 
<!ELEMENT RedEyes (#PCDATA)> 
<!ELEMENT height (#PCDATA)> 
<!ELEMENT weight (#PCDATA)> 
<!ELEMENT Females (Average, RedEyes)> 

3.5 Implementation of the Html2Xml Approach 

Portions of the proposed conversion approach, which includes the approximation 
(discussed in Section [number illegible]) and table-specific elements (discussed in Section [number illegible]), 
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have been implemented as a Java class using JDK 1.1.7. The Java class generates 
the data hierarchy of any given HTML table T in a lexical form whose repre- 
sentation is similar to the ordered list of the data context in T. For rendering 
and querying DOHs and DAHs graphically, WebView [ref] can be used. 

4 Concluding Remarks 

We have presented a heuristic approach to convert HTML documents to XML 
documents. XML is rapidly emerging, but there are still numerous existing HTML 
documents. It is desirable to convert these HTML documents to XML documents 
rather than to obsolete them or maintain documents of two different specifica- 
tions. During the process of conversion, we eliminate all the HTML elements of 
a source HTML document from the resultant XML document. The approach for 
constructing the data hierarchy, as a part of our conversion approach, can be used 
for extracting the data hierarchy of an HTML document. Our approach can be 
used by existing wrappers and integrators (in data warehousing systems), which 
frequently access a large number of HTML tables for extracting hierarchically 
structured data, to automate the data acquisition process for XML repositories. 
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Abstract. This paper describes a new kind of specification of an active database 
system application based on Dynamic Relation Nets, which are themselves 
derived from high-level Petri nets. We introduce the capability of a Dynamic 
Relation Net to describe both static and dynamic aspects of a system, and show 
how such a formalism may be used to specify ECA-rules. This model uses the 
graphical advantages of Petri nets as a visual interface with the user and inherits 
the precision of formal languages based on set theory by describing 
unambiguously the management rules of information systems. The derived tool, 
namely NetSpec, provides the designer with the ability to focus on the design 
rather than the implementation, since there is no imperative code to produce 
while in the design phase of an application. 



1 Introduction 

An active database system extends a pre-existing database model (generally relational 
or object-oriented) with some variant of a common paradigm of computation: event- 
condition-action (ECA) rules. An event represents some occurrence in the 
database; this may be either an access or modification to a specific data item managed 
by the database or an external occurrence such as the state of a clock. The occurrence 
of such an event triggers the checking of a condition: this is a boolean-valued query 
over the database having no side effects. If this query returns true, an action will be 
performed: this can be any operation expressible in the database [1]. 

A number of designs and implementations of active databases now exist [2]. A 
designer or programmer might wish to see the aspects of active rules formally 
defined, essentially to see how far the available formal definition methodologies are 
able to characterize them [3]. These aspects include the following criteria: underlying 
data model, partial correctness, total correctness, transactional properties, structure of 
events, and implementation environment. Concurrently, a large number of formal 
methodologies currently in use can be evaluated, according to at least six 
criteria: modularization, abstraction of data model, tool support, executable model, 
temporal description capability, and relevant experience. Such methodologies are 
algebraic specification [4], denotational semantics [5], set-theoretic modeling [6][7], 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1197-1209, 2000. 
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higher-order logic [8], constructive logics [9], temporal logics [10], Petri nets [11], 
process algebra [12], and statecharts [13]. 

Three objectives are achieved in this paper: present general considerations about 
ECA-rules, discuss the analysis of Dynamic Relation Nets and their potential toward the 
modeling of ECA-rules, and introduce our own system prototype. 



2 ECA-Rules 



In an active database system, ECA-rules usually take the form: 

on event 
if condition 
then action 

An event happens instantaneously at specific points in time. For example, in a 
relational model, database events are relative to actions such as insert, delete, and 
update. Temporal events are related to a clock, and may be absolute or relative. 
Finally, explicit events are those events that are detected along with their parameters 
by application programs. All of these types of events are primitive events and can be 
combined together with event operators to form composite events [14]. 

A condition is a simple query over the database. In other words, a condition returns 
a boolean value, that is true if the query has produced a set containing at least one row 
of data. 

An action is executed if the condition is satisfied. The action part of the rule 
usually inserts, deletes, or updates data. 

If the event part of the rule does not exist, we call such a rule pattern-based, and if 
the condition part does not exist, we call such a rule event-based. 

ECA-rules are usually processed using the following algorithm, derived from the 
recognize-act cycle of expert systems [15]: 

initial match                 // execute rule conditions 
repeat until no rule conditions produce tuples 
    perform conflict resolution   // pick a triggered rule 
    act                           // execute the rule's action for all tuples 
                                  // produced by the condition 
    match                         // test rule conditions 
end 

In the match phase, rule patterns are matched against data to determine which rules 
are triggered and for which instantiations. The entire set of triggered rule 
instantiations is named the conflict set, and one instantiation is chosen from this set 
using a conflict resolution strategy. In the act phase, the selected rule’s action is 
executed for all tuples of the selected instantiation, then the cycle repeats. 

The choice of which rule to execute when multiple rules are triggered is named 
conflict resolution. In many active database systems this choice is made more or less 
arbitrarily: random [16], numeric priorities [17], partial order [18], based on coupling 
modes [19], concurrent execution [20]. 

Each time a rule is fired, there is an instantiation associated with that execution: a 
data item, or combination of items, that matches the rule’s pattern. At execution time, 
the values of the instantiated items can be referenced in the rule’s action through the 
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use of variables specified in the rule’s pattern. That is, at run-time, variables are 
bound in the pattern and passed to the action. 

Coupling modes [21] determine how rule events, conditions, and actions relate to 
database transactions. Generally, rule conditions are evaluated and actions are 
executed in the same transaction, but it is not always the case. Associated with each 
rule is an E-C coupling mode and a C-A coupling mode, where E, C, A denote the 
events, conditions and actions respectively. Each coupling mode is either immediate, 
indicating immediate execution, deferred, indicating execution at the end of the 
current transaction, or decoupled (detached), indicating execution in a separate 
transaction. For each of the combinations of coupling modes, it is relatively easy to 
construct an active database application for which the behavior seems most 
appropriate [22]. 



3 Dynamic Relation Nets 

By using a homogeneous formalism, the power of the Dynamic Relation Net (DRN) 
approach resides in the integration of both static and dynamic aspects of an 
information system. So, describing bag constraints, markings and transitions 
precisely and fully describes both the structure and the behavior of the system. Abstraction of 
this new formalism is guaranteed by a purely formal description of the system 
behavior using a semantics based on Z [6]. However, notice that the Z syntax 
never appears on the net itself and that the annotations are limited to sets of 
elementary constraints. We will not discuss the use of Z in DRNs further in this paper, 
but the reader may find some additional information in [23]. 

In practice, a DRN is a graphical tool where places (also named bags) depicted as 
circles, are used to represent availability of resources, transitions depicted as bars or 
rectangles, model the events, and edges indicate the relationship between places and 
transitions. Tokens in places and their flow regulated by firing transitions add 
dynamics to the DRN. 

Initially, a DRN is defined by a tuple (P, T, E, N, W, D, C_T, C_M, M_0) where: 

- P, T, and E are finite and disjoint sets of places (bags), transitions, and edges, 

- N : E → (P × T) ∪ (T × P) is a function mapping each edge to an input node and 
to an output node, 

- W : E → ω ∪ {*} is a function associating a weight to each edge, 

- D : E → {production, consumption, information, negative information} is a 
function associating a type to each edge (each type has its own edge symbol in the 
graphical notation), 

- C_T is a function associating a formula to each transition, also named a transition 
constraint, 

- C_M is a formula, named a marking constraint, 

- M_0 is a function mapping each place to a set expression, satisfying the 
marking constraint. 

Some special considerations must be understood from this definition of a DRN, 
which involve tokens, constraints, and edge types and weights. As in high-level Petri 
nets, tokens are distinguishable, structured, and updatable. That is, tokens are defined 
by attributes of various types (Fig. 1 shows an example). 
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[Fig. 1 diagram: bag B] 

Fig. 1. An example of a token definition. Tokens residing inside bag B have three attributes, the 
types of which are integer, real, and string of characters. Each attribute is named as a field in a 
structure of a classical programming language. We will further reference individual attributes 
by the expressions B.i, B.r, and B.s 




Constraints in a DRN are expressions (C_M and C_T) based on token attributes. They 
can be instantiated and evaluated (see Fig. 2). Marking constraints apply to bags. 
Transition constraints apply to transitions. Possible constraints are: 

- a key constraint, for which two or more tokens cannot reside inside the same bag if 
one or more of their attribute values are equal (the keys themselves are 
underlined to be recognizable, e.g. (i, r, s)), 

- a bag constraint, for which a token can be placed into a bag only if one or more of 
its attribute values are adequate, 

- a marking constraint, which is a global constraint over the entire net, and can 
express interactions between different bags at any time, 

- a transition constraint, for which a token is removed from a bag only if its 
attributes have correct values, 

- a transition constraint, for which a new token is produced into a bag with new 
attribute values. 

New edge types are information edges and negative information edges, each depicted 
with its own arrowhead. An information edge allows checking the presence of a token inside a bag without 
any consumption, while a negative information edge allows detecting the absence of a token 
inside a bag. These detections are based on constraints against token attribute values, 
so the negative information edge cannot be compared to the inhibitor edge of classical 
Petri nets. Examples of these edges are shown in Fig. 3. 

The last interesting feature of a DRN is the capability to annotate an edge with a 
weight denoted *, meaning that a finite set of tokens can circulate over such an edge 
at the time the transition is fired (set-oriented firing). It is important to notice that we 
cannot know anything about the cardinality of such a set at design time. However, it 
will be the greatest possible at execution time, as shown in Fig. 4. 
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Fig. 2. Assuming bag A retains tokens (x), bag B retains tokens (y), bag C retains tokens (z,t) 
with a key constraint on z, and a bag constraint such as (C.z>C.t). Initial marking is (all 
attribute types are integers): bag A contains tokens (1), (2), and (3), bag B contains token (3), 
and bag C contains nothing. Let the constraint of transition T be defined by 
(A-.x<4) ∧ (B-.y>0) ∧ (C+.z=B-.y) ∧ (C+.t=A-.x). According to the meaning of the different 
constraints, (1) will be removed from A and (3) will be removed from B and (3,1) will be 
produced into C, or (2) will be removed from A and (3) will be removed from B and (3,2) will 
be produced into C, depending on the first choice made in the selection of a token from A. 
Notice that both tokens (3,1) and (3,2) cannot be produced into bag C because of the key 
constraint on z, and that (3,3) cannot be produced because of the bag constraint on C 

[Fig. 3 diagram: bag A, bag B, transition T] 

Fig. 3. Assuming the same definitions of bags A and B, a transition constraint such as 
(A.x=B~.y) with A read through an information edge, and an initial marking of (1) into A, then (1) will not be removed from A but 
will only be checked, and the transition will be crossed if and only if no token equal to (1) exists 
inside bag B 

[Fig. 4 diagram: bag A, transition T] 

Fig. 4. Assuming the same definition of bag A, an initial marking of (-1), (0), (1), (2), and a 
transition constraint such as (A*-.x>0), the set of two tokens {(1),(2)} will be removed from A 
at the time the transition is fired 



4 Specifying ECA-Rules with Dynamic Relation Nets 

Although DRNs were not primarily created to model ECA-rules, we can easily 
use them to do so. While conditions and actions are readily recognizable in 
constraints, events deserve some particular explanation. 



4.1 Events 

Constraints in a DRN extend the definition of an event, which becomes relative to a 
specific marking of the net: the existence (or absence) of a token inside a bag may be 
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considered as an event, and attribute values too. In a DRN, we can also easily detect 
composite events [24], as shown in Fig. 5, where t represents the time of an event 
occurrence. 



[Fig. 5 diagram: events E1 and E2, transitions T1 and T2, composite events E1∨E2, E1∧E2, E1;E2] 

Fig. 5. Detection of composite events in a DRN. Disjunction of two events E1 and E2, denoted 
E1∨E2, occurs when E1 occurs or E2 occurs: T1: (E1∨E2)+.t = E1-.t and 
T2: (E1∨E2)+.t = E2-.t. Conjunction of two events E1 and E2, denoted E1∧E2, occurs when 
both E1 and E2 occur, irrespective of their order of 
occurrence: T1: (E1∧E2)+.t = MAX(E1-.t, E2-.t). Sequence of two events E1 and E2, denoted 
E1;E2, occurs when E2 occurs provided E1 has already occurred; this implies that the time of 
occurrence of E1 is guaranteed to be less than the time of occurrence of 
E2: T1: (E1;E2)+.t = MAX(E1-.t, E2-.t) and T2: E1-.t < E2-.t 



4.2 Conditions 

A condition in a DRN can be modeled with a transition constraint. Such a constraint 
checks for the existence of tokens (consumption and information edges) or the 
absence of tokens (negative information edge). For example, the first two conjuncts 
of the constraint of transition T in Fig. 2 form a condition. Furthermore, bag and 
key constraints can also model a condition: the act phase of the ECA-rule cannot be 
executed if these constraints are not satisfied. We will see in the next paragraph that 
part of a condition might also appear inside the action itself. Note that variables, i.e. 
token attributes, are bound during the evaluation phase of a condition, to be passed 
to the act phase as parameters. 



4.3 Actions 

An action, specified by a transition constraint, is executed if all conditions return a 
true value. It consists of two phases: the consumption of all tokens referenced in the 
conditions (only those circulating over consumption edges), and the production of 
new tokens. In the latter case, a production constraint allows us to determine new 
token attribute values. These new values may be specified as constants of various 
types, or by using the binding capability between conditions and actions. 

A new feature of DRNs is that the new attribute values can be reevaluated 
themselves to satisfy some constraint. If this second “condition” returns a false 
boolean value, the transition cannot be crossed and the act phase will not be executed, 
as shown in Fig. 6. 
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[Fig. 6 diagram: bag A] 

Fig. 6. Condition inside a production constraint. Assuming bag A retains tokens (x,y), and a 
new token receives attribute values (3,2) by any means. If the production constraint contains 
A+.x=A+.y (which is obviously false), the transition cannot be crossed. 



5 Implementation Issues 

We have decided to implement our complete system NetSpec on the basis of a layered 
architecture, that is, to use an existing non-active DBMS (in our case DB2) and 
to add a monitor layer that is responsible for providing active capability [25]. 

As shown in Fig. 7, the application layer allows the designer to design a DRN with a graphical 
tool, to store its definition, then to analyze and translate its definition into a set of 
executable programs (formally the job of the DRN compiler). A run-time library (the 
situation monitor layer), independent of the application itself, is responsible for 
providing rule processing (rule ordering based on conflict resolution). 



5.1 Special Considerations 

However, special considerations must be understood if we want to model ECA-rules 
by means of NetSpec: 

- Events are not managed as in the definition of ECA-rules because the existence 
(or the absence) of a token, as well as its attribute values, can be specified directly in 
the condition. So, ECA-rules supported by NetSpec are pattern-based only, 

- The act phase of the recognize-act cycle operates only for one tuple rather than for 
all of them, to avoid a set-oriented firing of transitions [26] as in Petri nets, 

- DRNs do not allow specifying a conflict resolution strategy: a transition may be 
fired as soon as it has been triggered. So, the design of transition constraints is 
very important if we want to obtain a deterministic behavior of the net. With 
NetSpec, conflict resolution is implemented by using numeric priorities, of three 
different types: fixed priorities (the match phase checks the rule conditions in a 
specific order), rotating priorities (a triggered rule will receive the lowest priority 
for the next match phase), and iterative priorities (a triggered rule will receive the 
highest priority for the next match phase, allowing an equivalent of set-oriented 
firing). We can also specify no conflict resolution, since NetSpec now supports 
multitasking (all transitions are modeled by concurrent processes), 

- Finally, the only coupling mode supported when using conflict resolution is the 
deferred one. In fact, the immediate C-A coupling mode may cause problems (causally 
dependent constraints), and the detached C-A coupling mode is reserved for 
multitasking mode. Practically, in the match and act phases, queries of types delete 
(for consumption) and insert (for production) are generated, but will be executed at 
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the end of the transaction, in that order, to avoid token duplication in the case of an 
update of attribute values. 



These restrictions are not developed in this paper, because our purpose is first to 
show that DRNs have enough potential toward the design side of an ADBMS -based 
application. 

[Fig. 7 diagram: the Application Layer (User Interface: Design, Storage, Analysis, Translation) sits on top of the Situation Monitor (Polling, Aperiodic Checking, Rule Processing); together they form NetSpec, which sits on top of the non-active DBMS] 

Fig. 7. The layered active database architecture of NetSpec 



5.2 Dynamic Relation Net Compiler 

The main job of the situation monitor layer is to provide rule processing. In fact, the 
main difficulty is for the DRN compiler to order the evaluation of all constraints over 
the net [27]. 

For a transition, the input part (from bags to the transition) is evaluated first, 
beginning with variables circulating over edges whose weight is in ω, i.e. well-known 
variables. For one tuple of the result, variables circulating over edges of weight * are 
evaluated (the result is a multiset). Last, this multiset is checked for its cardinality. 
The output part (from the transition to bags) is then computed to generate new token 
attribute values. These values are optionally checked for compatibility (condition inside 
an action) and finally, bag constraints and key constraints are evaluated. If all of these 
constraints are satisfied, the transition can be crossed and the update of the net is done 
by means of insert and/or delete queries. As a last resort, if a marking constraint over the 
entire net is specified, it will be checked and the transaction will be committed if this 
constraint is satisfied, or canceled (rolled back) if not. 
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As an example, consider the DRN shown in Fig. 8. For this DRN, bags A, B, C, D 
contain tokens (x), (y), (z), (t) respectively. The instantiations of tokens are (1) (2) for 
A, (2) for B, (1) (1) (2) for C, and (1) for D. The constraints of this net are: 

- A-.x = B~.y 

- A-.x = C*-.z 

- card(C*-) > 1 

- D+.t = sum(C*-.z) + A-.x 

- a key constraint on D, relative to the z attribute 

- a bag constraint on D: t mod 2 = 1 

- a marking constraint: card(D) ≤ 1 

Fig. 8. A hypothetical DRN with several consumption edges, a production edge, a *-weighted 
information edge and a negative information edge 

The processing phases of this ECA-rule will be: 

- A-.x = B~.y is evaluated and gives A-.x = (1) since B does not contain (1) 

- A-.x = C*-.z is evaluated and gives the greatest set C*- = {(1),(1)} 

- card(C*-) > 1 is evaluated and gives TRUE, since it is equal to 2 

- D+.t = sum(C*-.z) + A-.x is computed and gives D+.t = (3) (1 + 1 + 1 = 3) 

- the bag constraint on D is evaluated and gives TRUE, since 3 mod 2 = 1 

- the key constraint on D is evaluated and gives TRUE, since bag D does not contain (3) 

- so, (1) is removed from A and removed 2 times from C, and (3) is produced into D. 
B remains unchanged 

- the marking constraint over the net gives FALSE, since card(D) is now equal to 2, so 
the whole transaction is canceled 



5.3 Code Generation Example 

From a DRN specification, either created by means of the graphical tool or 
directly written in the native language of NetSpec, the compiler creates two 
executable files. The former of these two files is a script that contains the commands used 
to create the database itself. With a relational data model, bags are implemented by 
tables, each record (row) of which keeps one token, whose attributes are the columns of 
the row. For example, the bag A of Fig. 3 will be created by: 

CREATE TABLE A ( PK_A INT, X INT, PRIMARY KEY(PK_A) ) 
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Notice that the primary key PK_A is automatically inserted by the compiler to 
avoid duplication of tokens having no key constraint and receiving same attribute 
values at run-time. So, such tokens can be distinguished without ambiguity inside 
database queries. This primary key is invisible for the designer and is reserved for 
internal use only. 

Transition constraint queries can also be created as views at this time. These views 
are relative to the input part of such a constraint (only the part generating well-known 
variables): 

CREATE VIEW V ( PK_A, X ) 
    AS SELECT PK_A, X FROM A 
    WHERE X NOT IN ( SELECT Y FROM B ) 

The latter of the two files created by the compiler provides the functions used for rule 
processing. For the example developed in Fig. 8, the non-optimized code (and so not 
very powerful!) of the transition T will be: 

begin 
    crossed ← FALSE 
    DECLARE CURSOR C1 AS SELECT * FROM V 
    OPEN C1 
    while ¬EOF(C1) and ¬crossed 
        FETCH C1 INTO :pk_a, :x 
        SELECT COUNT(*) INTO :count FROM C WHERE Z=:x 
        if count > 1 then 
            SELECT SUM(Z) INTO :sum FROM C WHERE Z=:x 
            t ← sum + x 
            if t mod 2 = 1 then 
                SELECT COUNT(*) INTO :count FROM D WHERE T=:t 
                if count = 0 then 
                    DELETE FROM A WHERE PK_A=:pk_a 
                    DELETE FROM C WHERE Z=:x 
                    INSERT INTO D VALUES (:t) 
                    SELECT COUNT(*) INTO :count FROM D 
                    if count <= 1 then        -- marking constraint card(D) <= 1 
                        COMMIT WORK 
                        crossed ← TRUE 
                    else ROLLBACK WORK fi 
                fi 
            fi 
        fi 
    endwhile 
    CLOSE C1 
end 
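The processing phases of Fig. 8 and the generated code above, replayed as an added example against an in-memory SQLite database (this is not NetSpec output: the table layout with SQLite-assigned hidden keys, the helper names, and the second marking with D empty are assumed here; the commit test is the marking constraint card(D) ≤ 1 of the example):

```python
"""Replay transition T of Fig. 8 on SQLite, following the generated code above.
Added example, not NetSpec output; schema, helper names and the second
marking are assumed here."""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE A (PK_A INTEGER PRIMARY KEY, X INT);   -- bag A holds tokens (x)
CREATE TABLE B (PK_B INTEGER PRIMARY KEY, Y INT);   -- bag B holds tokens (y)
CREATE TABLE C (PK_C INTEGER PRIMARY KEY, Z INT);   -- bag C holds tokens (z)
CREATE TABLE D (PK_D INTEGER PRIMARY KEY, T INT);   -- bag D holds tokens (t)
-- input part with well-known variables: A-.x = B~.y (no B token has y = x)
CREATE VIEW V AS SELECT PK_A, X FROM A WHERE X NOT IN (SELECT Y FROM B);
"""


def load_marking(conn: sqlite3.Connection, a, b, c, d) -> None:
    """Insert the initial tokens; the hidden primary keys are assigned by SQLite."""
    for table, col, values in (("A", "X", a), ("B", "Y", b), ("C", "Z", c), ("D", "T", d)):
        conn.executemany(f"INSERT INTO {table} ({col}) VALUES (?)", [(v,) for v in values])
    conn.commit()


def fire_transition(conn: sqlite3.Connection) -> bool:
    """One match/act cycle of transition T; returns whether it was crossed."""
    crossed = False
    cur = conn.cursor()
    # Candidates are fetched up front so that the deletes below cannot disturb
    # the cursor, unlike the DECLARE CURSOR loop of the generated code.
    for pk_a, x in cur.execute("SELECT PK_A, X FROM V").fetchall():
        if crossed:
            break
        # A-.x = C*-.z: the *-weighted edge collects every C token with z = x
        (count,) = cur.execute("SELECT COUNT(*) FROM C WHERE Z=?", (x,)).fetchone()
        if not count > 1:                      # card(C*-) > 1
            continue
        (total,) = cur.execute("SELECT SUM(Z) FROM C WHERE Z=?", (x,)).fetchone()
        t = total + x                          # D+.t = sum(C*-.z) + A-.x
        if t % 2 != 1:                         # bag constraint on D: t mod 2 = 1
            continue
        (dup,) = cur.execute("SELECT COUNT(*) FROM D WHERE T=?", (t,)).fetchone()
        if dup != 0:                           # key constraint on D
            continue
        cur.execute("DELETE FROM A WHERE PK_A=?", (pk_a,))   # consumption edges
        cur.execute("DELETE FROM C WHERE Z=?", (x,))
        cur.execute("INSERT INTO D (T) VALUES (?)", (t,))    # production edge
        (card_d,) = cur.execute("SELECT COUNT(*) FROM D").fetchone()
        if card_d <= 1:                        # marking constraint card(D) <= 1
            conn.commit()
            crossed = True
        else:
            conn.rollback()                    # the whole act phase is undone
    return crossed


def run_scenario(d_tokens: List[int]) -> Tuple[bool, Dict[str, List[int]]]:
    """Fig. 8 marking for A, B and C; the initial content of D is the parameter."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_marking(conn, a=[1, 2], b=[2], c=[1, 1, 2], d=d_tokens)
    crossed = fire_transition(conn)
    state = {tbl: sorted(v for (v,) in conn.execute(f"SELECT {col} FROM {tbl}"))
             for tbl, col in (("A", "X"), ("B", "Y"), ("C", "Z"), ("D", "T"))}
    conn.close()
    return crossed, state


if __name__ == "__main__":
    print(run_scenario([1]))   # the paper's case: rolled back, marking unchanged
    print(run_scenario([]))    # assumed case with D empty: the transition crosses
```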
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6 Conclusion 

In this paper, we have described the implementation of our approach to active 
database systems, based on Dynamic Relation Nets. Our system, NetSpec, 
automatically generates the imperative code of the computational part of an ADBMS- 
based application, by means of a new modeling language that abstracts away from 
classical programming. 

However, NetSpec has brought to light some problems that do not exist in the DRN 
theory. First of all, and the most important one, a DRN may have concurrent 
transitions whose constraints are not exclusive. Such a configuration introduces 
non-deterministic behavior of the net. NetSpec uses priorities to resolve conflicts 
between triggered transitions, as do many existing ADBMSs. However, the 
"programming style" has a possible influence on the model, because the designer can 
choose the priority type. 

Another problem is the necessity to build a coherent development tool, especially 
with a debugger (see Fig. 9). In fact, the fired transitions of a DRN have the same 
consequences as fired ECA-rules in an ADBMS: the behavior of transitions (as of ECA-rules) 
may be complex and not easily understood. The designer of an application must be 
able to directly influence the transition firing, to resolve termination and deadlock problems. 
This is an objective of our future work. 

We have highlighted three main qualities for a processing model: processing 
abstraction, dynamic behavior and graphical representation. We have defined a model 
closely related to high-level Petri nets. Dynamic Relation Nets allow, within a unique 
graphical representation, the specification of data, processing, events and constraints. 
Annotations of the net use a set-based abstract language. Constraints arise from three 
levels: from places (related to the notion of abstract type), from markings (we can 
then express global constraints between places), and from transitions (in order to 
specify processing as state transformations). 




Fig. 9. A sample screen of the NetSpec prototype development tool 
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The definition of DRNs is now complete. We have not developed here a true 
method built around DRNs. A reverse design study gave birth to new ideas, especially 
related to valid schema transformations, allowing a gradual materialization from an 
abstract model to an operational one, as with the B method. In fact, the non- 
deterministic behavior remains a critical aspect: a DRN must satisfy some properties 
so that the implementation (for example with NetSpec) fits the initial specifications. 
Therefore, we will concentrate on applying proof tools related to Z and B to our 
model. Our future work will be based on a set of tools designed to build and to 
validate a general method usable on non-obvious applications. We hope to create a set 
of consistent design tools, dedicated to processing specifications. 
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Abstract. In this paper we take steps towards a systematic design of 
active features in an active database. We propose having declarative spec- 
ifications that specify the objective of an active database and formulate 
the correctness of triggers with respect to such specifications. In the pro- 
cess we distinguish between the notions of ‘invariance’ and ‘maintenance’ 
and propose four different classes of specification constraints. We also 
propose three different types of triggers with distinct purposes and show 
through the analysis of an example from the literature, the correspon- 
dence between these trigger types and the specification classes. Finally, 
we briefly introduce the notion of k-maintenance that is important from 
the perspective of a reactive (active database) system. 



1 Introduction and Motivation 

Many commercial database systems (such as Oracle, Sybase, IBM’s DB2-V2, 
etc.) and the database standard SQL3 incorporate active features - namely con- 
straints (also referred to as integrity constraints) and triggers. Due to these active 
features explicit update requests to the database may have several consequences 
from the request being refused (as it may violate ‘integrity constraints’), to the 
request being fulfilled with slight changes (as modified through ‘before triggers’), 
to additional changes triggered by cascade deletes and inserts used in the pro- 
cessing of some constraints and/or firing of ‘after triggers’. 

Although originally integrity constraints were thought of as declarative con- 
straints about database states, defining which database states were valid and 
which were not, with the presence of cascade operations in the SQL3 constraints 
and the use of after triggers to maintain the integrity of the data, there is cur- 
rently little tradition (except in [ref] and a few other cases) of using or following 
standard software engineering practices of separating specification from imple- 
mentation when designing and developing active databases. This means that 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1210-..., 2000. 
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often active database developers do not even specify what the purpose of the ac- 
tive features of their database are. Thus there is no way to verify the correctness 
of the active features. We believe this is one of the reasons why many companies 
balk at using the active features of a database. 

Our goal in this paper is to take steps towards developing a systematic approach 
to the design of active databases. In the process we will develop several language 
constructs that can be used in specifying the purpose of an active database; 
formulate the correctness of the procedural triggers with respect to declarative 
specifications; and develop guidelines that match the procedural aspects with 
the declarative aspects. 



One major hindrance in this pursuit has been the multitude of syntaxes and semantics (and their complexity) associated with the various implementations of active rules, and the complexity of their semantics. In this paper we will follow the SQL3 standard (and the DB2-V2 implementation) to some extent and make certain simplifications.



1.1 The Declarative Notions 

The basic goal of the active features of a database is to constrain the evolution of the database. Based on analyzing a large class of active database examples, we have identified four kinds of constraints: state invariance constraints; state maintenance constraints (or quiescent state constraints); trajectory invariance constraints; and trajectory maintenance constraints.

In the above constraints there are two dimensions: (i) state vs. trajectory and (ii) invariance vs. maintenance. Intuitively, state constraints are concerned with the integrity of particular states, while trajectory constraints focus on the trajectory of the evolution of the database. On the other hand, invariance constraints are concerned with all states of the database, while maintenance constraints focus only on the quiescent states.

Definition 1 (State Constraints). A state constraint $\gamma_s$ on a database scheme $R$ is a function that associates with each database $r$ of $R$ a boolean value $\gamma_s(r)$. A database $r$ of $R$ is said to satisfy $\gamma_s$ if $\gamma_s(r)$ is true and is said to violate $\gamma_s$ if $\gamma_s(r)$ is false. In the former case, it is also said that $\gamma_s$ holds in $r$. A database $r$ is said to satisfy a set of state constraints if it satisfies each element of the set. □

Definition 2 (Trajectory Constraints). A trajectory constraint $\gamma_t$ on a database scheme $R$ is a function that associates with each database sequence $T$ of $R$ a boolean value $\gamma_t(T)$. A database sequence $T$ of $R$ is said to satisfy $\gamma_t$ if $\gamma_t(T)$ is true and is said to violate $\gamma_t$ if $\gamma_t(T)$ is false. In the former case, it is also said that $\gamma_t$ holds in $T$. A database sequence $T$ is said to satisfy a set of trajectory constraints if it satisfies each element of the set. □

Often static integrity constraints are expressed through sentences in propositional logic or first-order predicate calculus, while we need temporal operators to express trajectory constraints. We discuss this further in Section 3.
1.2 The Procedural Features of an Active Database

In SQL3 (and DB2-V2) the active features are: constraints; before triggers; and after triggers.

The constraints in DB2-V2 are of the following kinds: NOT NULL constraints, column defaults, unique indexes, check constraints, primary key constraints, and foreign key constraints. Among these, the NOT NULL constraints, unique indexes, check constraints, primary key constraints and some of the foreign key constraints (with NO ACTION or RESTRICT in the action part) refuse updates that violate the constraints. These correspond to the state invariance constraints mentioned in the previous section.

On the other hand, column default constraints and the foreign key constraints with CASCADE or SET NULL in the action part accept the updates but make additional changes. The former correspond to the state invariance constraints, while the latter correspond to the state maintenance constraints.

The before triggers act on the update request directly (instead of on the updated database) and modify it if necessary, while the after triggers are triggered by the update request and can either refuse the update (through a rollback) or force additional changes. Here, the former can implement state and trajectory invariance constraints, while the latter can implement any of the four types of constraints.

From the above analysis, it seems that certain specifications, such as a state maintenance constraint, can be implemented in multiple ways: through a DB2-V2 constraint or through after triggers. But the trigger processing architecture treats DB2-V2 constraints very differently from after triggers. Thus it becomes very difficult to formulate and verify the correctness of the DB2-V2 (or SQL3) active features with respect to the specifications mentioned in Section 1.1.

We propose a different class of active features that are close to the SQL3 features, but that are distinct in terms of their goals. Our class consists of three kinds of procedural features (triggers): refusal triggers, wrapper triggers, and maintenance triggers.

Intuitively, the refusal triggers, when triggered, refuse the update that caused the triggering. Thus refusal triggers can express not only after triggers with refuse actions, but also NOT NULL constraints, unique indexes, check constraints, primary key constraints, and foreign key constraints with NO ACTION or RESTRICT in the action part. The wrapper triggers wrap the update request with additional changes and thus can express both before triggers and column default constraints. The maintenance triggers¹ trigger additional updates and thus can express both after triggers with a similar purpose and foreign key constraints with CASCADE or SET NULL in the action part.



¹ In Section 4 we will further divide maintenance triggers into two classes: short-term and long-term. This becomes necessary when we need to worry about reactive response to update requests.

Our division of the triggers into the above three classes makes them distinct in terms of what they set out to achieve. This is different from the active features in DB2-V2 and SQL3, where the overlapping of goals makes it difficult to design active databases and to formulate their correctness.

2 Actions, Events, and Triggers 

In this section we describe the necessary mechanism for reasoning about actions 
and events which we will then use to formulate correctness of triggers with 
respect to declarative specifications. 

2.1 Actions and Effects 

Intuitively, an action, when executed in a world, changes the state of the world. In databases, an action can take several meanings, from the basic insert, delete and update actions to SQL update statements. In this paper, by an action we will usually refer to an uninterruptible transaction.

To specify the effects of an action on a database we borrow constructs from the specification language $\mathcal{A}$ and our earlier work. In the following, by a fluent we will mean a database fact, and by a fluent literal we will mean either a database fact or its negation. Effects of actions are specified through effect axioms of the following form:

    $a(X)$ causes $f(Y)$ if $p_1(X_1), \dots, p_n(X_n)$    (2.1)

where $a(X)$ is an action and $f(Y), p_1(X_1), \dots, p_n(X_n)$ are fluent literals ($n \geq 0$). $p_1(X_1), \dots, p_n(X_n)$ are called preconditions. The intuitive meaning of (2.1) is that in any state of the active database execution in which $p_1(X_1), \dots, p_n(X_n)$ are true, the execution of the action $a(X)$ causes $f(Y)$ to be true in the resulting state. A word of caution is needed regarding the safeness of variables in the causal law (2.1). The preconditions $p_1(X_1), \dots, p_n(X_n)$ will be evaluated as regular queries in the database, and $a(X)$ is an action that could be invoked by a user or an active rule. Thus, variables appearing in $Y$ or in any negated fluent in the preconditions must also appear in one of the positive fluents in the preconditions. If there are variables in $X$ that do not appear in any of the positive fluents in the preconditions, these arguments must be ground at the time of the invocation of the action; otherwise there will be an error in the execution. Moreover, the variables are schema variables, and intuitively an effect axiom with variables represents the set of ground effect axioms where the variables are replaced by ground terms in the domain.

Two effect axioms with preconditions $p_1, \dots, p_n$ and $q_1, \dots, q_m$ respectively are said to be contradictory if they describe the effect of the same action $a$ on complementary $f$s, and $\{p_1, \dots, p_n\} \cap \{\neg q_1, \dots, \neg q_m\} = \emptyset$.

A state is a set of fluent names. Given a fluent name $f$ and a state $\sigma$, we say that $f$ holds in $\sigma$ if $f \in \sigma$, and $\neg f$ holds in $\sigma$ if $f \notin \sigma$. A transition function is a mapping $\Phi$ from the set of pairs $(a, \sigma)$, where $a$ is an action name and $\sigma$ is a state, into the set of states.

A collection of effect axioms (EA) for various actions in our world, with no contradictory effect axioms in them, defines a transition function from the set of actions and the set of database states to the set of database states. For every action $a$ and every state $\sigma$,

    $\Phi(a, \sigma) = (\sigma \cup \sigma') \setminus \sigma''$,

where $\sigma'$ ($\sigma''$) is the set of fluent names $f$ such that EA includes an effect proposition describing the effect of action $a$ on $f$ (respectively, $\neg f$) whose preconditions hold in $\sigma$.

We now show how the effect of simple actions such as insert, delete and update can be specified using effect axioms.

    $insert(R(t))$ causes $R(t)$    (2.2)

    $delete(R(t))$ causes $\neg R(t)$    (2.3)

    $update(R(t), R(t'))$ causes $R(t')$ if $R(t)$    (2.4)

    $update(R(t), R(t'))$ causes $\neg R(t)$ if $R(t)$    (2.5)



We now show how we can specify the effect of actions corresponding to more complex transactions.

Example 1. Consider another transaction, $a_2$:

    UPDATE parts
    SET qonorder = qonhand,
        qonhand = qonorder
    WHERE partno = 'P207';

Its effects can be described in our language through the following effect propositions:

    $a_2$ causes $parts(P207, Descr, qonhand, qonorder)$ if $parts(P207, Descr, qonorder, qonhand)$

    $a_2$ causes $\neg parts(P207, Descr, qonhand, qonorder)$ if $parts(P207, Descr, qonhand, qonorder)$ □

To reason about the effect of a sequence of actions on a database $\sigma$, we need to extend the function $\Phi$ to allow a sequence of actions as its first parameter. This extension is defined as follows:

— $\Phi([\,], \sigma) = \sigma$, and

— $\Phi([a|\alpha], \sigma) = \Phi(\alpha, \Phi(a, \sigma))$.
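The machinery of this subsection, as an added example that is not part of the paper: a small Python matcher for schema variables, effect axioms of the form (2.1), the transition function $\Phi$ with the axioms (2.2)-(2.5) and those of Example 1, its extension to sequences, and the contradiction test. The `parts` rows and the helper names are constructed for the example.

```python
# Added example (not the paper's code): effect axioms of the form (2.1), the
# transition function Phi(a, sigma) = (sigma ∪ sigma') \ sigma'', its extension
# to action sequences, and the contradiction test. Sample rows are constructed.
from dataclasses import dataclass
from typing import Iterator, Optional


class Var(str):
    """A schema variable inside a pattern, e.g. Var("Descr")."""

def unify(pattern, value, binds: dict) -> Optional[dict]:
    """Match a pattern (constant, Var, or tuple of patterns) against a ground value."""
    if isinstance(pattern, Var):
        if pattern in binds:
            return binds if binds[pattern] == value else None
        return {**binds, pattern: value}
    if isinstance(pattern, tuple) and isinstance(value, tuple):
        if len(pattern) != len(value):
            return None
        for p, v in zip(pattern, value):
            binds = unify(p, v, binds)
            if binds is None:
                return None
        return binds
    return binds if pattern == value else None

def subst(pattern, binds: dict):
    """Instantiate a pattern; an unbound Var raises KeyError (an unsafe axiom)."""
    if isinstance(pattern, Var):
        return binds[pattern]
    if isinstance(pattern, tuple):
        return tuple(subst(p, binds) for p in pattern)
    return pattern

def solve(preconds: tuple, state: frozenset, binds: dict) -> Iterator[dict]:
    """Yield every binding under which all precondition literals hold in state.
    A negated literal is checked by absence, so it must already be ground (safeness)."""
    if not preconds:
        yield binds
        return
    (fluent, positive), rest = preconds[0], preconds[1:]
    if positive:
        for fact in state:
            b = unify(fluent, fact, binds)
            if b is not None:
                yield from solve(rest, state, b)
    elif subst(fluent, binds) not in state:
        yield from solve(rest, state, binds)

@dataclass(frozen=True)
class Axiom:
    """a(X) causes f(Y) if p1(X1), ..., pn(Xn): an action pattern, an effect
    literal (fluent pattern, sign) and a tuple of precondition literals."""
    action: tuple
    effect: tuple
    preconds: tuple = ()

def phi(action: tuple, state: frozenset, axioms) -> frozenset:
    """Phi(a, sigma) = (sigma ∪ sigma') \\ sigma'' for one ground action a."""
    added, removed = set(), set()
    for ax in axioms:
        binds = unify(ax.action, action, {})
        if binds is None:
            continue
        fluent, positive = ax.effect
        for b in solve(ax.preconds, state, binds):
            (added if positive else removed).add(subst(fluent, b))
    return frozenset((state | added) - removed)

def phi_seq(actions, state: frozenset, axioms) -> frozenset:
    """Phi([], s) = s and Phi([a|alpha], s) = Phi(alpha, Phi(a, s))."""
    for a in actions:
        state = phi(a, state, axioms)
    return state

def contradictory(a1: Axiom, a2: Axiom) -> bool:
    """Same action, complementary effect fluents, and {p_i} ∩ {¬q_j} = ∅."""
    complementary = a1.effect[0] == a2.effect[0] and a1.effect[1] != a2.effect[1]
    negated_q = {(f, not sign) for f, sign in a2.preconds}
    return a1.action == a2.action and complementary and not (set(a1.preconds) & negated_q)

F, G = Var("F"), Var("G")
BASIC = (                                            # (2.2)-(2.5)
    Axiom(("insert", F), (F, True)),
    Axiom(("delete", F), (F, False)),
    Axiom(("update", F, G), (G, True), ((F, True),)),
    Axiom(("update", F, G), (F, False), ((F, True),)),
)
D, QH, QO = Var("Descr"), Var("Qonhand"), Var("Qonorder")
A2 = (                                               # Example 1: a2 swaps P207's two quantities
    Axiom(("a2",), (("parts", "P207", D, QH, QO), True), ((("parts", "P207", D, QO, QH), True),)),
    Axiom(("a2",), (("parts", "P207", D, QH, QO), False), ((("parts", "P207", D, QH, QO), True),)),
)
PARTS = frozenset({("parts", "P207", "widget", 5, 10), ("parts", "P101", "bolt", 7, 0)})

def demo():
    """Run a2, then an insert/update/delete sequence under the basic axioms."""
    after_a2 = phi(("a2",), PARTS, A2)
    nut, nut2 = ("parts", "P300", "nut", 1, 1), ("parts", "P300", "nut", 2, 1)
    after_seq = phi_seq([("insert", nut), ("update", nut, nut2),
                         ("delete", ("parts", "P101", "bolt", 7, 0))], after_a2, BASIC)
    return after_a2, after_seq
```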
2.2 Events and ECA Rules

Triggers (or active rules) in active databases are normally represented as a triple consisting of events, conditions and actions. In most active database architectures, the sequence of actions that have been executed since the last evaluation point is evaluated to decide what events have taken place. These events, together with the valuation of the condition with respect to the current database state, determine whether a particular ECA active rule should be triggered or not.



Different active databases allow different event sets and have different ways of evaluating the events. In the simplest case, the events can be the set of inserts and deletes explicitly performed by the last action. On the other hand, in Starburst, events are defined in terms of the net effects of a sequence of transitions. To allow the flexibility of defining a set of events and computing them from a sequence of actions we use the following notion of event definitions.



An event definition proposition is an expression of the form:

    $e(X)$ after $a(W)$ if $e_1(Y_1), \dots, e_m(Y_m), q_1(Z_1), \dots, q_n(Z_n)$    (2.6)

where $e(X), e_1(Y_1), \dots, e_m(Y_m)$ are event literals² and $q_1(Z_1), \dots, q_n(Z_n)$ are fluent literals. This proposition says that the execution of the action $a(W)$, ordered in a state in which each of the fluent literals $q_i(Z_i)$ is true and each of the event literals $e_j(Y_j)$ is true, generates the event literal $e(X)$ if the event literal is positive, or removes the event from the set of current events if the event literal $e(X)$ is negative. If the execution is ordered in a state in which some of the $q_i(Z_i)$ or $e_j(Y_j)$ do not hold, then (2.6) has no effect. Each of the (schema) variables appearing in $X$ or in a negated event or fluent literal has to appear either in $W$ or in a positive event/fluent literal.

The default assumption is that an event persists from one state to another, with two possible exceptions: either the event is consumed by an active rule (see below), or the event is removed by an action based on the specification of an event definition. For example, if we have an expression $\neg e_1$ after $a_1$, the execution of the action $a_1$ will cause the event $e_1$ not to be present in the resulting state. Hence, the meaning of "an event is true in a given state" is: the event was induced (i.e. generated) in some state prior to the given one and the event persisted, or the event was induced by an execution of an action in the previous state.

² Like fluent literals, an event literal is an event or its negation.

Example 2 (Events in Starburst). In Starburst, net effects (or events) are expressed in words through the following conditions:

— If a tuple is inserted and then updated, it is considered an insertion of the updated tuple.

— If a tuple is updated and then deleted, it is considered as a deletion of the original tuple.

— If a tuple is updated more than once, it is considered as an update from the original value to the newest value.

— If a tuple is inserted and then deleted, it is not considered in the net effect at all.

These four premises can be encoded through event definitions as follows:

    $e\_add(H)$ after $upd(G, H)$ if $e\_add(G)$
    $\neg e\_add(G)$ after $upd(G, H)$ if $e\_add(G)$
    $e\_del(G)$ after $del(F)$ if $e\_upd(G, F)$
    $\neg e\_upd(G, F)$ after $del(F)$ if $e\_upd(G, F)$
    $e\_upd(G, I)$ after $upd(H, I)$ if $e\_upd(G, H)$
    $\neg e\_upd(G, H)$ after $upd(H, I)$ if $e\_upd(G, H)$
    $\neg e\_add(G)$ after $del(G)$ if $e\_add(G)$    (2.7)

In the above example, at first glance it appears that our notation is more verbose than the original rules. For each of the first three rules we needed two event definition propositions. This is because we assume that events have inertia. This assumption actually cuts down on writing individual event definition propositions encoding the persistence of each event due to actions that do not affect it. For example, we do not need to explicitly write:

    $e\_add(H)$ after $del(G)$ if $e\_add(H), H \neq G$



We characterize events using the function $\Sigma$, whose input is a set of events, a state, and an action, and whose output is a set of events. More formally, let $\Sigma^+(E, \sigma, a) = \{\, e :$ there is an event definition proposition of the form $e$ after $a$ if $e_1, \dots, e_m, q_1, \dots, q_n$ where $e_1, \dots, e_m$ hold in $E$ and $q_1, \dots, q_n$ hold in $\sigma \,\}$; and let $\Sigma^-(E, \sigma, a) = \{\, e :$ there is an event definition proposition of the form $\neg e$ after $a$ if $e_1, \dots, e_m, q_1, \dots, q_n$ where $e_1, \dots, e_m$ hold in $E$ and $q_1, \dots, q_n$ hold in $\sigma \,\}$. $\Sigma(E, \sigma, a)$ is then defined as follows:

    $\Sigma(E, \sigma, a) = (E \cup \Sigma^+(E, \sigma, a)) \setminus \Sigma^-(E, \sigma, a)$

To be able to compute events with respect to a sequence of actions we extend $\Sigma$ as follows:

— $\Sigma(E, \sigma, [\,]) = E$, and

— $\Sigma(E, \sigma, [a|\alpha]) = \Sigma(\Sigma(E, \sigma, a), \Phi(a, \sigma), \alpha)$.
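The event function $\Sigma$ with the Starburst definitions (2.7), as an added example that is not the paper's code. The seven net-effect propositions are the paper's; the base propositions that make a fresh insert, delete or update induce its own event, the "original tuple" guard used for them, and the sample rows are my assumptions.

```python
# Added example (not the paper's code): the Starburst net-effect event
# definitions (2.7) and Sigma(E, sigma, a) = (E ∪ Sigma+) \ Sigma- over action
# sequences. The paper gives only the seven net-effect propositions; the base
# propositions (a fresh ins/del/upd induces its own event) are my assumption,
# as are the sample tuples below.
from typing import FrozenSet, Tuple

Event = Tuple   # ("e_add", t), ("e_del", t) or ("e_upd", old, new)
Action = Tuple  # ("ins", t), ("del", t) or ("upd", old, new)

def updated_from(events: FrozenSet[Event], h) -> list:
    """All G such that e_upd(G, H) is a current event."""
    return [e[1] for e in events if e[0] == "e_upd" and e[2] == h]

def is_original(events: FrozenSet[Event], t) -> bool:
    """t was in the database at the last evaluation point: no e_add(t) and no
    e_upd(_, t) is current (assumed guard for the base propositions)."""
    return ("e_add", t) not in events and not updated_from(events, t)

def sigma_plus(events, state, action) -> set:
    """Sigma+: event literals generated by the positive propositions."""
    kind, *args = action
    out = set()
    if kind == "ins":
        out.add(("e_add", args[0]))                       # base: e_add(T) after ins(T)
    elif kind == "del":
        (f,) = args
        if is_original(events, f):
            out.add(("e_del", f))                          # base: e_del(F) after del(F)
        for g in updated_from(events, f):
            out.add(("e_del", g))                          # e_del(G) after del(F) if e_upd(G,F)
    else:
        g, h = args
        if is_original(events, g):
            out.add(("e_upd", g, h))                       # base: e_upd(G,H) after upd(G,H)
        if ("e_add", g) in events:
            out.add(("e_add", h))                          # e_add(H) after upd(G,H) if e_add(G)
        for g0 in updated_from(events, g):
            out.add(("e_upd", g0, h))                      # e_upd(G,I) after upd(H,I) if e_upd(G,H)
    return out

def sigma_minus(events, state, action) -> set:
    """Sigma-: event literals removed by the negative propositions of (2.7)."""
    kind, *args = action
    out = set()
    if kind == "del":
        (f,) = args
        if ("e_add", f) in events:
            out.add(("e_add", f))                          # ¬e_add(G) after del(G) if e_add(G)
        for g in updated_from(events, f):
            out.add(("e_upd", g, f))                       # ¬e_upd(G,F) after del(F) if e_upd(G,F)
    elif kind == "upd":
        g, h = args
        if ("e_add", g) in events:
            out.add(("e_add", g))                          # ¬e_add(G) after upd(G,H) if e_add(G)
        for g0 in updated_from(events, g):
            out.add(("e_upd", g0, g))                      # ¬e_upd(G,H) after upd(H,I) if e_upd(G,H)
    return out

def sigma(events, state, action) -> FrozenSet[Event]:
    """Sigma(E, sigma, a): events have inertia, so E is kept unless removed."""
    return frozenset((events | sigma_plus(events, state, action)) - sigma_minus(events, state, action))

def phi(action, state: frozenset) -> frozenset:
    """Minimal transition function for the three tuple-level actions."""
    kind, *args = action
    if kind == "ins":
        return state | {args[0]}
    if kind == "del":
        return state - {args[0]}
    return (state - {args[0]}) | {args[1]}

def sigma_seq(events, state, actions) -> FrozenSet[Event]:
    """Sigma(E, s, [a|alpha]) = Sigma(Sigma(E, s, a), Phi(a, s), alpha)."""
    for a in actions:
        events, state = sigma(events, state, a), phi(a, state)
    return events

# Constructed sample: T and U are original rows; A is inserted during the transaction.
T, T1, T2, U, A, B = ("P207", 5), ("P207", 6), ("P207", 7), ("P101", 1), ("P300", 9), ("P300", 3)
DB = frozenset({T, U})

def net_effects(actions) -> FrozenSet[Event]:
    """Net effect of a transaction starting with no current events."""
    return sigma_seq(frozenset(), DB, actions)
```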
2.3 Characterizing Database Evolution Due to ECA Rules

As mentioned in Section 1.2, we have three kinds of triggers: wrapper triggers, refusal triggers and maintenance triggers. We represent each of them through ECA rules but distinguish them by the action part. In wrapper triggers the action part is a wrapping function $\omega$ which maps an action sequence and a database state to an action sequence. Intuitively, for a single action $a$, by $\omega(a, \sigma) = a'$ we mean that $a'$ is the action obtained by wrapping $a$ with $\omega$ in state $\sigma$. In refusal triggers the action part is the special action REFUSE, and in maintenance triggers the action part can be an arbitrary sequence of actions. Thus an ECA rule is a triple $(e, c, a)$, where $e$ is an event in our language, $c$ is a temporal formula about the database history, and $a$ is either a wrapping function, the special action REFUSE, or a sequence of actions. Often we will represent a single action $a$ as the ECA rule $(\emptyset, True, a)$.

In this subsection our goal is to give a formal characterization of the evolution of a database due to a sequence of actions in the presence of a set of ECA rules. In our characterization we strive to keep a balance between not making the semantics too complicated and not losing expressibility. We now give an intuitive description of our characterization.



Intuitively, after the action sequence (with the necessary modifications due to wrapper triggers) is executed, the set of events corresponding to that sequence of actions is evaluated. Then the ECA rules that match the events are identified. We assume (as in many implemented systems) that there is a total ordering among the ECA rules, with the condition that refusal triggers have higher priority than maintenance triggers. Using this total ordering, a priority list of the identified ECA rules is created. Then the condition parts of the ECA rules in the priority list are evaluated in the order of their priority, and if a condition evaluates to true, the corresponding action part is executed. Since the action part may trigger additional ECA rules, an important concern is how these ECA rules are assimilated into the already existing prioritized list of ECA rules. Two straightforward approaches are to view the list as a stack, where newly triggered ECA rules are pushed onto the top of the stack, or to view the list as a queue, where newly triggered ECA rules are put at the end of the queue. In both cases, among the newly added rules, the wrapper triggers have the highest priority, the refusal triggers have the second highest priority and the maintenance triggers have the lowest priority.



So after the execution of the action part of the currently considered ECA rule, the newly triggered ECA rules are put into the priority list, and the evaluation of the ECA rules in the modified list is again done based on their priority. This loop of executing the action part of the currently chosen ECA rule, updating the list of ECA rules, and evaluating the list to find the next ECA rule continues until the list is empty. During the execution, when faced with a trigger whose action part is REFUSE, the database is rolled back.

We now formally define the function $\Psi(\sigma, \alpha, List)$, where $\sigma$ is a database state, $\alpha$ is a sequence of actions and $List$ is a prioritized list of ECA rules that are yet to be processed, and the output of the function is a sequence of database states. Once we define this function, the evolution of a database state $\sigma$ due to an action sequence $\alpha$ can be expressed by $\Psi(\sigma, \alpha, [\,])$. (For lack of space we only consider the simple case where there are no triggers with REFUSE in their action part.)

Definition 3 (Evolution due to Actions and Triggers).

1. $\Psi(\sigma, \alpha, List) = \sigma$ if $\sigma$ is a state, $\alpha$ is an empty sequence, and $List = [\,]$.

2. $\Psi(\sigma, \alpha, List)$ is an empty list if $\sigma$ is undefined.

3. $\Psi(\sigma, \alpha, List) = \sigma \circ T$ (the sequence $\sigma$ followed by $T$) if

(a) $\sigma' = \Phi(\omega(\alpha), \sigma)$, where $\omega$ is the composition of the wrapping functions of the before triggers triggered by the events in $\Sigma(\emptyset, \sigma, \alpha)$. (If there are no before triggers triggered by the events in $\Sigma(\emptyset, \sigma, \alpha)$ then $\omega$ is the identity function; i.e., $\forall \alpha.\ \omega(\alpha) = \alpha$.)

(b) $List_1$ is the list obtained by adding the new ECA rules triggered by the events in $\Sigma(\emptyset, \sigma, \omega(\alpha))$ to $List$ and adjusting the priorities,

(c) $eca$ is the ECA rule with the highest priority in the priority list $List_1$,

(d) $\alpha'$ is the action part in $eca$,

(e) $List_2 = List_1 \setminus \{eca\}$, and

(f) $\Psi(\sigma', \alpha', List_2) = T$. □

Because of the second condition above, when $\Phi(\omega(\alpha), \sigma)$ is undefined we obtain $T$ as an empty list, and then $\Psi(\sigma, \alpha, List)$ is a sequence of length one with $\sigma$ as the only element. Rollbacks can be accounted for by having an additional parameter in $\Psi$ which stores the initial state, to which the database should be rolled back when a trigger with REFUSE in its action part is triggered.

2.4 Correctness of ECA Rules 

Our next step is to formally define when a set of ECA rules is correct with respect to invariance and maintenance constraints. For state maintenance constraints, intuitively, correctness means that the ECA rules force the database to evolve in such a way that the final state that is reached is a state where all the state maintenance constraints are satisfied. For state invariance constraints, intuitively, correctness means that the ECA rules force the database to evolve in such a way that the state invariance constraints are satisfied in all states of the trajectory.

Since our ultimate goal is to be able to use this definition to verify correctness, we add another dimension to the definition: the class of exogenous actions that we consider, where exogenous actions are the actions that outside users are allowed to execute on the database. It should be noted that the action part of the ECA rules may have actions other than the exogenous actions.

We now formally define correctness with respect to state invariant and mainte- 
nance constraints. 
Definition 4. Let $\Gamma_{si}$ be a set of state invariant constraints, $\Gamma_{sm}$ be a set of state maintenance constraints, $A$ be a set of exogenous actions, and $T$ be a set of ECA rules. We say $T$ is correct with respect to $\Gamma_{si} \cup \Gamma_{sm}$ and $A$, if for all database states $\sigma$ where the constraints in $\Gamma_{si}$ and $\Gamma_{sm}$ hold, and for all action sequences $\alpha$ consisting of exogenous actions from $A$,

— all the states in the sequence $\Psi(\sigma, \alpha, [\,])$ satisfy the constraints in $\Gamma_{si}$; and

— the last state of the evolution given by $\Psi(\sigma, \alpha, [\,])$ satisfies the constraints in $\Gamma_{sm}$. □

To expand Definition 4 to define correctness with respect to trajectory constraints we need to consider a larger evolution window where the database evolves through several exogenous requests, each consisting of a sequence of (exogenous) actions. For this we use the notation $\sigma_\alpha$ to denote the last state of the evolution given by $\Psi(\sigma, \alpha, [\,])$. We use the notation $\sigma_{(\alpha_1, \alpha_2)}$ to denote the last state of the evolution given by $\Psi(\sigma_{\alpha_1}, \alpha_2, [\,])$, and similarly define $\sigma_{(\alpha_1, \dots, \alpha_i)}$.

Definition 5. Let $\Gamma_{si}$ be a set of state invariant constraints, $\Gamma_{sm}$ be a set of state maintenance constraints, $\Gamma_{ti}$ be a set of trajectory invariant constraints, $\Gamma_{tm}$ be a set of trajectory maintenance constraints, $A$ be a set of exogenous actions, and $T$ be a set of ECA rules. We say $T$ is correct with respect to $\Gamma_{si} \cup \Gamma_{sm} \cup \Gamma_{ti} \cup \Gamma_{tm}$ and $A$, if for all database states $\sigma$ where the constraints in $\Gamma_{si}$ and $\Gamma_{sm}$ hold, and for all action sequences $\alpha_1, \dots, \alpha_n$ consisting of exogenous actions from $A$,

— all the states in the sequences $\Psi(\sigma, \alpha_1, [\,]), \Psi(\sigma_{\alpha_1}, \alpha_2, [\,]), \dots, \Psi(\sigma_{(\alpha_1, \dots, \alpha_{n-1})}, \alpha_n, [\,])$ satisfy the constraints in $\Gamma_{si}$;

— all the states $\sigma_{\alpha_1}, \dots, \sigma_{(\alpha_1, \dots, \alpha_n)}$ satisfy the constraints in $\Gamma_{sm}$;

— the trajectory obtained by concatenating $\Psi(\sigma, \alpha_1, [\,])$ with $\Psi(\sigma_{\alpha_1}, \alpha_2, [\,]), \dots, \Psi(\sigma_{(\alpha_1, \dots, \alpha_{n-1})}, \alpha_n, [\,])$ satisfies the constraints in $\Gamma_{ti}$; and

— the trajectory $\sigma, \sigma_{\alpha_1}, \dots, \sigma_{(\alpha_1, \dots, \alpha_n)}$ satisfies the constraints in $\Gamma_{tm}$. □



Example 3. Consider the relational schema:

    $Employee(Emp\#, Name, Salary, Dept\#)$
    $Dept(Dept\#, Mgr)$

We have two state maintenance constraints:

(i) If $(e, n, s, d)$ is a tuple in $Employee$ then there must be a tuple $(d', m')$ in $Dept$ such that $d = d'$.

(ii) If $(d, m)$ is a tuple in $Dept$, then there must be a tuple $(e', n', s', d')$ in $Employee$ such that $d = d'$ and $m = e'$.

The only allowable exogenous action is $del(Employee(E, N, S, D))$.

The set of maintenance triggers that can be shown to be correct with respect to the above maintenance constraints and exogenous actions consists of the following trigger.

• For any delete of $(e, n, s, d)$ from $Employee$, if $(d, e)$ is a tuple in $Dept$, delete that tuple from $Dept$ and delete all tuples of the form $(e', n', s', d')$ from $Employee$, where $d = d'$. □

We can now make the formal claim that the above maintenance trigger is correct with respect to the above mentioned state maintenance constraints and exogenous actions.
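Definition 3's evolution function, restricted to maintenance triggers, run on Example 3 and checked against Definition 4, as an added example that is not the paper's code. The cascade trigger passes the check on a constructed Employee/Dept database and on all exogenous delete sequences of bounded length, while a weaker trigger that only removes the Dept row fails it. The base event definition e_del after del, the treatment of an empty rule list as the end of the sequence, and the sample rows are my assumptions.

```python
# Added example (not the paper's code): Psi of Definition 3 restricted to
# maintenance triggers, run on Example 3 (Employee/Dept) and checked against
# Definition 4 on a constructed database and bounded exogenous delete sequences.
from itertools import permutations
from typing import Callable, List

State = frozenset   # rows ("Employee", emp, name, salary, dept) and ("Dept", dept, mgr)
Rule = Callable[[tuple, State], List[tuple]]   # (event, state) -> action part, [] if silent

def phi_seq(alpha: List[tuple], state: State) -> State:
    """Phi over a sequence; del(t) is the only primitive action in this example."""
    for kind, t in alpha:
        assert kind == "del"
        state = state - {t}
    return state

def events_of(alpha: List[tuple]) -> List[tuple]:
    """Sigma(∅, σ, α) here: each del(t) induces e_del(t) (assumed base event definition)."""
    return [("e_del", t) for _kind, t in alpha]

def evolve(state: State, alpha: List[tuple], rules: List[Rule], stack: bool = False) -> List[State]:
    """Psi(σ, α, [ ]): the states reached while the prioritized list of triggered
    rules is worked off, treated as a queue (default) or as a stack. My reading
    of the base case: the sequence ends once the list is empty."""
    trajectory = [state]
    todo: List[List[tuple]] = []
    while True:
        if alpha:
            state = phi_seq(alpha, state)            # (a) σ' = Φ(α, σ); no wrapper triggers here
            trajectory.append(state)                 # Psi = σ ∘ T
        fired = []
        for ev in events_of(alpha):                  # (b) rules triggered by the new events
            for rule in rules:
                acts = rule(ev, state)
                if acts:
                    fired.append(acts)
        todo = fired + todo if stack else todo + fired
        if not todo:
            return trajectory
        alpha = todo.pop(0)                          # (c)-(e) take the highest-priority rule

def c_i(state: State) -> bool:
    """(i) every Employee's Dept# appears in Dept."""
    depts = {t[1] for t in state if t[0] == "Dept"}
    return all(t[4] in depts for t in state if t[0] == "Employee")

def c_ii(state: State) -> bool:
    """(ii) every Dept's manager is an Employee of that Dept."""
    staff = {(t[1], t[4]) for t in state if t[0] == "Employee"}
    return all((t[2], t[1]) in staff for t in state if t[0] == "Dept")

def cascade_trigger(event: tuple, state: State) -> List[tuple]:
    """The paper's trigger: on deleting Employee (e, n, s, d), if Dept holds
    (d, e), delete that row and every Employee of department d."""
    kind, t = event
    if kind != "e_del" or t[0] != "Employee" or ("Dept", t[4], t[1]) not in state:
        return []
    same_dept = sorted(u for u in state if u[0] == "Employee" and u[4] == t[4])
    return [("del", ("Dept", t[4], t[1]))] + [("del", u) for u in same_dept]

def dept_only_trigger(event: tuple, state: State) -> List[tuple]:
    """A constructed weaker variant that forgets the Employee cascade."""
    kind, t = event
    if kind != "e_del" or t[0] != "Employee" or ("Dept", t[4], t[1]) not in state:
        return []
    return [("del", ("Dept", t[4], t[1]))]

def correct_for(state: State, rules: List[Rule], max_len: int = 2) -> bool:
    """Definition 4 with Γ_si = ∅ on one consistent start state: after every
    sequence of up to max_len exogenous deletes, the last state of Psi
    satisfies both state maintenance constraints."""
    assert c_i(state) and c_ii(state)
    employees = sorted(t for t in state if t[0] == "Employee")
    for n in range(1, max_len + 1):
        for seq in permutations(employees, n):
            final = evolve(state, [("del", t) for t in seq], rules)[-1]
            if not (c_i(final) and c_ii(final)):
                return False
    return True

# Constructed database: e1 manages department 10 (with e2), e3 manages department 20.
DB: State = frozenset({("Employee", "e1", "Ann", 50, 10), ("Employee", "e2", "Bob", 40, 10),
                       ("Employee", "e3", "Cid", 45, 20), ("Dept", 10, "e1"), ("Dept", 20, "e3")})
```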



3 Elaborating on Our Abstractions 

In Section 1.1 we defined state constraints and trajectory constraints as boolean functions on database states and sequences of database states respectively. Our next concern is how to represent such functions parsimoniously. One approach is to use logical constructs. In this section we introduce several language constructs that we propose to use in specifying state and trajectory constraints and show their use through examples.

We start with a description of the mail order business active database from the literature. To save space and to make it readable without knowing the syntax of triggers in DB2-V2, we describe the triggers of this active database in words, and not in the syntax of DB2-V2.



3.1 The Tables

The five tables mentioned in that database, and their attributes, are:

    Cust(C#, Cname, Caddr, Baldue, Creditlmt)
    Suppl(S#, Sname, Saddr, Amtowed)
    Inv(It#, Iname, S#, Qonhand, Unitsalpr, Qonorder, Unitorderpr, Orderthreshold, Minorder)
    Purch(Orddate, Ordtime, S#, It#, Qordered, Dtrecvd, Qrcvd, Unitpr)
    Sales(Sldate, Sltime, C#, It#, Qsold, Unitpr, Totalsale)



3.2 A Subset of the Triggers

Due to lack of space we only consider two of the eight triggers given there, and identify the state and trajectory constraints corresponding to these triggers.

— (PT1: a wrapper trigger)

When inserting into the Purch table, modify the tuples (to be inserted) so that for any It#, the values for S# and Unitpr are the values for S# and Unitorderpr for that It# in the Inv table. (Note that because of the constraints associated with the Purch table that allow Orddate and Ordtime to get the current date and time by default, It# and Qordered are the only pieces of information required to do insertions into the Purch table.)

— (PT2: a maintenance trigger)

After inserting an order for an It# into Purch, update the Inv table by increasing the Qonorder (in the tuple with that It#) by Qordered.
The Corresponding Constraints. We first list the constraints in a high level language that we developed and then explain the meaning of the constructs in this language.

— (C1) ForAll It#. Inv.S# = Purch.S# is invariant

— (C2) ForAll It#. Inv.Unitorderpr = Purch.Unitpr is invariant

— (C3) newtuple Purch requires Orddate = Currentdate and Ordtime = Currenttime

— (C4) ForAll It#. Purch.Sum(Qordered) − Purch.Sum(Qrcvd) = Inv.Qonorder is maintained

Among the above constraints, the first two are state invariant constraints, the third is a trajectory invariant constraint, and the fourth is a state maintenance constraint. These constraints can be specified in first-order logic with temporal and aggregate constructs. We specify them using such constructs below, with the assumption that all free variables are universally quantified and all the existentially quantified variables are denoted by underscores.

— (C1') $(Inv(It\#, \_, S_1, \_, \_, \_, \_, \_, \_) \wedge Purch(\_, \_, S_2, It\#, \_, \_, \_, \_)) \Rightarrow (S_1 = S_2)$

— (C2') $(Inv(It\#, \_, \_, \_, \_, \_, UOP_1, \_, \_) \wedge Purch(\_, \_, \_, It\#, \_, \_, \_, UP_2)) \Rightarrow (UOP_1 = UP_2)$

— (C3') $(\neg Purch(OD, OT, S\#, It\#, \_, \_, \_, \_) \wedge nexttime(Purch(OD, OT, S\#, It\#, \_, \_, \_, \_))) \Rightarrow nexttime(OD = date \wedge OT = time)$

— (C4.1') $R_1(It\#, Sum\_Qord) = {}_{It\#}\mathcal{G}_{Sum\ Qordered}(Purch)$

— (C4.2') $R_2(It\#, Sum\_Qrcvd) = {}_{It\#}\mathcal{G}_{Sum\ Qrcvd}(Purch)$

— (C4') $(quiescent \wedge R_1(It\#, Sum\_Qord) \wedge R_2(It\#, Sum\_Qrcvd) \wedge Inv(It\#, \_, \_, \_, \_, Qonorder, \_, \_, \_)) \Rightarrow (Sum\_Qord - Sum\_Qrcvd = Qonorder)$

The first order formulas (C1') and (C2') are low level representations of the state invariant constraints (C1) and (C2) respectively. The temporal formula (C3') is a low level representation of the trajectory invariant constraint (C3), and the temporal operator nexttime in (C3') has the usual FTL (future temporal logic) meaning. Next we have the formulas (C4.1') and (C4.2'), containing grouping aggregation expressions using the notation³ from the text book, and (C4'), which together are a low level representation of the state maintenance constraint (C4). Note the difference between (C4') and (C1'–C2'). Since the former is a maintenance constraint, we use the proposition quiescent in the left hand side of the implication, meaning that the implication only holds in quiescent states. On the other hand, the implications in (C1'–C2') must hold in all states.

³ In this notation the general form is ${}_{G_1, G_2, \dots, G_n}\mathcal{G}_{F_1\ A_1, F_2\ A_2, \dots, F_m\ A_m}(E)$, where $E$ is any relational-algebra expression, $G_1, \dots, G_n$ constitute a list of attributes on which to group, each $F_i$ is an aggregate function, and each $A_i$ is an attribute name. The meaning of the operation is defined as follows. The tuples in the result of expression $E$ are partitioned into groups such that: (i) all tuples in a group have the same values for $G_1, \dots, G_n$; (ii) tuples in different groups have different values for $G_1, \dots, G_n$. The groups can now be identified by the values of the attributes $G_1, \dots, G_n$ of the relation, and for each group $(g_1, \dots, g_n)$ the result has a tuple $(g_1, \dots, g_n, u_1, \dots, u_m)$ where, for each $i$, $u_i$ is the result of applying the aggregate function $F_i$ to the multiset of values for the attribute $A_i$ in the group.

Proposition 1. Let DB be the schema declaration in Section 3.1, and let the only allowable exogenous action be 'Insert into Purch with Dtrecvd and Qrcvd as null, and Qordered as a positive value'. Then in the context of DB the set of triggers {PT1, PT2} is correct w.r.t. the set of constraints {C1, C2, C3, C4} and the above mentioned exogenous action. □



4 Interrupting Exogenous Updates

So far we have (implicitly) assumed that if new exogenous update requests come in when the active database system is in the midst of processing ECA rules due to a previous exogenous update, the new requests are kept on hold until the processing (due to the previous update) comes to an end. Such an assumption is perhaps acceptable when the exogenous updates are not that frequent and/or trigger processing is not that time consuming, and there is no guaranteed quality of service requirement.

With the popularity of e-commerce, where updates to the database would often be due to e-transactions over the web, companies may require a guaranteed quality of service. In particular, they may require an immediate response to requests. In such a case, it may be a good idea to partition maintenance triggers into two kinds, short term and long term, with the idea that in order to give a reactive response to new update requests, processing of long term maintenance triggers may be postponed in favor of processing the new update request.

The formulation of correctness in such a case becomes tricky, and we have made a small start in that direction. Here we only consider condition-action triggers, and consider all triggers to be long term. Before we get to our definition of correctness in such cases, we introduce the following notation. Let T be a set of condition-action triggers, and σ be a database state. By S_T(σ) we denote the action of the trigger which has the highest priority among the triggers whose conditions are satisfied in σ. We also have the following additional notation:

- H^0_T(σ) = σ, and

- a_{i+1} = S_T(H^i_T(σ)) and H^{i+1}_T(σ) = Φ(H^i_T(σ), a_{i+1}).



Definition 6 (k-Maintenance). Let T be a set of condition-action triggers, Γ be a set of long term maintenance constraints, S be a set of states, and A be a set of allowable exogenous actions.

By Closure(S, T, A) we denote the smallest set of states that is a superset of S and that satisfies the property that if σ ∈ S, then for any exogenous action a from A, Φ(σ, a) ∈ S, and Φ(σ, S_T(σ)) ∈ S.

We say T k-maintains the maintenance constraints Γ from S and A, if for each state σ in S, the sequence satisfies Γ. □

Intuitively, the notion of k-maintenance means that the active database system will get back to consistency (with respect to Γ) if it is given a window of opportunity of processing k triggers without any outside interference in terms of new update requests.

An important aspect of such a notion of k-maintainability is that in reactive (active database) systems, if we know that our system is k-maintainable, and each transition takes say t time units, then we can implement a transaction mechanism that will regulate the number of exogenous actions allowed per unit time to be [...]. On the other hand, given a requirement that we must allow m requests (exogenous actions) per unit time, we can work backwards to determine the value of k, and then find a set of triggers to make the system k-maintainable.
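The notation S_T, Φ, H^i_T and Closure and the k-maintenance check, as an added Python example that is not the paper's code, on a constructed three-attribute schema with two maintenance triggers and two exogenous actions. It reads "the sequence satisfies Γ" as: the state H^k_T(σ) reached after k uninterrupted trigger steps satisfies every constraint, for every σ in the closure; that reading, and every name and value below, is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# A database state is an immutable, hashable tuple of (attribute, value) pairs;
# the schema (x, y, z) and everything below are constructed for this example.
State = Tuple[Tuple[str, int], ...]

def st(**kw) -> State:
    return tuple(sorted(kw.items()))

def val(s: State, k: str) -> int:
    return dict(s)[k]

def upd(s: State, **kw) -> State:
    d = dict(s)
    d.update(kw)
    return st(**d)

@dataclass(frozen=True)
class Trigger:
    name: str
    priority: int                          # lower number = higher priority
    condition: Callable[[State], bool]
    action: Callable[[State], State]

def S_T(triggers, sigma):
    """S_T(σ): action of the highest-priority trigger whose condition holds in σ,
    or None when σ is quiescent (no trigger condition is satisfied)."""
    fired = [t for t in triggers if t.condition(sigma)]
    return min(fired, key=lambda t: t.priority).action if fired else None

def phi(sigma, action):
    """Φ(σ, a): the state reached by executing action a in state σ."""
    return action(sigma)

def H(triggers, sigma, k):
    """H^k_T(σ): k trigger steps from σ without exogenous interference."""
    for _ in range(k):
        a = S_T(triggers, sigma)
        if a is None:
            break                          # quiescent: further steps change nothing
        sigma = phi(sigma, a)
    return sigma

def closure(states, triggers, actions):
    """Closure(S, T, A): smallest superset of S closed under the exogenous
    actions in A and under the trigger action S_T(σ)."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        successors = [phi(s, a) for a in actions]
        a = S_T(triggers, s)
        if a is not None:
            successors.append(phi(s, a))
        for n in successors:
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def k_maintains(triggers, constraints, states, actions, k):
    """T k-maintains Γ from S and A, under the reading stated in the lead-in."""
    return all(c(H(triggers, s, k))
               for s in closure(states, triggers, actions)
               for c in constraints)

# Constructed specification Γ: y must equal 2x and z must equal y + 1.
CONSTRAINTS = [lambda s: val(s, "y") == 2 * val(s, "x"),
               lambda s: val(s, "z") == val(s, "y") + 1]

# Constructed maintenance triggers, one per constraint; fix_y has priority.
TRIGGERS = [
    Trigger("fix_y", 1, lambda s: val(s, "y") != 2 * val(s, "x"),
            lambda s: upd(s, y=2 * val(s, "x"))),
    Trigger("fix_z", 2, lambda s: val(s, "z") != val(s, "y") + 1,
            lambda s: upd(s, z=val(s, "y") + 1)),
]

# Constructed exogenous actions: an outside update sets x to 5 or to 7.
ACTIONS = [lambda s: upd(s, x=5), lambda s: upd(s, x=7)]
INITIAL = {st(x=1, y=2, z=3)}

def smallest_k(max_k=10):
    """Work backwards from the trigger set: the smallest k for which it k-maintains Γ."""
    for k in range(max_k + 1):
        if k_maintains(TRIGGERS, CONSTRAINTS, INITIAL, ACTIONS, k):
            return k
    return None
```

With these triggers a single uninterrupted step is not enough (after an exogenous change of x, fix_y runs first and z is still stale), while two steps always restore consistency, so smallest_k() is 2; that is the value a transaction mechanism would use to bound how often exogenous actions may be admitted.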

5 Conclusion and Future Work 

In this paper we have taken several steps towards the systematic design of active 
features in an active database. The main steps that we have taken are identi- 
fying a few constructs for specification, classifying triggers into distinct classes 
based on their purpose, linking the trigger classes with the specification classes, 
formulating correctness of triggers with respect to a given specification, elabo- 
rating our formulation through examples and briefly introducing the notion of 
k-maintainability. 

Due to space limitations we were not able to detail our formulation (especially the prioritization used in defining F and the differentiation between row and statement triggers) and show the design methodology with respect to a large example. In the full version we will show how our formulation in this paper can be used in systematically developing the triggers for the complete example in [...], starting from a specification which is not given in [...]. Our main future work will be to develop composition methods and theorems so that given sets of triggers T1 and T2 that are correct with respect to specifications S1 and S2 respectively, we can construct triggers that are correct with respect to S1 ∪ S2. We also plan to identify additional specification constructs with matching trigger sub-classes, and further elaborate on our notion of k-maintainability.
Abstract. On top of a simple kernel (Horn Clause Interpreters with LD-resolution) we introduce Fluents, high level stateful objects which empower and simplify the architecture of logic programming languages through reflection of the underlying interpreter, while providing uniform interoperation patterns with object oriented and procedural languages. We design a Fluent class hierarchy which includes first-class stateful objects representing the meta-level Horn Clause Interpreters, file, URL, socket Readers and Writers, as well as data structures like terms and lists, with high-level operations directly mapped to iterative constructs in the underlying implementation language. Fluents melt naturally into the fabric of Logic Programming languages and provide elegant composition operations, reusability, resource recovery on backtracking and persistence. The Web site of our Kernel Prolog prototype, http://www.binnetcorp.com/kprolog/Main.html, allows the reader to try out online the examples discussed in this paper.

Keywords: Logic Programming Language Design and Implementation, 
Interoperation of Declarative and Stateful Languages, Meta- 
Programming and Reflection 



1 Introduction 

Despite significant syntactic, semantic and implementational variation, Logic Programming languages share a common kernel: Horn Clause Resolution^1, a semantically and operationally well understood calculus. As is the case with pure functional programming languages, this calculus allows reasoning with referentially transparent, stateless entities.

However, the resolution process as such is obviously not stateless, as it proceeds in time, step by step. If we want to preserve the ability to reflect in the object language the resolution process provided by the underlying interpreter, even simple abstractions like the sequence of alternative answers computed by the interpreter will require non-trivial additional programming language constructs. While implementing reflection mechanisms, a careful language designer will be quickly faced with the need to apply Occam's razor to keep in check the explosion of redundant ontology.

^1 The most commonly used variation is Prolog's LD-resolution, which combines a depth-first search rule with a left-to-right selection rule.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1225-..., 2000.

© Springer-Verlag Berlin Heidelberg 2000

1226 Paul Tarau

Evolving algebras [...] have shown that programming languages can be seen as a combination of a basic, terminating step and some form of iterative closure operation. Linear logic has provided a more accurate description of the state of the proof process, with emphasis on seeing formulas as resources, with special notation indicating whether they are unique or reusable.

Independently, the same need for state representation with minimal new ontology arises from the need for simplified interoperation of declarative languages with conventional software and operating system services, which often rely on stateful entities.

Constructs ranging from plain file or socket streams in C, to lazy list streams in languages like Scheme, iterators in Java or C++, monadic constructs [...] in Haskell or in λProlog, and declarative I/O in Mercury [...], all share the need for abstracting away the nature of the stepping process in a (finite or infinite, actual or generated as needed) sequence. Moreover, in the case of a declarative language implemented in a procedural or object oriented language, a uniform reflection mechanism is needed for consistent modeling of stateful external objects providing native services.

This paper will introduce a concept of first class fluents on top of Horn 
Clauses with LD-Resolution to provide reflection of the underlying interpreter 
and interoperation with external stateful components, in a uniform way. 

When seen from inside an Interpreter, other Interpreters will appear as in- 
stances of Fluents (Sources) producing a stream of answers. Through a set of 
suitable abstractions, they will be put to work as reusable components cooper- 
ating through independent resolution processes. 

We will also describe a set of Fluent constructors which create Fluents from conventional data structures like lists, strings, files, terms and clauses, and then provide Fluent Composers, which allow them to be combined elegantly as building blocks for software components.

We will provide two compact meta-interpreters showing how backtracking 
and forward derivation can both be reflected (and controlled) at source level. 

As a practical outcome, we provide a redesign of some key Prolog built-ins, 
of possible use in the next iteration of the ISO Prolog standardization process. 

2 First Class Horn Clause Interpreters 

2.1 Fluents: From Reflection to Interoperation with External Objects

We will build Kernel Prolog as a collection of Horn Clause Interpreters running LD-resolution on a default clause database and calling built-in operations. Each of them has a constructor which initializes them with a goal and an answer pattern. In fact, they will be seen as possibly infinite sources of answers which can be explored one by one. The object encapsulating the state of the interpreter is very similar to a file descriptor encapsulating the advancement of a file reader. We will call such stateful entities evolving in time Fluents.

Kernel Prolog Interpreters will possess, through built-in calls, the ability to create and query other Interpreters, as part of a general mechanism to manipulate Fluents. Fluents encapsulating interpreters, like any other stateful objects, will have their independent life-cycles.

This general mechanism will allow Kernel Prolog interpreters to interoperate 
with the underlying object oriented implementation language, which will provide 
to and request from the interpreters, various services through a hierarchy of 
Fluents. 

2.2 Interpreters as Answer Sources 

Answer Sources can be seen as generalized iterators, allowing a given program 
to control answer production in another. Each Answer Source works as a separate 
Horn Clause LD-resolution interpreter (a very compact Java implementation of 
such an interpreter is given in the APPENDIX). 

The Answer Source constructor initializes a new interpreter. 

answer_source(AnswerPattern, Goal, AnswerSource)

creates a new Horn Clause solver, uniquely identified by AnswerSource, which 
shares code with the currently running program and is initialized with resolvent 
Goal. AnswerPattern is a term, usually a list of variables occurring in Goal. 

The get/2 operation (to be provided by all Sources, see Section 3) is used to retrieve successive answers generated by an Answer Source, on demand.

get(AnswerSource, AnswerInstance)

tries to harvest the answer computed starting from Goal, as an instance of AnswerPattern. If an answer is found, it is returned as the(AnswerInstance), otherwise no is returned. Note that once no has been returned, all subsequent get/2 calls on the same AnswerSource will return no. Returning distinct functors in the case of success and failure allows further case analysis in a pure Horn Clause style, without needing Prolog's CUT operation. Bindings are not propagated to the original Goal or AnswerPattern when get/2 retrieves an answer, i.e. AnswerInstance is obtained by first standardizing apart (renaming) the variables in Goal and AnswerPattern, and then backtracking over its alternative answers in a separate Prolog interpreter. Therefore, backtracking in the caller interpreter does not interfere with the new Answer Source's iteration over answers. Note however that backtracking over the Answer Source's creation point as such makes it unreachable and therefore subject to garbage collection.

Finally, an Answer Source is stopped with the stop operation (implemented by all Sources, see Section 3):

stop(AnswerSource)

The stop/1 operation is called automatically when no more answers can be produced, as well as through the Fluent's undo operation on backtracking.
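The get/stop protocol of this section, as an added Python example that is not the paper's Kernel Prolog or Java code: a minimal LD-resolution interpreter exposed as an Answer Source. The term representation (Var objects, tuples for compound terms, strings for constants), the helper names walk, unify, resolve, rename, solve and all_answers, and the parent/grandparent program are all constructed for this illustration.

```python
import itertools

class Var:
    """A logic variable; identity is what matters, the name is for display."""
    _ids = itertools.count()
    def __init__(self, name="_"):
        self.name, self.id = name, next(Var._ids)
    def __repr__(self):
        return f"{self.name}_{self.id}"

def walk(t, s):
    """Dereference t through the substitution s."""
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Most general unifier extending s (returned as a new dict), or None."""
    a, b = walk(a, s), walk(b, s)
    if a is b:
        return s
    if isinstance(a, Var):
        return {**s, a: b}
    if isinstance(b, Var):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple):       # compound terms
        if len(a) != len(b) or a[0] != b[0]:                 # functor/arity clash
            return None
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return s if a == b else None                             # constants

def resolve(t, s):
    """Apply s everywhere inside t."""
    t = walk(t, s)
    if isinstance(t, tuple):
        return (t[0],) + tuple(resolve(x, s) for x in t[1:])
    return t

def rename(t, fresh):
    """Standardize apart: copy t, replacing variables through the shared map fresh."""
    if isinstance(t, Var):
        if t not in fresh:
            fresh[t] = Var(t.name)
        return fresh[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(rename(x, fresh) for x in t[1:])
    return t

def solve(goals, s, db):
    """LD-resolution: leftmost goal first, clauses in order, depth-first.
    Yields one substitution per derivation of the empty resolvent."""
    if not goals:
        yield s
        return
    for head, body in db:
        fresh = {}                                           # one renaming per clause use
        s2 = unify(goals[0], rename(head, fresh), s)
        if s2 is not None:
            yield from solve([rename(g, fresh) for g in body] + goals[1:], s2, db)

class AnswerSource:
    """A separate interpreter for Goal, producing instances of AnswerPattern."""
    def __init__(self, pattern, goal, db):
        fresh = {}           # shared renaming of pattern and goal: caller's variables stay unbound
        self.pattern = rename(pattern, fresh)
        self.gen = solve([rename(goal, fresh)], {}, db)
        self.stopped = False
    def get(self):
        """("the", AnswerInstance) for the next answer; "no" once exhausted, and from then on."""
        if self.stopped:
            return "no"
        try:
            s = next(self.gen)
        except StopIteration:
            self.stop()                                      # automatic stop when no answers remain
            return "no"
        return ("the", resolve(self.pattern, s))
    def stop(self):
        """Release the interpreter; safe to call more than once."""
        if not self.stopped:
            self.stopped = True
            self.gen.close()

def answer_source(pattern, goal, db):
    return AnswerSource(pattern, goal, db)

# Constructed sample program: parent/2 facts and a grandparent/2 rule.
X, Y, Z = Var("X"), Var("Y"), Var("Z")
DB = [
    (("parent", "ann", "bob"), []),
    (("parent", "bob", "cid"), []),
    (("parent", "cid", "dan"), []),
    (("grandparent", X, Z), [("parent", X, Y), ("parent", Y, Z)]),
]

def all_answers(pattern, goal, db=DB):
    """Drive a Source by case analysis on the/no, with no cut; returns the instances."""
    src = answer_source(pattern, goal, db)
    out = []
    while True:
        a = src.get()
        if a == "no":
            return out
        out.append(a[1])
```

Because pattern and goal are renamed together before solving, the caller's X and Z are never bound by the source, and a source that has answered no keeps answering no no matter how often it is asked.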
3 Fluent Classes and their Operations

After seeing how Answer Sources encapsulate interaction with an interpreter, we will proceed with building a class hierarchy which generalizes this interaction pattern to external objects. The crux of this design is to make stateful external objects and interpreters communicate with a given interpreter in a uniform way. This turns out to be a very natural process, as modern "pattern aware" [...] object oriented design usually results in "interpreter-like" classes providing their services through high level abstractions. For instance, the Java classes in the Collections framework (JDK 1.2 and later) closely model set and finite function mathematics and are usable without any reference to "data-structure level" implementation detail.

We will first describe the root of our hierarchy, the Fluent class, then give 
some examples of simple Fluents and operations on Fluents. 

Fluents are created with specific constructors, usually by converting from 
other Fluents or conventional Prolog data structures like Terms, Lists or Data- 
bases. All Fluents are enabled with a stop/1 operation which releases their 
resources (most Fluents also call stop on backtracking, through their internal 
undo operation) . 

In our Java based reference implementation, the Fluent class looks as follows: 

// Constructor, which adds this Fluent to the parent's trail
class Fluent extends SystemObject {
  Fluent(Prog p) { trailMe(p); }

  // add the fluent to the parent Interpreter's Trail
  protected void trailMe(Prog p) {
    if (null != p) p.getTrail().push(this);
  }

  // usable (through overriding) to release resources
  // and/or stop ongoing computations
  public void stop() {}

  // release resources on backtracking, if needed
  protected void undo() { stop(); }
}

Sources are Fluents enabled with an extra get/2 operation. Typical Sources are Horn Clause Interpreters, File, URL or String Readers, Fluents built from Prolog lists, and Fluents iterating over data structures like Vectors, Hashtables or Queues in the underlying implementation language. Note that the constructor Fluent(Prog p) is trailed on the caller program p's trail, and provides an undo operation to be called by p on backtracking, to release resources through the Fluent's stop method.
The Source abstract class looks as follows:

abstract class Source extends Fluent {
  Source(Prog p) { super(p); }
  abstract public Term get();
}

Sinks are Fluents enabled with extra put/2 and collect/2 operations. Typical Sinks are ClauseWriters or CharWriters targeted to TermCollectors (implemented as Java Vectors collecting Prolog terms) and StringSinks (implemented as Java StringBuffers collecting String representations of Prolog terms). The Sink abstract class looks as follows:

abstract class Sink extends Fluent {
  Sink(Prog p) { super(p); }

  // sends T to the Sink for tasks such as accumulation or printing
  abstract public int put(Term T);

  // returns data previously sent to the Sink
  // (if collection ability is present)
  public Term collect() { return null; }
}

Not surprisingly, even Prolog databases are first class citizens, implemented as extensions of Sources which provide add/2, remove/2 and collect/2 operations.

Fluents can be seen as resources which go through state transitions as a result 
of put/2, get/2 and stop/1 operations. They end their life cycle in a stopped 
state when all the data structures and/or threads they hold are freed. 



3.1 Fluent Composers

Fluent composers provide abstract operations on Fluents. They are usually implemented with lazy semantics.

For instance, append_sources/3 creates a new Source with a get/2 operation such that when the first Source is stopped, iteration continues over the elements of the second Source.

compose_sources/3 provides a cartesian product style composition, the new get/2 operation returning pairs of elements of the first and second Source.

reverse_source/2 builds a new Source R from a (finite) Source F, such that R's get/2 method returns the elements of F in reverse order.

split_source/3 is a cloning operation creating two Source objects identical to the Source given as first argument. It allows writing programs which iterate over a given Source multiple times.
Sources and Sinks are related through a discharge(Source, Sink) operation which sends all the elements of the Source to the given Sink. This allows, for instance, copying in a generic way a stream of answers of an Interpreter, as well as data coming from a URL, through a socket, to a file, without having to iterate explicitly or know details on how data is actually produced and what its concrete representation is.



3.2 Fluent Modifiers 

Fluent modifiers allow dynamically changing some attributes of a given Fluent. For instance set_persistent(Fluent, YesNo) is used to make a Fluent survive failure, by disabling its undo method, which, by default, applies the Fluent's stop method on backtracking.
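The Fluent, Source and Sink classes of this section, the composers of Section 3.1 and the set_persistent/2 modifier, as an added Python example that is not the paper's Java reference implementation. Prog, IterSource, TermCollector, elements, demo and composer_checks are constructed names; compose_sources reads its second Source into a list because Sources are single use, and split_source buffers with itertools.tee, both being assumptions about how the composers could be realised rather than the paper's implementation.

```python
import itertools

class Prog:
    """The calling interpreter: keeps the trail on which Fluents register."""
    def __init__(self):
        self.trail = []
    def mark(self):
        return len(self.trail)
    def backtrack_to(self, mark):
        """Failure past a Fluent's creation point: run its undo, newest first."""
        while len(self.trail) > mark:
            self.trail.pop().undo()

class Fluent:
    def __init__(self, p):
        self.stopped, self.persistent = False, False
        if p is not None:
            p.trail.append(self)              # trailMe(p)
    def stop(self):                           # release resources; override as needed
        self.stopped = True
    def undo(self):                           # called by the owner on backtracking
        if not self.persistent:               # set_persistent turns this off
            self.stop()

class Source(Fluent):
    def get(self):
        raise NotImplementedError

class IterSource(Source):
    """Source over a Python iterator; get returns ("the", X) or "no"."""
    def __init__(self, p, it):
        super().__init__(p)
        self.it = iter(it)
    def get(self):
        if self.stopped:
            return "no"
        try:
            return ("the", next(self.it))
        except StopIteration:
            self.stop()                       # an exhausted Source stops itself
            return "no"

class Sink(Fluent):
    def put(self, t):
        raise NotImplementedError
    def collect(self):
        return None

class TermCollector(Sink):
    """Sink that accumulates the terms it is given and hands them back on collect."""
    def __init__(self, p):
        super().__init__(p)
        self.terms = []
    def put(self, t):
        self.terms.append(t)
        return 1
    def collect(self):
        return list(self.terms)

def elements(src):
    """Generic walk over any Source through get, until it answers no."""
    while True:
        a = src.get()
        if a == "no":
            return
        yield a[1]

def list_source(p, items):
    return IterSource(p, items)

def append_sources(p, s1, s2):
    """Lazily continue with s2 once s1 is exhausted."""
    return IterSource(p, itertools.chain(elements(s1), elements(s2)))

def compose_sources(p, s1, s2):
    """Cartesian product as pairs; s2 is read once because Sources are single use."""
    def pairs():
        ys = list(elements(s2))
        for x in elements(s1):
            for y in ys:
                yield (x, y)
    return IterSource(p, pairs())

def reverse_source(p, s):
    """Finite Source in reverse order (forces the whole input)."""
    return IterSource(p, reversed(list(elements(s))))

def split_source(p, s):
    """Two Sources that each replay s independently."""
    a, b = itertools.tee(elements(s))
    return IterSource(p, a), IterSource(p, b)

def discharge(src, sink):
    """Send every element of src to sink without knowing how src produces them."""
    for x in elements(src):
        sink.put(x)

def set_persistent(f, yes_no):
    """Let a Fluent survive failure by disabling its undo."""
    f.persistent = yes_no

def demo():
    """Backtracking stops every trailed Fluent except the persistent collector."""
    p = Prog()
    mark = p.mark()
    sink = TermCollector(p)
    set_persistent(sink, True)
    discharge(append_sources(p, list_source(p, [2, 4]), list_source(p, [1, 3])), sink)
    half_read = list_source(p, ["a", "b", "c"])
    half_read.get()                            # still open when failure occurs
    p.backtrack_to(mark)
    return sink.collect(), half_read.stopped, half_read.get(), sink.stopped

def composer_checks():
    """Exercise the remaining composers on small constructed lists."""
    p = Prog()
    product = list(elements(compose_sources(p, list_source(p, [1, 2]), list_source(p, ["x"]))))
    backwards = list(elements(reverse_source(p, list_source(p, [1, 2, 3]))))
    a, b = split_source(p, list_source(p, [7, 8]))
    return product, backwards, list(elements(a)), list(elements(b))
```

The point of the trail is that resource release does not depend on the program remembering to call stop: a Source left half read when the caller fails is stopped by backtrack_to, while the collector, marked persistent, keeps the data it gathered.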



4 Source Level Extensions through New Definitions 

To give a glimpse of the expressiveness of the resulting language, we will now introduce, through definitions in Kernel Prolog, a number of built-in predicates known as "impossible to emulate" in Horn Clause Prolog (except by significantly lowering the level of abstraction and implementing something close to a Turing machine).



4.1 Negation and once/1 

These constructs are implemented simply by discarding all but the first solution produced by a Solver.

% returns the(X) or no as first solution of G
first_solution(X,G,Answer):-
  answer_source(X,G,Solver),
  get(Solver,Answer),
  stop(Solver).

% succeeds by binding G to its first solution or fails
once(G):-first_solution(G,G,the(G)).

% succeeds without binding G, if G fails
not(G):-first_solution(_,G,no).



4.2 Reflective Meta-interpreters

The simplest meta-interpreter metacall/1 just reflects backtracking through element_of/2 over deterministic Answer Source operations.

metacall(Goal):-
  answer_source(Goal,Goal,E),
  element_of(E,Goal).

element_of(I,X):-get(I,the(A)),select_from(I,A,X).
select_from(_,A,A).
select_from(I,_,X):-element_of(I,X).


We can see metacall/1 as an operation which fuses two orthogonal language features provided by Answer Sources: computing an answer of a Goal, and advancing to the next answer, through the source level operations element_of/2 and select_from/3 which 'borrow' the ability to backtrack from the underlying interpreter. The existence of this simple meta-interpreter indicates that answer sources lift the expressiveness of first-order Horn Clause logic significantly.

Note that element_of/2 works generically on Sources and is therefore reusable, for instance, to backtrack over the character codes of a file or a URL.

After showing that we can emulate metacalls, we will use, for convenience, 
variables directly in predicate call position. 

Note also that an Answer Source enumerates elements of the transitive closure of the clause unfolding relation.

If our interpreter can access a single unfolding step through a similar Fluent, a finer grained meta-interpreter can be built as follows. Let's introduce a new Fluent,

unfolder_source(Clause, Source)

which, given a Clause, produces a stream of clauses obtained by unfolding the first atom on the right side against a matching clause in the database. Each step is described through an (associative) clause composition operation ⊕ as follows. Let A0 :- A1, A2, ..., An and B0 :- B1, ..., Bm be two clauses (suppose n > 0, m > 0). We define

(A0 :- A1, A2, ..., An) ⊕ (B0 :- B1, ..., Bm) = (A0 :- B1, ..., Bm, A2, ..., An)θ

with θ = mgu(A1, B0). If the atoms A1 and B0 do not unify, the result of the composition is denoted as ⊥ (failure). Furthermore, we consider A0 :- true, A2, ..., An to be equivalent to A0 :- A2, ..., An, and for any clause C, ⊥ ⊕ C = C ⊕ ⊥ = ⊥. As usual, we assume that at least one operand has been renamed to a variant with variables standardized apart.

We can now build a meta-interpreter which implements the transitive closure of the unfolding operation ⊕ (provided as the get/2 operation of an Unfolder Source in the underlying implementation language), combined with backtracking through element_of/2.

unfold_solve(Goal):-unfold(':-'(Goal,Goal),':-'(Goal,true)).

unfold(Clause,Clause).
unfold(Clause,Answer):-
  unfolder_source(Clause,Unfolder),
  element_of(Unfolder,NewClause),
  unfold(NewClause,Answer).

Note that this meta-interpreter will provide both backtracking and recursion for 
implementing Prolog’s LD-resolution search. Clearly, alternative search mecha- 
nisms can be programmed quite easily. 

4.3 If-then-else 

Once we have first_solution and metacall operations, emulating if-then-else is easy.

% if Cond succeeds executes Then otherwise Else
if(Cond,Then,Else):-
  first_solution(successful(Cond,Then),Cond,R),
  select_then_else(R,Cond,Then,Else).

select_then_else(the(successful(Cond,Then)),Cond,Then,_):-Then.
select_then_else(no,_,_,Else):-Else.

4.4 All-Solution Predicates 

All-solution predicates like findall/3 can be obtained by collecting answers through recursion.

% if G has a finite number of solutions
% returns a list Xs of copies of X each
% instantiated correspondingly
findall(X,G,Xs):-
  answer_source(X,G,E),
  get(E,Answer),
  collect_all_answers(Answer,E,Xs).

% collects all answers of a Solver
collect_all_answers(no,_,[]).
collect_all_answers(the(X),E,[X|Xs]):-
  get(E,Answer),
  collect_all_answers(Answer,E,Xs).

Note that, again, the collect_all_answers operation is generic, and works on any Source. This suggests providing a built-in Source-to-List converter source_list/2, which can be made more efficient in the underlying implementation language, where iteration replaces collect_all_answers/3's recursion while also eliminating the interpretation overhead.

The alternative definition of findall/3 becomes simply:

findall(X,G,Xs):-
  answer_source(X,G,Solver),
  source_list(Solver,Xs).
4.5 Term Copying and Instantiation State Detection

As standardizing variables apart upon return of answers is part of the semantics of get/2, term copying is just computing a first sol1ution to true/0. Implementing var/1 uses the fact that only free variables can have copies unifiable with two distinct constants.

copy_term(X,CX):-first_solution(X,true,the(CX)).
var(X):-copy_term(X,a),copy_term(X,b).

The previous definitions have shown that the resulting language subsumes (through user provided definitions) constructs like negation as failure, if-then-else, once, copy_term and findall; this justifies its name, Kernel Prolog. As Kernel Prolog contains negation as failure, following [...] we can, in principle, use it for an executable specification of full Prolog.

4.6 Implementing Exceptions 

While it is possible to implement exceptions at source level as shown in [...] through a continuation passing program transformation (binarization), an efficient, constant time implementation can simply allow the interpreter to return a new answer pattern as an indication of an exception. We have chosen this implementation scenario in our Kernel Prolog compiler, which provides a return/1 operation to exit an engine's emulator loop with an arbitrary answer pattern, possibly before the end of a successful derivation.

throw(E):-return(exception(E)).

catch(Goal,Exception,OnException):-
  answer_source(answer(Goal),Goal,Source),
  element_of(Source,Answer),
  do_catch(Answer,Goal,Exception,OnException,Source).

do_catch(exception(E),_,Exception,OnException,Source):-
  if(eq(E,Exception),
     OnException,   % call action if matching
     throw(E)       % throw again otherwise
  ),
  stop(Source).
% element_of/2 strips the(...), so a normal answer arrives as answer(Goal)
do_catch(answer(Goal),Goal,_,_,_).

The throw/1 operation returns a special exception pattern, while the catch/3 operation stops the engine, calls a handler on matching exceptions or re-throws non-matching ones to the next layer.
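The control constructs of Sections 4.1, 4.3, 4.4 and 4.6, as an added Python example that is not the paper's code: everything is built on get/stop and on the distinct the/no answer functors. A goal is modelled as a zero-argument function returning an iterator of answers (a constructed stand-in for a Horn Clause solver), throw/1 as raising PrologThrow, and the names quotients, safe_quotients and layered_catch are constructed for the illustration.

```python
class PrologThrow(Exception):
    """throw(E): leave the engine with the answer pattern exception(E)."""
    def __init__(self, term):
        super().__init__(term)
        self.term = term

class AnswerSource:
    """Answer Source over an iterator of answers (constructed stand-in for a
    Horn Clause solver). get returns ("the", Answer) or "no"; a throw that
    reaches the engine comes back as the pattern ("exception", E), the way
    return/1 exits the emulator loop before the derivation ends."""
    def __init__(self, gen):
        self.gen, self.stopped = gen, False
    def get(self):
        if self.stopped:
            return "no"
        try:
            return ("the", next(self.gen))
        except StopIteration:
            self.stop()
            return "no"
        except PrologThrow as e:
            self.stop()
            return ("the", ("exception", e.term))
    def stop(self):
        if not self.stopped:
            self.stopped = True
            close = getattr(self.gen, "close", None)   # generators can be closed, plain iterators not
            if close:
                close()

def answer_source(goal):
    """goal: zero-argument function returning an iterator of answers."""
    return AnswerSource(goal())

def element_of(src):
    """Backtracking over any Source, as a generator."""
    while True:
        a = src.get()
        if a == "no":
            return
        yield a[1]

# 4.1  first_solution/3, once/1, not/1: keep only the first answer
def first_solution(goal):
    solver = answer_source(goal)
    answer = solver.get()
    solver.stop()                  # release the engine even if more answers existed
    return answer

def once(goal):
    """First answer instance, or None standing for Prolog failure."""
    a = first_solution(goal)
    return None if a == "no" else a[1]

def not_(goal):
    return first_solution(goal) == "no"

# 4.3  if-then-else by case analysis on the/no, no cut needed
def if_then_else(cond, then, else_):
    r = first_solution(cond)
    return then(r[1]) if r != "no" else else_()

# 4.4  findall/3 by exhausting a Source; collect_all_answers is generic on any Source
def findall(goal):
    solver = answer_source(goal)
    return collect_all_answers(solver.get(), solver)

def collect_all_answers(answer, src):
    xs = []
    while answer != "no":
        xs.append(answer[1])
        answer = src.get()
    return xs

# 4.6  catch/3: on an exception pattern stop the engine, run the handler
#      if it matches, otherwise throw again to the next layer
def catch(goal, matches, on_exception):
    def protected():
        src = answer_source(goal)
        for answer in element_of(src):
            if isinstance(answer, tuple) and answer[:1] == ("exception",):
                src.stop()
                if not matches(answer[1]):
                    raise PrologThrow(answer[1])
                yield from on_exception(answer[1])
                return
            yield answer
    return protected

def quotients():
    """Constructed goal: 12 divided by 3, 2, 0 and 1; zero throws."""
    for d in (3, 2, 0, 1):
        if d == 0:
            raise PrologThrow(("zero_divisor", 12))
        yield 12 // d

def safe_quotients():
    """catch/3 with a matching handler replaces the exception by a recovery answer."""
    return findall(catch(quotients, lambda e: e[0] == "zero_divisor",
                         lambda e: iter([("recovered", e[1])])))

def layered_catch():
    """An inner catch that does not match re-throws; the outer layer handles it."""
    inner = catch(quotients, lambda e: False, lambda e: iter([]))
    outer = catch(inner, lambda e: True, lambda e: iter(["outer"]))
    return findall(outer)
```

Note how an unhandled throw never escapes as a Python exception: the engine that owns the goal turns it into an exception(E) answer and stops, so findall over the raw goal simply ends with that pattern, and a non-matching catch re-throws into the enclosing engine, which sees the same pattern one layer up.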

5 Built-Ins as a Library of Fluents 

Modular extension of Kernel Prolog through new built-ins is based on an Object 
Oriented hierarchy of Fluents. 






5.1 Lists and Terms as Source Fluents 

Sequential Prolog data structures are mapped to Fluents naturally. For instance, list_source/2 creates a new Fluent based on a List, such that its get/2 operation will return one element of the list at a time. Similarly term_source/2 creates a Fluent from an N-argument compound term, such that its get/2 method will return first its function symbol and then each argument. They are directly usable for composition/decomposition operations like univ/2 (also known as =../2):

univ(T,FXs):-if(var(T),list_to_fun(FXs,T),fun_to_list(T,FXs)).

list_to_fun(FXs,T):-list_source(FXs,I),source_term(I,T).
fun_to_list(T,FXs):-term_source(T,I),source_list(I,FXs).



As they can be converted easily to/from Prolog data structures, Fluents are usable as a canonical representation for data objects as well as for computational processes (as in the case of answer_sources). Fast iteration on Fluents, using loops over efficient native data structures in the implementation language, replaces recursion in the object language. This makes it possible to build high performance Fluent based logic programming implementations in relatively slow languages like Java (preliminary benchmarks indicate that our ongoing Jinni 2000 implementation is within an order of magnitude of the fastest C-based Prolog implementations, and it is likely to match quite closely slower ones like SWI Prolog). Interoperation with external objects is also simpler, as implementation language operations can be applied to Fluents directly.

5.2 File, URL, and Database I/O in Kernel Prolog

File and URL I/O operations are provided by encapsulating Java’s Reader and 
Writer classes as Fluents. Clause and character Readers are seen as instances 
of Sources and therefore benefit from Source composition operations. Moreover, 
Prolog operations traditionally captive to predefined list based implementations 
(like DCGs) can be made generic and mapped to work directly on Sources like 
file, URL and socket Readers. 

Dynamic clause databases are also made visible as Fluents, and reflection of 
the interpreter’s own handling of the Prolog database becomes possible. As an 
additional benefit, multiple databases are provided, to simplify adding module, 
object or agent layers at source level. By combining database and communica- 
tion (socket or RMI) Fluents abstractions like mobile code are built easily and 
naturally. 

5.3 Memoing Fluents 

Most Fluents are designed, by default, to be usable only once, and to release all resources held (automatically on backtracking, or under the programmer's control when their stop operation is invoked). While Fluent operations like split_fluent/3 can be used to duplicate most Source Fluents, the following alternative is more efficient.

A Memoing Fluent is built on top of a Source Fluent by progressively 
accumulating computed values in a List or dynamic array. A Memoing Fluent 
can be shared between multiple consumers which want to avoid recomputation 
of a given value. 



5.4 Fluent Based Lazy Lists 

Lazy Lists can be seen as an instance of Memoing Fluents: they accumulate successive values of a Source Fluent in a (reusable) list. The simple Lazy List abstraction in our reference implementation works as follows:

source_lazy_list(Source, LazyList)

creates a new LazyList object from a Source object;

lazy_head(LazyList, LazyHead)

extracts the current head element of the list. Iteration over the list is provided by

lazy_tail(LazyList, LazyTail)

which returns LazyTail, a new lazy list encapsulating the next stage of the Source fluent.

While complete automation of lazy lists through a form of attributed variable construct is possible, we have chosen a simpler implementation scenario based on the previously described operations, mainly because overriding unification with execution of an arbitrary procedure would introduce potential non-termination - something which would break the very idea of keeping the execution mechanism as close as possible to basic Horn Clause resolution, as available in classic Prolog. Based on these operations, a lazy findall/3 is simply:

% creates lazy list from an answer source
lazy_findall(X,G,LazyList):-
  answer_source(X,G,S),
  source_lazy_list(S,LazyList).

In fact, the behavior of the lazy list encapsulating lazy_findall's advancement on alternative solutions produced by an Answer Source is indistinguishable from a lazy list constructed from an ordinary list_source:

% creates a lazy list from a List
lazy_list(List,LazyList):-
  list_source(List,S),
  source_lazy_list(S,LazyList).

^ The astute reader might notice that Linear Logic provers provide similar operations. This is by no means accidental: a resource conscious proof procedure will usually provide explicit means to implement multiple use of a resource.

The following operations are centered around the lazy_tail/2 advancement operation, which produces a lazily growing reusable list. This list is explored with lazy_element_of/2 in a way similar to the way ordinary lists are explored with member/2 and ordinary Sources are explored with element_of/2.

% explores a lazy list in a way compatible with backtracking
% allows multiple 'consumers' to access the list, and ensures that
% the lazy list advances progressively and consistently
lazy_element_of(XXs,X):-
  lazy_decons(XXs,A,Xs),
  lazy_select_from(Xs,A,X).

% backtracks over the lazy list
lazy_select_from(_,A,A).
lazy_select_from(XXs,_,X):-lazy_element_of(XXs,X).

% returns a head/tail pair of a non-empty lazy list
lazy_decons(XXs,X,Xs):-
  lazy_head(XXs,X),
  lazy_tail(XXs,Xs).

A minor change in Prolog’s chronological backtracking is needed however: only 
the creation point of the lazy list is subject to trailing, and the complete lazy list 
is discarded at once. This is achieved in our reference implementation by giving 
to each lazy list its own (dynamically growing) trail, and by providing an undo 
operation which rewinds the trail completely when backtracking passes the lazy 
list object’s creation point. 
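Memoing Fluents (Section 5.3) and the lazy list operations above, as an added Python example that is not the paper's reference implementation. Source, LazyList, lazy_element_of and demo are constructed names; a node forces the shared Source at most once and caches head and tail, which is the memoing the text describes, while the per-list trail rewinding of the last paragraph is not modelled.

```python
import itertools

class Source:
    """Single-use Source over a Python iterator (constructed stand-in for the
    paper's answer_source/list_source); get returns ("the", X) or "no"."""
    def __init__(self, items):
        self.it, self.stopped = iter(items), False
    def get(self):
        if self.stopped:
            return "no"
        try:
            return ("the", next(self.it))
        except StopIteration:
            self.stop()
            return "no"
    def stop(self):
        self.stopped = True

class LazyList:
    """Memoing Fluent: a node forces its Source at most once and caches the
    head and the next node, so any number of consumers share one computation."""
    def __init__(self, source):
        self.source = source
        self.forced, self.empty = False, False
        self.head, self.tail = None, None
    def _force(self):
        if not self.forced:
            self.forced = True
            answer = self.source.get()        # the only place the Source advances
            if answer == "no":
                self.empty = True
            else:
                self.head = answer[1]
    def lazy_head(self):
        """("the", Head), or "no" at the end of the list."""
        self._force()
        return "no" if self.empty else ("the", self.head)
    def lazy_tail(self):
        """The next stage of the Source, created once and then reused."""
        self._force()
        if self.empty:
            return "no"
        if self.tail is None:
            self.tail = LazyList(self.source)
        return self.tail

def source_lazy_list(source):
    return LazyList(source)

def lazy_findall(goal):
    """Lazy list over a goal's answers; goal is a zero-argument function returning an iterator."""
    return source_lazy_list(Source(goal()))

def lazy_list(items):
    return source_lazy_list(Source(items))

def lazy_element_of(ll):
    """Backtracking over a lazy list: each consumer walks head/tail pairs and
    sees exactly the elements the shared Source produced."""
    while True:
        h = ll.lazy_head()
        if h == "no":
            return
        yield h[1]
        ll = ll.lazy_tail()

def demo():
    """Two consumers of one lazy findall; the Source computes each answer once."""
    computed = []
    def squares():
        for i in range(5):
            computed.append(i)                # records real work done by the Source
            yield i * i
    ll = lazy_findall(squares)
    first_three = list(itertools.islice(lazy_element_of(ll), 3))
    everything = list(lazy_element_of(ll))
    return first_three, everything, len(computed)
```

The second consumer in demo replays the three cached answers and only then drives the Source further, so the underlying generator runs exactly five times rather than eight.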

6 Related Work 

Similar to the Answer Sources described in this paper, engine constructs have been part of systems like Oz [...], BinProlog [...] and Jinni [...].

The main differences with Oz engines are:

— while Oz designers have chosen not to handle backtracking in exchange for the ability of sharing variables between different threads, Kernel Prolog provides encapsulated backtracking, local to a given Answer Source

— Oz engines are not separated from the underlying multi-threading model; they are not simple Horn Clause processors, they are part of Oz's computation spaces - which include threads and constraint stores

— in Oz, answers are returned only when a computation space is stable - the engine mechanism in Oz is overloaded as a synchronization device - which in our case is an orthogonal concept

— Oz engines have been designed for a different purpose, i.e. to program alternative search algorithms or for local constraint propagation, while our objective is a uniform reflection mechanism for multiple first order Horn Clause interpreters and interoperation with (other) external stateful objects

Fluents share some design objectives with Haskell's IO Monad approach [...], which essentially encapsulates the state of the external world in a single stateful entity on which IO operates as a sequence of transitions. Our fluents can be seen as an abstraction for multiple stateful worlds organized as a typed inheritance hierarchy and specialized toward source and sink roles - corresponding to abstract read and write operations. Note however that some sink fluents provide a collect operation allowing new sources to be built. Arguably, fluents offer a more flexible management of input and output flows than the monolithic IO Monad. In fact, John Hughes' recent proposal to replace monads with the more powerful concept of arrows [...], with emphasis on directionality, hints towards a possible evolution towards a fluent-like concept.

Java's own design of Reader and Writer class trees, the ability to transform streams into new streams with stronger properties or elements of a different granularity (which in fact serves as the implementation basis for some of our fluents, behind the scenes) and its recently introduced Collection framework Q also show convergence towards similar design patterns.

Our previous work on the Jinni agent programming language and BinProlog ^3 has described similar engine constructs. However, the key idea of seeing engines as instances of Fluents, the separation of engines from the multi-threading mechanism, the reconstruction of Prolog's built-ins as a hierarchy of Fluent classes and the interoperation of external objects encapsulated as Fluent instances are definitely new.

New languages based on relatively pure subsets of Prolog, like Mercury, have been designed as targets of more efficient implementation technologies and for their reliability in building large software systems. While Horn Clauses with negation have been extensively studied, and some of the techniques described in this paper might be well known to experienced Prolog programmers, the very idea of systematically exploring the gains in expressive power that result from having multiple pure Prolog interpreters as first order objects has not been explored yet, to the best of our knowledge.



7 Future Work 

We have recently finished the first cut of a fast WAM based implementation of Kernel Prolog in Java and integrated it with the interpreter described in this paper. Preliminary benchmarks indicate that it stays consistently within one order of magnitude of the fastest C-based Prolog implementations.

This opens the door for a number of real-life software applications. 

The advent of component based software development and intelligent appliances requiring small, special purpose, self contained, yet powerful processing elements makes Kernel Prolog an appealing implementation technique for building logic programming components. In particular, in the case of small, wirelessly interconnected devices, subject to severe memory and bandwidth limitations, compact and orthogonally designed small language processors are instrumental.

Our ongoing commercial Palm Prolog and Prolog-in-Java implementations use respectively C and Java variants of a fast Horn Clause LD-resolution WAM emulator based on the Kernel Prolog design described in this paper. This high-performance Kernel Prolog compiler (subject of an upcoming paper) will also provide support for Agent Classes, a new form of code structuring which promises to bring logic programming to functionality beyond the usual object oriented Prolog extensions, within a declarative framework.

Here are a few open issues and some other ongoing or projected Kernel Prolog related developments:

— executable specification of ISO Prolog in terms of Kernel Prolog

— a study of Kernel Prolog's invariance under program transformations (unfolding)

— type checking / type inference mechanisms for Kernel Prolog

— lightweight engine creation and engine reuse techniques for Kernel Prolog

— Kernel Prolog as a basis of embedded Prolog component technology and Prolog based Palm computing

8 Conclusion 

We have provided a design for the uniform interoperation of Horn Clause Solvers with stateful entities (Fluents) ranging from external procedural and object oriented language services like I/O operations, to other, 'first class citizen' Horn Clause Solvers. As a result, a simplified Prolog built-in predicate system has emerged.

By collapsing the semantic gap between Horn Clause logic and (most of) the full Prolog language into three surprisingly simple, yet very powerful operations, we hope to open the doors not only for an implementation technology for a new generation of lightweight Prolog processors but also towards a better understanding of the intrinsic elegance hiding behind the core concepts of the logic programming paradigm.

Our Horn Clause Solvers encapsulated as Fluents provide the ability to communicate between distinct OR-branches, a practical alternative to the use of assert/retract based side effects when implementing all-solution predicates. Moreover, lazy variants of all-solution predicates are provided as a natural extension to Fluent based lazy lists.

Finally, high level Fluent Composers allow combining component functionality in generic, data representation independent ways.
Abstract. The WAM allows within its framework many variations, e.g. regarding the term representation, the instruction set and the memory organization. Consequently several Prolog systems have implemented successful variants of the WAM. While these variants are effective within their own context, it is difficult to assess the merit of their particular variation. In this work, four term representations that were used by at least one successful system are compared empirically within dProlog, one basic implementation which keeps all other things equal. We also report on different implementation choices in the dProlog emulator itself. dProlog is reasonably efficient, so it makes sense to use it for these experiments.



1 Introduction 

The WAM (see ...) has been the basis for many Prolog systems, including the most successful ones. It leaves open certain issues like the implementation of cut, dynamic code etc., but even where it specifies other issues, there are variations that can still pass for the WAM in the broad sense. Examples are optimizations like instruction compression, new ways to propagate the read-write mode, the organization of the stacks or a different tagging schema. Another variation, the one of interest here, concerns the term representation itself: the WAM initializes permanent variables on the local stack when possible, while other implementations have chosen to globalize permanent variables on their first occurrence (BIM_Prolog always, AQUARIUS under certain conditions) and consequently do not have to deal with unsafe variables; PARMA Q represents the binding between two free variables differently from the WAM and has constant time dereferencing; BinProlog employs a tag-on-data schema instead of the WAM tag-on-pointer schema. Each of these WAM variations was effective within its own context: BIM_Prolog used native code generation (not common in 1985!); BinProlog binarizes clauses before compiling them Q; PARMA and AQUARIUS rely on abstract interpretation for their top speed. Because the implementation context of these term representations was different from each other and from the original WAM, it is not at all clear how they really compare, i.e. there has been no empirical study of the impact of changing, within a single efficient system, one term representation into another while all other things are kept equal. We intend to do exactly that: evaluate empirically and compare directly within the same basic implementation the four above mentioned term representations.

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1240 ff., 2000.

Such an experiment only makes sense if the basic Prolog implementation is reasonably complete and fast. Yap Q or SICStus Prolog B could have served as a good starting point for the experiment. However, adapting such systems is very time consuming, and that was one reason for starting almost from scratch: because of our prior involvement with XSB (see e.g. |), we borrowed the XSB compiler (see |3) for the generation of abstract machine code (XSB is largely WAM based) and we built a new emulator. This permitted us to partly redo the experiment reported on in Q and at the same time benefit from its advice, investigate the potential for speeding up the Prolog part of XSB and build the basis for a dedicated Prolog system for inductive learning applications Q. It also gave us the chance to satisfy a private curiosity regarding an unusual term representation for integers and floating point numbers, and a different layout of environments: these are reported on later.

We named the resulting Prolog system dProlog. dProlog is complete enough to bootstrap itself but hardly more complete than needed for the experiment.

We decided to stay in the emulator business as 0, but since it clearly doesn't make sense to study the impact of changes in a slow system, we wanted dProlog to be in the same ball park as SICStus Prolog emulated with all bells and whistles (i.e. using gcc extensions). The SICStus Prolog emulator is not the fastest around: Yap B beats SICStus Prolog consistently. So we decided to borrow from Yap techniques applicable at the C level as well as at the abstract machine code level. As a consequence dProlog performs as well as Yap for certain benchmarks, especially smaller ones, but given our choice of XSB for generating the abstract machine code, dProlog cannot always be on par with SICStus Prolog. Still, we felt that the initial goal was met closely enough. We report on the aspect of performance compared to other systems in section 4, mainly because it shows that our emulator is of sufficient quality to make the results of the experiments relevant.

We also experimented with implementation choices within the emulator itself. Therefore we have set up dProlog so that it can be installed in 6 different basic emulator modes depending on two parameters. The first parameter sets the number of opcode fields in each instruction: it is either 1, as is customary, and then the read-write mode in the unify instructions is explicitly tested by means of the WAM S register; or it is 2, in which case the read-write mode is propagated by using the first opcode in read mode and the second in write mode (see y for more detail). The second parameter can orthogonally be set to switch, jump_table and threaded, which is a similar choice as SICStus THREADED = 0, 1 or 2. The latter two require GNU cc. We report on the effects (time and space) of these six modes in section 5.

Section 6 reports on choices in the implementation of the emulator: the assignment of a hardware register to the WAM program counter, binding calls, conditional trailing, trail overflow checking and 28 versus 32 bit integers. In the same section, we also report on the effect of several instruction compressions.

The initial version of dProlog (with all the above variations) always globalizes permanent variables on their first occurrence: we will refer to it as the heap_vars version. We then created three more versions: we will refer to them as wam_vars, parma_vars and tag_on_data. They differ from the heap_vars dProlog in only one aspect: wam_vars initializes permanent variables on the local stack whenever possible, exactly as in the WAM, and thus knows unsafe variables (see Q); parma_vars uses the variable representation of PARMA; tag_on_data uses the representation of BinProlog but without term compression. Parma_vars and tag_on_data also always globalize permanent variables: BinProlog, the only other Prolog system using the tag-on-data representation, doesn't even have a local stack, and the intricacies of having PARMA variables also in the local stack reported in Q scared us off. All these different representations are shortly explained in section 3. We report on the impact of these changes in a later section. We start with an overview of the XSB compiler and dProlog in section 2. All the experiments were performed on a Pentium II, 260MHz, 128Mb.



2 The XSB Compiler and dProlog 

XSB supports HiLog and tabling, neither of which we were interested in for this experiment: consequently, we have removed most of the code in the XSB compiler that deals with these extensions. They do not interfere with the compilation of ordinary Prolog programs. Also call specialization^ was switched off. The XSB compiler can generate indexing for any argument (depending on declarations); we have disabled the index declaration and specialized all indexing instructions to the first argument. Overall, the XSB compiler generates reasonable to good code, but some basic choices in the compiler are bad for performance, especially within an emulator: (1) the activation of a predicate can cause the creation of two choice points; this slows down some benchmarks, in particular sdda, meta_qsort, and also to a lesser extent boyer; (2) the convention for in-lined built-ins is that their arguments are put in the argument registers 1 up to the arity of the built-in; sometimes up to three movreg instructions are generated before and after the call to a built-in; the twin calls to functor/3 in boyer are a good example of this inefficiency; (3) register allocation is far from optimal; this results in badly compiled arithmetic (among other things); e.g. the inner loop of tak contains at least five instructions that would have been avoided with a better register allocation; (4) XSB does not treat void variables in a special way; this slows down zebra, among others.

The basic structure of the XSB compiler was not changed: variable classification, built-in calling convention, the indexing schema, register allocation etc. were not touched. We made five changes: (1) the generation of the test_heap instruction, the entry point of each predicate in the current implementation of XSB which tests for heap overflow, was suppressed, and its functionality moved to the call and execute instructions; (2) in order to provide for native size floating point numbers and integers small changes were necessary: see later; (3) XSB uses specialized instructions for the atom []; this specialization was switched off; (4) we have added some peephole optimizations for instruction compression and added a few instruction specializations (section 6.2); (5) we have specialized the XSB switch_on_term instruction to lists; this was important for testing an optimization referred to later as switch (section 6.2); this does not affect other issues: in our tagging schema, the list and compound test have the same cost.

^ a predicate specialization according to (partially instantiated) call patterns that appear in the same module

XSB has only truncated integers (28 bits on a 32-bit machine). We implemented both truncated integers and full integers, i.e. 32 bits. The latter need changes in the generated code, since a 32-bit integer must always reside on the heap. We give the two instruction streams for the head of the clause head(f(9,a)). The overhead of full integers comes from its higher heap consumption and from extra emulator cycles. This will be clear in the benchmarks. Floating point numbers in dProlog are never truncated and always require the above transformation.

    truncated ints          full ints

    getstr f/2, A1          getstr f/2, A1
    uninumcon 9             unitvar A2
    unicon a                unicon a
                            getint A2, 9

All versions of dProlog have the following characteristics: (1) separate stacks for environments and choice points; (2) no environment trimming: the XSB compiler does not generate the information to do it; the local stack grows towards the heap and environments are put upside-down (see Q); this can result in less testing during trailing, but in an extra comparison when binding two free variables; (3) no tidying of the trail during cut; (4) no trail overflow testing: see section 6.1 for an explanation and the effect on speed of trail overflow testing; all other overflow testing is done in software; (5) dProlog deals with hash collisions in the indexing code when using hashing by a try-retry-trust chain, just like XSB does; (6) floating point operations are not IEEE compliant.



3 The Three Term Representations on the Heap in dProlog

The heap_vars and wam_vars term representation on the heap is the same: the difference is in where permanent variables are initialized. Heap_vars does that always on the heap; wam_vars in the environment when possible. Tag_on_data and parma_vars are really different. So, we can speak of three heap term representations. The next figure shows the representation of the list [a, b] in the tag_on_data schema to the right and in the other schemas to the left. Each heap cell consists of a tag (P, S, L, A, I or F) and a pointer or value. An empty tag or value field means it is never inspected.

[Figure: the list [a, b] as L-tagged cons cells holding the A-tagged atoms a, b and []; tag_on_data to the right, the other schemas to the left]
Tag_on_data uses one heap cell more per cons than the other representations. In the tag_on_data schema as implemented in BinProlog, the list constructor is treated as any other constructor. We have instead chosen to specialize the representation of lists within the tag_on_data philosophy, because that results in exactly the same abstract machine instructions being executed in all variants of dProlog. The next figure shows compound terms, variables and numbers in f(X, g(X), 666, 3.14). Note how the PARMA representation of two bound free variables creates a cycle instead of a chain of references.




Pointers (to the heap and local stack) are always aligned on a 4 byte boundary, so the tags on pointers (P, S and L) can be 2 bits without restricting the range of pointers. The dProlog tags are as follows (only the significant lower bits are given):

    P (ref)     = 00
    S (struct)  = 01
    L (list)    = 11
    A (atom)    = 0110
    I (integer) = 1010
    F (float)   = 1110


The representation of floating point numbers is a bit unusual: the number is put on the heap, and its (F-tagged) offset from the start of the heap is used as its entry; the dashed pointer symbolizes the offset. This representation is also used for full integers. We have long wanted to use such a representation (offsets instead of pointers) and now understand its consequences better. The main issues are: (1) some routines (like general unify) need to know the start of the heap; if the implementation needs to be re-entrant, this start of heap must be passed as an argument; (2) copying terms (with numbers) becomes a bit more involved if the region one copies to (or from) is not contiguous (like for instance in findall buffers); (3) a sliding garbage collection algorithm needs an extra mark bit, since numbers on the heap are not preceded by a header; (4) retaining sharing during copying is nearly impossible. We recommend this representation to nobody.

Dereferencing in the three representations is different. Without an attempt to show the best code in a particular context, here is basically the dereferencing of an object p:

    parma_vars:              if (ref(p)) p = *p;
    wam_vars and heap_vars:  while (ref(p)) { if (p == *p) break; p = *p; }
    tag_on_data:             while (ref(p)) { if (p == *p) break; q = p; p = *p; }

In tag_on_data, the value of q might be needed after deref: if after deref p contains an S-tagged value, q + 1 points to the first argument of the structure.

In parma_vars dereferencing is a constant time operation. When two free variables are bound to each other, they must be tested for equality. This has been reported as a drawback of parma_vars, but the truth is that, as was noted during the HAL project in which the PARMA representation is also used (see Q), testing for equality of two free variables in parma_vars might require fewer steps than in the other representations. Also, there exist programs for which the WAM is quadratic and PARMA linear in the input.
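As an added example (not code from the paper), here is a toy C model of the tag scheme and of the three dereferencing loops above on a small constructed heap; the functor and atom ids and the omission of trailing are assumptions of the example. It shows why the PARMA cycle keeps dereferencing a single step while the WAM chain costs one hop per variable-variable binding, and how q + 1 reaches the first argument in tag_on_data.

```c
#include <stdint.h>

typedef uintptr_t cell;  /* one heap cell: tag in the low bits, pointer or value above */

/* dProlog tags (significant low bits only): 2 bits for pointer tags, 4 for data tags */
enum { TAG_P = 0x0, TAG_S = 0x1, TAG_L = 0x3, TAG_A = 0x6, TAG_I = 0xA, TAG_F = 0xE };

static int   is_ref(cell c)         { return (c & 0x3) == TAG_P; }
static int   is_struct(cell c)      { return (c & 0x3) == TAG_S; }
static cell *ptr_of(cell c)         { return (cell *)(c & ~(cell)0x3); }
static cell  mk_ref(cell *p)        { return (cell)p | TAG_P; }       /* p is cell-aligned */
static cell  mk_functor(unsigned f) { return ((cell)f << 4) | TAG_S; } /* tag_on_data functor */
static cell  mk_int(long v)         { return ((cell)v << 4) | TAG_I; } /* "truncated" integer */
static long  int_of(cell c)         { return (long)(c >> 4); }
static cell  mk_atom(unsigned id)   { return ((cell)id << 4) | TAG_A; }

static cell heap[64];  /* constructed toy heap; top is the next free cell */
static int  top;

static cell *new_var(void) {  /* an unbound variable is a self-reference */
    cell *v = &heap[top++];
    *v = mk_ref(v);
    return v;
}

/* wam_vars / heap_vars: walk the chain until a self-reference (unbound) or a value */
static cell deref_wam(cell p) {
    while (is_ref(p)) {
        cell *a = ptr_of(p);
        if (p == *a) break;
        p = *a;
    }
    return p;
}

/* parma_vars: one indirection is always enough; a reference result means "unbound" */
static cell deref_parma(cell p) {
    if (is_ref(p)) p = *ptr_of(p);
    return p;
}

/* tag_on_data: as deref_wam, but q keeps the cell the last reference pointed to;
   if the result is an S-tagged functor cell, q + 1 addresses its first argument */
static cell deref_tod(cell p, cell **q) {
    *q = 0;
    while (is_ref(p)) {
        cell *a = ptr_of(p);
        if (p == *a) break;
        *q = a;
        p = *a;
    }
    return p;
}

/* WAM: the younger of two unbound variables is made to point to the older one
   (trailing omitted in this toy), so later dereferencing walks a chain */
static void bind_wam(cell *a, cell *b) {
    if (a < b) { cell *t = a; a = b; b = t; }  /* a is now the younger cell */
    *a = mk_ref(b);
}

/* PARMA: swapping the links of two unbound variables joins their cycles into one */
static void bind_parma(cell *a, cell *b) {
    cell t = *a; *a = *b; *b = t;
}

/* PARMA: a value is written into every cell of the cycle, keeping deref a single step */
static void bind_parma_value(cell *v, cell value) {
    cell *c = v;
    do { cell *next = ptr_of(*c); *c = value; c = next; } while (c != v);
}

/* X = Y, Y = 666 in both schemes: deref_wam needs two hops, deref_parma one */
static long demo_chain_vs_cycle(void) {
    top = 0;
    cell *x = new_var(), *y = new_var();
    bind_wam(x, y);                    /* y -> x, since y is the younger cell */
    *x = mk_int(666);                  /* bind the end of the chain */
    long wam = int_of(deref_wam(mk_ref(y)));
    cell *p = new_var(), *r = new_var();
    bind_parma(p, r);                  /* p and r now form one 2-cycle */
    bind_parma_value(p, mk_int(666));  /* both cells receive the integer */
    long parma = int_of(deref_parma(mk_ref(r)));
    return (wam == 666 && parma == 666) ? 666 : -1;
}

/* tag_on_data: f(666, a) as an S-tagged functor cell followed by its arguments,
   reached through two references; afterwards q + 1 is the first argument */
static long demo_tag_on_data(void) {
    top = 0;
    cell *f = &heap[top]; top += 3;
    f[0] = mk_functor(1);                    /* constructed id for f/2 */
    f[1] = mk_int(666);
    f[2] = mk_atom(2);                       /* constructed id for the atom a */
    cell *v1 = new_var(); *v1 = mk_ref(f);   /* v1 -> functor cell */
    cell *v2 = new_var(); *v2 = mk_ref(v1);  /* v2 -> v1 */
    cell *q;
    cell d = deref_tod(mk_ref(v2), &q);
    return (is_struct(d) && q == f) ? int_of(q[1]) : -1;
}
```

Note that every non-pointer tag in the table ends in the bits 10, which is what lets is_ref and is_struct test only the two lowest bits.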



4 Comparing dProlog with Other Prolog Systems

We compare dProlog with other well-known and/or relevant systems on the standard set of benchmarks. The compiler of dProlog compiling itself (with output suppressed; input performed with get0/1 and a reader in Prolog) is added as a medium sized, more realistic benchmark: it consists of about 5000 lines of code. Times are always in 1/100s of a second. Sizes in tables are always in units of 4 bytes and represent the maximal stack usage during the running of all the benchmarks above the size figure in the same table; the code size includes also the compiler and toplevel. We repeated each benchmark in a failure driven way; the repetition factor is mentioned in the table: sdda(1200) means that a timing is shown for repeating sdda 1200 times. Each such repetition was performed four times; the first timing is always ignored (it is often an outlier either way) and the smallest timing of the remaining three is reported. For dProlog, we show here only the mode threaded with two opcodes + all other defaults (see section 5) for heap_vars. We use an older SICStus version because it was our initial target and the most recent release (3.8.1) is significantly slower.

SICStus Prolog, Yap and XSB all implement wam_vars, while BinProlog obviously implements tag_on_data. SICStus and Yap (as dProlog) use gcc specific features, while XSB and BinProlog use only ANSI C. Yap uses a single stack for choice points and environments, like the WAM.



5 Comparing the Six Basic Modes of dProlog

Table 2 shows the results of running dProlog in its six basic modes on the standard set of benchmarks. The modes are indicated as switch (for a C switch), jump (for a jump table) and threaded (for the threaded implementation), and the suffix 1 or 2 indicates whether read-write propagation is done as in the WAM (1) or with two operation codes (2) as described in Q.

The stack sizes are the same for all modes and not included in the table. The code sizes for switch1 and jump1 must be equal, and also the code sizes for switch2 and jump2. The fact that the code sizes for switch1 and switch2 are exactly the same is a coincidence: the instruction layout is such that each instruction has a spare byte.
Table 1. Comparing dProlog with other systems

benchmark        dProlog  SICStus 3.5  Yap 4.2.1  XSB 2.1  BinProlog 6.84
boyer(1)              40           34         32       95             106
browse(1)             48           47         30       95             147
cal(10)               77           69         68      140             105
chat(5)               45           55         43       77              98
crypt(200)            53           57         41      108              79
ham(2)                59           74         54      137             146
meta_qsort(125)       51           42         34      118             150
nrev(5000)            43           66         45      227              88
poly_10(10)           32           27         23       64              58
queens_16(2)          88           88         44      180             148
queens(10)           106          141         91      260             241
reducer(20)           19           13         10       37              35
sdda(1200)            40           33         29       70              75
send(10)              49           48         28       85             124
tak(10)               73           77         53      159             208
zebra(30)             82           82         63      139             173
compile(1)           776          914        739     1774            2074



The positive effect of using two opcodes (or two addresses in the case of threading) for read-write propagation is not as good as one might hope. We think the main reason is that the WAM read-write propagation with the S register performs quite well on modern architectures with prefetching and branch prediction. The increased code size probably does not matter: this was confirmed by other experiments that are not reported on here.

It might seem strange that switch2 performs worse than switch1: we have tried three variants of switch2 and the results were always similar. Compared to switch1, switch2 requires extra jumps and/or increases register pressure even on instructions that have no read-write variant. This is not true when comparing jump1 with jump2 or threaded1 with threaded2.



6 The Effect of Features and Optimizations in dProlog

The next tables only contain figures that relate to the heap_vars version of dProlog. The general setup is that the default settings are compared with a version in which one (or sometimes more) features are introduced or disabled. We first show variations in the implementation of the emulator itself (section 6.1), then variations in the generated abstract machine code (section 6.2).



6.1 Variations in the Implementation of the Emulator

Table 3 shows the variation of features in the emulator itself. An absent size figure means it is the same as for the default version. The explanation of the columns is:

— default: the default for dProlog is threaded, two opcodes, bind call, truncated integers, local pc = bx, with conditional trailing, no trail overflow check and with all instruction specializations and compressions
Table 2. The six basic modes of dProlog - heap_vars

benchmark   switch1  switch2  jump1  jump2  threaded1  threaded2
boyer            54       67     44     44         40         40
browse           81       95     51     50         48         48
cal              87      105     87     87         78         77
chat             54       64     48     47         46         45
crypt            70       84     57     56         52         53
ham              99      115     66     65         60         59
meta_qsort       76       89     56     55         52         51
nrev            130      157     45     43         46         43
poly_10          46       56     36     34         33         32
queens_16       118      141    100     98         89         88
queens          176      211    113    110        107        106
reducer          26       30     20     20         19         19
sdda             51       62     41     42         41         40
send             70       85     59     60         49         49
tak             101      125     78     78         73         73
zebra           103      113     85     83         83         82
code          48251    48251  48251  48251      73104      77038
compile        1094     1324    827    808        786        776
code          50202    50202  50202  50202      77826      81692



— no bind call: usually the call instruction refers to a predicate table to find the entry point of the predicate to be called; this makes the implementation of debugging and reconsult easier; in its default mode however, dProlog puts the address of the entry point directly in the call (and execute) instruction; we name this bind call; supporting debugging and reconsult under this schema adds a little implementation complexity and is not fully done in dProlog; this column shows the effect of not binding calls: although binding calls looks a priori like an optimization, its effect varies and is not large; this is in part caused by the fact that in dProlog the lookup of the entry of a predicate is very simple: only one indirection is needed

— always trail: this column represents unconditional trailing; its effect depends on the kind of benchmark (a benchmark where each potential trailing is actual obviously benefits from deleting the test) but is never large except for nrev; we also give the maximal trail usage for comparison

— trail overflow test: by default, dProlog allocates enough space for the trail (as much as the heap in heap_vars and tag_on_data, six times as much in parma_vars, as much as heap and local stack together in wam_vars), so that trail overflow testing is not necessary; however, the space penalty can be too high, so it is worth looking at the potential performance gain; the effect is quite high on some benchmarks, but overall small

— full integers: many implementations sacrifice the range of integers for the benefit of their compact representation: XSB represents integers with just 28 bits, as in the default mode of dProlog; dProlog can also run in a mode with 32 bit integers: this column shows the performance penalty both space and time wise; the relatively bad performance can be partly explained by the particular representation used for full integers, relying on a heap offset; another reason is the suboptimal abstract machine code for full integers (see section 2)

— glob bx, glob bp, register, no reg decl: as advised in !, we assigned the WAM program counter (pc) to a hardware register; Q does not report that there are several choices: one can reserve the hardware register locally to the emulator loop or globally in the whole of the implementation, and different choices as to which hardware register is used are possible; our default choice is to assign the program counter locally to the hardware register bx: loc bx; the meaning of glob bx and glob bp follows; we also tried just declaring the program counter locally as a register or giving no directions to the C compiler at all.

^ this "optimization" came up during work with Paul Tarau but might be folklore



Table 3. The effect of emulator properties in dProlog

            default  no bind  always  check tr  full      glob bx  glob bp  register  no reg
                     call     trail   overflow  integers                              decl
boyer            40       40      40        41        45       40       40        41      41
browse           48       47      47        50        49       47       47        50      49
cal              77       78      79        79        91       78       78        77      78
chat             45       45      45        45        47       45       45        44      44
crypt            53       52      54        51        62       52       52        52      51
ham              59       61      62        62        60       59       59        64      65
meta_qsort       51       51      52        52        51       51       51        51      51
nrev             43       46      53        44        44       43       43        52      51
poly_10          32       32      33        32        33       31       31        31      31
queens_16        88       90      90        88       108       88       88        90      90
queens          106      105     107       103       108      103      103       107     107
reducer          19       19      19        19        19       18       18        19      19
sdda             40       41      41        40        41       40       40        41      40
send             49       49      50        55        60       49       49        54      54
tak              73       74      72        74        93       75       75        74      74
zebra            82       83      83        86        86       81       81        85      85
heap         448296        -       -         -    674911        -        -         -       -
trail         57677        -  403043         -         -        -        -         -       -
code          77038        -       -         -     77761        -        -         -       -
compile         776      779     787       787       844      769      796       785     785
heap        1369456        -       -         -   5972416        -        -         -       -
trail        227623        -  854611         -         -        -        -         -       -
code          81692        -       -         -     82198        -        -         -       -


The table indicates that assigning the WAM program counter to a global bx register (the Yap choice is global bp) performs best, followed closely by the local bx register. One should not take this as a general truth: it will depend on factors beyond control like the C compiler and the particular way of writing C code in the emulator. Rather, one should take this as an indication that exploring the alternatives might be worthwhile. We made local bx our default because it performs well while being local. Note also that just declaring the program counter as a register, without assigning it to any particular hardware one, performs quite well, with the additional advantage that it is fully ANSI.

6.2 Variations on the Abstract Machine Code 

We report here on variations in the generated abstract machine code: the columns 
in Table 4 show the timings when one or more instruction compressions or 
specializations are turned off (each column is labelled with what is turned off). 
Note that even though some instructions are not generated when an optimization 
is turned off, all instructions are present in the emulator at all times. 

The XSB compiler performs one particular instruction compression during 
its peephole optimization: the sequence getlist, unitvar, unitvar is compressed to 
getlist_tvar_tvar; append/3 in particular benefits from it. Table 4 refers to it as 
getlist. We implemented two more instruction compressions and two specializations: 

— dealloc: compresses the instruction sequence deallocate, proceed into one (new) 
instruction dealloc_proceed, the sequence deallocate, execute into deallex, and 
deallocate, builtin, proceed into builtin_dealloc_proceed; 

— uni: two subsequent unitva* instructions (unitvar or unitval) are compressed to 
one instruction; this leads to four instructions uni_tvaX_tvaY where X and Y can 
be r or l; Yap also performs this compression; 

— try: specialized versions of the try, retry and trust instructions are generated 
for predicates with arities 2 and 3; Yap does this for arities 0 up to 4; 

— switch: this specialization exists in Yap and, in other forms, in other 
implementations; if the list exit of a switch_on_list instruction points to the 
corresponding getlist instruction, a specialized switch instruction is generated 
whose list exit jumps directly to the read mode of the instruction following the 
getlist. 



Table 4. Variations of abstract machine code in dProlog 

Columns: default, try, dealloc, switch, getlist, uni, switch+getlist (sw+gl), 
switch+uni (sw+uni), getlist+uni (gl+uni), switch+getlist+uni (sw+gl+uni); 
each column names the transformation(s) turned off. 

benchmark     default       try   dealloc    switch   getlist       uni     sw+gl    sw+uni    gl+uni sw+gl+uni
boyer              40        42        40        40        40        40        40        40        40        40
browse             48        49        49        47        49        50        49        48        50        51
cal                77        80        77        77        77        77        77        77        77        77
chat               45        45        45        44        45        45        45        46        46        46
crypt              53        53        53        54        55        52        54        54        55        55
ham                59        66        59        59        66        61        66        61        70        70
meta_qsort         51        54        51        50        51        54        51        54        54        54
nrev               43        43        43        50        43        54        50        62        54        62
poly_10            32        32        32        32        32        33        32        33        33        33
queens_16          88        89        88        92        89        90        92        92        92        94
queens            106       115       105       106       106       107       108       108       113       116
reducer            19        19        19        19        19        19        18        19        20        19
sdda               40        41        41        40        41        40        41        40        41        41
send               49        49        49        46        49        49        49        49        49        49
tak                73        73        73        73        73        73        73        73        73        73
zebra              82        82        82        82        84        83        84        82        87        87
code            77038     77474     77477     77005     77317     78355     77317     78289     78913     78913
compile           776       785       782       776       782       789       784       787       796       796
code            81692     82236     82209     81641     82184     83177     82184     83075     84161     84161



The specialization try and the compression dealloc are each independent of all 
the other transformations; the remaining three are performed in the order switch, 
getlist, uni. A switch specialization prevents a getlist compression of the 
corresponding getlist instruction, but still allows the uni compression of the 
instructions after that getlist. Likewise, a getlist compression clearly prevents 
the application of uni compression to the unify instructions after the getlist. 
Since the interaction of these three transformations is tricky, we give all seven 
possibilities (together with the default, that makes 8). 
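The order and interactions just described, as an added Python example (not dProlog or XSB code): a peephole pass applies switch, getlist and uni in that order, plus the independent dealloc compression, to a constructed code stream for append/3. The tuple encoding of instructions, the ("label", name) pseudo-instruction and the operand layout of switch_on_list are assumptions made for this example.

```python
"""Peephole compression of a WAM-style code stream (added example, not dProlog or
XSB code).  An instruction is a tuple (opcode, operand, ...); operand layouts are assumed."""
from typing import List, Set, Tuple

Instr = Tuple[str, ...]
UNI = {"unitvar": "tvar", "unitval": "tval"}   # the unify instructions 'uni' fuses

def _target(code: List[Instr], name: str) -> int:
    """Index of the instruction that follows label `name`, or -1 if absent."""
    for i, ins in enumerate(code):
        if ins == ("label", name) and i + 1 < len(code):
            return i + 1
    return -1

def _switch_pass(code: List[Instr]) -> Set[int]:
    """Specialize a switch_on_list whose list exit points at a getlist on the same
    register; returns the indices of those getlists (kept for the variable exit, never compressed)."""
    frozen: Set[int] = set()
    for i, ins in enumerate(code):
        if ins[0] == "switch_on_list":
            reg, list_lbl, nil_lbl = ins[1:]
            tgt = _target(code, list_lbl)
            if tgt >= 0 and code[tgt][:2] == ("getlist", reg):
                # list exit now jumps to the read mode of the instruction after the getlist
                code[i] = ("switch_on_list_getlist", reg, list_lbl, nil_lbl)
                frozen.add(tgt)
    return frozen

def _getlist_pass(code: List[Instr], frozen: Set[int]) -> List[Instr]:
    """getlist, unitvar, unitvar -> getlist_tvar_tvar (the XSB compression)."""
    out, i = [], 0
    while i < len(code):
        ins = code[i]
        if (ins[0] == "getlist" and i not in frozen and i + 2 < len(code)
                and code[i + 1][0] == "unitvar" and code[i + 2][0] == "unitvar"):
            out.append(("getlist_tvar_tvar", ins[1], code[i + 1][1], code[i + 2][1]))
            i += 3
        else:
            out.append(ins)
            i += 1
    return out

def _uni_pass(code: List[Instr]) -> List[Instr]:
    """Two adjacent unitva* instructions -> uni_tvaX_tvaY, X and Y in {r, l}."""
    out, i = [], 0
    while i < len(code):
        ins = code[i]
        if ins[0] in UNI and i + 1 < len(code) and code[i + 1][0] in UNI:
            out.append(("uni_%s_%s" % (UNI[ins[0]], UNI[code[i + 1][0]]),
                        ins[1], code[i + 1][1]))
            i += 2
        else:
            out.append(ins)
            i += 1
    return out

def _dealloc_pass(code: List[Instr]) -> List[Instr]:
    """deallocate+proceed, deallocate+execute and deallocate+builtin+proceed compressions."""
    out, i = [], 0
    while i < len(code):
        nxt = code[i + 1] if i + 1 < len(code) else ("",)
        after = code[i + 2][0] if i + 2 < len(code) else ""
        if code[i][0] == "deallocate" and nxt[0] == "proceed":
            out.append(("dealloc_proceed",))
            i += 2
        elif code[i][0] == "deallocate" and nxt[0] == "execute":
            out.append(("deallex",) + nxt[1:])
            i += 2
        elif code[i][0] == "deallocate" and nxt[0] == "builtin" and after == "proceed":
            out.append(("builtin_dealloc_proceed",) + nxt[1:])
            i += 3
        else:
            out.append(code[i])
            i += 1
    return out

def compress(code, switch=True, getlist=True, uni=True, dealloc=True) -> List[Instr]:
    """Enabled transformations run in the order switch, getlist, uni; dealloc is independent."""
    code = list(code)
    frozen = _switch_pass(code) if switch else set()
    if getlist:
        code = _getlist_pass(code, frozen)
    if uni:
        code = _uni_pass(code)
    if dealloc:
        code = _dealloc_pass(code)
    return code

# Constructed code for app([], Ys, Ys).  app([X|Xs], Ys, [X|Zs]) :- app(Xs, Ys, Zs).
APPEND: List[Instr] = [
    ("switch_on_list", "r1", "L_list", "L_nil"),
    ("label", "L_nil"), ("getnil", "r1"), ("gettval", "r2", "r3"), ("proceed",),
    ("label", "L_list"), ("getlist", "r1"), ("unitvar", "r4"), ("unitvar", "r1"),
    ("getlist", "r3"), ("unitval", "r4"), ("unitvar", "r3"), ("execute", "append/3"),
]
```

With switch on, the first getlist of append/3 is frozen and only the uni compression applies after it; with switch off the same getlist becomes getlist_tvar_tvar and the uni compression of those two unitvars disappears.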
7 Comparing Four Term Representation Schemas 

Table 5 shows the execution times and some stack sizes for the four term 
representations introduced earlier in the paper. Every version here has the same 
default settings as before. Only heap and trail sizes are mentioned, as the choice 
point stack, local stack and code size are the same for all four versions. 

A priori, one can reason that heap_vars and parma_vars must consume the 
same amount of heap, while tag_on_data potentially consumes more (due to 
the absence of an optimized list representation) and wam_vars consumes less, 
because some objects only ever live on the local stack. For the trail, one expects 
heap_vars and tag_on_data to trail exactly the same cells, while both wam_vars 
and parma_vars potentially trail more. Indeed, when a variable is bound to a 
non-variable in parma_vars, all the cells in the chain representing the variable 
are bound and subject to trailing. Note also that in parma_vars trailing one cell 
needs two entries on the trail stack. It is clear that wam_vars must (conditionally) 
trail on globalizing a permanent variable. But even for permanent variables that 
are never globalized, wam_vars potentially trails more than heap_vars. 
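The heap and trail reasoning above for heap_vars and parma_vars, as an added Python example (not dProlog code): two minimal binding models count heap cells and trail words for the same constructed sequence X = Y, Y = Z, Z = foo. It assumes every cell is older than the current choice point, so every binding is trailed, and that a parma_vars var-var binding splices the two cycles by swapping two cell contents.

```python
"""Heap and trail accounting for heap_vars versus parma_vars (added example, not
dProlog code).  Cells are ("ref", index) or ("val", term).  Every cell is assumed
older than the current choice point, so each binding is trailed; heap_vars trails
one word (the address) per bound cell, parma_vars two (address and old contents)."""
from typing import List, Tuple

class HeapVars:
    """WAM style: an unbound variable is a self-referencing cell; a var-var
    binding makes the younger cell point at the older one."""
    def __init__(self) -> None:
        self.cells: List[Tuple[str, object]] = []
        self.trail: List[int] = []

    def new_var(self) -> int:
        self.cells.append(("ref", len(self.cells)))
        return len(self.cells) - 1

    def deref(self, i: int) -> int:
        kind, target = self.cells[i]
        while kind == "ref" and target != i:
            i = target
            kind, target = self.cells[i]
        return i

    def bind(self, i: int, j: int) -> None:
        a, b = self.deref(i), self.deref(j)
        if a != b:
            young, old = max(a, b), min(a, b)
            self.cells[young] = ("ref", old)
            self.trail.append(young)

    def bind_value(self, i: int, term) -> None:
        a = self.deref(i)
        self.cells[a] = ("val", term)
        self.trail.append(a)

    def trail_words(self) -> int:
        return len(self.trail)

class ParmaVars:
    """PARMA style: the cells of an unbound variable form a cycle, so there is
    nothing to dereference; a var-var binding splices the two cycles and a
    binding to a value overwrites (and trails) every cell of the cycle."""
    def __init__(self) -> None:
        self.cells: List[Tuple[str, object]] = []
        self.trail: List[Tuple[int, Tuple[str, object]]] = []

    def new_var(self) -> int:
        self.cells.append(("ref", len(self.cells)))
        return len(self.cells) - 1

    def cycle(self, i: int) -> List[int]:
        assert self.cells[i][0] == "ref", "cycle() is only defined for unbound cells"
        out, j = [i], self.cells[i][1]
        while j != i:
            out.append(j)
            j = self.cells[j][1]
        return out

    def _set(self, i: int, contents) -> None:
        self.trail.append((i, self.cells[i]))   # value trail: address and old contents
        self.cells[i] = contents

    def bind(self, i: int, j: int) -> None:
        if j in self.cycle(i):
            return
        ni, nj = self.cells[i][1], self.cells[j][1]   # swap successors: one merged cycle
        self._set(i, ("ref", nj))
        self._set(j, ("ref", ni))

    def bind_value(self, i: int, term) -> None:
        for c in self.cycle(i):               # every cell of the chain is bound and trailed
            self._set(c, ("val", term))

    def trail_words(self) -> int:
        return 2 * len(self.trail)

def run_scenario(machine) -> Tuple[int, int]:
    """Constructed sequence X = Y, Y = Z, Z = foo; returns (heap cells, trail words)."""
    x, y, z = machine.new_var(), machine.new_var(), machine.new_var()
    machine.bind(x, y)
    machine.bind(y, z)
    machine.bind_value(z, "foo")
    return len(machine.cells), machine.trail_words()

if __name__ == "__main__":
    print("heap_vars ", run_scenario(HeapVars()))    # (3, 3)
    print("parma_vars", run_scenario(ParmaVars()))   # (3, 14)
```

Both models use the same three heap cells, but the final binding to a non-variable costs parma_vars three trailed cells at two words each, on top of the two words per cell spent on the var-var splices.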

The figures in Table 5 are in accordance with the above reasoning. However, 
for the smaller benchmarks, the difference in trail usage between parma_vars 
and the others is very small, which confirms the common knowledge that var- 
var bindings are uncommon ... for small benchmarks. The compile benchmark 
shows a different picture. 

The huge difference between the heap usage of wam_vars and the others is 
striking. Even though 99% of the difference is caused by the double calls to 
functor/3 and arg/3 in boyer, and a better built-in calling convention would 
reduce the difference to almost zero, in general this extra heap consumption is 
a drawback for any schema that always globalizes variables. 

In order to reduce the potential bias in common operations towards one par- 
ticular term representation, we have tried for each version several ways to write 
(in C) the dereference operation: each version is run with the best (sometimes 
more than one) we found for it. For the wam_vars version, we have specialized 
the trailing test whenever possible. 

tag_on_data is clearly the loser. On the small benchmarks, wam_vars comes 
out as the winner with heap_vars a close second; parma_vars suffers badly from its 
disadvantages on some of the small benchmarks. On compile, parma_vars wins, 
albeit with a small margin: the high number of trail entries (almost triple that of 
heap_vars) indicates that more var-var bindings occur here, and that is where 
parma_vars is at its strongest. 



Table 5. Four schemas for term representation 

benchmark      heap_vars    wam_vars  parma_vars  tag_on_data
boyer                 40          38          40           42
browse                48          46          46           53
cal                   77          75          77           77
chat                  45          44          46           47
crypt                 53          52          52           54
ham                   59          58          60           64
meta_qsort            51          48          54           53
nrev                  43          44          47           56
poly_10               32          31          34           34
queens_16             88          85          90           90
queens               106         103         113          113
reducer               19          18          21           21
sdda                  40          42          43           44
send                  49          45          52           49
tak                   73          71          75           73
zebra                 82          82          97           90
heap              448296      144069      448296       448366
trail              57677       58635      115366        57677
compile              776         776         773          840
heap             1369456      862479     1369505      1647279
trail             227623      237689      642356       227633

8 Related Work 

^ is worth mentioning because it gives good advice on implementing an emulator 
for Prolog. We have followed it to a large extent and we did benefit a lot from 
it. In fact, most of the advice we put to scrutiny turned out to be excellent, 
even though we were working in the context of a different abstract machine code 
generator and a different stack layout. So, our work is in line with Q, redoing 
partly its experiment in a different setting. Q does not stress the importance 
of the quality of the generated machine code, probably because its compiler, 
although not sophisticated, is of sufficient quality. We think that a decent 
compiler is essential for speed. Also, Q does not provide any insight into 
the importance of the double opcode schema for read-write mode propagation, 
which we do in section^. Finally, Q was not aimed at providing empirical data on 
alternative term representations. In fact, no such work exists as far as we know. 
Alternative term representations were always implemented in combination with 
other features, which can obscure in unknown ways the effect of the choice of 
term representation. 

As far as “paper” comparisons are concerned: describes nicely the issues 
involved in implementing PARMA variables and relates them to the WAM, but 
as the authors note themselves, it is impossible to conclude with any confidence 
how these two alternatives would compare within the same implementation. Q 
compares tag-on-data only minimally with the usual WAM representation and 
focuses on the issue of term compression and stack usage. 

9 Conclusion and Future Work 

We have gathered experimental data on how four term representations that are 
easily compatible with the WAM compare, and on choices in the implementation 
of the abstract machine compiler and emulator. One conclusion is that 
the tag_on_data representation seems the least attractive from the performance 
point of view. Its main attraction lies in the fact that, since pointers are tag-less, 
the address space is not restricted and one can have up to 32 tag bits in 
the data, a luxury that can make any implementor’s mouth water. Admittedly, 
we have not implemented term compression, but since does not report a sig- 
nificant speedup related to term compression and sometimes even a slowdown, 
we feel that our conclusion holds. The situation with parma_vars is more com- 
plicated: first of all, one must realize that for admittedly artificial examples, 
parma_vars can perform arbitrarily better than the other versions. Moreover, 
while parma_vars performs worse on the smaller benchmarks, it performs better 
on the one benchmark that makes more use of the full potential of the Pro- 
log variable. The figures give a slight preference to wam_vars over heap_vars 
time-wise, and space-wise wam_vars clearly wins, modulo the remarks made in 
section 7. However, other considerations could make one prefer heap_vars. E.g. 
in the context of the SLG-WAM, the trail must be tidied on cut as far as the local 
stack trailed entries go. But tidying the trail has bad worst-case complexity. 
Then choosing a heap_vars schema suddenly seems quite attractive given the 
small time penalty. In any case, such tradeoffs should be made by the imple- 
mentor and might be based on the figures here or after having seen the actual 
implementation of dProlog. 

We have put a lot of effort into avoiding bias towards any one version of 
dProlog. In particular, we have made sure that in all versions the same abstract 
machine code is executed instruction by instruction, that the stack layout is the 
same, that the number of times the general unification is called is the same, 
that the indexing (in particular the occurrence and treatment of hash collisions) 
is the same, etc.¹ When comparing the four term representations each within a 
different context, it would be next to impossible to keep all the above factors the 
same. However, one might also see this uniformity as a drawback: each of the 
term representations might benefit in a different way from a particular action, 
e.g. dereferencing during a particular instruction might be good in wam_vars but 
not in parma_vars. We are aware that, given much more time, we could 
improve each of the four versions; but we are not aware of having favored any 
particular one. We have even put effort into providing each version with its best 
dereferencing macro and tag testing sequence. 

The figures in section 6 give a good indication of which specializations, com- 
pressions and emulator optimizations are interesting, and also uncover weaknesses 
in the XSB compiler. Our experience has been used in a partial redesign of XSB. 

The experiments might show different results on other processors. Since dPro- 
log is portable the experiments can be redone for other platforms. Still, some 
extra work is required, mainly because one must assign hardware registers to 
WAM registers carefully. 

Like P, we found that a fast emulator is a combination of the following fac- 
tors: (1) a good discipline for writing C code, (2) selective use of gcc features, 
(3) a decent basic abstract machine code generator, (4) some instruction com- 
pression, (5) some instruction specialization. In dProlog, we were missing mostly 
item 3: while | claims for instance that a sophisticated register allocation (see 
e.g. H) is not needed, we found that bad register allocation, as in XSB, is a real 
drawback. Also the following two points are very important in our opinion: sin- 
gle level indexing is to be preferred over double level indexing (see also Q); and 
secondly, the basic mechanism for (in-lined) built-ins must suit the emulator: the 
XSB mechanism leads to more register shuffling and more executed emulator cycles. 

¹ The number of times dereferencing is performed is not the same: wam_vars and 
parma_vars have by necessity more than heap_vars (about 6% for the benchmark 
suite); tag_on_data has marginally less because of a different optimal sequence of 
instructions in the switch_on_list instruction. 

One can wonder whether redoing the effort described in J in a different 
context is relevant: we think that redoing it in exactly the same context would 
have been meaningless. Our work shows that the advice of H is useful elsewhere. 

Directly related to dProlog, there is ample work to be done to speed up the imple- 
mentation. Apart from the issues mentioned before, we think two more points are 
worth exploring further: specialization of built-ins (e.g. functor/3 is almost al- 
ways called in one of two basic modes and the compiler usually knows which, 
because of the var-val distinction) and instruction compression across predicate 
boundaries: the call or execute instructions very often transfer to the same in- 
structions. We experimented briefly with both, but have so far gathered insuffi- 
cient systematic data to report on them. 

More generally, there are still many things worth investigating within a fixed 
implementation context: there is for instance no hard comparative data on en- 
tirely different tagging schemas, such as the one SICStus Prolog uses. Other 
issues are the implementation of general unify (with support for cyclic terms or 
the occurs check), optimal abstract machine code for arithmetic, calling of built-ins, 
the use of type or mode information in an emulator (as in ^Q) and many more. 
Also, different allocation schemas within a WAM-like implementation can and 
should be experimented with, together with different garbage collection strate- 
gies and principles. Inspiration here might come from the implementation of 
other programming languages. The problem with memory management experi- 
ments is, however, that an entirely new type of benchmark is needed. 

We will definitely continue using dProlog for experimenting and gathering 
information on the implementation of WAM variants and beyond. 
Abstract. In previous work Bruynooghe, Janssens and Kagedal devel- 
oped a live-structure analysis for Mercury which detects memory cells 
available for reuse. Separate compilation of modules is an essential in- 
gredient of a language such as Mercury which supports programming in 
the large. Hence, to be practical, a live-structure analysis also has to be 
module based. This paper develops a modular live-structure analysis and 
extends it with a modular reuse analysis. It also describes preliminary 
results obtained with a first prototype of the module based analysis. 

1 Introduction 

In declarative languages, the programmer is liberated from the low level details 
of memory management such as allocation of memory and destructive updates 
of data structures. The price to pay for this convenience is a loss of performance 
due to the run-time overhead of garbage collection, due to an increased number 
of cache misses (caused by the loss of locality of data structures) and due to 
the overhead of creating new data structures (creating a new version of a data 
structure is typically more expensive than updating an existing one). 

There has been a lot of research on methods to overcome this handicap 
and improve memory management, both for logic programming languages 
and for functional programming languages. Some approaches depend on a 
combination of special language constructs and analysis, others are solely 
based on compiler analyses. At least in logic programming, none of the 
analysis based methods has reached the maturity of becoming part of a widely 
distributed implementation, so this largely remains an unsolved problem. 

A language such as Mercury, a logic language with declarations, offers a par- 
tial solution through the availability of destructive input (di) and unique output 
(uo) modes; however, the use of these modes is cumbersome for the programmer. 
Moreover, it does not fit into the declarative programming paradigm. Hence we 
believe it is a useful research goal to develop a reuse analysis for Mercury. In 
addition, mastering it for Mercury should be a useful stepping stone for develop- 
ing such an analysis for systems such as Ciao Prolog B, where declarations are 
optional and where one has to cope with the impurities of Prolog, and HAL Q, 
which is a constraint language having many similarities with Mercury. 

* This work has been supported by the GOA project LP'*', the ESPRIT project ARGo, 
and the FWO-Vlaanderen. 

Mulkers et al. Q have developed an analysis for Prolog which detects when 
memory cells become available for reuse; however, the lack of declarations and the 
impurity of Prolog make it rather infeasible to obtain acceptable analysis times 
and to integrate it in a Prolog compiler. In ^ Bruynooghe et al. have adapted 
the analysis for a Mercury-like language with type, mode and determinism dec- 
larations; the analysis also takes backtracking into account (the original work 
relied on the trail to restore overwritten data structures on backtracking). The 
paper only briefly sketches some preliminary ideas about how to make the anal- 
ysis modular. Modularity is essential for the analysis to be practical, as it is 
infeasible to analyse large programs (e.g. the Mercury compiler) as a single unit. 
The concept of modules is an integral part of the Mercury support for program- 
ming in the large, and even simple applications import predicates from libraries. 
Moreover, Mercury compiles each module of a program separately, hence an 
analysis which is to become part of the compiler had better do the same. This 
paper presents a module based analysis for memory reuse as a two step anal- 
ysis, where a so called default liveness analysis of the procedures exported by 
the module is followed by a reuse analysis. Results obtained by a prototype are 
presented. Finally, the paper also suggests some solutions concerning the creation 
of multiple versions of procedures. 

The paper is a reworking and elaboration of ^3, where the non modular 
default analysis was first described. Modularisation of analysis is also a current 
research issue in the Ciao Prolog project. A discussion of possible approaches 
which have quite some parallels with our work is in 

Section 2 recalls the basics of the earlier work. Section 3 develops the 
module based liveness analysis. The subsequent sections report on the results 
obtained with our prototype analysis system and conclude with a brief discussion. 



2 Background 

2.1 Abstract Interpretation 

The analysis system in Q uses the top-down abstract interpretation framework 
of Q. Abstract interpretation mimics concrete execution by replacing the pro- 
gram’s operations on concrete data with abstract operations over data descrip- 
tions. The analysis of a predicate, given abstract information about the predi- 
cate’s arguments (the call pattern), computes abstract information for each program 
point, and a final abstract description of the state of the variables at the exit 
point (the exit pattern). For each predicate call, abstract information from the caller’s 
context is mapped onto information relevant for the called predicate (procedure 
entry), thus obtaining the call pattern of that predicate. The called predicate 
is analysed w.r.t. this call pattern. The obtained exit pattern is used to 
compute the abstract state of the program point following the predicate call 
(procedure exit). The analysis uses fixpoint iteration to cope with recursion. 



A Module Based Analysis for Memory Reuse in Mercury 1257 



2.2 Mercury 

Mercury Q is a logic programming language with type, mode and determinism 
declarations. Its type system is based on a polymorphic many-sorted logic and 
its mode system does not allow the use of partially instantiated structures. 

Our analysis is performed at the level of the High Level Data Structure 
(HLDS) constructed by the Mercury compiler. Within this structure, predicates 
are normalized, i.e. all atoms appearing in the program have distinct variables 
as arguments, and all unifications X = Y are made explicit as one of (1) a test 
X == Y, (2) an assignment X := Y, (3) a construction X ⇐ f(Y1, ..., Yn), 
or (4) a deconstruction X ⇒ f(Y1, ..., Yn). Within the HLDS, the atoms of a 
clause body are, if needed, reordered such that the body is well moded. 

Just like in the HLDS we will use the notion of a procedure, i.e. a combination 
of one predicate with one mode, and thus talk about the analysis of a procedure. 



2.3 Types and Selectors 

Using a simple example, we recall some basics about types. 

The polymorphic type list(T) is defined as: list(T) ---> [] ; [T|list(T)]. 

This type is obtained by applying a type constructor (list) to zero or more 
types or type variables (here the type variable T). Its definition is given by the 
right hand side of the above expression and consists of one or more alternatives. 
Each alternative is a distinct type functor applied to zero or more types or type 
variables ([] has zero arguments, the list constructor has two, namely T and 
list(T)). A type tree is a possibly infinite graphical representation of a type 
definition. A finite type graph is obtained by imposing that two type nodes on 
the same branch from the root are the same when they are labelled with the 
same type. The graph of list(T) is shown in Fig. 1; it has two type nodes 
(list(T) and T) and two functor nodes ([] and [|]). 

Type selectors are used to select type nodes in type graphs. The empty se- 
lector is denoted by ε; with t a type, t^ε selects the root node of its type graph. 
If t_0^s selects a node of type t_1 in the type graph of t_0, and one of the alternatives 
defining t_1 has a type functor f/n, then the selector s extended with the step 
(f/n, j), with 1 ≤ j ≤ n, selects the type node which is the j-th child of the 
functor node labeled f/n that is a child of t_1. 

With recursive types, several selectors can select the same node in a type 
graph. This equivalence is denoted by s1 ≡ s2, with s1 and s2 selectors. Using 
[|] as list constructor, the selector that picks the second argument of [|] and the 
empty selector both select the root node of list(T). Our analysis always simplifies 
selectors, hence will replace the former by the latter. 

Terms also have a tree representation, and nodes of the term tree can be 
mapped to type nodes of the corresponding type tree. With X a variable which 
has a term of type t as value and with s a selector for t, X^s denotes the nodes 
in the term tree of X which are mapped to t^s. We refer to the memory cells 
implementing these nodes as the data structure of X^s. X^ε selects (at least) the 
root node of the term tree. This root node is the top-level data structure of X. 
Fig. 1. Type graph of list(T) 



2.4 Liveness Analysis 

Our liveness analysis exploits the mode, type and determinism information avail- 
able in the HLDS of Mercury programs. It can be applied on any sequential logic 
programming language where this information is available through declarations 
or analysis. Due to the absence of partially instantiated data structures, every 
unification can be reduced to one of the cases in Section 2.2. Although the anal- 
ysis can handle full unification, the ultimate reuse will depend on the presence 
of deconstruction/construction pairs. With less precise modes, fewer of these pairs 
occur in the code. 

The liveness analysis of Q computes in each program point which data 
structures are live. Calling the program point under consideration the current 
program point and the atom following it the current atom, a data structure is 
live in the current program point if, given the bindings of the program variables 
before executing the current atom, the data structure is reachable 

— either from a program variable occurring in an atom following the next pro- 
gram point (hence it will possibly be accessed while continuing the execution 
after successful completion of the current atom), 

— or from a program variable which will possibly be accessed after the back- 
tracking which would occur if the execution of the current atom fails. 

Liveness is expressed as a set of elements X^s. That X^s is live in program 
point p means that the data structure(s) selected by X^s in the current value of 
the variable X will probably be accessed after executing the current atom. 

The liveness set in a program point p is computed from two components: 

— A binary relation ALIAS. Tuples in this relation are of the form (X^s, Y^t). 
The intuitive meaning is: if data structure X^s is live then Y^t is possibly live 
and, if Y^t is live, then X^s is possibly live.¹ The relation is not transitive, 
as we maintain only one ALIAS relation in each program point, hence it 
is possible that (X^s, Y^t) holds due to one computation path and (Y^t, Z^u) 
due to another incompatible computation path, while (X^s, Z^u) does not 
hold. When, due to a unification or a procedure call, new ALIAS tuples 
are derived, an alternating closure which alternates over new and old 
tuples is used to update the ALIAS relation. The ALIAS relation consists 
of a global component GA containing the aliases between input arguments 
of the procedure that existed prior to calling the analysed procedure, and a 
local component LA_p giving the aliases created by executing the procedure 
up to the program point p. The whole ALIAS relation is then given by the 
alternating closure of both components, i.e. ALIAS_p = Altclos(GA, LA_p). 

— A set IN_USE. It is the union of two sets. The first, LIVE_G, is a global 
component which contains elements X^s expressing that X^s is live due to 
the context of the caller. In other words, X^s will probably be accessed after 
completion (with success or failure) of the current procedure. It is called 
LIVE_G because it is derived from the liveness which exists in the program 
point where the analysed procedure is called. The second set, LU_p, is a local 
component containing elements for every variable which can be accessed 
after completing the execution of the current atom (with success or failure). 

¹ Possibly, because the analysis makes approximations and may overestimate the 
ALIAS relation. Also reflexive tuples exist, e.g. (X^s, X^s) with X of type list and 
s selecting the list elements expresses: if one element of the list is live then others 
are possibly live, in other words the value of X is a list with possibly several 
occurrences of the same element. 

The set LIVE_p describing the liveness in a program point is obtained by using 
the implications in ALIAS_p to extend the initial liveness set given by IN_USE_p. 
More formally, defining 

$$C(L, A) = \{X^s \mid X^s \in L\} \cup \{X^s \mid Y^t \in L \text{ and } (Y^t, X^s) \in A\} \cup \{Y^{t \cdot s_1} \mid X^{s \cdot s_1} \in L \text{ and } (X^s, Y^t) \in A\} \quad (1)$$

we have 

$$LIVE_p = C(IN\_USE_p, ALIAS_p) \quad (2)$$

where IN_USE_p = LIVE_G ∪ LU_p and ALIAS_p = Altclos(GA, LA_p). For more 
technical details we refer to Q. 

2.5 Reuse Analysis 

The liveness analysis computes a safe approximation of the liveness, hence a data 
structure which is not live is, if reachable at all, only reachable from the program 
variables in the current atom. The interesting case is when the current atom is 
a deconstruction X ⇒ f(X1, ..., Xn) and X^ε is not live in the current program 
point. Then, Q the data structure X^ε is available for reuse in the program 
point following the deconstruction, as it is no longer reachable from any accessible 
program variable. If, within the procedure, the deconstruction is followed by a 
construction Y ⇐ f(Y1, ..., Yn), then the top level of X can be used to construct 
Y, and we say that there is direct reuse (of X^ε) in the analysed procedure. We say 
that a procedure has indirect reuse if it calls a procedure q/m and q/m allows 
for (in the context of that call) direct or indirect reuse. To distinguish this phase 
from the liveness analysis, we call it the reuse analysis. When analysing the 
program as a single unit, this pass requires no fixpoint iteration as it only has 
to verify whether deconstruction/construction pairs are suited for reuse. 
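The liveness extension of equation (1), the alternating closure Altclos(GA, LA_p) and the direct-reuse condition of this section, as an added Python example (not the analysis implemented in the Mercury compiler). Variables, selectors and X^s are encoded as tuples; all variables are assumed to be of type list(T), so the only selector simplification is dropping the tail step of Section 2.3; alias tuples are applied in both directions, as the intuitive reading in Section 2.4 states.

```python
"""Liveness extension C(L, A) of equation (1), the alternating closure
Altclos(GA, LA) and the direct-reuse test of Section 2.5 (added example, not
the analysis implemented in the Mercury compiler).  Program variables are
strings, a selector is a tuple of (functor, argument position) steps and X^s
is the pair (X, s).  Every variable is assumed to have type list(T), so the
only selector simplification needed is the one from Section 2.3: the tail step
('[|]', 2) selects the root node again and is dropped, and a type-consistent
selector has at most one remaining step (the head)."""
from typing import Optional, Set, Tuple

Step = Tuple[str, int]
Sel = Tuple[Step, ...]
Elem = Tuple[str, Sel]        # X^s
Alias = Tuple[Elem, Elem]     # (X^s, Y^t)

EPS: Sel = ()                 # empty selector: X^EPS is the top-level cell of X
HEAD: Step = ("[|]", 1)
TAIL: Step = ("[|]", 2)

def simplify(sel: Sel) -> Optional[Sel]:
    """Drop tail steps (list(T)^tail == list(T)^eps); None if not type-consistent."""
    out = tuple(step for step in sel if step != TAIL)
    return out if len(out) <= 1 else None

def symmetric(rel: Set[Alias]) -> Set[Alias]:
    """(X^s, Y^t) implies liveness in both directions, so keep both orders."""
    return set(rel) | {(b, a) for (a, b) in rel}

def extend_liveness(in_use: Set[Elem], alias: Set[Alias]) -> Set[Elem]:
    """C(L, A): X^(s.s1) in L and (X^s, Y^t) in A  =>  Y^(t.s1) is live."""
    live = {(x, simplify(s)) for (x, s) in in_use}
    for (x, s), (y, t) in symmetric(alias):
        for (v, sel) in in_use:
            if v == x and sel[: len(s)] == s:          # sel = s.s1
                ext = simplify(t + sel[len(s):])        # t.s1
                if ext is not None:
                    live.add((y, ext))
    return live

def _compose(r1: Set[Alias], r2: Set[Alias]) -> Set[Alias]:
    """Join (X^s, Y^t) in r1 with (Y^u, Z^v) in r2 when t and u are comparable."""
    out: Set[Alias] = set()
    for (x, s), (y, t) in r1:
        for (y2, u), (z, v) in r2:
            if y2 != y:
                continue
            if u[: len(t)] == t:          # Y^u lies below Y^t: descend in X
                xs, zv = simplify(s + u[len(t):]), v
            elif t[: len(u)] == u:        # Y^t lies below Y^u: descend in Z
                xs, zv = s, simplify(v + t[len(u):])
            else:
                continue
            if xs is not None and zv is not None:
                out.add(((x, xs), (z, zv)))
    return out

def altclos(ga: Set[Alias], la: Set[Alias]) -> Set[Alias]:
    """Altclos(GA, LA): join tuples along paths that alternate GA and LA tuples."""
    ga, la = symmetric(ga), symmetric(la)
    result = ga | la
    frontier = {(t, "ga") for t in ga} | {(t, "la") for t in la}
    seen = set(frontier)
    while frontier:
        new = set()
        for tup, last in frontier:
            nxt_rel, nxt_kind = (la, "la") if last == "ga" else (ga, "ga")
            for comp in _compose({tup}, nxt_rel):
                result.add(comp)
                if (comp, nxt_kind) not in seen:
                    seen.add((comp, nxt_kind))
                    new.add((comp, nxt_kind))
        frontier = new
    return symmetric(result)

def live_set(live_g, lu_p, ga, la_p) -> Set[Elem]:
    """LIVE_p = C(IN_USE_p, ALIAS_p) with IN_USE_p = LIVE_G u LU_p (equation 2)."""
    return extend_liveness(set(live_g) | set(lu_p), altclos(ga, la_p))

def direct_reuse_possible(var, live_g, lu_p, ga, la_p) -> bool:
    """After var => f(...), the top-level cell of var is reusable iff var^eps is not live."""
    return (var, EPS) not in live_set(live_g, lu_p, ga, la_p)

if __name__ == "__main__":
    # Constructed scenario: Z := X created the local alias (Z^eps, X^eps); the
    # current atom is X => [H|T] and the caller only needs the head of Z.
    la = {(("Z", EPS), ("X", EPS))}
    lu = {("H", EPS), ("T", EPS)}
    print(direct_reuse_possible("X", {("Z", (HEAD,))}, lu, set(), la))  # True
    print(direct_reuse_possible("X", {("Z", EPS)}, lu, set(), la))      # False
```

If the caller needs only the head of Z, the alias with X makes X^head live but not X^ε, so the cons cell of X may be reused; if the caller needs Z^ε, or Z^tail (which simplifies to Z^ε), the reuse is refused.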
2.6 Using the Analysis Results 

Which deconstruction/construction pairs are suited for reuse can be returned to 
the compiler as an extra piece of information in the HLDS code. The work of 
Taylor could be adapted to perform the actual reuse. Actually this should be 
easier than the current approach which still requires a non-trivial local analysis 
of the programmer-provided di/uo annotations. 

An important point to recall is that procedures can be called with different 
call patterns and that one obtains a form of multiple specialisation. Eventually, 
although having different call patterns, two versions may 
end up with identical direct and indirect reuse, hence should be merged into a 
single version. Such version control has been discussed elsewhere; as explained 
there, the analysis has two phases. In our case, the first phase performs the liveness 
analysis and constructs a table with call/exit patterns (a pattern consists of the 
ALIAS relation and the IN_USE set). This phase requires fixpoint iteration to 
handle recursive procedures. The second phase performs a single pass over the 
program, generates the required versions for each procedure and checks whether 
deconstruction/construction pairs satisfy the reuse condition. It also takes care 
that each procedure call calls the proper version. 

3 Module Based Analysis 

For separate compilation of modules, Mercury uses interfaces which are created 
during compilation and which contain the needed information about the exported 
predicates. Mutual dependencies are not a problem as all relevant information 
about exported procedures is in the obligatory declarations. However, mutual 
dependencies do pose a problem during abstract interpretation of mutually recursive 
predicates defined in different modules. This problem is discussed in a later section. 
For the time being, we assume a tree structure for the calling hierarchy between 
modules. 



3.1 Modular Liveness Analysis 

The domain of the liveness analysis is suited for a so called goal independent 
analysis Q. Starting the analysis of a procedure p/n with an empty LIVE_G 
and an empty GA component, one obtains as exit pattern the ALIAS relation 
describing the possible aliases created between the arguments of p/n due to 
the execution of p/n. Similarly, one obtains the IN_USE component describing 
the arguments of p/n in use due to the execution of p/n (which are nothing 
else than the data structures in the arguments which could be needed when 
backtracking returns control to p/n). This goal independent information about 
p/n suffices to perform the liveness analysis of a procedure q/m calling p/n. 
Combining the goal independent exit pattern of p/n with the liveness information 
of the point before the call to p/n, one can compute the liveness in the program 
point following the call. Storing the call/exit patterns of exported predicates in the 
module interface, modules importing predicates can be analysed by accessing 
their call/exit pattern in the corresponding interfaces. Hence a goal independent 
liveness analysis can be performed in a modular way. 



3.2 Modular Reuse Analysis 

For a truly modular analysis, the reuse analysis must also be modular. The problem 
is that reuse is not goal independent. One useful property is that the amount 
of reuse decreases monotonically with increases of $LIVE_q$, the liveness in the 
caller's context, and GA, the aliases in the caller's context. Hence performing 
a reuse analysis based on a goal independent liveness analysis of a procedure 
exported from a module gives a maximal amount of reuse. However, it is unlikely 
that an actual call will ever have $LIVE_q = \emptyset$. At least the output arguments 
of the procedure will be in $LIVE_q$. This suggests the following approach for 
analysing procedures exported from a module: besides the standard Mercury 
code without reuse, a version with reuse is generated. It is created starting from 
a liveness analysis of these procedures which are initialised with $GA = \emptyset$ and 
$LIVE_q = \{A^\epsilon \mid A \text{ is an output argument}\}$ (called the default liveness analysis). 
The standard reuse analysis is applied on the outcome of this analysis and results 
in code with reuse annotations for the exported procedure and for the internal 
procedures called by them. When calling an imported procedure, one can check 
whether the caller's context meets the assumption for reuse, i.e. whether there 
are no aliases between the (input) arguments of the procedure and none of the 
input arguments is live. If so, the version with reuse can be called; if not, the 
version without reuse is called. In what follows, we call the default liveness 
analysis of the procedures exported by a module followed by the reuse analysis 
the default analysis of the module. 

The above approach is overly pessimistic. Consider predicate append with 
mode (in, in, out). The default analysis reveals that the backbone of the first 
input list can be reused for constructing the output list. Calls with the elements 
of the first input list live, or with the second input list live do not meet the 
requirement for using the reuse version. However, performing the analysis for 
such call patterns reveals that reuse is still possible. Intuitively, the reuse version 
of append can be called when the backbone of the first input list is not live. More 
generally, the problem to be addressed is: which results about the default analysis 
should be stored and how to check that a particular call meets the requirements 
to call the reuse version resulting from the default analysis. 

^ Although the ALIAS component is not idempotent, $Altclos(ALIAS, ALIAS) \neq ALIAS$, 
there is no loss of precision with respect to a goal dependent analysis. This 
is because the aliases created during the analysis of p/n depend only on the mode 
declared for p/n, not on the call pattern of p/n. 

® Making a call and not using some of the outputs is not impossible; however, we 
consider it part of a preceding source level specialisation step to create a special 
version of the procedure with the unneeded outputs eliminated. 
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3.2.1 Conditions for Reuse. In what follows, a component is given a sub- 
script i when its value depends on the program point i. It is given a superscript 
da or gd when its value differs between the default and the goal dependent 
analysis. 

Consider the following program fragment: 

q(Q1, ..., Qn) :- ... i X => f(...), ... 

Performing a default liveness analysis for q/n, the liveness formula applied at program 
point i yields the live set 

$LIVE_i^{da} = C(LU_i \cup LIVE_q^{da}, LA_i)$   (3) 

where $LIVE_q^{da} = \{Q_l^\epsilon \mid Q_l \text{ is an output argument of } q\}$ and $LU_i$, $LA_i$ are respec- 
tively the local use and the local aliases at i. The top level of X becomes available 
for reuse when $X^\epsilon \notin LIVE_i^{da}$. A goal-dependent analysis of q/n computes 

$LIVE_i^{gd} = C(LU_i \cup LIVE_q^{gd}, Altclos(LA_i, GA_q^{gd}))$   (4) 

with $LIVE_q^{gd}$ the initial liveness of q/n and $GA_q^{gd}$ the initial aliases of q/n. We 
want to check whether reuse is still possible without performing a goal dependent 
analysis for q/n. To do so, we first present a theorem which addresses a slightly 
more general situation. First we introduce some new notation. 

— With $R$ a relation over (a set from) a domain of data structures and $V$ a set 
of variables, $R|_V$ denotes the restriction of the relation to the variables in $V$. 

— With $D$ a set of data structures, $V$ a set of variables and $LA_i$ the local 
aliases at a program point i, $D^V$ is the abbreviation for $C(D, LA_i)|_V$, i.e. 
the restriction to $V$ of the data structures reachable from the set $D$ due to 
the aliases in $LA_i$. 

Theorem 1. Given a procedure with head variables $\mathcal H$ and local aliases $LA_i$ 
and local use $LU_i$ at program point i. Let $D$ be a set of data structures from the 
procedure. If 

$X^s \in D$ implies $X^s \notin C(LU_i \cup LIVE_q^{da}, LA_i)$   (5) 

$Y^t \in D^{\mathcal H}$ implies $Y^t \notin C(LIVE_q^{gd} \cup LU_i|_{\mathcal H}, Altclos(GA_q^{gd}, LA_i|_{\mathcal H}))$   (6) 

then 

$X^s \in D$ implies $X^s \notin C(LU_i \cup LIVE_q^{gd}, Altclos(GA_q^{gd}, LA_i))$   (7) 

Proof. Note that $GA_q^{gd}$ and $LIVE_q^{gd}$ contain only data structures from $\mathcal H$. As- 
sume $X^s \in C(LU_i \cup LIVE_q^{gd}, Altclos(GA_q^{gd}, LA_i))$. $X^s \in LU_i \cup LIVE_q^{gd}$ is in 
contradiction with conditions (5) ($X^s \notin LU_i$) and (6) (if $X^s \in LIVE_q^{gd}$ then 
$X \in \mathcal H$, but then $X^s \in D^{\mathcal H}$) of the theorem. Hence there must be a path starting 
in $Z^u \in LU_i \cup LIVE_q^{gd}$, alternating over $GA_q^{gd}$ and $LA_i$ and ending in $X^s$ (by the 
definition of $C$). We perform a case analysis and show that each case is inconsistent 
with the conditions of the theorem. 
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— $Z \notin \mathcal H$ (hence $Z^u \in LU_i$) 

• path of length 1: $(Z^u, X^s) \in LA_i$ and thus (5) is violated for $X^s$. 

• path of length > 1: The first edge in the path is of the form $(Z^u, Y_1^{t_1})$ 
and belongs to $LA_i$; moreover (the path alternates with $GA_q^{gd}$) $Y_1 \in \mathcal H$, 
hence $Y_1^{t_1} \in LU_i|_{\mathcal H}$. From the assumption it follows that $(Y_1^{t_1}, X^s) \in 
Altclos(GA_q^{gd}, LA_i)$, hence an alternating path $(Y_1^{t_1}, Y_2^{t_2}), \ldots, (Y_n^{t_n}, X^s)$ 
with $Y_1, \ldots, Y_n \in \mathcal H$ exists. If $X \in \mathcal H$ then we have $(Y_1^{t_1}, X^s) \in 
Altclos(GA_q^{gd}, LA_i|_{\mathcal H})$ and (6) is violated for $X^s$. Otherwise $X \notin \mathcal H$, 
hence $Y_n^{t_n} \in D^{\mathcal H}$ and $(Y_1^{t_1}, Y_n^{t_n}) \in Altclos(GA_q^{gd}, LA_i|_{\mathcal H})$, hence (6) is 
violated for $Y_n^{t_n}$. 

— $Z \in \mathcal H$ (hence $Z^u \in LU_i|_{\mathcal H} \cup LIVE_q^{gd}$) 

• path of length 1: Either $(Z^u, X^s) \in GA_q^{gd}$ or $(Z^u, X^s) \in LA_i$. In the 
former case, $(Z^u, X^s) \in Altclos(GA_q^{gd}, LA_i|_{\mathcal H})$ and (6) is violated for 
$X^s$. In the latter case, either $Z^u \in LU_i$ and (5) is violated for $X^s$, or 
$Z^u \in LIVE_q^{gd}$, hence also $Z^u \in D^{\mathcal H}$ and condition (6) is violated for $Z^u$. 

• path of length > 1: $(Z^u, X^s) \in Altclos(GA_q^{gd}, LA_i)$, hence there is an 
alternating path $(Y_1^{t_1}, Y_2^{t_2}), \ldots, (Y_n^{t_n}, X^s)$ with $Z = Y_1$ and $Y_1, \ldots, Y_n \in 
\mathcal H$. If $X \in \mathcal H$ then $(Y_1^{t_1}, X^s) \in Altclos(GA_q^{gd}, LA_i|_{\mathcal H})$ and condition (6) 
is violated for $X^s$. Otherwise $X \notin \mathcal H$, hence $Y_n^{t_n} \in D^{\mathcal H}$ and $(Y_1^{t_1}, Y_n^{t_n}) \in 
Altclos(GA_q^{gd}, LA_i|_{\mathcal H})$, hence condition (6) is violated for $Y_n^{t_n}$. 

□ 

With $D = \{X^\epsilon\}$, the set of data structures potentially available for reuse, 
condition (5) verifies whether $X^\epsilon$ is available for reuse in the default analysis, 
while condition (7) verifies whether $X^\epsilon$ is available for reuse in the goal dependent 
analysis. Hence, given that reuse is possible in the default case, the theorem says 
that the latter condition can be replaced by condition (6), which is a condition 
involving only head variables. It suffices to store the relation/sets $LA_i|_{\mathcal H}$, $D^{\mathcal H}$ 
and $LU_i|_{\mathcal H}$ (the reuse information) in the module interface to allow a caller to 
check whether it can call the reuse version of the imported procedure q/n. 

Consider $append(A, B, C)$ with mode (in, in, out), $\mathcal H = \{A, B, C\}$ and 
$LIVE_q^{da} = \{C^\epsilon\}$. The default analysis computes in the point preceding $A \Rightarrow \ldots$ 
that $D = \{A^\epsilon\} = D^{\mathcal H}$, $LA_i|_{\mathcal H} = \emptyset$ and $LU_i|_{\mathcal H} = \{B^\epsilon, C^\epsilon\}$. Consider a call 
with $LIVE_q^{gd} = \{A^s, C^\epsilon\}$, where $s$ selects the elements of $A$ rather than its 
backbone, and $GA_q^{gd} = \emptyset$. Condition (6) becomes: $Y^t \in \{A^\epsilon\}$ 
implies $Y^t \notin C(\{A^s, B^\epsilon, C^\epsilon\}, \emptyset)$, which is satisfied. 

We also have to address the problem of verifying whether a version with 
indirect reuse can be called. Consider the following fragment: 

r(R1, ..., Rm) :- ... j q(X1, ..., Xn), ... 
q(Q1, ..., Qn) :- ... i X => f(...), ... 

To verify that the default version of r/m can call the version of q/n with reuse 
at program point i, one should check that the data structures in $D' = \rho(D^{\mathcal H})$ 
($\rho$ renames the variables in the head of q/n into the variables in the call to q/n) 
are not live, taking into account $LA'_j = LA_j \cup \rho(LA_i|_{\mathcal H})$ as local aliases and 
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$LU'_j = LU_j \cup \rho(LU_i|_{\mathcal H})$ as local use (this is the rephrasing of (5) to the context of 
program point j). If this indirect reuse is possible in the default case, then the 
reuse information over the variables of r/m ($LA'_j|_{\mathcal H}$, $D'^{\mathcal H}$ and $LU'_j|_{\mathcal H}$, with 
$\mathcal H$ now the head variables of r/m) can 
be computed. A caller to r/m can use the version of r/m with indirect reuse in 
q/n if (6) is satisfied for the reuse information of r/m. Repeating this, the reuse 
information can be propagated up to the level of the exported predicates. Note 
that here fixpoint iteration is needed to handle recursive procedures (the reuse 
information of a recursive procedure is needed while computing it). 
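The caller-side check of condition (6) and the renaming step for indirect reuse, as an added example that is not code from the paper or from the Mercury compiler. Data structures are (variable, selector) pairs with the empty selector standing for the top level X^ε; the closure C(D, R) is implemented as reachability over aliases and Altclos(R1, R2) as paths whose edges alternate between the two relations, both following the descriptions above. The selector "[1]" for "the elements of a list", the callers r1/r2 and all set values are constructed; the append/3 data reproduces the example in the text.

```python
# Added example: condition (6) of Theorem 1 and indirect-reuse propagation
# (Sect. 3.2.1), run on constructed append/3 data. Not the paper's code.
# A data structure is a (variable, selector) pair; selector "" is the top
# level X^eps, selector "[1]" ("list elements") is a constructed convention.

def symmetric(rel):
    """Aliases are unordered: close the relation under swapping."""
    return set(rel) | {(y, x) for (x, y) in rel}

def closure(ds_set, rel):
    """C(D, R): D plus every data structure reachable from D over R."""
    rel, seen, todo = symmetric(rel), set(ds_set), list(ds_set)
    while todo:
        x = todo.pop()
        for a, b in rel:
            if a == x and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def altclos(r1, r2):
    """Altclos(R1, R2): pairs joined by a path whose edges strictly alternate
    between R1 and R2 (the path may start with either relation)."""
    rels = (symmetric(r1), symmetric(r2))
    nodes = {x for rel in rels for pair in rel for x in pair}
    result = set()
    for start in nodes:
        # state = (current node, index of the relation supplying the next edge)
        todo = [(start, 0), (start, 1)]
        seen = set(todo)
        while todo:
            node, k = todo.pop()
            for a, b in rels[k]:
                if a != node:
                    continue
                if b != start:
                    result.add((start, b))
                if (b, 1 - k) not in seen:
                    seen.add((b, 1 - k))
                    todo.append((b, 1 - k))
    return result

def restrict_rel(rel, vs):  # R|_V
    return {(x, y) for x, y in rel if x[0] in vs and y[0] in vs}

def restrict_set(ds_set, vs):
    return {x for x in ds_set if x[0] in vs}

def rename(obj, rho):
    """Apply the renaming rho to a set of data structures or of pairs."""
    sub = lambda d: (rho[d[0]], d[1])
    return {sub(x) if isinstance(x[0], str) else (sub(x[0]), sub(x[1]))
            for x in obj}

def default_reuse_info(D, LU_i, LA_i, LIVE_q_da, H):
    """Callee side, default analysis at point i: None when condition (5)
    fails, else the reuse information (LA_i|H, D^H, LU_i|H) that is stored
    in the module interface."""
    if D & closure(LU_i | LIVE_q_da, LA_i):
        return None
    D_H = restrict_set(closure(D, LA_i), H)
    return restrict_rel(LA_i, H), D_H, restrict_set(LU_i, H)

def caller_may_reuse(info, LIVE_q_gd, GA_q_gd):
    """Caller side: condition (6), decided over head variables only."""
    LA_H, D_H, LU_H = info
    live = closure(LIVE_q_gd | LU_H, altclos(GA_q_gd, LA_H))
    return not (D_H & live)

def indirect_reuse_info(callee_info, rho, LU_j, LA_j, LIVE_r_da, H_r):
    """Rephrase the callee's reuse information at call point j of r/m
    (D' = rho(D^H), LA'_j = LA_j u rho(LA_i|H), LU'_j = LU_j u rho(LU_i|H))
    and rerun the default check, giving r/m's own reuse information."""
    LA_H, D_H, LU_H = callee_info
    return default_reuse_info(rename(D_H, rho), LU_j | rename(LU_H, rho),
                              LA_j | rename(LA_H, rho), LIVE_r_da, H_r)

# Constructed data for append(A, B, C), mode (in, in, out), as in the text:
# point i precedes A => [...]; D = {A^eps}, LA_i = {}, LU_i = {B^eps, C^eps}.
A, B, C = ("A", ""), ("B", ""), ("C", "")

def append_reuse_info():
    return default_reuse_info({A}, {B, C}, set(), {C}, {"A", "B", "C"})

def append_scenarios():
    info = append_reuse_info()
    return {
        # only the elements of A and the output C are live: reuse version ok
        "elements_live": caller_may_reuse(info, {("A", "[1]"), C}, set()),
        # the backbone of A is live in the caller: no reuse
        "backbone_live": caller_may_reuse(info, {A, C}, set()),
        # caller aliases A with B, and the callee still uses B: no reuse
        "aliased_inputs": caller_may_reuse(info, {C}, {(B, A)}),
    }

def r_examples():
    """r1(P, Q, R) :- j append(P, Q, R) inherits append's reuse; in
    r2(P, R) :- j append(P, P, R) it is lost, as P is still used as second
    argument (constructed callers with empty LU_j and LA_j)."""
    info = append_reuse_info()
    r1 = indirect_reuse_info(info, {"A": "P", "B": "Q", "C": "R"}, set(),
                             set(), {("R", "")}, {"P", "Q", "R"})
    r2 = indirect_reuse_info(info, {"A": "P", "B": "P", "C": "R"}, set(),
                             set(), {("R", "")}, {"P", "R"})
    return r1, r2
```

`append_scenarios()` shows the three caller contexts discussed in the text (elements live, backbone live, inputs aliased); only the first may call the reuse version. `altclos` is strictly alternating, so `altclos(R, R)` is the transitive closure of `R` and differs from `R`, which is the point of the footnote on idempotence.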



3.2.2 Version Control. The default analysis of an exported procedure may 
reveal more than one point for reuse: there can be several deconstruction/con- 
struction pairs allowing reuse as well as indirect reuse through calls to procedures 
with reuse. For each case of reuse, a relation $LA_i|_{\mathcal H}$ and sets $D^{\mathcal H}$ and $LU_i|_{\mathcal H}$ are 
obtained so that the condition for the particular reuse can be tested by a caller. 
(The reuse is unconditional when $D^{\mathcal H}$ is empty.) If all conditions are satisfied 
then the version of the exported procedure which performs all the reuses can be 
called. If one of the conditions is violated, should one give up all reuse and call the 
version without any reuse? Ideally one should call a version which performs all 
the other reuses. This would require creating $2^n$ versions of the procedure when 
there are n places with (different) conditional reuse. This becomes infeasible for 
large n. Experience will have to show whether many cases of conditional reuse 
show up in a single procedure. If so, some pragmatic solutions will have to be 
worked out. Several scenarios are feasible: 

— Only make 2 versions, one without any conditional reuse and one with all 
conditional reuses. 

— Provide the programmer with a pragma to express interest in the reuse of a 
data structure. Then only the versions with conditional reuse involving these 
data structures are created. Such a pragma should still be much less tedious 
to use than di/uo declarations. 

— Make versions on demand: reuse code is only generated if a call occurs for 
which a particular set of reuse conditions is satisfied. This scenario breaks 
with the strict modularity of the compilation process. Also, versions created 
on demand for the compilation of another module may finally never be called 
from the main program. 

— Create all possible versions and add a final global analysis pass: once all 
modules of a program are analysed, a final global compilation can be per- 
formed, which, starting from the top-level module, makes a single pass over 
the whole program (and thus compiled code), and links those versions of the 
procedures which are actually needed into the final compiled code. While 
this solution also departs from the strict modularity principle, once modules 
are compiled with all their multitude of procedure versions, these modules 
will not have to be recompiled if used for other programs. 
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3.3 Circular Dependencies between Modules 

A problematic circular dependency exists when predicates that depend on each 
other are distributed over different modules. Several solutions with different 
computational costs are feasible (see also the discussion in ^3) . 

— When importing a procedure from a module which cannot be analysed due to 
a circular dependency, a worst case assumption can be made for the liveness 
(all arguments are live) and for the aliasing (all pairs of data structures 
with compatible types are aliases) of the imported procedure. This allows the 
analysis of the current module to continue but gives a suboptimal result. 

— Another solution is to make a best case assumption (only the output argu- 
ments are live and there are no aliases) and to reanalyse the current module 
when this assumption turns out to be false. So a fixpoint iteration across 
modules will be necessary. 

— A third solution is to load all dependent modules and analyse them together 
as one module. If the module is too large, the call graph of its procedures 
could be used to split it into parts that can be compiled separately. 

4 Experimental Results 

A prototype of the modular analysis has been implemented. The first phase 
performs a default liveness analysis of the exported procedures and the second 
phase uses its results to perform a reuse analysis. It creates for each exported 
procedure two versions (unless both versions are identical): one version with 
unconditional reuse only (or none at all) and a version with all possible reuse. 
For the latter version, the reuse information is also computed. It allows callers 
to verify whether they meet the conditions for reuse. 

4.1 Benchmarks and Results 

The following modules are analysed: basic library modules for tree and list ma- 
nipulation (assoc_list, bintree, bool, bt_array, list, set_ordlist, tree234), library 
modules which import procedures from the basic ones (bag, bintree_set, eqv- 
class, graph, group, map, multi_map, queue, set, set_unordlist), a module of the 
industrial users of Mercury in the ESPRIT project ARGo (argo_cnters) and mod- 
ules from the Mercury compiler (labelopt, llds, opt_util). In Table 1 the library 
modules are in the upper part and the other modules in the lower part. 

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Table 1. Results; - means not applicable, ? marks a cell that is illegible in the scan. 
(The rows for the remaining library modules of Sect. 4.1 are missing from the scan.) 
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
Module         Time    Pr  Xp  CR  UR  NR   Cnd   pol   DC  %DR   Lc  %LR   Ec  EcR  %ER 
set            0.08    27  27   6   0  21  1.00  1.00    0    -    0    -   27    6    ? 
set_ordlist    0.52    31  29   6   0  23  1.00  1.16    7    0   41    2   19    6    ? 
set_unordlist  0.34    30  27  13   3  14  1.15  1.10    1  100   25   64   12    6    ? 
tree234        1140    74  20  10   1   9  5.55  1.14  283   88  443   71  136    0    - 
argo_cnters    4.79    18   1   0   1   0     ?  1.00   32    ?   41   29   56    0    - 
labelopt       12.00    6   2   2   1   0     ?  2.00    2    ?   17   88   13    9   78 
llds           0.08     7   7   0   0   7     -  1.00    0    -    6    0    2    0    - 
opt_util       2028    73  46  20   8  23  2.04  1.47   48   83  284   28   70   24  100 

Time The time in seconds of the default liveness analysis.^ 

Pr The number of procedures in the module. 

Xp The number of exported procedures. 

CR The number of exported procedures for which conditional reuse is detected. 

UR The number of exported procedures for which unconditional reuse is detected. 
(The two types of reuse can occur in the same procedure.) 

NR The number of exported procedures without reuse. 

Cnd The average number of reuse conditions for exported procedures with conditional 
reuse. Some conditions might be equal (i.e. different sources of reuse might produce 
exactly the same reuse information). The number of reduced conditions is not 
available here. 

pol The average polyvariance resulting from the liveness analysis, i.e. the average 
number of call patterns per procedure. 

DC The number of deconstruction/construction pairs in the analysed module. 

%DR The percentage of deconstruction/construction pairs resulting in direct reuse. 

Lc The number of calls to procedures internal to the module. 

%LR The percentage of Lc that calls a version with reuse. 

Ec The number of calls to imported procedures. 

EcR The number of calls to imported procedures for which a reuse version exists. 

%ER The percentage of EcR that calls a version with reuse (- if EcR = 0). 

^ The analysis is done with a generic abstract interpretation tool written in Prolog, 
using Master Prolog, release 4.1 ERP on a UltraSPARC-IIi (333MHz) with 256MB 
RAM, using SunOS Release 5.7, under a usual workload. 



4.2 Discussion 

— In most cases the analysis time is of the same order as the compilation time 
of the module. In a few cases it is rather large (tree234 and opt_util). We do 
not consider these times as unbearable, especially for library modules which 
have to be compiled only once. Modules importing them need only to consult 
the module interface. Our prototype leaves room for much improvement and 
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it is a topic of further research to consider alternative representations of 
the ALIAS information and to develop appropriate widenings. Our reuse 
analysis is not yet fine-tuned enough to report reuse analysis times. In most 
cases the time needed for it is comparable to the time for the default liveness. 
We believe it should only be a small fraction of the total analysis time, 
especially in cases where the default analysis time is large. 

— Reuse versions are created for a large fraction of exported predicates. Even 
unconditional reuse is quite frequent. This is an indication that our analysis 
is able to find an interesting amount of reuse. 

— The average number of reuse conditions is in general small. However for bag 
and tree234 the average is about 5 conditions. In tree234 there is a procedure 
with 12 conditions. Yet some of these conditions appear to be equivalent, and 
upon simplification, the total set of different conditions is reduced to only 3. 
It seems not feasible to create a version for each of the combinations of reuse. 
It requires further experimentation to find out how many of the conditions 
are satisfied by typical calls to procedures with many conditions and what 
are good strategies for version creation (see the discussion in Sect. 3.2.2). 

— The polyvariance is in general low. The multiple specialisation inherent at 
the analysis does not result in an explosion of versions of the same procedure. 

— Quite a large fraction of deconstruction/construction pairs result in direct 
reuse. If no direct reuse is detected, it is either because no reuse is possible 
or because the analysis is too imprecise. It requires hand analysis to find out 
what is the real cause; it is not feasible to analyse this on a large scale. 

— Versions of local procedures with reuse are quite frequently called. 

— Although the total number of calls to imported procedures (Ec) looks high 
with regard to the number of calls to such procedures for which a reuse 
version exists (EcR), most of the calls happen to be I/O related, or integer- 
operations, hence are to procedures which cannot have reuse versions. 



4.3 Effect on the Performance of Mercury Programs 

There is yet no version of the Mercury compiler which makes use of the reuse 
analysis. However, Taylor has implemented structure reuse for a separate dis- 
tribution of the Mercury compiler. It is based on the di/uo annotations provided 
by the programmer. Hand translating the reuse annotations in di/uo annota- 
tions, we did a few experiments. 

For argo_cnters, a benchmark counting various properties in a file, this com- 
parison revealed a speedup of up to 30% depending on the size of the input. 
Comparing memory usage yields an improvement of 50% (7 mega-words com- 
pared to 14 mega-words in the non-optimized version). Other programs (too 
small to be included in Table 1), like nrev (naive reverse of a large list of in- 
tegers), and insert (inserting elements in a binary tree) reveal speedups up to 
75%, and memory savings up to 85%. The latter programs were also used as 
benchmarks in The di/uo annotations considered there correspond to the 
reuse annotations we derived. 
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5 Conclusion 

This paper describes how the liveness analysis can be extended into a 
modular reuse analysis for Mercury. The reuse analysis discovers when data 
structures become garbage and allows the compiler to reuse them. The concepts 
can be adapted for other sequential logic programming languages such as Ciao 
Prolog and HAL; however, one can expect that less precise type, mode and 
determinism information will result in less reuse. 

The contribution of this paper is to develop a modular reuse analysis which 
can become part of module compilation. While this was fairly straightforward for 
the liveness analysis — liveness analysis is fitted for goal independent analysis — , 
it was a nontrivial task for reuse analysis. A major contribution is a theorem 
which allows to transform a condition verifying whether data structures become 
available for reuse at some program point into a condition over the head variables 
of the procedure which can be verified by the caller of the procedure. This is the 
basis to derive conditional reuse for procedures exported by a module. Storing 
the necessary information in the module interface, other modules importing the 
procedure can easily verify whether they can call a version with reuse or not. 

The paper also reports on experiments done with a prototype. Our results 
are promising: a substantial number of opportunities for reuse are detected and 
a few experiments show that they can have a substantial impact on perfor- 
mance and memory consumption. The results are encouraging enough to start 
the development of an analyser in Mercury itself which can become a compo- 
nent of the Mercury compiler. Much more extensive experiments will localise 
the remaining problems. We expect that we will be confronted with too bulky 
aliasing information and will have to consider a more compact representation for it 
and/or appropriate widening operators. The issue of multiple specialisation will 
also need further investigation. We also have to incorporate language features 
ignored so far such as higher order predicates and type classes. 

References 

1. Yves Bekkers and Paul Tarau. Monadic constructs for logic programming. In John 
Lloyd, editor, Proceedings of the International Symposium on Logic Programming, 
pages 51-65, Cambridge, December 4-7 1995. MIT Press. 

2. Maurice Bruynooghe. A practical framework for the abstract interpretation of logic 
programs. Journal of Logic Programming, 10(2):91-124, February 1991. 

3. Maurice Bruynooghe, Gerda Janssens, and Andreas Kågedal. Live-structure analy- 
sis for logic programming languages with declarations. In L. Naish, editor, Proceed- 
ings of the Fourteenth International Conference on Logic Programming (ICLP'97), 
pages 33-47, Leuven, Belgium, 1997. MIT Press. 

4. M. Codish, M. Bruynooghe, M. García de la Banda, and M. Hermenegildo. Ex- 
ploiting goal independence in the analysis of logic programs. Journal of Logic 
Programming, 32(3):247-261, September 1997. 

5. Saumya K. Debray. On copy avoidance in single assignment languages. In David S. 
Warren, editor, Proceedings of the Tenth International Conference on Logic Pro- 
gramming, pages 393-407, Budapest, Hungary, 1993. The MIT Press. 



A Module Based Analysis for Memory Reuse in Mercury 1269 



6. B. Demoen, M. García de la Banda, W. Harvey, K. Marriott, and P. Stuckey. An 
overview of HAL. In Proceedings of the International Conference on Principles 
and Practice of Constraint Programming, pages 174-188, Virginia, USA, October 
1999. Springer Verlag. 

7. G. Gudjonsson and W. Winsborough. Update in place: Overview of the Siva 
project. In D. Miller, editor, Proceedings of the International Logic Programming 
Symposium, pages 94-113, Vancouver, Canada, 1993. The MIT Press. 

8. Fergus Henderson, Thomas Conway, Somogyi Zoltan, and Jeffery David. The 
Mercury language reference manual. Technical Report 96/10, Dept. of Computer 
Science, University of Melbourne, February 1996. 

9. M. V. Hermenegildo, F. Bueno, G. Puebla, and P. Lopez. Program analysis, de- 
bugging, and optimisation using the Ciao preprocessor. In D. De Schreye, editor, 
Logic programming, Proc. of the 1999 Int. Conf. on Logic Programming, pages 
52-66, Las Cruces, NM, December 1999. MIT Press. 

10. S. B. Jones and D. Le Métayer. Compile-time garbage collection by sharing anal- 
ysis. In Proceedings of the Conference on Functional Programming Languages and 
Computer Architecture '89, Imperial College, London, pages 54-74, New York, NY, 
1989. ACM. 

11. Andreas Kågedal and Saumya Debray. A practical approach to structure reuse 
of arrays in single assignment languages. In Lee Naish, editor, Proceedings of the 
14th International Conference on Logic Programming, pages 18-32, Cambridge, 
July 8-11 1997. MIT Press. 

12. Feliks Kluźniak. Compile-time garbage collection for ground Prolog. In Robert A. 
Kowalski and Kenneth A. Bowen, editors, Proceedings of the Fifth International 
Conference and Symposium on Logic Programming, pages 1490-1505, Seattle, 1988. 
MIT Press, Cambridge. 

13. N. Mazur, G. Janssens, and M. Bruynooghe. Towards memory reuse for Mercury. 
In Proc. Int. Workshop on Implementation of Declarative Languages (IDL'99), 
Paris, September 1999. 

14. Anne Mulkers, Will Winsborough, and Maurice Bruynooghe. Live-structure 
dataflow analysis for Prolog. ACM Transactions on Programming Languages and 
Systems, 16(2):205-258, March 1994. 

15. G. Puebla and H. Hermenegildo. Some issues in analysis and specialisation of 
modular programs. In M. Leuschel, editor, Optimisation and Implementation of 
Declarative Programs (WOID'99), an ICLP'99 workshop, 1999. 17 pages. 

16. G. Puebla and M. Hermenegildo. Abstract multiple specialisation and its appli- 
cation to program specialisation. The Journal of Logic Programming, 41:279-316, 
November-December 1999. 

17. Zoltan Somogyi, Fergus Henderson, and Thomas Conway. The execution algo- 
rithm of Mercury, an efficient purely declarative logic programming language. The 
Journal of Logic Programming, 29(1-3):17-64, October-December 1996. 

18. Simon Taylor. Optimization of Mercury programs. Honours report, Department 
of Computer Science, University of Melbourne, November 1998. 

19. Mads Tofte and Talpin Jean-Pierre. Region-based memory management. Infor- 
mation and Computation, 132(2):109-176, 1997. 

20. K. Ueda. Linearity analysis of concurrent logic programs. In M. Leuschel, ed- 
itor, Optimisation and Implementation of Declarative Programs (WOID'99), an 
ICLP'99 workshop, 1999. 14 pages. 

21. Philip Wadler. The essence of functional programming. In Conference Record 
of the Nineteenth Annual ACM SIGPLAN-SIGACT Symposium on Principles of 
Programming Languages, pages 1-14, Albuquerque, New Mexico, January 1992. 




Mode Checking in HAL 



María García de la Banda¹, Peter J. Stuckey², 
Warwick Harvey¹, and Kim Marriott¹ 

¹ Monash University, Clayton 3168, Australia 
{mbanda,wharvey,marriott}@csse.monash.edu.au 
² University of Melbourne, Parkville 3152, Australia 
pjs@cs.mu.oz.au 



Abstract. Recent constraint logic programming (CLP) languages, such 
as HAL and Mercury, require type, mode and determinism declarations 
for predicates. This information allows the generation of efficient target 
code and the detection of many errors at compile-time. However, mode 
checking in such languages is difficult since the compiler is required to 
appropriately re-order literals in the predicate’s definition for each pred- 
icate mode declaration. The task is further complicated by the need 
to handle complex instantiations which interact with type declarations, 
higher order functions and predicates, and automatic initialization of 
solver variables. Here we give the first formal treatment of mode check- 
ing in strongly typed CLP languages which require reordering of clause 
body literals during mode checking. We also sketch the mode checking 
algorithms used in the HAL compiler. 



1 Introduction 

While traditional logic and constraint logic programming (CLP) languages are 
untyped and unmoded, recent languages such as Mercury and HAL | re- 
quire type, mode and determinism declarations for (exported) predicates and 
functions. This information allows the generation of efficient target code (e.g. 
mode information provides a substantial speed improvement Q), improves ro- 
bustness and facilitates efficient integration with foreign language procedures. 
Here we describe our experience with mode checking in the HAL compiler. 

HAL is a CLP language designed to facilitate "plug-and-play" experimenta- 
tion with different solvers. To achieve this it provides support for user-defined 
constraint solvers, global variables and dynamic scheduling. Mode checking in 
HAL is one of the most complex stages in compilation. It requires the compiler 
to appropriately re-order literals in the body of each rule. Since predicates can be 
given multiple mode declarations, the compiler mode checks each of these modes 
and creates a specialized procedure (i.e. performs multi-variant specialization). 
Three issues make mode checking even more difficult. First, instantiations (which 
describe the possible states of program variables) may be very complex and in- 
teract with the type declarations. Second, accurate mode checking of higher 
order functions and predicates is difficult. Third, the compiler needs to handle 
automatic initialization of solver variables. 
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Here we formalize mode checking in the context of strongly typed CLP lan- 
guages which may need reordering of clause body literals during mode checking. 
In order to do this we introduce "ti-trees", which are a kind of labelled determin- 
istic regular tree. We also describe the mode checking algorithms currently used 
in the HAL compiler. Since HAL and the logic programming language Mercury 
share similar type and mode systems, much of our description and formalization 
also applies to mode checking in Mercury (which has not been previously de- 
scribed). However, there are significant differences: HAL requires the automatic 
initialization of solver variables and handles a limited form of polymorphic mode 
checking. Furthermore, determining the best reordering in HAL is more complex 
than in Mercury because the order in which constraints are solved can have a 
greater impact on efficiency. On the other hand, Mercury's mode system 
allows the specification of information about data structure liveness and usage. 

Mode inference and checking of logic programs has been a fertile research field
for many years. However, almost all research has focused on mode
checking/inference in traditional logic programming languages where the analysis
assumes the given literal ordering is correct, only simple instantiations are
used and higher-order predicates are largely ignored. Regular trees have been
used before in logic programming to define types and instantiations, usually in
the context of inference of information. Here, although we use regular trees to
formalize types, our type analysis is based on a Hindley-Milner approach. A key
difference with previous work is that we describe instantiations for polymorphic
types, including higher-order objects. The only other work on mode checking in
strongly typed logic languages with reorderable clause bodies is that of

2 The HAL Language

In this section we provide an overview of the HAL language. The basic syntax
follows the standard CLP syntax, with variables, rules and predicates defined as
usual (see the references for an introduction to CLP). HAL supports integer,
float, string and char data types and terms over these types. However, the base
language support is limited to assignment, testing for equality, and
construction and deconstruction of ground data. More sophisticated constraint
solving requires the programmer to import a constraint solver for the type. In
the case of terms, the declaration :- herbrand f/n. indicates that the system
should use a Herbrand solver for terms of type f(T1, ..., Tn). Types with an
associated constraint solver are called solver types.

Programmers may annotate predicate definitions with type, mode and determinism
declarations. Types specify the representation format of program variables. For
example, the type system in HAL distinguishes between constrained integers
(cint) and standard numerical integers (int) since these have a different
representation. Type definitions are (polymorphic) regular tree type statements.
Instantiations specify the possible values, within a type, that a program
variable may have. The base instantiations are new, old and ground. A variable
is new if it has not been seen by any constraint solver, old if it has, and
ground if it is known to take a fixed value. For data structures such as lists
of solver variables, more complex instantiations may be used. A mode is of the
form Inst1 -> Inst2 where Inst1 and Inst2 describe the call and success
instantiations, respectively. The standard modes are mappings from one base
instantiation to another: we use two letter codes (oo, no, og, gg=in, ng=out)
based on the first letter of the instantiation, e.g. ng is new -> ground. Every
constraint solver is required to provide an initialization predicate, init/1,
with mode no. Determinism declarations describe how many answers a procedure
may have: nondet means any number of solutions; multi at least one solution;
semidet at most one solution; det exactly one solution; failure no solutions;
and erroneous a runtime error.

¹ In part, because HAL is compiled to Mercury.

Consider the following HAL program implementing a polymorphic stack using lists.

    :- typedef list(T) -> ( [] ; [T | list(T)] ).
    :- instdef elist -> [].
    :- instdef nelist -> [ground | list(ground)].
    :- instdef list(I) -> ( [] ; [I | list(I)] ).
    :- modedef out(I) -> (new -> I).
    :- modedef in(I) -> (I -> I).
    :- pred push(list(T), T, list(T)).
    :- mode push(in, in, out(nelist)) is det.
    push(S0, E, S1) :- S1 = [E | S0].
    :- pred pop(list(T), T, list(T)).
    :- mode pop(in, out, out) is semidet.
    :- mode pop(in(nelist), out, out) is det.
    pop(S0, E, S1) :- S0 = [E | S1].
    :- pred empty(list(T)).
    :- mode empty(in) is semidet.
    :- mode empty(out(elist)) is det.
    empty(S) :- S = [].

The first line defines a (parametric) list type. The next three lines define
instantiations: elist describes empty lists, nelist describes non-empty ground
lists, and list(I) describes lists of elements with instantiation I. Note the
deliberate reuse of the type name. The next two lines are mode definitions,
defining macros for modes. The out(I) mode requires a new object on call and
returns an object with instantiation I. The in(I) mode requires instantiation I
on call and has the same instantiation on success. The next three lines define
predicate push/3. The first line is a type declaration (polymorphic in element
type T). The second is a mode declaration specifying that the first two
arguments must be ground on call, the third returns a non-empty ground list, and
the determinism is det. The remaining lines similarly define pop/3 and empty/1.
Note that each has two modes of usage.

3 Type, Instantiation, and Type-Instantiation Trees

This section formalizes type and instantiation definitions in terms of
deterministic regular trees. It then introduces type-instantiation (ti-) trees
which combine type and instantiation information and are the basis for mode
checking in HAL.

Regular Trees: Regular trees are a well understood formalism, but algorithms for
them are surprisingly hard to find in the literature: the cited works give
algorithms for ordering (≤) and lower bound (⊓), and for (polymorphic)
non-deterministic regular trees.

Fig. 1. Regular trees for lists of as, bs, cs and ds and their meet and join.



A signature Σ is a set of pairs f/n where f is a symbol and n ≥ 0 is the integer
arity of f. Let τ(Σ) denote the set of all ground terms (the Herbrand Universe)
over Σ. We assume (for simplicity) that Σ contains at least one constant (i.e.
arity 0) symbol.

A (deterministic) regular tree r over some signature Σ is a rooted directed
graph with the following properties:

1. Each node a has a label denoted label(a) and has deg(a) outgoing edges
labelled 1, ..., deg(a).

2. There are two classes of nodes: functor nodes and set nodes. Consider a node
a with label(a) = f and deg(a) = n. If a is a functor node then f/n ∈ Σ and each
outgoing edge ends at a set node. If a is a set node then f ∈ Set, all outgoing
edges end at functor nodes, and these functor nodes refer to distinct function
symbols, i.e. for each two children a_i and a_j, either label(a_i) ≠ label(a_j)
or deg(a_i) ≠ deg(a_j). For standard regular trees Set = {OR}.

3. The root node is a set node.

4. Each node is reachable from the root node.

Note that regular trees are bipartite: set nodes alternate with functor nodes.

We use paths (sequences of integers) to refer to nodes in a regular tree: If r
is a regular tree, r.ε refers to the root of r, while if r.p refers to node a,
then r.p.i refers to the node reached from a by following the edge labelled i.
Each path p in a regular tree r defines a subset [[r.p]] of τ(Σ). This is the
least set satisfying:

\[
[\![ r.p ]\!] =
\begin{cases}
\bigcup \{ [\![ r.p.i ]\!] \mid 1 \le i \le \deg(r.p) \}
  & \text{if } \mathit{label}(r.p) = \mathit{OR} \\[4pt]
\{ f(t_1, \ldots, t_n) \mid f = \mathit{label}(r.p),\ n = \deg(r.p),\
  t_i \in [\![ r.p.i ]\!] \text{ for } 1 \le i \le n \}
  & \text{otherwise.}
\end{cases}
\]

We extend this notation by defining the meaning of regular tree r as
[[r]] = [[r.ε]].

Example 1. Consider the signature {[]/0, '.'/2, a/0, b/0, c/0, d/0} and the
associated regular trees r_1 and r_2 shown in Figure 1(a) and (b), respectively.
The tree r_1 defines lists of as, bs and cs. The notation r_1.2.2.2.1.2 refers
to the node labelled b. The tree whose root is r_1.2.2.2.1 defines the set of
terms {a, b, c}, while r_2 defines even length lists of bs, cs and ds.

The [[·]] function induces a partial order on regular trees: r_1 ≤ r_2 iff
[[r_1]] ⊆ [[r_2]]. With the addition of ⊥, the least regular tree, and ⊤, the
greatest regular tree, the partial order gives rise to a lattice over the
regular trees. We use ⊓ to denote the meet (i.e. greatest lower bound) operator
in this lattice, and ⊔ to denote the join (i.e. least upper bound) operator. We
have that [[r_1 ⊓ r_2]] = [[r_1]] ∩ [[r_2]]. Because we restrict ourselves to
deterministic regular trees the join is inexact: [[r_1 ⊔ r_2]] ⊇ [[r_1]] ∪
[[r_2]].

Example 2. Consider the regular trees r_1 and r_2 illustrated in Figure 1. Their
meet is shown in Figure 1(c). Their join is shown in Figure 1(d).
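To make the definitions above concrete, here is an added Python model of
deterministic regular trees (example code written for this page, not code from
the paper or the HAL compiler). Membership in [[r]] follows the least-fixpoint
definition, and meet and join are built by the product construction over pairs
of set nodes; the sample trees are constructed to match Example 1 (r_1: lists of
as, bs and cs; r_2: even-length lists of bs, cs and ds), and the set-node names
("root", "abc", "odd", ...) are this example's own.

```python
# Deterministic regular trees (Section 3) as an added, stand-alone Python model.
# A tree maps each set-node name to its functor alternatives (functor, child set
# nodes); the arity is the number of children.  Determinism: no two alternatives
# of one set node share (functor, arity).  Cycles are expressed by naming a set
# node that is already on the path from the root (e.g. the list tail).
from typing import Dict, List, Tuple

Term = Tuple[str, tuple]                         # ground term: (functor, args)
Tree = Dict[str, List[Tuple[str, List[str]]]]    # set node -> [(functor, kids)]

def member(tree: Tree, term: Term, node: str = "root") -> bool:
    """Decide term ∈ [[tree.node]] by the least-fixpoint definition of [[.]].
    The recursion follows the finite term, so cycles in the tree terminate."""
    f, args = term
    for g, kids in tree[node]:
        if g == f and len(kids) == len(args):    # determinism: at most one match
            return all(member(tree, a, k) for a, k in zip(args, kids))
    return False

def _combine(t1: Tree, t2: Tree, union: bool) -> Tree:
    """Product construction over pairs of set nodes.  union=False keeps only the
    alternatives present in both trees (the meet, which is exact); union=True
    keeps every alternative, one-sided ones with their own children (the join,
    the least deterministic tree covering both, hence an over-approximation)."""
    name = lambda p: "root" if p == ("root", "root") else f"{p[0]}|{p[1]}"
    out: Tree = {}
    todo = [("root", "root")]
    while todo:
        p = todo.pop()
        if name(p) in out:
            continue
        a1 = {(g, len(k)): k for g, k in (t1[p[0]] if p[0] else [])}
        a2 = {(g, len(k)): k for g, k in (t2[p[1]] if p[1] else [])}
        keys = (a1.keys() | a2.keys()) if union else (a1.keys() & a2.keys())
        out[name(p)] = []
        for g, n in sorted(keys):
            kids = list(zip(a1.get((g, n), [None] * n), a2.get((g, n), [None] * n)))
            out[name(p)].append((g, [name(c) for c in kids]))
            todo.extend(kids)
    return out

def meet(t1: Tree, t2: Tree) -> Tree:
    return _combine(t1, t2, union=False)

def join(t1: Tree, t2: Tree) -> Tree:
    return _combine(t1, t2, union=True)

# Constructed samples (Example 1): R1 = lists of as, bs and cs (Figure 1(a));
# R2 = even-length lists of bs, cs and ds (Figure 1(b)).
R1: Tree = {"root": [("[]", []), (".", ["abc", "root"])],
            "abc": [("a", []), ("b", []), ("c", [])]}
R2: Tree = {"root": [("[]", []), (".", ["bcd", "odd"])],
            "odd": [(".", ["bcd", "root"])],
            "bcd": [("b", []), ("c", []), ("d", [])]}

def lst(*xs: str) -> Term:
    """Build the ground list term [x1, ..., xn] over '.'/2 and []/0."""
    t: Term = ("[]", ())
    for x in reversed(xs):
        t = (".", ((x, ()), t))
    return t

if __name__ == "__main__":
    M, J = meet(R1, R2), join(R1, R2)
    print("[b,c] in meet:", member(M, lst("b", "c")))        # even-length, b/c only
    print("[b] in meet:", member(M, lst("b")))               # odd length: excluded
    print("[a,d] in join but in neither input:",
          member(J, lst("a", "d")) and not member(R1, lst("a", "d"))
          and not member(R2, lst("a", "d")))
```

The last check is the inexactness of the join stated above: [a, d] is in
[[r_1 ⊔ r_2]] although it is in neither [[r_1]] nor [[r_2]], because a single
deterministic set node for the list element cannot keep the two alphabets
{a, b, c} and {b, c, d} apart once the '.'/2 alternatives are merged.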

Type Trees: Types in HAL are formalized using (possibly polymorphic)
deterministic regular trees. We assume a fixed signature Σ_term of term
constructors.

A type constructor f is a functor of some arity. A type expression (or simply
type) is either a type variable v or a term of the form f(t_1, ..., t_n) where f
is an n-ary type constructor, and t_1, ..., t_n are type expressions. A type
definition for f is of the form

\[
\texttt{typedef}\ f(v_1, \ldots, v_n) \to
\bigl( f_1(t^1_1, \ldots, t^1_{m_1})\ ;\ \cdots\ ;\ f_k(t^k_1, \ldots, t^k_{m_k}) \bigr).
\]

where v_1, ..., v_n are distinct type variables, {f_1/m_1, ..., f_k/m_k} ⊆ Σ_term
are distinct term constructor/arity pairs, and the t^j_i are type expressions
involving at most the variables v_1, ..., v_n.

Every type t has a corresponding regular tree r defined as follows: If t is a
type variable v then r is a singleton set node with label v and no children. We
thus need to add to Set (the set of possible labels for set nodes) an infinite
number of type variables. Conceptually, a type variable is simply a place holder
which can be substituted with a type expression. Otherwise, t is of the form
f(e_1, ..., e_n), where f is defined by a type definition of the form above. Let
θ be the substitution {v_1 ↦ e_1, ..., v_n ↦ e_n}. Then r has as root an OR
labelled node a with k functor nodes as children. The j-th child of a is
labelled f_j and has m_j children. The i-th child of r.j is the tree
corresponding to the type θ(t^j_i).

A type can be understood in a "naive" set-theoretic manner as the meaning of its
associated regular tree. From now on we will not distinguish between types and
their corresponding regular trees. For example, we will use the notation [[t]]
on a variable-free type t to refer to the set of terms defined by its
corresponding regular tree. For simplicity, we will ignore the built-in types
float, int, char and string whose treatment does not significantly complicate
mode checking.

Example 3. Given the type definition :- typedef abc -> ( a ; b ; c ). the
corresponding regular tree to type list(abc) is shown in Figure 1(a). The
meaning, [[list(abc)]], is the set of lists of as, bs and cs. The regular tree
corresponding to the type expression list(T) is shown in Figure 2(a).

Instantiation Trees: Instantiation definitions look like type definitions, the
only difference being that the arguments are instantiations rather than types.
However, they should not be confused: a type describes the representation format
for a variable and is thus invariant over the life of the variable, while an
instantiation describes at a particular point in execution how constrained a
variable is and what values it may have been bound to.

An instantiation constructor g is a functor of some arity. An instantiation
expression (or simply instantiation) is either a base instantiation (one of
ground, old or new), an instantiation variable w, or a term of the form
g(i_1, ..., i_n) where g is an n-ary instantiation constructor, and i_1, ..., i_n
are instantiation expressions. An instantiation definition for g is of the form:

\[
\texttt{instdef}\ g(w_1, \ldots, w_n) \to
\bigl( g_1(i^1_1, \ldots, i^1_{m_1})\ ;\ \cdots\ ;\ g_k(i^k_1, \ldots, i^k_{m_k}) \bigr).
\]

where w_1, ..., w_n are distinct instantiation variables, {g_1/m_1, ..., g_k/m_k}
⊆ Σ_term are distinct term constructors, and the i^j_l are instantiation
expressions other than new² involving at most the variables w_1, ..., w_n.

HAL requires instantiations appearing in a predicate mode declaration to be
variable-free. As a result, mode checking only deals with variable-free
instantiations. Thus, from now on we will assume all instantiations are variable
free. We can associate a slightly extended form of regular tree with a
variable-free instantiation, analogously to how we associate a regular tree to a
type. The only differences are that there are no nodes labelled by instantiation
variables and that we require new set node labels {new, old, ground} ⊆ Set to
express the base instantiations. Each of these set nodes has no outgoing arcs and
any new node must be the only node in its regular tree.

Type-Instantiation Trees: The type information of a variable x can be combined
with an instantiation for x to give even more detailed information about the
possible values x can take at a particular program point. To do this, we define
a function rt(t, i) from a type expression t and a variable-free instantiation
expression i to a type-instantiation regular tree (or ti-tree).

The base instantiation ground represents all elements of the type but indicates
that the program variable is bound to a unique value. Hence, if t is a
variable-free type, rt(t, ground) is simply t. Otherwise, rt(t, ground) is
obtained from t by replacing each node labelled by a type variable v by a node
labelled ground(v) with no children. Conceptually, this new node represents the
tree rt(t', ground) obtained if v were replaced by the variable-free type t'.

The base instantiation old represents all elements of the type, including the
possibility that the program variable may still not have a unique value for
those parts of the type which are solver types (i.e. have an associated solver).
The regular tree rt(t, old) is obtained from t by (a) adding a new child
labelled old_{t'} to any OR node corresponding to a solver type t', and (b)
replacing the nodes labelled with a type variable v by a node labelled old(v)
with no children.

Example 4. Suppose that list types are solver types but that the type abc is
not. Then rt(list(abc), old) (= olabc_1) is the regular tree shown in Figure
1(a), but with an extra (third) child of the root labelled old_{list(abc)}. The
set [[olabc_1]] includes the terms {[], [a | old_{list(abc)}], [b],
[a, c, a | old_{list(abc)}]}. The symbol old_{list(abc)} represents possible
positions of list(abc) variables.

Suppose abc is a solver type but list types are not, then rt(list(abc), old)
(= olabc_2) is again the tree shown in Figure 1(a), but with a new (fourth)
child of the non-root OR node labelled old_{abc}. It is shown in Figure 2(c).
The set [[olabc_2]] includes the terms {[], [a], [old_{abc}, old_{abc}]}. Note
that the two occurrences of the symbol old_{abc} do not necessarily represent
the same variable.

² In HAL (and Mercury) uninitialized (new) data cannot appear in data
structures.

Fig. 2. Trees list(T), nelist, rt(list(abc), old) and rt(list(T), nelist).

The base instantiation new cannot exist as part of another instantiation. Thus,
the regular tree rt(t, new) is a singleton node with no incoming or outgoing
edges, labelled new_t. This is true regardless of whether t is a variable or
not.

We have now defined the result of rt(t, i) whenever i is a base instantiation.
In the case of non-base instantiations, rt is defined analogously to the ⊓
operation.

A ti-tree is thus a regular tree where Σ = Σ_term ∪ {old_t | t is a type
expression} and Set = {OR} ∪ {ground(v), old(v) | v is a type variable} ∪
{new_t | t is a type expression}. We extend the partial ordering and hence meet
and join on regular trees to ti-trees by taking into account the "is more
constrained" partial order on the base instantiations. The extension is as
follows. For the case of the singleton new_t: new_t ≤ r iff r = new_t;
new_t ⊔ new_t = new_t; new_t ⊔ r = ⊤ when r ≠ new_t (no representable upper
bound); new_t ⊓ r = r for any r³ (usually representing when a variable is first
instantiated to r). Let us now consider ground(v) and old(v). We assume mode
checking occurs after type analysis and, thus, we know the code is type-correct
and we can assume we have the most specific type description for each program
variable. As a result, we will only compare nodes containing the same type
variable v. Therefore, we only need note that ground(v) ≤ old(v), and the meet
and join operations follow in the natural way.

Example 5. Assume abc is a solver type and list types are not. The regular trees
in Figures 2(a), (b), (c) and (d) correspond to type list(T), instantiation
nelist, and ti-trees rt(list(abc), old) and rt(list(T), nelist), respectively.

Finally, we introduce the concept of a type-instantiation state (or ti-state)
{x_1 ↦ r_1, ..., x_n ↦ r_n}, which maps program variables to ti-trees. We can
extend operations on ti-trees to ti-states over the same set of variables in the
obvious manner. Given ti-states TI = {x_1 ↦ r_1, ..., x_n ↦ r_n} and
TI' = {x_1 ↦ r'_1, ..., x_n ↦ r'_n}, then TI ≤ TI' iff r_i ≤ r'_i for all
1 ≤ i ≤ n, TI ⊓ TI' = {x_i ↦ r_i ⊓ r'_i | 1 ≤ i ≤ n} and
TI ⊔ TI' = {x_i ↦ r_i ⊔ r'_i | 1 ≤ i ≤ n}.

³ This interpretation of ⊓ does not agree with the ordering; instead it gives
the correct answer when we use ⊓ to create new instantiations during mode
checking.
4 Basic Mode Checking

Mode checking is a complex process which aims to reorder body literals in order
to satisfy the mode constraints provided by each mode declaration, thus
generating different code for each mode declaration.

Before performing mode checking, the HAL compiler normalizes the program (i.e.
rewrites it to a form where each atom has distinct variables as arguments and
each equality is either of the form x = y or x = f(x_1, ..., x_n), where
x, y, x_1, ..., x_n are distinct variables) and performs type checking (and
inference) so the type of each program variable is known.

We shall now explain mode checking by showing how to check whether each program
construct is schedulable for a given ti-state and, if so, what the resulting
ti-state is. If the program construct is not schedulable for the given ti-state
it may be reconsidered after other constructs are scheduled. We assume that
before checking each construct for initial ti-state TI, we extend TI so that any
variable of type t local to the construct is assigned the ti-tree new_t.

Equality: Consider the equality x_1 = x_2 where x_1 and x_2 are variables of
type t and current ti-state TI = {x_1 ↦ r_1, x_2 ↦ r_2} ∪ RTI (where RTI is the
ti-state for the remaining variables). The two standard modes of usage for such
an equality are copy (:=) and unify (==). If exactly one of r_1 and r_2 is new_t
(say r_1), copy x_1 := x_2 can be performed and the resulting ti-state is
TI' = {x_1 ↦ r_2, x_2 ↦ r_2} ∪ RTI. If both are not new_t then unify
x_1 == x_2 is performed and the resulting ti-state is
TI' = {x_1 ↦ r_1 ⊓ r_2, x_2 ↦ r_1 ⊓ r_2} ∪ RTI. If neither of the two modes of
usage apply, the literal is not schedulable (yet).

Consider the equality x = f(x_1, ..., x_n) where x, x_1, ..., x_n are variables
with types {x ↦ t, x_1 ↦ t_1, ..., x_n ↦ t_n} and current ti-state
TI = {x ↦ r, x_1 ↦ r_1, ..., x_n ↦ r_n} ∪ RTI. Its two standard modes of usage
are: construct (:=) and deconstruct (=:). The construct mode applies if r is
new_t and none of the r_j are new_{t_j}. The resulting ti-state is
TI' = {x ↦ r', x_1 ↦ r_1, ..., x_n ↦ r_n} ∪ RTI where r' is the ti-tree defined
by OR → f(r_1, ..., r_n). The deconstruct mode applies if each x_j is new_{t_j}
and r is not new_t and has no child old_t (i.e. it is definitely bound to some
functor). If r has a child tree of the form f(r'_1, ..., r'_n) the resulting
ti-state is TI' = {x ↦ r, x_1 ↦ r'_1, ..., x_n ↦ r'_n} ∪ RTI. If r has no child
tree of this form, the resulting ti-state is the same but with r'_j = ⊥,
1 ≤ j ≤ n, indicating that the deconstruct must fail. If some of the variables
x_j are new (i.e. r_j = new_{t_j}) and some are not (say x_{k_1}, ..., x_{k_m}),
the compiler decomposes the equality constraint into a deconstruct followed by
new equalities by introducing fresh variables, e.g.
x = f(x_1, ..., fresh_{k_1}, ...), ..., x_{k_1} = fresh_{k_1}, .... These new
equalities are handled as above.

Example 6. Assume X and Y are ground lists and A is new. Scheduling the goal
Y = [A|X] results in the code Y =: [A|F], X == F.

The above uses of deconstruct are guaranteed to be safe at runtime. One
difference between HAL and Mercury is that HAL allows the use of the deconstruct
mode when x is old (i.e. r = rt(t, old)). In this case r has a child node of the
form f(r'_1, ..., r'_n) and we proceed as in the previous paragraph. Note that
this is where the HAL mode system is weak (i.e. run-time mode errors can occur),
since if at run-time x is a variable the deconstruct will abort if it cannot
initialize all of x_1, ..., x_n.

Example 7. Assuming abc is not a solver type but lists are, the following
program may detect a mode error only at run-time:

    :- pred p(list(abc), abc).
    :- mode p(oo, out) is semidet.
    p(X, Y) :- X = [Y|_].

The equation is schedulable as a deconstruct since X is old. However, if at
run-time X is not bound when p is called, the deconstruct will generate a
run-time error since it cannot initialize Y.

Predicates: Consider the predicate call p(x_1, ..., x_n) where x_1, ..., x_n are
variables with types {x_1 ↦ t_1, ..., x_n ↦ t_n} and current ti-state
TI = {x_1 ↦ r_1, ..., x_n ↦ r_n} ∪ RTI, and p has mode declaration
p(c_1 → s_1, ..., c_n → s_n) where c_j, s_j are the call and success
instantiations, respectively, for argument j.

The predicate call can be scheduled if for each j ∈ {1..n} the current ti-state
is stronger than (defines a subset of) the calling ti-state required for p, i.e.
r_j ≤ rt(t_j, c_j). If the predicate is schedulable for this mode the new
ti-state is TI' = {x_1 ↦ r_1 ⊓ rt(t_1, s_1), ..., x_n ↦ r_n ⊓ rt(t_n, s_n)} ∪
RTI. The predicate call can also be scheduled if for each j such that
r_j ≰ rt(t_j, c_j) we have rt(t_j, c_j) = new_{t_j}. For each such j, the
argument x_j in the predicate call p(x_1, ..., x_{j-1}, x_j, x_{j+1}, ..., x_n)
is replaced by fresh_j, where fresh_j is a fresh new program variable, and the
equation fresh_j = x_j is added after the predicate call.

If multiple modes of the same predicate are schedulable, we choose a mode with
calling ti-state CTI (defined as {x_1 ↦ rt(t_1, c_1), ..., x_n ↦ rt(t_n, c_n)})
such that, for each other schedulable calling ti-state CTI', CTI' ≥ CTI.

Conjunctions, Disjunctions and If-Then-Elses: To determine if a conjunction
G_1, ..., G_n is schedulable for initial ti-state TI we choose the left-most
goal G_j which is schedulable for TI and compute the new ti-state TI_j. This
default behavior schedules goals as close to the user-defined left-to-right
order as possible. If the state TI_j assigns ⊥ to any variable, then the
subgoal G_j must fail and hence the whole conjunction is schedulable. The
resulting ti-state TI' maps all variables to ⊥, and the final conjunction
contains all previously scheduled goals followed by fail. If TI_j does not
assign any variable to ⊥ we continue by scheduling the remaining conjunction
G_1, ..., G_{j-1}, G_{j+1}, ..., G_n with initial ti-state TI_j. If all subgoals
are eventually schedulable we have determined both an order of evaluation for
the conjunction and a final ti-state.

To determine if a disjunction G_1 ; ... ; G_n is schedulable for initial
ti-state TI we check whether each subgoal G_j is schedulable for TI and, if so,
compute each resulting ti-state TI_j, obtaining the final ti-state
TI' = ⊔_{j ∈ {1..n}} TI_j. If this ti-state assigns ⊤ to any variable or one of
the disjuncts G_j is not schedulable then the whole disjunction is not
schedulable.

To determine whether an if-then-else G_i → G_t ; G_e is schedulable for initial
ti-state TI, we determine first whether G_i is schedulable for TI with resulting
ti-state TI_i. If not, the whole if-then-else is not schedulable. Otherwise, we
try to schedule G_t in state TI_i (resulting in state TI_t say) and G_e in state
TI (resulting in state TI_e say). The resulting ti-state is TI' = TI_e ⊔ TI_t.
If one of G_t or G_e is not schedulable or TI' includes ⊤ the whole if-then-else
is not schedulable.

Mode Declarations: To check if a predicate with head p(x_1, ..., x_n) and
declared (or inferred) type {x_1 ↦ t_1, ..., x_n ↦ t_n} satisfies the mode
declaration p(c_1 → s_1, ..., c_n → s_n), we build an initial ti-state
TI = {x_1 ↦ rt(t_1, c_1), ..., x_n ↦ rt(t_n, c_n)} to analyse the body of the
predicate (multiple rules are treated as a disjunction). The mode declaration is
correct if everything is schedulable with final ti-state
TI' = {x_1 ↦ s'_1, ..., x_n ↦ s'_n} and for each argument variable 1 ≤ i ≤ n,
s'_i ≤ rt(t_i, s_i). A mode error results if some s'_i is not strong enough or
if the body is not schedulable (in which case the compiler reports an error
about the least subpart of the goal which is not schedulable).

Example 8. Consider mode checking of the following code:

    :- pred dupl(list(T), list(T)).                 % duplicate top of stack
    :- mode dupl(in(nelist), out(nelist)) is det.
    dupl(S0, S) :- S0 = [], S = [].
    dupl(S0, S) :- pop(S0, A, S1), push(S0, A, S).

We start by constructing the initial ti-state TI = {S0 ↦ r_nl, S ↦ new_{list(T)}}
where r_nl = rt(list(T), nelist) is the tree shown in Figure 2(d). Checking the
first disjunct (rule) we have S0 = [] schedulable as a deconstruct. The
resulting ti-state assigns ⊥ to S0, thus the whole conjunction is schedulable
with TI_1 = {S0 ↦ ⊥, S ↦ ⊥}. Checking the second disjunct, we first extend TI
to map A to new_T and S1 to new_{list(T)}. Examining the first literal
pop(S0, A, S1) we find that both modes declared for pop/3 are schedulable. Since
the second mode has more specific calling instantiations, it is chosen and the
ti-trees for A and S1 become ground(T) and rt(list(T), ground), respectively.
Now the second literal is schedulable obtaining for S the ti-tree r_nl.
Restricting to the original variables the final ti-state is
TI_2 = {S0 ↦ r_nl, S ↦ r_nl}. Taking the join TI' = TI_1 ⊔ TI_2 = TI_2. Checking
this against the declared success instantiation we find the declared mode
correct. The code generated for the procedure is:

    dupl_mode1(S0, S) :- fail.
    dupl_mode1(S0, S) :- pop_mode2(S0, A, S1), push_mode1(S0, A, S).

where pop_mode2/3 and push_mode1/3 are the procedures associated to the second
and first modes of the predicates, respectively.

Our algorithm does not track variable dependencies and thus it might obtain a
final ti-state weaker than expected. This can be overcome by adding a definite
sharing and/or a dependency based groundness analysis to the mode checking
phase. In practice, however, it seems these kinds of modes are rarely used.

5 Automatic Initialization

Many constraint solvers require solver variables to be initialized before they
can be used in constraints. Thus, explicit initializations for local variables
may need to be introduced. This is not only a tedious exercise for the user, it
may even be impossible for multi-moded predicate definitions since each mode may
require different initialization instructions. Therefore, the HAL mode checker
automatically inserts variable initializations when required. Hence, whenever a
literal cannot be scheduled because there is a requirement for an argument of
type t to be rt(t, old) when it is new_t and t is a solver type, then the init/1
predicate for type t can be inserted to make the literal schedulable.

Unfortunately, unnecessary initialization may slow execution and introduce
unnecessary variables (when it interacts with implied modes). Hence, we would
only like to add those initializations required so that mode checking will
succeed. The HAL mode checker implements this by first trying to mode the
procedure without allowing initialization. If this fails it tries to find the
leftmost unscheduled literal, starting from the previous partial schedule, which
can be scheduled with initialization. If such a literal is found the appropriate
initialization calls are added, the literal is scheduled, and then scheduling
continues once more trying to schedule without initialization. If there are no
literals schedulable with initialization the whole conjunct is not schedulable.
This two-phase approach is applied at every conjunct level individually.

Example 9. Consider the following program where cint is a solver type:

    :- pred length(list(cint), int).
    :- mode length(out(list(old)), in) is semidet.
    length(L, N) :- N = 0, L = [].
    length(L, N) :- N > 0, N = N1 + 1, L = [V|L1], length(L1, N1).

In the first phase the second rule is not schedulable since L = [V|L1] cannot be
a construct (V is new) or a deconstruct (L is new). In the second phase we try
to schedule the remaining unscheduled literal, which can be managed by
initializing V, obtaining:

    length(L, N) :- NN := 0, NN == N, L := [].
    length(L, N) :- N > 0, N1 := N - 1, length(L1, N1), init(V), L := [V|L1].

The initialization policy above is not always optimal. We are investigating more
informed policies which give a better tradeoff between adding constraints as
soon as possible and delaying constraints until they can be tests or
assignments.
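The following is an added Python model (example code written for this page, not
the HAL compiler's own) of the scheduling rules of Section 4 together with the
two-phase initialisation of Section 5. It collapses ti-trees onto the base
instantiations new, old and ground, so types, determinism and failure (⊥) are
left out. Equalities are scheduled as copy, unify, construct or deconstruct,
including the fresh-variable decomposition of Example 6; predicate calls pick the
most specific schedulable mode; a conjunction is scheduled left-most-first, and
only when nothing is schedulable are init/1 calls inserted for the new
solver-type variables of the left-most literal that then becomes schedulable. The
mode table (N > 0 and N = N1 + 1 as the built-ins gt0/1 and succ/2, plus
length/2 as declared in Example 9) and the names Fresh1, Fresh2, ... are this
example's assumptions.

```python
# Flat model of the Section 4 scheduler and the Section 5 initialisation phase.
# Only the base instantiations new, old and ground are tracked (no ti-trees,
# types, determinism or failure); that is enough to reproduce Examples 6 and 9.
RANK = {"ground": 0, "old": 1}     # ground <= old; new compares only to itself
_counter = [0]                     # numbering for fresh program variables

def leq(a, b):                     # a is at least as instantiated as b
    return a == b if "new" in (a, b) else RANK[a] <= RANK[b]

def meet(a, b):                    # new ⊓ r = r, as in the paper's footnote 3
    if "new" in (a, b): return b if a == "new" else a
    return a if RANK[a] <= RANK[b] else b

def fresh(st):                     # a fresh program variable, initially new
    _counter[0] += 1; st[f"Fresh{_counter[0]}"] = "new"
    return f"Fresh{_counter[0]}"

# st: variable -> inst;  modes: predicate -> [(call insts, success insts)]
# literals: ("=", x, y) | ("=f", x, f, [x1..xn]) | ("call", p, [x1..xn])
def try_schedule(lit, st, modes):
    """Code (list of strings) for lit if schedulable in st (updated in place),
    None if the literal must wait until other literals have been scheduled."""
    if lit[0] == "=":
        _, x, y = lit
        if (st[x] == "new") != (st[y] == "new"):                 # copy
            dst, src = (x, y) if st[x] == "new" else (y, x)
            st[dst] = st[src]
            return [f"{dst} := {src}"]
        if st[x] != "new":                                       # unify
            st[x] = st[y] = meet(st[x], st[y])
            return [f"{x} == {y}"]
        return None
    if lit[0] == "=f":
        _, x, f, xs = lit
        if st[x] == "new" and all(st[v] != "new" for v in xs):  # construct
            st[x] = "old" if "old" in [st[v] for v in xs] else "ground"
            return [f"{x} := {f}({', '.join(xs)})"]
        if st[x] != "new" and any(st[v] == "new" for v in xs):  # deconstruct
            # x old is HAL's weak spot: a run-time error if x is still unbound.
            args, tail = [], []
            for v in xs:
                if st[v] != "new":         # non-new argument: go via a fresh one
                    fv = fresh(st); tail.append(("=", v, fv)); v = fv
                st[v] = st[x]; args.append(v)
            code = [f"{x} =: {f}({', '.join(args)})"]
            for t in tail:
                code += try_schedule(t, st, modes)
            return code
        return None
    _, p, xs = lit
    best = None                    # most specific mode whose call insts hold
    for i, (calls, _) in enumerate(modes[p]):
        if all(leq(st[v], c) for v, c in zip(xs, calls)) and (best is None or
                all(leq(c, b) for c, b in zip(calls, modes[p][best][0]))):
            best = i
    if best is None: return None
    for v, s in zip(xs, modes[p][best][1]):
        st[v] = meet(st[v], s)
    return [f"{p}_mode{best + 1}({', '.join(xs)})"]

def init_candidates(lit, st, modes, solver_vars):
    # new solver-type variables that lit wants non-new: where init/1 may go
    if lit[0] == "call":
        wanted = [v for v, c in zip(lit[2], modes[lit[1]][0][0]) if c != "new"]
    else:
        wanted = lit[3] if lit[0] == "=f" else [lit[2]]
    return [v for v in wanted if st[v] == "new" and v in solver_vars]

def schedule_conj(lits, st, modes, solver_vars):
    """Phase 1: left-most schedulable literal.  Phase 2, only when phase 1 is
    stuck: init the candidates of the left-most literal that then schedules."""
    pending, code = list(lits), []
    while pending:
        for i, lit in enumerate(pending):
            c = try_schedule(lit, st, modes)
            if c is not None:
                code += c; pending.pop(i); break
        else:
            for i, lit in enumerate(pending):
                cands = init_candidates(lit, st, modes, solver_vars)
                trial = dict(st, **{v: "old" for v in cands})
                c = try_schedule(lit, trial, modes) if cands else None
                if c is not None:
                    st.update(trial); code += [f"init({v})" for v in cands] + c
                    pending.pop(i); break
            else:
                raise ValueError(f"mode error: cannot schedule {pending}")
    return code

# Constructed mode table: length/2 as declared in Example 9, plus N > 0 (gt0/1)
# and N = N1 + 1 (succ/2, usable in either direction) as built-ins.
MODES = {"gt0": [(["ground"], ["ground"])],
         "succ": [(["ground", "new"], ["ground"] * 2), (["new", "ground"], ["ground"] * 2)],
         "length": [(["new", "ground"], ["old", "ground"])]}

def example6():                    # Y = [A|X] with X, Y ground and A new
    st = {"X": "ground", "Y": "ground", "A": "new"}
    return try_schedule(("=f", "Y", ".", ["A", "X"]), st, MODES)

def example9():                    # second rule of length/2; V has solver type cint
    st = {"L": "new", "N": "ground", "N1": "new", "V": "new", "L1": "new"}
    body = [("call", "gt0", ["N"]), ("call", "succ", ["N1", "N"]),
            ("=f", "L", ".", ["V", "L1"]), ("call", "length", ["L1", "N1"])]
    return schedule_conj(body, st, MODES, {"V"})
```

Running example9() yields gt0_mode1(N), succ_mode2(N1, N), length_mode1(L1, N1),
init(V), L := .(V, L1): the first phase schedules everything except
L = [V|L1], which is neither a construct (V new) nor a deconstruct (L new), and
the second phase initialises V alone, since L1 is already old after the
recursive call. Initialising the larger set {V, L1} up front would have been
the "unnecessary initialization" the text warns about.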

6 Higher-Order Terms

Higher-order programming is particularly important in HAL because it is the
mechanism used to implement dynamic scheduling, which is vital in CLP languages
for extending and combining constraint solvers. Higher-order programming
introduces two new kinds of literals: construction of higher-order objects and
higher-order calls. A higher-order object is constructed using an equation of
the form h = p(x_1, ..., x_k) where h, x_1, ..., x_k are variables and p is an
n-ary predicate with n ≥ k. The variable h is referred to as a higher-order
object. Higher-order calls are literals of the form call(h, x_{k+1}, ..., x_n)
where h, x_{k+1}, ..., x_n are variables. Essentially, the call/n literal
supplies the n − k arguments missing from the higher-order object h.
The higher-order type of a higher-order object h is of the form
pred(t_{k+1}, ..., t_n) where pred/(n−k) is a special type constructor and
t_{k+1}, ..., t_n are types. It provides the types of the n − k arguments
missing from h. The higher-order instantiation of h is of the form
pred(c_{k+1} → s_{k+1}, ..., c_n → s_n)⁴ where pred/(n−k) is a special
instantiation constructor and c_j → s_j are call and success instantiations. It
provides the modes of the n − k arguments missing from h.

We extend our earlier definitions involving regular trees by introducing a new
node labelled pred which has n − k children for a higher-order object of type
pred(t_{k+1}, ..., t_n). The j-th child node of pred is labelled type_j and has
exactly one child which is the type of the j-th missing argument of the
predicate. The type_j functor nodes are not usually written when referring to
the type and are there simply to keep the regular tree graphs bipartite. In the
regular tree associated with a higher-order instantiation (or
type-instantiation) the j-th child node of pred is labelled → and has exactly
two children: the call c_j and success s_j instantiations (resp. ti-trees).

Example 10. Consider the goal ?- H = code('a'), map(H, [7, 0, 11], S). and
program:

    :- pred map(pred(A, B), list(A), list(B)).
    :- mode map(in(pred(in, out) is det), in, out) is det.
    map(H, [], []).
    map(H, [A|As], [B|Bs]) :- call(H, A, B), map(H, As, Bs).
    :- pred code(char, int, char).
    :- mode code(in, in, out) is det.
    code(C1, I, C2) :- C2 = chr(ord(C1) + I).

The map/3 predicate takes a higher-order predicate with two missing arguments
with types A and B and modes in and out, respectively. This predicate is applied
to a list of As, returning a list of Bs. The literal H = code('a') builds a
higher-order object which calls the code predicate with first argument 'a'. The
type-instantiation of H, pred(int::in, char::out), is represented by the
regular tree shown in Figure 3(b).

As discussed in the next section, HAL treats the mode and determinism of higher
order terms as if they were part of the "type". This means that, for example,
in a list of higher-order objects, all elements must have the same mode and
determinism. This makes sense since otherwise after removing an element from
the list it cannot be called as we have lost its mode and determinism.⁵ This
simplifies mode checking since, as a result, the only comparable ti-trees with
root labelled pred must be identical.

We extend rt so that rt(pred(t_1, ..., t_n), ground) and
rt(pred(t_1, ..., t_n), old) are new singleton nodes labelled
ground(pred(t_1, ..., t_n)) and old(pred(t_1, ..., t_n)), respectively. These
nodes act like ground(v) and old(v) but they can also be compared with more
complicated ti-trees (with root nodes labelled pred) of the same type. We define
r ≤ ground(pred(t_1, ..., t_n)) ≤ old(pred(t_1, ..., t_n)) for any ti-tree r of
the form pred(c_1 → s_1, ..., c_n → s_n) where s_j ≤ t_j, 1 ≤ j ≤ n.

⁴ In practice, the determinism also appears in the higher-order instantiation.

⁵ Mercury treats this differently: two higher-order objects with different mode
and/or determinism information can be placed in the same list, but an error will
occur when calling an element removed from this list.

Intuitively, a higher-order equation h = p(x1, ..., xk) is schedulable if h is 
new and x1, ..., xk are at least as instantiated as the call instantiations of one 
of the modes declared for p/n. If this is true for more than one mode, an ambiguity 
is reported. If it is not true for any mode, the equation is delayed until the 
arguments become more instantiated. Note that the instantiation of each xi is 
unchanged and, in fact, will not be updated when the call to h is made. Hence, 
higher-order objects lose precision of mode information. This would lead to 
erroneous mode information if some xi is new. Hence, the call is not schedulable if 
this is the case. The HAL compiler warns if the declared mode of p used in the 
higher-order call may have lost instantiation information. 

A higher-order call call(h, x(k+1), ..., xn) is schedulable if x(k+1), ..., xn are 
at least as instantiated as the call instantiations of the arguments of the 
higher-order type-instantiation previously assigned to h. If this is not true, the 
call is delayed until the arguments become more instantiated. Just as for normal 
predicate calls, implied modes are also possible: if h requires one of the xi 
to be new and it is not, we can replace it in the call literal by a fresh variable 
fresh_i and a following equation fresh_i = xi. 
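The scheduling rules just described (delay, ambiguity, loss of precision, implied modes through fresh variables), as an added Python example that is not code from the paper or from the HAL compiler. It assumes a flat instantiation lattice new / old / ground in place of the paper's ti-trees; the names Mode, HOInst and TIState are its own.

```python
"""Scheduling higher-order equations h = p(x1..xk) and calls call(h, ...).

Added example, not code from the paper or the HAL compiler.  Assumption: a
flat instantiation lattice (new / old / ground) replaces the paper's ti-trees,
which is enough to show the rules: delay, ambiguity, loss of precision and
implied modes through fresh variables.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RANK = {"ground": 0, "old": 1, "new": 2}          # smaller = more instantiated


def at_least(actual: str, required: str) -> bool:
    """True if `actual` is at least as instantiated as `required`."""
    return RANK[actual] <= RANK[required]


@dataclass
class Mode:
    call: Tuple[str, ...]        # call instantiation of each argument of p/n
    success: Tuple[str, ...]     # success instantiation of each argument


@dataclass
class HOInst:
    """Higher-order type-instantiation: call/success insts of the missing args."""
    call: Tuple[str, ...]
    success: Tuple[str, ...]


@dataclass
class TIState:
    inst: Dict[str, str] = field(default_factory=dict)   # variable -> instantiation
    ho: Dict[str, HOInst] = field(default_factory=dict)  # variable -> HO inst
    warnings: List[str] = field(default_factory=list)
    fresh: int = 0

    def of(self, v: str) -> str:
        return self.inst.get(v, "new")       # unseen variables are new


def schedule_ho_equation(st: TIState, h: str, modes: List[Mode], xs: List[str]) -> str:
    """Returns "scheduled", "delayed" or "ambiguous" for h = p(x1, ..., xk)."""
    if st.of(h) != "new":
        return "delayed"
    # A new x_i would never be updated by the later call, so its mode
    # information would be wrong: not schedulable until it is instantiated.
    if any(st.of(x) == "new" for x in xs):
        return "delayed"
    k = len(xs)
    matching = [m for m in modes
                if all(at_least(st.of(x), m.call[i]) for i, x in enumerate(xs))]
    if not matching:
        return "delayed"
    if len(matching) > 1:
        return "ambiguous"
    m = matching[0]
    for i, x in enumerate(xs):
        if m.success[i] != m.call[i]:        # p would instantiate x_i further,
            st.warnings.append(f"{h}: instantiation of {x} is not updated")
    st.ho[h] = HOInst(call=m.call[k:], success=m.success[k:])
    st.inst[h] = "ground"                    # the closure itself is ground
    return "scheduled"                       # x1..xk keep their instantiation


def schedule_ho_call(st: TIState, h: str, ys: List[str]) -> Tuple[str, List[str]]:
    """Returns ("scheduled", literals) or ("delayed", []) for call(h, y_{k+1}..y_n);
    `literals` is the call followed by the equations that implied modes add."""
    if h not in st.ho:
        return "delayed", []
    hi = st.ho[h]
    if not all(at_least(st.of(y), hi.call[j]) for j, y in enumerate(ys)):
        return "delayed", []
    args: List[str] = []
    equations: List[str] = []
    for j, y in enumerate(ys):
        if hi.call[j] == "new" and st.of(y) != "new":
            st.fresh += 1                    # implied mode: call with fresh_i,
            f = f"fresh{st.fresh}"           # then unify fresh_i = y_i afterwards
            args.append(f)
            equations.append(f"{f} = {y}")
            st.inst[f] = hi.success[j]
        else:
            args.append(y)
            st.inst[y] = hi.success[j]
    return "scheduled", [f"call({h}, {', '.join(args)})"] + equations


# Constructed declarations for code/3 of Example 10: mode code(in, in, out) is det
CODE_MODES = [Mode(("ground", "ground", "new"), ("ground", "ground", "ground"))]

if __name__ == "__main__":
    st = TIState(inst={"A": "ground", "X": "ground"})
    print(schedule_ho_equation(st, "H", CODE_MODES, ["A"]), st.ho["H"])
    print(schedule_ho_call(st, "H", ["X", "B"]), st.of("B"))
```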

7 Polymorphism and Modes 

Interfaces for storing polymorphic objects lose substantial information about 
the instantiations of retrieved items (they are only known to be ground or old). 
The problem is more severe for higher-order objects because then we do not have 
enough information for the higher-order object to be used (called). 

Example 11. Consider the following goal: 

?- empty(S0), I0 = code('a'), push(S0, I0, S1), pop(S1, I, S2), map(I, [7], S). 

When item I is extracted from the list we know it is a ground object of type 
pred(int, char). Since the mode and determinism information of I has been 
lost, it cannot be used in map and a mode error results. 

We could overcome this problem by having a special version of each predicate 
for the case of higher-order predicates. But this defeats the purpose of the 
abstract data type. Our approach is to use polymorphic type information to recover 
the lost mode information. This is an example of "Theorems for Free": since 
polymorphic code can only copy terms with polymorphic type, it cannot create 
instantiations and, hence, the output instantiations of polymorphic arguments 
must result from the calling instantiations of non-output arguments. Thus, they 
must be at least as instantiated as the join of the input instantiations. 

To recover instantiation information we extend mode checking for procedures 
with polymorphic types to take into account the extra mode information that is 
implied by the polymorphic type. Due to space considerations we simply illus- 
trate this by an example. 

Footnote: In HAL and Mercury it can also unify such terms, but this only creates more 
instantiated modes. 

Fig. 3. Gaining information from polymorphic types. [panels (a) to (e)] 

Example 12. Assume we are scheduling the push/3 literal in the goal: 

?- empty(S0), I0 = code('a'), push(S0, I0, S1), pop(S1, I, S2), map(I, [7], S). 

for current ti-state {S0 ↦ elist, I0 ↦ pred(int →1 int, new →2 char)}, 
the remaining variables being new. The ti-trees corresponding, respectively, 
to S0 and I0 are illustrated in Figure 3(a) and (b). The ti-trees defined 
by the type and mode declarations for the first two arguments of push/3, 
rt(list(T), ground) and rt(T, ground), are shown in Figure 3(c) and (d). The 
literal is schedulable. Computation of the output instantiation proceeds by 
finding corresponding sub-graphs in the formal and actual input instantiations where 
the former is labelled with ground(T). This comparison of sub-graphs in 
Figures 3(c) and (d) with the ti-trees of Figure 3(a) and (b), respectively, gives 
that ground(T) is matched by the ti-tree of Figure 3(b). Hence, in the output 
instantiation, the only ground(T) nodes must come from this input instantiation. 
Thus the success instantiation for the third argument is rt(list(T), nelist) (see 
Figure 3(d)) with the ground(T) node replaced by that ti-tree. The result (the 
output instantiation of S1) is shown in Figure 3(e). Note that the mode 
information of the higher-order term is preserved. 
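The recovery of Examples 11 and 12 (push of a higher-order object onto a polymorphic stack, then pop), as an added Python example that is not the paper's or HAL's code. The tuple encoding of instantiation trees, the conservative join and the functions match, substitute, schedule_push and schedule_pop are assumptions of the example.

```python
"""Recovering mode information for polymorphically typed arguments.

Added example, not code from the paper or the HAL compiler.  Instantiation
trees are simplified (assumption): a list is ("elist",), ("nelist", elem) or
("list", elem); a ground leaf is ("ground", type), where a one-letter
uppercase type such as "T" is a type variable; a higher-order object is an
opaque ("pred", ((call, success), ...)) node; ("new",) is uninstantiated.
"""
from typing import Any, Callable, Dict, Tuple

Tree = Tuple[Any, ...]


def is_type_var(name: str) -> bool:
    return len(name) == 1 and name.isupper()


def is_ground(t: Tree) -> bool:
    """True if every value described by t is ground (pred objects are ground)."""
    if t[0] in ("ground", "pred", "elist"):
        return True
    if t[0] in ("nelist", "list"):
        return is_ground(t[1])
    return False                        # ("new",) or ("old", type)


def match(formal: Tree, actual: Tree, binds: Dict[str, Tree]) -> None:
    """Walk the formal (declared) and actual input ti-trees in step.  Wherever
    the formal tree has a ground(T) node, remember the actual sub-tree that
    matched it: only input data can flow into a polymorphic output.
    Raises ValueError if the actual argument is not instantiated enough."""
    if formal[0] == "ground":
        if not is_ground(actual):
            raise ValueError(f"argument {actual} is not ground as required")
        if is_type_var(formal[1]):
            prev = binds.get(formal[1])
            # Two different contributions to T: fall back to the declared
            # ground(T).  (Assumed conservative join; the paper's is finer.)
            binds[formal[1]] = actual if prev in (None, actual) else formal
        return
    if formal[0] in ("list", "nelist"):
        if actual[0] == "elist" and formal[0] == "list":
            return                      # nothing flows out of an empty list
        if actual[0] == "nelist" or (actual[0] == "list" and formal[0] == "list"):
            match(formal[1], actual[1], binds)
            return
        raise ValueError(f"{actual} does not satisfy {formal}")
    raise ValueError(f"unsupported formal instantiation {formal}")


def substitute(out: Tree, binds: Dict[str, Tree]) -> Tree:
    """Success instantiation: each ground(T) node of the declared output tree
    is replaced by the sub-tree that matched T on input."""
    if out[0] == "ground" and is_type_var(out[1]):
        return binds.get(out[1], out)
    if out[0] in ("list", "nelist"):
        return (out[0], substitute(out[1], binds))
    return out


# Assumed declarations for the stack ADT of Example 11:
#   push(in, in, out) with types (list(T), T, list(T)), output nelist
#   pop(in, out, out) with types (list(T), T, list(T)), input nelist
GROUND_T: Tree = ("ground", "T")


def schedule_push(s0: Tree, item: Tree) -> Tree:
    """Success instantiation of S1 for push(S0, I0, S1)."""
    binds: Dict[str, Tree] = {}
    match(("list", GROUND_T), s0, binds)
    match(GROUND_T, item, binds)
    return substitute(("nelist", GROUND_T), binds)


def schedule_pop(s1: Tree) -> Tuple[Tree, Tree]:
    """Success instantiations of (I, S2) for pop(S1, I, S2)."""
    binds: Dict[str, Tree] = {}
    match(("nelist", GROUND_T), s1, binds)
    return substitute(GROUND_T, binds), substitute(("list", GROUND_T), binds)


def is_mode_error(fn: Callable[..., Any], *args: Any) -> bool:
    """True if scheduling fn(*args) is rejected as a mode error."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


# Constructed instantiation of I0 = code('a'): pred(int ->1 int, new ->2 char)
CODE_A: Tree = ("pred", (("int", "int"), ("new", "char")))

if __name__ == "__main__":
    s1 = schedule_push(("elist",), CODE_A)
    item, rest = schedule_pop(s1)
    print(s1, item == CODE_A)           # the higher-order mode survives the round trip
```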

There is a caveat which currently prevents this method from being more 
widely used in HAL. HAL currently assumes that a program variable with vari- 
able type may indeed be a solver type and hence can be initialized. This means 
polymorphic code can introduce the instantiation old for polymorphically typed 
code thus destroying the correctness of the “theorem for free”. Thus, this en- 
hanced polymorphic mode checking cannot be used when a matching type is a 
solver type. However, it is, of course, correct for higher-order types. When type 
classes are fully integrated in the compiler they will eliminate the assumption 
above thus removing the caveat. 

8 Conclusion 

We have formalized mode checking for CLP languages, such as HAL, with strong 
typing and re-orderable clause bodies, and described the algorithms currently 
used in the HAL compiler. The implementation of these algorithms in HAL 
is considerably more sophisticated than the simple presentation here. Partial 
schedules are computed and stored and accessed only when enough new instan- 
tiation information has been created to reassess them. Operations such as ^ are 
tabled and hence many operations are simply a lookup in a table. We have found 
mode checking is efficient enough for a practical compiler, taking 27% of overall 
compile time on average. 
Abstract. In this paper we use execution-driven simulation of a scal- 
able multiprocessor to evaluate the performance of the Andorra-I parallel 
logic programming system under invalidate and update-based protocols. 
We use two versions of Andorra-I. One of them was originally designed 
for bus-based multiprocessors, while the other is optimised for scalable 
architectures. We study a well-known invalidate protocol and two differ- 
ent update-based protocols. Our results show that for our sample logic 
programs the update-based protocols outperform their invalidate-based 
counterpart for the original version of Andorra-I. In contrast, the opti- 
mised version of Andorra-I benefits the most from the invalidate-based 
protocol, but a hybrid update-based protocol performs as well as the 
invalidate protocol in most cases. We conclude that parallel logic pro- 
gramming systems can consistently benefit from hybrid update-based 
protocols. 

Keywords: Logic programming, parallelism, cache coherence protocols, 
DSM architectures, performance evaluation 



1 Introduction 

One of the most important advantages of logic programming is the availability of 
several forms of implicit parallelism that can be naturally exploited on shared- 
memory multiprocessors. These forms include: or-parallelism, as exploited in 
the systems Aurora and Muse; independent and-parallelism, as in &-Prolog 
and &-ACE; dependent and-parallelism, as in Parlog's JAM, KLIC, and DBAS; 
data-parallelism, as in Reform Prolog; and combined and/or parallelism, as in 
Andorra-I, Penny, and ACE. These systems have been able to obtain good 
performance on early bus-based systems, such as the Sequent Symmetry 
multiprocessors. 

As modern architectures are developed and the gap between CPU and mem- 
ory speeds widens, the issue arises of whether the current parallel logic pro- 
gramming systems can also perform well on the new, scalable, architectures. In 
modern multiprocessors, performance depends heavily on the miss rates and may 
be limited by the communication overhead that is involved in sharing writable 
data. 

Sharing in parallel logic programming systems occurs under several circum- 
stances. The use of logical variables for communication in dependent and-parallel 
applications, for instance, is an example of producer-consumer sharing of data. 
A second major form of sharing, migratory sharing, arises from synchronisation 
between processors. Synchronisation occurs in tasks such as fetching work from 
other processors, and on being the leftmost goal or branch to execute cuts or 
side-effects. 

The sharing of writable data structures introduces the problem of coherence 
between the processors' caches. Most parallel machines have used a write 
invalidate (WI) protocol in order to keep caches coherent. In this protocol, 
whenever a processor writes a data item, copies of the cache block containing 
the item in other processors’ caches are invalidated. If one of the invalidated pro- 
cessors later requires the same item, it will have to (re)fetch it from the writer’s 
cache. 

Write update (WU) protocols are the main alternative to invalidate- 
based protocols. In WU protocols, whenever an item is written, copies of the 
new value are sent to the other processors that share the item, so that it does 
not have to be (re)fetched on a later access. 

The tradeoff between WI and WU protocols is then clear: WI protocols usu- 
ally involve more cache misses but less communication than WU protocols. Thus, 
the performance of parallel logic programming systems on modern multiproces- 
sors will depend heavily on the sharing behavior of these systems and how well 
it matches the underlying cache coherence protocol. We are interested in exactly 
this interplay between sharing behavior and coherence protocol. 

To address this issue, we use execution-driven simulation of a scalable 
multiprocessor running the Andorra-I parallel logic programming system. We 
simulate three different coherence protocols: a well-known invalidate protocol 
and two update-based protocols. Andorra-I is an ideal subject for our 
experiments because it supports two rather different forms of parallelism in logic 
programs: and-parallelism and or-parallelism. We experiment with two versions 
of Andorra-I. One of them was originally designed for bus-based multiprocessors, 
while the other has been optimised for scalable architectures. 

Our results show that for our sample logic programs the update-based pro- 
tocols outperform their invalidate-based counterpart for the original version of 
Andorra-I. The detailed analysis of these results shows a hybrid form of WU 
performing better than WI both for or-parallel and and-parallel benchmarks. In 
contrast, we find that the optimised version of Andorra-I benefits the most from 
the invalidate-based protocol, but the hybrid protocol performs as well as the 
invalidate protocol in most cases. We conclude that parallel logic programming 
systems can consistently benefit from the hybrid update-based protocol and that 
multiprocessors designed for running these systems efficiently should adopt some 
form of this protocol. 
Our approach contrasts with previous studies of the performance of coherence 
protocols for parallel logic programming systems. Tick and Hermenegildo 
studied caching behaviour of independent and-parallelism in bus-based 
multiprocessors. Other researchers have studied the performance of parallel logic 
programming systems on scalable architectures, such as the DDM, but did not 
evaluate the impact of different coherence protocols. Our initial work studied the 
impact of different cache coherence protocols for the original, non-optimised, 
Andorra-I version, using a limited benchmark set and a relatively small data 
cache. We next performed a detailed analysis of the WI protocol based 
on the Andorra-I data areas, which led us to proposing optimisations that 
improved the speedup of the WI protocol by more than 100% for some 
applications. In this study we address the question of how the original and the 
optimised versions of Andorra-I perform under the various coherence protocols. 
We use a set of benchmarks that covers both and-parallelism and or-parallelism, 
with examples of scalable and non-scalable applications. 

The remainder of the paper is organised as follows. Section 2 describes the 
Andorra-I parallel logic programming system and the techniques we used to 
optimise its performance for scalable architectures. Section 3 presents the 
methodology used to obtain our results. Section 4 describes our benchmark set. 
Section 5 presents speedup results for the or-parallel, and-parallel, and combined 
parallel benchmarks run on both versions of Andorra-I under all protocols, and 
evaluates the performance of the protocols. Finally, Section 6 draws our 
conclusions and suggests future work. 

2 Andorra-I 

2.1 Overview 

The Andorra-I parallel logic programming system is based on the Basic Andorra 
Model. The system was developed at the University of Bristol by 
Beaumont, Dutra, Santos Costa, Yang, and Warren. To the best of the 
authors' knowledge, Andorra-I was the first parallel logic programming system 
that exploited both and- and or-parallelism, and yet could run real-world 
applications with significant parallel performance. This is the main motivation for 
using this system in our experiments. 

Andorra-I employs a very interesting method for exploiting and-parallelism 
in logic programs, namely to execute determinate goals first and concurrently, 
where determinate goals are the ones that match at most one clause in a pro- 
gram. Thus, Andorra-I exploits determinate dependent and-parallelism. Eager 
execution of determinate goals can result in a reduced search space, because 
unnecessary choicepoints are eliminated. The Andorra-I system also exploits 
or-parallelism that arises from the non-determinate goals. Its implementation is 
influenced by JAM when exploiting and-parallelism, and by Aurora when 
exploiting or-parallelism. 

A processing element that performs computation in Andorra-I is called a 
worker. In practice, each worker corresponds to a separate processor. Andorra-I 
is designed in such a way that workers are classified into masters and slaves. One 
master and zero or more slaves form a team. Each master in a team is responsible 
for creating a new choicepoint, while slaves are managed and synchronised by 
their master. Workers in a team cooperate with each other in order to share 
available and-work. Different teams of workers cooperate to share or-work. Note 
that workers arranged in teams share the same set of variables used in a given 
branch of the search tree. 

Most of the execution time of workers should be spent executing engine 
code, i.e., performing reductions. Andorra-I is designed in such a way that 
data corresponding to each worker is as local as possible, so that each worker tries 
to find its own work without interfering with others. Scheduling in Andorra-I is 
demand-driven, that is, whenever a worker runs out of work, it enters a scheduler 
to find another piece of available work. 

The or-scheduler is responsible for finding or-work, i.e., an unexplored 
alternative in the or-tree. Our experiments used the Bristol or-scheduler, originally 
developed for Aurora. The strategy used by the Bristol scheduler concentrates on 
mandatory work, choosing work from the richest worker. If there is no mandatory 
work available, speculative work is chosen in a leftmost order. 

The and-scheduler is responsible for finding eligible and-work, which corre- 
sponds to a goal in the run queue (list of goals not yet executed) of a worker 
in the same team. Each worker in a team keeps a run queue of goals. This run 
queue of goals has two pointers. The pointer to the head of the queue is only 
used by the owner. The pointer to the tail of the queue is used by other workers 
to “steal” goals when their own run queues are empty. If all the run queues are 
empty, the slaves wait either until some other worker (in our implementation, 
the master) creates more work in its run queue or until the master detects that 
there are no more determinate goals to be reduced and it is time to create a 
choicepoint. 

Workers can migrate between teams and change from master to slave and 
vice-versa through the reconfigurer. 

2.2 Two Versions of Andorra-I 

We used in our experiments two versions of Andorra-I. The first was originally 
written for early bus-based machines, while the second has been optimised for 
modern scalable architectures. 

The second version of Andorra-I optimises the original version of the system 
using the following 5 techniques: (1) trimming of shared variables (removal of all 
variables from the source code that are not relevant to the main execution of the 
programs and that generate a surprising amount of read misses, e.g., statistical 
shared counters and debugging variables), (2) data layout modification (this op- 
timisation includes mainly padding and field reordering in order to reduce the 
amount of false sharing on some data areas in Andorra-I), (3) privatisation of 
shared data structures, (4) lock distribution, and (5) elimination of locking in 
scheduling. Shared variable trimming and the modification of the data layout 
produced the greatest improvements under a WI protocol. These optimisations 
were performed after a careful analysis of the data areas in the Andorra-I 
execution. 

3 Methodology 

We use a detailed on-line, execution-driven simulator that simulates a 24-node, 
DASH-like, directly-connected multiprocessor. Each node of the simulated 
machine contains a single processor, a write buffer, cache memory, local memory, 
a full-map directory, and a network interface. The simulator was developed at the 
University of Rochester and uses the MINT front-end to simulate the MIPS 
architecture, and a back-end to simulate the memory and interconnection 
systems. 

We simulate a WI protocol and two different WU-based protocols. Our WI 
protocol keeps caches coherent using the DASH protocol with release 
consistency. In our WU implementation, a processor writes through its cache to the 
home node. The home node sends updates to the other processors sharing the 
cache block, and a message to the writing processor containing the number of 
acknowledgments to expect. Sharing processors update their caches and send 
an acknowledgment to the writing processor. The writing processor only stalls 
waiting for acknowledgments at a lock release point. 

Our WU implementation includes two optimisations. First, when the home 
node receives an update for a block that is only cached by the updating proces- 
sor, the acknowledgment of the update instructs the processor to retain future 
updates since the data is effectively private. Second, when a parallel process is 
created by fork, we flush the cache of the parent’s processor, which eliminates 
useless updates of data initialised by the parent but not subsequently needed by 
it. 

In order to reduce the number of update messages of the WU protocol, we 
experiment with a dynamic hybrid protocol (WUh2) based on the coherence 
protocols of the bus-based multiprocessors using the DEC Alpha AXP21064. 
In these multiprocessors, each node makes a local decision to invalidate or update 
a cache block when it sees an update transaction on the bus. We associate a 
counter with each cache block and invalidate the block when the counter reaches 
the threshold. References to a cache block reset the counter to zero. We used 
counters with a threshold of 2 updates. 
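The three protocols of this section, including the WUh2 per-block counter with its threshold of 2 updates, replayed on two constructed access traces as an added Python example. This is not the paper's Rochester simulator; its message accounting (one message per fetch, per write-through, per invalidation or update sent to a sharer) and the traces are assumptions of the example.

```python
"""Write-invalidate (WI), write-update (WU) and the hybrid WUh2 protocol
replayed on small access traces.

Added example, not the paper's execution-driven simulator.  Message
accounting is an assumption: one message per fetch on a miss, one for a
write-through to the home node, one per invalidation or update sent to a
sharer.  The traces are constructed, not taken from the benchmarks.
"""
from typing import Dict, List, Tuple

Access = Tuple[int, str, str]          # (processor, "r" or "w", cache block)


class CoherenceSim:
    def __init__(self, nprocs: int, protocol: str, threshold: int = 2) -> None:
        if protocol not in ("WI", "WU", "WUh2"):
            raise ValueError(protocol)
        self.protocol = protocol
        self.threshold = threshold      # WUh2: updates tolerated before dropping a copy
        # Per processor: block -> updates received since the block was last referenced
        self.caches: List[Dict[str, int]] = [dict() for _ in range(nprocs)]
        self.misses = 0
        self.messages = 0

    def access(self, p: int, op: str, block: str) -> None:
        if block not in self.caches[p]:
            self.misses += 1
            self.messages += 1          # (re)fetch the block
        self.caches[p][block] = 0       # a local reference resets the WUh2 counter
        if op == "r":
            return
        sharers = [q for q in range(len(self.caches))
                   if q != p and block in self.caches[q]]
        if self.protocol == "WI":
            for q in sharers:           # other copies are invalidated
                del self.caches[q][block]
                self.messages += 1
            return
        self.messages += 1              # write through to the home node
        for q in sharers:               # home sends the new value to each sharer
            self.messages += 1
            if self.protocol == "WUh2":
                self.caches[q][block] += 1
                if self.caches[q][block] >= self.threshold:
                    del self.caches[q][block]   # sharer invalidates its own copy

    def run(self, trace: List[Access]) -> Dict[str, int]:
        for p, op, block in trace:
            self.access(p, op, block)
        return {"misses": self.misses, "messages": self.messages}


def compare(trace: List[Access], nprocs: int = 2) -> Dict[str, Dict[str, int]]:
    """Miss and message counts of all three protocols on the same trace."""
    return {proto: CoherenceSim(nprocs, proto).run(trace)
            for proto in ("WI", "WU", "WUh2")}


# Constructed traces on one shared block "x":
# producer-consumer: processor 0 writes, processor 1 reads each new value
PRODUCER_CONSUMER: List[Access] = [(0, "w", "x"), (1, "r", "x")] * 4
# write-many: processor 0 writes repeatedly while processor 1 reads only twice
WRITE_MANY: List[Access] = [(1, "r", "x")] + [(0, "w", "x")] * 6 + [(1, "r", "x")]

if __name__ == "__main__":
    for name, trace in (("producer-consumer", PRODUCER_CONSUMER),
                        ("write-many", WRITE_MANY)):
        print(name, compare(trace))
```

On the producer-consumer trace WU and WUh2 avoid the repeated misses of WI; on the write-many trace WUh2 drops the stale copy after two updates and sends fewer messages than WU.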

4 Applications 

4.1 And-Parallel Applications 

We used two examples of and-parallel applications, the clustering algorithm for 
network management from British Telecom, bt-cluster, and a program to cal- 
culate approximate solutions to the traveling salesperson problem, tsp. The clus- 
tering program receives a set of points in a three dimensional space and groups 
these points into clusters. Basically, three points belong to the same cluster if the 
distance between them is smaller than a certain limit. And-parallelism in this 
case naturally stems from running the calculations for each point in parallel. The 
test program uses a cluster of 400 points as input data. This program has very 
good and-parallelism, and, being completely determinate, no or-parallelism. The 
traveling salesperson program is based on a Reform Prolog benchmark that 
finds an approximate solution for the TSP problem in a graph with 24 nodes. To 
obtain best performance, the Andorra-I team rewrote the original applications 
to make them determinate-only computations. 



4.2 Or-Parallel Applications 

We use two or-parallel applications. Our first application, chat-80, is an 
example from the well-known natural language question-answering system chat-80, 
written at the University of Edinburgh by Pereira and Warren. This version 
of chat-80 operates on the domain of world geography. The program chat-80 
makes queries to the chat-80 database. This is a small scale benchmark with 
good or-parallelism, and it has been traditionally used as one of the or-parallel 
benchmarks for both the Aurora and Muse systems. The second application, 
floorplan, is an example query for a knowledge-based system for the automatic 
generation of floor plans. The input to this program is a set of desired 
rooms and their sizes with restrictions on windows facing north, south, etc. We 
ran this application for 9 different rooms with different restrictions. This 
application should, at least in principle, have significant or-parallelism. 



4.3 And/Or-Parallel Applications 

We used a program (called flypan) to generate naval flight allocations, based 
on a system developed by Software Sciences and the University of Leeds for 
the Royal Navy. It is an example of a real-life resource allocation problem. The 
program allocates airborne resources (such as aircraft) whilst taking into ac- 
count a number of constraints. The problem is solved by using the technique of 
active constraints as first implemented for Pandora. In this technique, the 
co-routining inherent in the Andorra model is used to activate constraints as 
soon as possible. The program has both or-parallelism, arising from the differ- 
ent possible choices, and and-parallelism, arising from the parallel evaluation of 
different constraints. The input data we used for testing the program consists of 
11 aircraft, 36 crew members and 10 flights needed to be scheduled. The degree 
of and- and or-parallelism in this program varies according to the queries, but 
all queries give rise to more and-parallelism than or-parallelism. 



5 Results: The Impact of Different Coherence Protocols 

In this section we present speedup results for Andorra-I under the three proto- 
cols, WI, WU and WUh2. We present results for the two versions of Andorra-I: 
orig, the original version, and optim, the version optimised for a scalable archi- 
tecture. 

All results, except for the or-parallel applications, were obtained using the 
reconfigurer to automatically adapt to the available parallelism. The or-parallel 
applications used a fixed all-masters configuration. Also, we obtained times for 
the first run of an application (results would be somewhat better for other runs). 



5.1 The orig Version 

Figures 1, 2, 3, 4 and 5 show the speedups for all protocols with the Andorra-I 
orig version. We can observe that the hybrid protocol becomes the best for all 
applications as we increase the size of the multiprocessor up to 24 processors. 

Among the and-parallel applications, bt-cluster exhibits excellent and- 
parallelism, resulting in fairly good speedups under WUh2. WI achieves its best 
speedup of 11.3 with 24 processors, while WU achieves its best speedup of 8.5 
with 16 processors. WUh2 achieves its best speedup of 15.9 for 24 processors 
yielding an improvement of 40% over the WI protocol and 97% over the WU 
protocol. 

Figure 2 shows that tsp achieves worse speedups than bt-cluster. The main 
reason for this result is the sharing behaviour of these applications. Under the 
WI protocol and 16 processors, for instance, tsp issues 26 million references to 
shared memory with a cache miss rate of 3%, while bt-cluster issues 27 million 
references to shared memory with a cache miss rate of only 1.6%. 

It is interesting to observe that the performance of the WU protocol is better 
than that of the WI protocol for the tsp application, but not for the bt-cluster 
application. Recall that pure WU can reduce the miss rate with respect to WI 
but can also generate heavy coherence traffic in doing so. For tsp, WU reduces 
the miss rate substantially without a significant increase in network traffic. More 
specifically, the miss rate of tsp is reduced from 3% under WI to 0.7% under WU 
on 16 processors, while the corresponding amount of network traffic increases 
from 148 MBytes to only 180 MBytes (a 22% increase), respectively. The WU 
protocol does not behave as nicely for bt-cluster. For this application, the miss 
rate is reduced from 1.6% under WI to 0.9% under WU again on 16 processors, 
while the network traffic increases from 71 MBytes to 313 MBytes (a 4-fold 
increase), respectively. 

The performance of the or-parallel applications is similar, with floorplan 
(Figure 5) achieving better performance than chat-80 (Figure 4). WU again 
performs better than WI for the or-parallel applications, chat-80 and floorplan. 
The reason for the better performance of the WU protocol for these applications 
is that most sharing misses are due to false sharing and WU usually performs 
better for this kind of sharing pattern. 

The application flypan is not much affected by any protocol. As can be 
observed from Figure 3, this application achieves maximum speedup of 5 for 16 
and 24 processors. Its execution is dominated by parallel overheads. In particular, 
flypan spends a significant amount of time in the and-scheduler trying to find 
available and-work. This causes a degradation in performance as we increase the 
number of processors, which does not allow the application to scale well. 

Fig. 1. Speedup of bt-cluster on the original system. [plot: bt-cluster (orig); x-axis: Number of processors] 

Fig. 2. Speedup of tsp on the original system. [plot: tsp (orig)] 

Fig. 3. Speedup of pan2 on the original system. [plot; x-axis: Number of processors] 

Fig. 4. Speedup of chat-80 on the original system. [plot: chat-80 (orig)] 

Fig. 5. Speedup of floorplan on the original system. [plot: floorplan (orig)] 

The Impact of Cache Coherence Protocols 1293 



Table 1. Improvements of WUh2 over WI and WU 

Applications    WUh2/WI    WUh2/WU 
bt-cluster      1.40       1.97 
tsp             1.79       1.23 
flypan          1.05       1.21 
chat-80         1.88       1.16 
floorplan       1.86       1.18 
WUh2 is the best protocol for the original version of Andorra-I. The overall 
improvements of WUh2 over the WI and WU protocols on 24 processors are 
shown in Table 1. In the worst case, WUh2 is 5% better than WI and 16% better 
than WU. In the best case, WUh2 is nearly 100% better than WU and 88% 
better than WI. 

5.2 The optim Version 

Figures 6, 7, 8, 9 and 10 show the speedups for all protocols with the Andorra-I 
optim version. 

The optimised version of Andorra-I resulted in lower execution times than 
the original code for all applications. As discussed in Section 2.2, the major 
differences between the optimised and original versions of the system stem from 
trimming shared variables and from data layout modifications that reduced false 
sharing at the cost of increasing memory usage (e.g., by using padding). The first 
optimisation was particularly effective for or-parallel benchmarks and benefits 
all protocols. The second optimisation was designed for a WI protocol. WU does 
not benefit as much from this latter optimisation because it suffers less from false 
sharing than WI, and the extra memory usage sometimes results in more data 
and coherence messages sent to the network (since cache block-based coalescing 
of messages becomes ineffective). 

Even though the execution times of the optimised system are lower, the 
speedups it achieves do not always improve upon those of the original system. More 
specifically, the speedups of the bt-cluster, tsp, and flypan applications 
under the WU protocol on 24 processors decreased significantly. Under the other 
protocols, the speedup of the optimised system is consistently higher than that 
of the original version of Andorra-I, except for the flypan application, for which 
WI and WUh2 exhibit roughly unchanged speedups. Tsp is another interesting 
application in terms of speedup. For this application, both WI and WUh2 
saturate at a speedup of 12 on 16 processors, while the speedup of these protocols 
increases up to 24 processors for all the other applications. 

Overall, the best performance is now obtained with the WI protocol, since 
the optimised version of Andorra-I almost completely eliminates false sharing. 
Nevertheless, the performance of WUh2 is virtually indistinguishable from that 
of WI for all but one application, bt-cluster. For this application, WI reaches a 
speedup of 20 on 24 processors, while WUh2 performs about 25% worse. Out of 
all applications, the best performance is obtained by the or-parallel benchmark 
floorplan, where speedups are almost linear for all protocols (20-fold speedup 
for 24 processors). Performance is also quite good for chat-80 under the WI and 
WUh2 protocols, as both protocols obtain a speedup of 18 on 24 processors. 

6 Conclusions and Future Work 

We studied the performance of the Andorra-I parallel logic programming sys- 
tem under different cache coherence protocols for distributed shared-memory 
machines. We experimented with two versions of Andorra-I: the original system, 
which was designed for early bus-based machines, and a version that was 
optimised for scalable multiprocessors with a write invalidate protocol. Our results 
show that a hybrid update-based protocol can obtain good performance for both 
versions of Andorra-I, while the other protocols fail to achieve consistently good 
performance. 

Fig. 6. Speedup of bt-cluster on the optimised system. [plot: bt-cluster (optim)] 

Fig. 7. Speedup of tsp on the optimised system. [plot: tsp (optim)] 

Fig. 8. Speedup of pan2 on the optimised system. [plot: flypan (optim)] 

Fig. 9. Speedup of chat-80 on the optimised system. [plot: chat-80 (optim)] 

Fig. 10. Speedup of floorplan on the optimised system. [plot: floorplan (optim)] 

The hybrid protocol is quite effective for the original system. This is because 
this protocol is not as vulnerable to false sharing as write invalidate and does 
not generate as much network traffic as pure write update. The hybrid protocol 
also benefits from optimisations performed for an invalidate-based machine. 

The write invalidate protocol performs well as long as there is little false sharing.
To obtain good performance it is therefore important to study the memory
access patterns of the application and how they can generate false sharing. This
requires a very detailed understanding of the interplay between parallel application,
C compiler, and parallel architecture. We performed such a study in

The write update protocol’s main advantage is that it is not as vulnerable 
to false sharing as the write invalidate protocol. Unfortunately, Andorra-I is a 
memory intensive system and can saturate the network under this protocol. This 
problem is most remarkable in the optimised version, because padding was used 
to reduce false sharing. 

We will be performing a similar analysis for other parallel logic programming 
systems. Besides confirming the generality of our claims, such an analysis will 
give us further insight into the current performance and scalability of parallel 
logic programming systems. 
Abstract. This paper discusses the representation of a variety of role-based
access control (RBAC) security models in which users and permissions
may be assigned to roles for restricted periods of time. These
security models are formulated as logic programs which specify the security
information which protects data, and from which a user’s permission
to perform operations on data items may be determined by theorem-proving.
The representation and verification of integrity constraints on
these logic programs is described, and practical issues are considered
together with the technical results which apply to the approach.



1 Introduction 

Role-based access control (RBAC) is an approach to representing security re- 
quirements in which individuals are assigned to roles in an organization and are 
thereby authorized to perform the actions associated with these roles. For exam- 
ple, membership of a doctor role in a medical environment enables a member of 
doctor to read a patient’s medical history if this permission has been assigned to 
the doctor role. Members of different roles (e.g. the nurse role) will have different 
sets of permissions on objects. 

RBAC is increasingly being recognized as a practical security policy to adopt.
Supporting temporal authorizations has also been identified as important
in practice. It follows then that temporal authorization in RBAC is important
to study if one is interested in practical security issues.

There are many situations in which users and permissions may need to be 
assigned to roles for limited periods of time. For example, a contract programmer 
may need to be assigned to the programmer role for the length of their contract, 
whilst the programmer role itself may need to be constrained to exercising per- 
missions on data objects for the duration of time allocated to a project which 
uses these objects. Temporal authorizations are also important for applications 
like workflow systems, and can limit the damage intruders may cause if they are 
able to gain unauthorized access to information.

Thus far, temporal authorization has been studied under the assumption that
a discretionary access control (DAC) policy is to be used. In this context,
certain subjects may grant permissions to others for a certain duration; these
permissions are automatically removed on the expiration of the interval of time
for which they were initially permitted.
It is increasingly being recognized, however, that supporting DAC alone is 
insufficient in practice. Many organizations now require facilities for formulat- 
ing security requirements using RBAC and want the flexibility to be able 
to specify RBAC, DAC or mandatory access control (MAC) policies as needs 
demand. Since RBAC subsumes DAC and MAC it is especially important 
to consider temporal RBAC models since temporal DAC and MAC are special 
cases. However, despite its practical importance, no temporal RBAC model has 
thus far been described in the literature. 

In this paper, we show how logic programs which incorporate the Simplified 
Event Calculus (SEC) may be used to specify any number of RBAC se- 
curity theories which support time-constrained permissions and membership of 
roles. We believe that there are a number of important reasons why such logic 
programs are of particular value for representing RBAC security models with 
temporal authorizations: they enable a wide range of security requirements to 
be represented in a high-level language and as an executable specification which 
may be formally verified as satisfying organizational, administrative, user and 
technical requirements prior to implementation; they have well-defined seman- 
tics; and sound, complete, terminating and efficient proof methods are known 
to exist for classes of logic program in which realistic temporal RBAC security 
theories may be specified. More generally, we believe that clausal form logic has 
an important part to play in formally treating a number of fundamental notions 
in RBAC that are currently not well-defined. 

The rest of this paper is organized in the following way. In Section 2, we 
show how an RBAC model can be represented as a logic program, an RBAC 
security theory. In Section 3, a brief introduction to the SEC is given. Section 
4 describes the representation of an example RBAC security theory with time- 
constrained access rights, a temporal RBAC (TRBAC) theory. In Section 5, a 
theorem-proving approach for determining access permissions from a TRBAC 
theory is discussed. In Section 6, the representation and checking of integrity 
constraints on TRBAC theories are considered. Finally, in Section 7, some con- 
clusions are drawn, and suggestions are made for further work. 



2 Representing RBAC as a Logic Program 

In our approach, a security administrator (SA) represents an RBAC security
model as a set of normal clauses, a normal clause theory or a normal logic
program. A normal clause has the form: H ← L1, L2, ..., Ln. Here, the head
of the clause, H, is an atom and L1, L2, ..., Ln is a conjunction of literals which
comprise the body of the clause. A literal is an atomic formula or its negation.
Negation in this paper is negation as failure (NAF), and the negation of the
atom A is denoted by not A. A clause which has an empty set of literals in its
body is an assertion or a fact; a query or goal clause is expressed in the following
(denial) form: ← L1, L2, ..., Ln.

Variables which appear in a literal are assumed to be universally quantified. 
Henceforth, we will denote variables by using terms in the upper case. In this 
paper, constants are the only type of function which are admitted and are denoted
by letters which appear in the lower case. We also require that clauses be
range-restricted. A finite logic program LP is range-restricted iff for all clauses
in LP, every variable in the head of the clause also appears in the body, and 
every variable that appears in a negative literal in the body of the clause also 
appears in a positive literal in the body. 
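Range restriction is what later guarantees that negated subgoals are ground when selected (no floundering), so it is worth being able to check mechanically. The following is an added Python example, not code from the paper: it parses clauses written with an ASCII `<-` in place of the paper's arrow, applies the paper's convention that variables begin with an upper-case letter (with `_` anonymous and exempt), and reports which variables violate each half of the definition. Clause C1 is the permitted axiom from Section 4 of the paper; the two unsafe clauses are constructed for the example.

```python
import re

# Paper's convention: variables start with an upper-case letter, constants are
# lower case; "_" is an anonymous variable and is exempt from the check.
VAR = re.compile(r"\b[A-Z][A-Za-z0-9_]*\b")


def split_literals(body):
    """Split a clause body on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


def parse_clause(text):
    """'H <- L1, ..., Ln' -> (head, [(negated, literal), ...]); '<- ...' is a goal."""
    head, _, body = text.partition("<-")
    literals = []
    for lit in split_literals(body):
        if lit.startswith("not "):
            literals.append((True, lit[4:].strip()))
        else:
            literals.append((False, lit))
    return head.strip(), literals


def check_range_restriction(text):
    """Return (ok, head vars missing from the body, negative-literal vars missing
    from every positive literal), following the definition of range restriction."""
    head, body = parse_clause(text)
    positive, negative = set(), set()
    for negated, lit in body:
        (negative if negated else positive).update(VAR.findall(lit))
    head_vars = set(VAR.findall(head))
    unsafe_head = head_vars - (positive | negative)   # head var not in the body
    unsafe_neg = negative - positive                  # var only under 'not'
    return (not unsafe_head and not unsafe_neg, unsafe_head, unsafe_neg)


# Sample clauses: C1 of Section 4, a senior-to clause, and two constructed
# clauses that violate the definition.
C1 = ("permitted(access(U,P,O),T) <- happens(E1,T1), initiates(E1,ura(U,R1)), T1 < T, "
      "happens(E2,T2), initiates(E2,rpa(R2,P,O)), T2 < T, senior-to(R1,R2), "
      "not ended(ura(U,R1),T,T1), not stopped(E1,ura(U,R1),T), "
      "not ended(rpa(R2,P,O),T,T2), not stopped(E2,rpa(R2,P,O),T)")
SENIOR_REFLEXIVE = "senior-to(R1,R1) <- d-s(R1,_)"
UNSAFE_NEGATION = "permitted(U,P,O) <- ura(U,R), not rpa(R,P,O)"  # P, O only under 'not'
UNSAFE_HEAD = "denied(U,O) <- user(U)"                            # O is never bound

if __name__ == "__main__":
    for clause in (C1, SENIOR_REFLEXIVE, UNSAFE_NEGATION, UNSAFE_HEAD):
        print(check_range_restriction(clause), clause[:40])
```

A clause like UNSAFE_NEGATION would let a goal such as `not rpa(R,P,O)` be selected with unbound variables, which is exactly the floundering case the paper rules out by requiring range restriction.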

The example RBAC security theories we consider are based on the RBAC_0 to
RBAC_3 family of RBAC models. That is, we assume that an RBAC theory includes role
and permission assignments (RBAC_0), and may additionally include specifications
of role hierarchies (RBAC_1) or constraints (RBAC_2). RBAC_3 subsumes
RBAC_1 and RBAC_2 and hence supports both role hierarchies and constraints.
As we will show, temporal versions of any of these RBAC models may be represented
as logic programs.

In our approach, a SA may create and destroy roles, and they may assign 
users (i.e. those who request access to data items) and access permissions (e.g. 
to read or write a data item) to a role or remove them from a role. A SA is 
also responsible for specifying role hierarchies and the constraints on an RBAC 
theory. A SA will also maintain three unary relations role(X), user(X), and 
permission(X) to, respectively, record the (disjoint) sets of roles, users and permissions
which constitute the universe of discourse for an RBAC security theory.
These relations are important for validating security specifications. To simplify 
the discussion that follows, we do not consider the specific permissions a SA 
must have in order to perform these administrative tasks. 

In RBAC, when an authenticated user, U, is assigned to a role, R, U auto- 
matically acquires the permissions associated with R. In our representation of an 
RBAC theory as a logic program, to record the assignment of users to a role, a 
SA will include definitions of the binary relation ura(U,R) in an RBAC security 
theory. Here, ura is shorthand for user-role assignment. Similarly, definitions of 
the ternary relation rpa(R,P,O) may be used by a SA to specify that the permission
to perform a P operation on an object O is assigned to a role R. In this
case, rpa stands for role-permission assignment. 

To see what is involved in specifying ura and rpa definitions, consider the 
following (simple) scenario: 

Sue is assigned to role r2, and r2 is authorized to read object ol. Write 

access on an object implies read access. 

To represent this information, a SA will include the following security specifications
in an RBAC theory (where ; is used to separate clauses):

ura(sue,r2) ←; rpa(r2,read,o1) ←; rpa(R,read,O) ← rpa(R,write,O)

Role hierarchies are used to represent the fact that senior roles may inherit 
the (positive) permissions assigned to roles which are junior to them in the 
hierarchy (but not conversely) . For example, suppose that the top manager role 
is described in a role hierarchy as being senior to a middle manager role which, 
in turn, is senior to an office worker role. If a member of middle manager has
been assigned the permission to read the personal files of members of office
worker then members of top manager also have this permission. Although the
unconstrained upward inheritance of positive permissions may not always be 
appropriate, we do not address this issue in this paper. 

To represent an RBACi role hierarchy in our approach, a SA uses a set of 
ground instances of a binary relation to describe the pairs of roles which are 
involved in a “seniority” relationship in the partial order which represents a role 
hierarchy. In this case, the partial order is represented by the pair (R,>) where 
R is a set of roles and > is a “senior to” relation. 

In more formal terms, a role R1 is senior to role R2 in a role hierarchy, RH,
iff there is a path from R1 to R2 in RH such that R1 > R2 holds in the partial
order describing RH. The reflexive, antisymmetric and transitive senior to relation
(i.e. >) may be defined in terms of an irreflexive and intransitive relation
“directly senior to”. The directly senior to relation, denoted by →, may be defined
(since > is not dense) in the following way (where ∧ is logical ‘and’, ¬ is
classical negation, and Ri (i ∈ {1,2,3}) is an arbitrary role from Role(X)):

∀R1,R2 [R1 → R2 iff R1 > R2 ∧ R1 ≠ R2 ∧
         ¬∃R3 [R1 > R3 ∧ R3 > R2 ∧ R1 ≠ R3 ∧ R2 ≠ R3]]

To see how a role hierarchy may be represented as part of an RBAC_1 theory,
consider the following instance (in which ri, i ∈ {1..5}, is a role identifier and
ri → rj denotes that ri is directly senior to rj (j ∈ {2,..,5})):

        r1
        |
        r2
       /  \
      r3  r4
       \  /
        r5

This instance of a role hierarchy may be represented in an RBAC_1 security
theory by the following set of d-s facts (where d-s is short for directly senior to):

{d-s(r1,r2) ←; d-s(r2,r3) ←; d-s(r2,r4) ←; d-s(r3,r5) ←; d-s(r4,r5) ←}

We also require the following set of clauses which define the senior-to relation
as the reflexive transitive closure of the d-s relation (where _ is a “don’t
care”/anonymous variable):

senior-to(R1,R1) ← d-s(R1,_)
senior-to(R1,R1) ← d-s(_,R1)
senior-to(R1,R2) ← d-s(R1,R2)
senior-to(R1,R2) ← d-s(R1,R3), senior-to(R3,R2)
The definition of senior-to is used in the permitted rule that follows:

permitted(U,P,O) ← ura(U,R1), senior-to(R1,R2), rpa(R2,P,O)

The permitted rule specifies that a user U has the permission to perform a P
operation on O if U is assigned to a role R1 which is senior to a role R2 to which
the P permission on O has been assigned and is therefore inherited by R1.

A special role public may be used to specify public access on objects. For that,
we may add a d-s(ri,public) assertion for each ri ∈ Role(X) such that ¬∃rj[ri →
rj] holds in a role hierarchy (where rj ∈ Role(X)). Appropriate rpa(public,P,O)
definitions may then be added to the security specification to record that the P
permission on O is assigned to public.

In our approach, object, permission, and group hierarchies can be defined in
the same way as role hierarchies, and restrictions on permission inheritance, like
allowing private roles, can easily be accommodated.
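To make the RBAC_1 material of this section concrete, here is an added Python example (it is not the paper's own code or a logic program): it derives the d-s relation from the strict partial order > exactly as the definition of “directly senior to” above requires, computes senior-to as the reflexive transitive closure of d-s, adds the public role to the roles that have no junior, and evaluates the permitted rule together with the “write implies read” clause. The five-role hierarchy is the one shown above; the facts ura(sue,r2), ura(bob,r5), rpa(r2,read,o1), rpa(r5,write,o2) and rpa(public,read,notice) are constructed for the example.

```python
# Constructed example: the five-role hierarchy of this section, given as the
# strict partial order > (every senior/junior pair, not only the direct ones).
ROLES = {"r1", "r2", "r3", "r4", "r5"}
GT = {("r1", "r2"), ("r1", "r3"), ("r1", "r4"), ("r1", "r5"),
      ("r2", "r3"), ("r2", "r4"), ("r2", "r5"), ("r3", "r5"), ("r4", "r5")}


def directly_senior(gt, roles):
    """R1 -> R2 iff R1 > R2, R1 != R2 and no R3 lies strictly between them."""
    return {(r1, r2) for (r1, r2) in gt if r1 != r2 and not any(
        r3 not in (r1, r2) and (r1, r3) in gt and (r3, r2) in gt for r3 in roles)}


def add_public_role(d_s, roles):
    """d-s(ri, public) for every role ri that is directly senior to nothing."""
    seniors = {r1 for (r1, _) in d_s}
    return d_s | {(r, "public") for r in roles if r not in seniors}


def senior_to(d_s):
    """Reflexive transitive closure of d-s, as the four senior-to clauses define it."""
    closure = {(r, r) for pair in d_s for r in pair} | set(d_s)
    while True:
        new = {(a, c) for (a, b) in d_s for (b2, c) in closure if b == b2}
        if new <= closure:
            return closure
        closure |= new


def close_rpa(rpa):
    """rpa(R,read,O) <- rpa(R,write,O)."""
    return rpa | {(r, "read", o) for (r, p, o) in rpa if p == "write"}


def permitted(u, p, o, ura, senior, rpa):
    """permitted(U,P,O) <- ura(U,R1), senior-to(R1,R2), rpa(R2,P,O)."""
    return any((r1, r2) in senior
               for (uu, r1) in ura if uu == u
               for (r2, pp, oo) in rpa if (pp, oo) == (p, o))


# Constructed security specification built on the hierarchy above.
D_S = add_public_role(directly_senior(GT, ROLES), ROLES)
SENIOR = senior_to(D_S)
URA = {("sue", "r2"), ("bob", "r5")}
RPA = close_rpa({("r2", "read", "o1"), ("r5", "write", "o2"),
                 ("public", "read", "notice")})


def check(u, p, o):
    """Evaluate permitted(U,P,O) against the constructed specification."""
    return permitted(u, p, o, URA, SENIOR, RPA)


if __name__ == "__main__":
    print(sorted(D_S))
    for q in [("sue", "read", "o1"), ("sue", "read", "o2"), ("sue", "write", "o2"),
              ("bob", "read", "o1"), ("bob", "read", "notice")]:
        print(q, check(*q))
```

Note that inheritance is strictly upward: sue, in r2, acquires r5's write (and hence read) permission on o2, while bob, in r5, does not acquire r2's read permission on o1; both can read the notice object through the public role.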

Constraints on RBAC_2 and RBAC_3 theories are discussed in Section 6, after
we have considered the use of the SEC for temporal RBAC_1 security theories.



3 The Simplified Event Calculus (SEC) 

The SEC is a restricted form of the original Event Calculus which has proved
to be useful for treating a number of practical problems involving reasoning about
time and events.

The SEC, like the original event calculus, is based on the use of normal clause 
logic to specify the consequences of events happening in a world of interest. 
The basic idea is to combine the general axioms of the event calculus with a 
set of domain-specific axioms, which define the initiation and termination of 
relationships, and a description of events which have occurred in the world a 
theory describes. From this set of axioms the consequences of events occurring 
may be derived together with the periods of time for which these consequences 
hold. 

The SEC only permits forward persistence and is based on the simplifying 
assumption that complete information exists about events, including the times 
at which they happen. Under this assumption (an entirely reasonable one in the 
context of security theories), a single persistence axiom is all that is required 
to specify that an initiated relationship, Q, continues to persist until an event 
occurs to terminate it. The core axiom of the SEC capturing this notion may be 
expressed thus (where < is ‘earlier than’): 

(C0) holdsat(Q,T) ← happens(E1,T1), initiates(E1,Q), T1 < T,
     ¬∃E2,T2 [happens(E2,T2), terminates(E2,Q), T1 < T2, T2 < T]

More fully, C0 expresses that a relationship Q holds at a time point T if
an event E1 happened which initiated Q (i.e. made Q true) at an earlier point
in time T1, and no intervening event E2 has terminated Q (i.e. made Q false)
subsequent to its initiation.



4 Formulating TRBAC_1 as a Logic Program

When checking a request by a user U to perform a P action on an object O, the
key issue to decide is whether this action is authorized, according to a TRBAC_1
theory, at the time T at which U’s access request is made. For this, we include
the following core permitted axiom in our example TRBAC_1 theory, a variant of
the C0 axiom of the SEC:

(C1) permitted(access(U,P,O),T) ← happens(E1,T1), initiates(E1,ura(U,R1)),
     T1 < T, happens(E2,T2), initiates(E2,rpa(R2,P,O)),
     T2 < T, senior-to(R1,R2),
     not ended(ura(U,R1),T,T1),
     not stopped(E1,ura(U,R1),T),
     not ended(rpa(R2,P,O),T,T2),
     not stopped(E2,rpa(R2,P,O),T)

The reading of the C1 rule is as follows: at the time T (taken from the “system
clock”) at which U requests P access on O, a ← permitted(access(U,P,O),T) query is
performed by the security system. U will be authorized to execute the requested
P action if a security event (defined below) has occurred which initiated a period
of time during which U is assigned to role R1, R1 has inherited, from some role,
R2, the permission to perform the P operation on O which has been assigned to
R2, the assignment of U to R1 has been terminated by neither a security event
nor the expiration of U’s assignment to R1, and the P permission on O for R2
has neither been terminated by a security event nor the expiration of a period
of time for which the role R2 was authorized to perform the P action on O.

As we will see, the security events which may occur in our TRBAC_1 model
result in a user or a permission being assigned or removed from a role. A SA creates
a role by simply adding a reference to it in the d-s assertions which form part
of a TRBAC_1 security theory. Conversely, a role is destroyed by a SA removing
all references to the role in a TRBAC_1 security theory (and removing the role
from Role(X)). The create and destroy actions are not treated as events since
they do not have times associated with them; when a role is created (destroyed)
it is assumed to exist (not to exist) indefinitely into the future.

The definitions of ended and stopped in C1 are as follows:

(C2) ended(ura(U,R1),T,T1) ← happens(E2,T2),
     terminates(E2,ura(U,R1)), T1 < T2, T2 < T

(C3) ended(rpa(R2,P,O),T,T2) ← happens(E3,T3),
     terminates(E3,rpa(R2,P,O)), T2 < T3, T3 < T

(C4) stopped(E1,ura(U,R1),T) ← stop(E1,T1), T1 < T

(C5) stopped(E2,rpa(R2,P,O),T) ← stop(E2,T1), T1 < T



The axioms C2 and C3 are used to deal with the ending of an access per- 
mission as a consequence of an event occurring that terminates it; C4 and C5 
respectively deal with the cases where a user’s time-constrained membership 
of a role expires, and where a permission which has been assigned to a role 
is stopped as a result of the expiration of the period of time for which it was 
initially allowed. 

The set of axioms C = {C1, C2, C3, C4, C5} is an essential part of our example
TRBAC_1 security theory. For a particular instance of this theory, a set of initiates
and terminates rules is added to C. These initiates and terminates rules are
specified by a SA, and define the consequences of performing a security action
which is supported in a TRBAC_1 model. The events which affect a TRBAC_1
security theory are those which result in a user or a permission being assigned to
a role or removed from that role. For the former we need the following initiates
rules (A1 and A2), and for the latter we need the terminates rules (A3 and A4)
which follow:

(A1) initiates(E,ura(U,R)) ← user(E,U), role(E,R), act(E,ura)

(A2) initiates(E,rpa(R,P,O)) ← role(E,R), permission(E,P), object(E,O), act(E,rpa)

(A3) terminates(E,ura(U,R)) ← user(E,U), role(E,R), act(E,revokeura)

(A4) terminates(E,rpa(R,P,O)) ← role(E,R), permission(E,P), object(E,O), act(E,revokerpa)

When considered in relation to the core axioms, the rule A1 expresses that an 
event which involves specifying that U is assigned to role R initiates (i.e. makes 
true) ura(U,R). Similarly, A2 expresses that an event in which R is assigned 
the P permission on object O initiates rpa(R,P,O). Conversely, A3 specifies
that ura(U,R) is terminated (i.e. is made false) by an event in which U is removed
(i.e. revoked) from R, and A4 represents that rpa(R,P,O) is terminated
by the occurrence of an event which removes the permission to perform a P 
operation on O from R. Henceforth, we will use A to denote the set of axioms, 
A={A1,A2,A3,A4}. 

In addition to the core initiates and terminates axioms in A, it is possible 
to define any number of implicit assignments of users and permissions to roles 
by defining initiates in terms of initiates or terminates or terminates in terms of 
terminates or initiates. For instance, to express that “write permission implies 
read permission” the following rule may be included in a TRBACi theory: 

initiates(E,rpa(R,read,O)) ← initiates(E,rpa(R,write,O))

The initiates and terminates rules which are included in a TRBAC_1 theory are
used with a set of ground, binary assertions which describe a history of user-role 
or permission-role assignment events. The permissions we allow a SA to assign 
to roles are read and write permissions on objects. In RBAC, the permissions 
allocated to a role are application-specific, and often quite different to read and 
write. However, these two operations will be sufficient to demonstrate what our 
approach entails, and how it can be extended to accommodate any number of 
operations. 

To see what is involved in recording user and permission assignments to a
role, suppose an event, e1 (say), happens on 01/09/99 and involves indefinitely
assigning a user, Bob, to the role, r1. To represent this, the following security
event description is included as part of our example TRBAC_1 security theory
(where max is the maximum permitted chronon in the domain on which the
system time line is defined):

{happens(e1,01/09/99) ←; act(e1,ura) ←;
 user(e1,bob) ←; role(e1,r1) ←; stop(e1,max) ←}



We call a set of security event descriptions an authorization history. To see 
what is involved in their representation, consider the following scenario: 

The role r1 is assigned a write permission on the object o1 on 10/09/99,
the user Jim is assigned to the role r3 on 20/09/99, r3 is assigned a read
permission on o1 on 03/10/99, but only until 20/12/99, the user Sue is
assigned to the role r2 on 10/11/99, but only until 31/01/00, and Jim is
removed from role r3 on 03/12/99.

To represent this information the required authorization history, H, is:

{happens(e2,10/09/99) ←; act(e2,rpa) ←; role(e2,r1) ←;
 object(e2,o1) ←; permission(e2,write) ←; stop(e2,max) ←}

{happens(e3,20/09/99) ←; act(e3,ura) ←;
 user(e3,jim) ←; role(e3,r3) ←; stop(e3,max) ←}

{happens(e4,03/10/99) ←; act(e4,rpa) ←; role(e4,r3) ←; object(e4,o1) ←;
 permission(e4,read) ←; stop(e4,20/12/99) ←}

{happens(e5,10/11/99) ←; act(e5,ura) ←; user(e5,sue) ←;
 role(e5,r2) ←; stop(e5,31/01/00) ←}

{happens(e6,03/12/99) ←; act(e6,revokeura) ←; user(e6,jim) ←; role(e6,r3) ←}



Notice that there is no stop time associated with acts of revocation (a re- 
vocation corresponds to a stop at the time the revocation happens), and that 
max is used to denote that the relationships in the security event description are 
assumed to persist until the maximum future time point is reached. 
In implementations of our approach, a history of user-role and permission-role
assignments and revocations is maintained. Maintaining this history is useful
for a number of reasons: it makes it possible to express authorization derivation 
rules based on a user’s past history of role and permission assignment, it enables 
the initiation of assignments of users and permissions to roles to be defined 
in terms of terminating events, it enables a variety of temporal constraints to 
be expressed on a TRBAC theory, and it is useful for auditing purposes. An 
alternative approach is for the SA to perform a physical deletion to remove, 
from an authorization history, an event description which initiated a user or 
permission assignment to a role as soon as a decision to revoke these assignments 
is made. Similarly, it is possible for an event description to be physically deleted 
as soon as the current time exceeds the stop time in the event description. If 
physical deletion of event descriptions is to be used then the axioms defining our 
TRBAC_1 theory may be modified to take any such policy into account. Whilst 
physical deletion is always used to remove event descriptions which refer to roles 
or users which have ceased to be relevant to the security of the system, other 
choices of delete policy will depend on application-specific requirements. 

It should be noted that the type of object, o1, to be protected from unauthorized
access requests will depend on the type of objects our approach is used to
protect. For instance, o1 could be a UNIX file, a base table or view in a relational
database or an EDB or IDB predicate in a deductive database. Note also that:
a security event validation procedure is used to ensure that an authorization his- 
tory is syntactically and semantically meaningful; proactive authorizations may 
be included in an authorization history; and a much finer time granularity than 
the DAY type we have assumed thus far would be expected to be available in 
practice. 



5 Access Control by Theorem-Proving 

Our example TRBAC_1 security theory includes the core set of axioms, C, the
definition of senior-to, the initiates rules (A1 and A2), and the terminates rules
(A3 and A4). To this set of axioms, the application-specific authorization history
and d-s clauses may be added to form a particular instance of a TRBAC_1 security
theory. Henceforth, we will denote an arbitrary instance, T_i, of our TRBAC_1
security theory by TRBAC_1(T_i); specific instances of a TRBAC_1 theory will be
denoted by substituting a natural number for the subscript i in T_i. The instance
of the TRBAC_1 security theory outlined in the previous section will be denoted
by T_1. We will assume that TRBAC_1(T_1) includes H, the authorization history
from Section 4, and the d-s facts from Section 2.

As we will see, any application-specific instance of our example TRBAC_1
security theory can be represented in a subset of normal clause logic for which
(safe) SLDNF-resolution is sound and complete with respect to Clark’s 2-valued
completion semantics. It follows then that SLDNF-resolution may be used
for deciding questions about a user’s access permissions on data items from a
TRBAC_1 theory. In our approach therefore, at the time T at which user U
requests P access on an object O, an SLDNF-derivation for the goal clause
← permitted(access(U,P,O),T) is performed on the TRBAC_1 theory.

If TRBAC_1(T_i) ∪ {← permitted(access(U,P,O),T)} has an SLDNF-refutation
then, from the soundness of SLDNF-resolution we have: comp(TRBAC_1(T_i))
⊨ permitted(access(U,P,O),T). In this case, U’s request at time T to perform
the P operation on O is authorized. Conversely, if TRBAC_1(T_i) ∪ {← permitted
(access(U,P,O),T)} has a finitely-failed SLDNF-tree then comp(TRBAC_1(T_i))
⊨ ¬permitted(access(U,P,O),T), and U is not authorized to perform the P action
on O at time T. Soundness ensures that no unauthorized access is permitted.

The set of axioms in C ∪ A, together with the senior-to relation, forms an
allowed and call-consistent theory, the application-specific d-s and authorization
history comprise a set of positive assertions, ← permitted(access(U,P,O),T)
is allowed and always ground when it is selected for evaluation with respect to
TRBAC_1(T_i), and TRBAC_1(T_i) is strict with respect to ← permitted(access(U,P,O),T).
From known results on SLDNF-resolution it therefore follows that SLDNF-resolution
is complete, with respect to Clark’s semantics, for evaluating access requests on
TRBAC_1(T_i). That is, if comp(TRBAC_1(T_i)) ⊨ permitted(access(U,P,O),T) (resp.,
comp(TRBAC_1(T_i)) ⊨ ¬permitted(access(U,P,O),T)) then TRBAC_1(T_i) ∪
{← permitted(access(U,P,O),T)} has an SLDNF-refutation (resp., a finitely-failed
SLDNF-tree). Completeness ensures that authorized access requests are never denied.

Before giving an example of the use of SLDNF-resolution for access con- 
trol, certain practical issues need to be mentioned. In implementations of our 
approach we store senior-to as a materialized relation. Although the costs 
involved in updating senior-to will be increased in this case, in practice the ad- 
ditional update costs are small relative to the savings in access costs. Similarly, 
ground instances of initiates and terminates may be dynamically asserted to 
avoid their recomputation in processing subsequent access requests. This type of 
lemma generation increases the size of the security theory, but it does have the 
advantage of permitting proofs on a TRBACi theory to be efficiently performed 
since ground assertions are used, almost entirely, in the process. Various other 
optimizations are also possible. 

In implementations of RBAC it is usually the case that in addition to U being
recorded as being assigned to role R and R having been assigned the permission
to perform a P operation on O, for U to be able to execute a P act on O, U
is also required to have activated R at the time of U’s request to perform the
P action on O. In our approach, role activation/deactivation is managed in the 
following way. Definitions of a binary relation active(U,R) are included, by a 
SA, in a TRBAC theory to specify the set of roles the user U is permitted 
to activate. Thereafter, a ground instance of an initiates(E,active(U,R),T) fact 
is dynamically asserted into a TRBAC theory at the time T (taken from the 
system clock) at which a request by U to activate role R has been verified as 
being authorized. In this case, E is instantiated with a system generated event 
identifier. Conversely, the appropriate instance of an initiates (E, active (U,R),T) 
assertion is physically deleted as soon as U deactivates R. 
Example (Determining Access Rights on TRBAC_1(T_1))

Suppose that, on 01/12/99, Sue requests read access on the object o1. Assuming
that Sue has activated the necessary roles, then for {← permitted(access(sue,read,
o1),01/12/99)} we have the following (abbreviated) SLDNF-refutation (in which
each predicate name is the first character of the corresponding predicate name
in C1):

← p(access(sue,read,o1),01/12/99)
|
← i(E1,ura(sue,R1)), i(E2,rpa(R2,read,o1)), h(E1,T1),
  T1 < 01/12/99, h(E2,T2), T2 < 01/12/99, s-t(R1,R2),
  not e(ura(sue,R1),01/12/99,T1), not s(E1,ura(sue,R1),01/12/99),
  not e(rpa(R2,read,o1),01/12/99,T2), not s(E2,rpa(R2,read,o1),01/12/99)
|
← not e(ura(sue,r2),01/12/99,10/11/99), not s(e5,ura(sue,r2),01/12/99),
  not e(rpa(r3,read,o1),01/12/99,03/10/99), not s(e4,rpa(r3,read,o1),01/12/99)
|
success



It should be clear that, at 01/12/99, all of the negated subgoals in the
SLDNF-derivation succeed since: Sue’s membership of the role r2 has not been
ended by a revocation; the read permission on o1 has not been revoked for role
r3; Sue’s assignment to r2 has not been stopped as a result of the expiration of a
period of time for which she was assigned to r2; and the assignment of the read
permission on o1 for role r3 has not expired by 01/12/99.

In contrast, on 20/12/99 the read permission on o1 expires for role r3,
and, thereafter, Sue does not inherit this permission from another role in the
role hierarchy for T_1. As such, she is unable to read o1 on 21/12/99 (say). In
terms of SLDNF-resolution, the subtree for ← s(e4,rpa(r3,read,o1),21/12/99) on
TRBAC_1(T_1) has an SLDNF-refutation, and hence ← p(access(sue,read,o1),
21/12/99) is finitely failed. □
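The derivation above, and the persistence reasoning of the SEC (Section 3) that C1 specialises, can be reproduced mechanically. The following is an added Python example, not the paper's code and not an XSB implementation: it encodes the core axioms C1 to C5, the initiates and terminates rules A1 to A4 together with the “write implies read” initiates rule, the d-s facts of Section 2, and the authorization history H (plus event e1) as plain data, and evaluates permitted(access(U,P,O),T) at DAY granularity. Instead of a bare yes/no it returns the pair of initiating events that justifies a grant, which is the audit record a reviewer of such a system wants. The dictionary-of-events representation, the `day` helper for the paper's dd/mm/yy dates, and the use of `date.max` for the max chronon are assumptions of the example.

```python
from datetime import date, datetime


def day(text):
    """Parse the paper's dd/mm/yy dates (assumption: two-digit years, day granularity)."""
    return datetime.strptime(text, "%d/%m/%y").date()


MAX = date.max  # stands in for the paper's 'max' chronon

# Constructed authorization history: event e1 and the history H of Section 4,
# one record per security event description.
EVENTS = {
    "e1": {"time": day("01/09/99"), "act": "ura", "user": "bob", "role": "r1", "stop": MAX},
    "e2": {"time": day("10/09/99"), "act": "rpa", "role": "r1", "object": "o1",
           "permission": "write", "stop": MAX},
    "e3": {"time": day("20/09/99"), "act": "ura", "user": "jim", "role": "r3", "stop": MAX},
    "e4": {"time": day("03/10/99"), "act": "rpa", "role": "r3", "object": "o1",
           "permission": "read", "stop": day("20/12/99")},
    "e5": {"time": day("10/11/99"), "act": "ura", "user": "sue", "role": "r2",
           "stop": day("31/01/00")},
    "e6": {"time": day("03/12/99"), "act": "revokeura", "user": "jim", "role": "r3"},
}
# d-s facts of Section 2
D_S = {("r1", "r2"), ("r2", "r3"), ("r2", "r4"), ("r3", "r5"), ("r4", "r5")}


def senior_to(d_s):
    """Reflexive transitive closure of d-s (the senior-to clauses of Section 2)."""
    closure = {(r, r) for pair in d_s for r in pair} | set(d_s)
    while True:
        new = {(a, c) for (a, b) in d_s for (b2, c) in closure if b == b2}
        if new <= closure:
            return closure
        closure |= new


def initiates(e):
    """A1, A2 and 'write implies read': the relationships event e initiates."""
    ev = EVENTS[e]
    if ev["act"] == "ura":
        return {("ura", ev["user"], ev["role"])}
    if ev["act"] == "rpa":
        rels = {("rpa", ev["role"], ev["permission"], ev["object"])}
        if ev["permission"] == "write":
            rels.add(("rpa", ev["role"], "read", ev["object"]))
        return rels
    return set()


def terminates(e):
    """A3, A4: the relationships event e terminates."""
    ev = EVENTS[e]
    if ev["act"] == "revokeura":
        return {("ura", ev["user"], ev["role"])}
    if ev["act"] == "revokerpa":
        return {("rpa", ev["role"], ev["permission"], ev["object"])}
    return set()


def ended(rel, t, t_init):
    """C2/C3: a terminating event for rel happened strictly between t_init and t."""
    return any(rel in terminates(e) and t_init < EVENTS[e]["time"] < t for e in EVENTS)


def stopped(e, t):
    """C4/C5: the stop time recorded with event e is strictly earlier than t."""
    return "stop" in EVENTS[e] and EVENTS[e]["stop"] < t


def permitted(u, p, o, t):
    """C1: the witness (E1, R1, E2, R2) that grants access(U,P,O) at T, else None."""
    senior = senior_to(D_S)
    for e1, ev1 in EVENTS.items():
        if not ev1["time"] < t:                       # T1 < T
            continue
        for rel1 in initiates(e1):
            if rel1[:2] != ("ura", u) or ended(rel1, t, ev1["time"]) or stopped(e1, t):
                continue
            r1 = rel1[2]
            for e2, ev2 in EVENTS.items():
                if not ev2["time"] < t:               # T2 < T
                    continue
                for rel2 in initiates(e2):
                    if (rel2[0] == "rpa" and rel2[2:] == (p, o)
                            and (r1, rel2[1]) in senior
                            and not ended(rel2, t, ev2["time"]) and not stopped(e2, t)):
                        return (e1, r1, e2, rel2[1])
    return None


if __name__ == "__main__":
    for (u, p, o, d) in [("sue", "read", "o1", "01/12/99"), ("sue", "read", "o1", "21/12/99"),
                         ("jim", "read", "o1", "04/12/99"), ("bob", "read", "o1", "01/12/99")]:
        print(u, p, o, d, "->", permitted(u, p, o, day(d)))
```

Two boundary cases are worth noticing, because they follow from the strict inequalities in C1 to C5 rather than from the history: an assignment only becomes effective strictly after its happens time (Sue cannot read o1 on 10/11/99 itself), and a stop time or revocation only takes effect strictly after its time point, so at DAY granularity Jim can still read o1 on 03/12/99, the day of his revocation, and Sue on 20/12/99, the day the read permission for r3 expires. This is one reason the paper expects a much finer time granularity than DAY in practice.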



We have used SLDNF-resolution in our example of access request checking 
since (being the standard procedural semantics for PROLOG) it is the best- 
known proof method for query evaluation on TRBAC_1 theories. Moreover, the 
constraint checking methods we refer to in the next section are SLDNF-based. 
We have also used Clark's completion in our discussion since this is the stan- 
dard declarative semantics for SLDNF-resolution, and is used to define integrity 
constraint satisfaction. It should be clear, however, that other declarative or pro- 
cedural semantics may be used instead of completion and SLDNF-resolution. In 
fact, XSB is used in implementations of our approach. Hence, instead of 
using SLDNF-resolution and Clark's completion, SLG-resolution may be used 
to evaluate permitted queries and to compute the well-founded partial model of 
a TRBAC_1 theory. 

Since TRBAC_1 theories satisfy the bounded-term-size property, SLG-resolution 
is guaranteed to terminate for such theories [7]. Moreover, from 
the results in [7], SLG-resolution is sound and search space complete, with re- 
spect to the well-founded model of a TRBAC_1 theory, for all non-floundering 
queries. The problem of incompleteness due to floundering does not arise in any 
instance of our example TRBAC_1 theory since every clause is range-restricted 
and permitted queries on a TRBAC_1 theory are only ever positive. 

Every instance of our example TRBAC_1 theory is also locally stratified. The 
well-founded model of a TRBAC_1 theory is total in this case, and equivalent 
to both the perfect model and the unique 2-valued stable model of the theory. 
Having a total semantics is important (especially if a closed access policy [3] is to 
be adopted) since every ground instance of permitted(access(U,P,O),T) should 
be either true or false (but not both) in a TRBAC_1 theory. 

In addition to its attractive soundness, completeness and termination proper- 
ties, SLG-resolution is a particularly efficient method of computation to use with 
TRBAC_1 theories. Since TRBAC_1 theories are function-free, SLG-resolution has 
polynomial time data complexity for evaluating ← permitted(access(U,P,O),T) 
queries [7]. Moreover, since our TRBAC_1 theories are locally stratified, SLG is 
more efficient than it is for computation on arbitrary function-free logic pro- 
grams, since the number of transformation rules required to generate answer 
clauses is reduced from that required in the general case. 

6 Integrity Constraints and TRBAC Theories 

Integrity constraints have been suggested to be a principal motivation for RBAC 
[?]. Constraints are necessary for expressing high-level organizational policy and 
general security principles. In this section we consider how constraints on RBAC 
security models may be represented in clausal form logic, and how they may 
be checked by using SLDNF-based methods whenever changes are made to the 
application-specific information contained in an RBAC (or TRBAC) theory. We 
believe that clausal form logic satisfies the fundamental criteria, identified in [?], 
which candidate languages for constraint representation in RBAC must satisfy: 
that they have a well-defined formal semantics, and are sufficiently powerful to 
represent the wide range of constraints which are likely to need to be specified 
on realistic RBAC theories. 

Whilst RBAC_2 models permit integrity constraints to be expressed, we will 
consider the more general case of RBAC_3. The latter permits RBAC security 
theories to include both integrity constraints and role hierarchies. Moreover, 
since TRBAC_3 subsumes RBAC_3 we will only refer to the former. Henceforth, 
we will denote an arbitrary TRBAC_3 security theory, R, by TRBAC_3(T_1). 

Integrity constraints may be expressed in denial form, viz. ← L1,L2,...,Ln 
(where Li, i = 1..n, is a literal). The denial ← L1,L2,...,Ln may be read as 
stating that it is impossible for the conjunction of literals L1,L2,...,Ln to be 
simultaneously "true" in a TRBAC security theory. For instance, the denial 
← d-s(R1,R2), d-s(R2,R1), R1 ≠ R2 represents the constraint that it is impossible 
for a TRBAC_3 theory to include a set of d-s facts which record that role R1 is 
senior to R2 and R2 is senior to R1 (where R1 and R2 are distinct roles). A set 
of integrity constraints, IC, on TRBAC_3(T_1) is satisfied iff comp(TRBAC_3(T_1)) 
∪ IC is consistent. 

Notice that, since denials may be expressed using constants or variables, it 
is possible for a SA to make the constraints on a TRBAC_3 theory as specific 
or as general as is required. However, we believe that the constraints should be 
written in their most general form, and should be specialized as need be by 
including instances of application-specific assertions in a TRBAC_3 theory. 

To illustrate what is involved in the representation of constraints on a 
TRBAC 3 theory, we consider the specification of two fundamental types of 
RBAC constraint: static separation of duties (ssd) and dynamic separation of 
duties (dsd). A ssd constraint prevents a user being recorded in a security the- 
ory as being assigned to any pair of roles which are specified as being mutually 
exclusive (i.e. statically separated). A dsd constraint prevents a user being active 
in a pair of roles, specified as being dynamically separated, at the same point in 
time. 

To specify an ssd constraint, a SA will include ground instances of a binary 
relation ssd(R1,R2) in a TRBAC_3 theory (where R1 and R2 are distinct roles 
from the domain defined by Role(X)). More specifically, if r_i and r_j (i ≠ j) are 
instances of roles (where r_i, r_j ∈ Role(X)) and are to be specified as being stat- 
ically separated then a SA will include the assertions ssd(r_i,r_j) and, because 
of the symmetry of the ssd relation, ssd(r_j,r_i) in a TRBAC_3 theory. The ssd 
constraint can then be specified thus (where currenttime(T) is used to extract 
the "current time" from the system clock): 

← currenttime(T), happens(E1,T1), T1 < T, act(E1,ura), user(E1,U), role(E1,R1), 
  happens(E2,T2), T2 < T, act(E2,ura), user(E2,U), role(E2,R2), 
  E1 ≠ E2, ssd(R1,R2), stop(E1,T3), stop(E2,T4), T < T3, T < T4 

The ssd constraint will be checked each time an attempt is made to insert 
an event description involving ura(U,R) into an authorization history. 

Similarly, to specify a dsd constraint a SA will include dsd(r_i,r_j) and, due to 
the symmetry of dsd, dsd(r_j,r_i) (i ≠ j) assertions for any pair of roles r_i and r_j 
(r_i, r_j ∈ Role(X)) which are to be recorded as being dynamically separated in a 
TRBAC_3 theory. The dsd constraint can then be specified thus: 

← initiates(E1,active(U,R1),T1), initiates(E2,active(U,R2),T2), dsd(R1,R2), T1 < T2 

The dsd constraint will be checked whenever an initiates(E,active(U,R),T) fact is 
dynamically inserted into a TRBAC_3 theory after a user U's request to activate 
a role R has been determined to be authorized. 
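The two denials above, as an added Python example that is not part of the paper. The ssd check runs when a ura event is inserted and the dsd check when an initiates(E,active(U,R),T) fact is inserted, as the text prescribes; the role names, the event store and the decision to roll back a rejected update are this example's own assumptions.

```python
# Added example (not Barker's own code): the ssd and dsd denials above,
# evaluated in Python at the moment an update is attempted.  The role names,
# the event store and the rollback-on-violation behaviour are assumptions
# of this example.
from dataclasses import dataclass, field
from datetime import date, datetime


@dataclass(frozen=True)
class UraEvent:
    """happens(E,T1), act(E,ura), user(E,U), role(E,R), stop(E,T3)."""
    event: str
    user: str
    role: str
    happens: date
    stop: date          # the assignment lapses at this time


@dataclass
class Theory:
    ssd: set = field(default_factory=set)            # ssd(R1,R2) facts (kept symmetric)
    dsd: set = field(default_factory=set)            # dsd(R1,R2) facts (kept symmetric)
    history: list = field(default_factory=list)      # UraEvent records
    activations: list = field(default_factory=list)  # (E, U, R, T) for initiates(E,active(U,R),T)


def separate(rel, r1, r2):
    """Record r1/r2 as mutually exclusive in both orders, as the SA would."""
    rel.add((r1, r2))
    rel.add((r2, r1))


def ssd_violations(theory, now):
    """Ground instances of the ssd denial at currenttime(T) = now."""
    found = []
    for e1 in theory.history:
        for e2 in theory.history:
            if e1.event == e2.event or e1.user != e2.user:      # E1 != E2, same U
                continue
            if not (e1.happens < now and e2.happens < now):     # T1 < T, T2 < T
                continue
            if not (now < e1.stop and now < e2.stop):           # T < T3, T < T4
                continue
            if (e1.role, e2.role) in theory.ssd:                # ssd(R1,R2)
                found.append((e1.event, e2.event))
    return found


def insert_ura(theory, ev, now):
    """Attempt to add a ura event; reject (and roll back) if ssd is violated."""
    theory.history.append(ev)
    if ssd_violations(theory, now):
        theory.history.pop()
        return False
    return True


def dsd_violated(theory, user, r2, t2):
    """The dsd denial: an earlier activation of a role dynamically separated from r2."""
    return any(u == user and (r1, r2) in theory.dsd and t1 < t2
               for (_, u, r1, t1) in theory.activations)


def activate_role(theory, event, user, role, t):
    """Insert initiates(E,active(U,R),T) unless the dsd denial would fire."""
    if dsd_violated(theory, user, role, t):
        return False
    theory.activations.append((event, user, role, t))
    return True


def demo():
    """Constructed scenario; returns the outcome of each attempted update."""
    th = Theory()
    separate(th.ssd, "cashier", "auditor")
    separate(th.dsd, "submitter", "approver")
    now = date(1999, 6, 2)
    r1 = insert_ura(th, UraEvent("e1", "sue", "cashier", date(1999, 1, 1), date(1999, 12, 31)), now)
    r2 = insert_ura(th, UraEvent("e2", "sue", "auditor", date(1999, 6, 1), date(1999, 12, 31)), now)
    # An auditor assignment that has already lapsed is not live, so ssd does not fire.
    r3 = insert_ura(th, UraEvent("e3", "sue", "auditor", date(1999, 3, 1), date(1999, 4, 1)), now)
    r4 = activate_role(th, "a1", "sue", "submitter", datetime(1999, 6, 2, 9, 0))
    r5 = activate_role(th, "a2", "sue", "approver", datetime(1999, 6, 2, 10, 0))
    r6 = activate_role(th, "a3", "bob", "approver", datetime(1999, 6, 2, 10, 5))
    return (r1, r2, r3, r4, r5, r6)


if __name__ == "__main__":
    print(demo())   # (True, False, True, True, False, True)
```

The T < T3 and T < T4 conditions are what make the third insertion acceptable: an assignment whose period has already lapsed is not a live instance of the denial, which is exactly the temporal refinement TRBAC adds to a plain RBAC ssd check.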
A variety of SLDNF-based methods may be used for constraint checking on 
TRBAC_3 theories (e.g. [?]), and have attractive technical properties for such 
theories. For instance, the SLIC (Selection-driven Linear resolution procedure for 
Integrity Checking) method from [9] is sound, and shares the same completeness 
results as SLDNF-resolution. On the latter point, the argument we gave in the 
previous section can be extended to give a completeness result for SLIC used for 
constraint checking on a TRBAC_3 theory. Note also that, from the results in [9], 
since all (realistic) TRBAC_3 theories are confined, termination of (fair) SLIC is 
guaranteed. Moreover, since constraint checks will predominantly involve using 
ground assertions and since none of the axioms in C ∪ A are involved in testing 
for constraint violations, it follows that constraint checking can be efficiently 
performed on a proper subset of a TRBAC_3 theory. 



7 Conclusions and Further Work 

We have shown how a range of TRBAC (and hence RBAC) security models 
can be represented as logic programs and how proof methods used in logic pro- 
gramming can be used to decide whether a user’s requests to access data items 
are authorized or not. We have also demonstrated that it is possible to rep- 
resent and to enforce high-level security requirements expressed via integrity 
constraints written in clausal form logic. Since DAC and MAC security poli- 
cies are special cases of RBAC, it follows that logic programming may be used 
to represent security theories with temporal authorizations which are based on 
any of the three main classes of access policy. Our approach also provides a SA 
with a general methodology which may be used to develop a range of TRBAC 
security models. This methodology involves extracting user requirements and 
formulating them as a security specification written in clausal form logic, then 
translating this specification into an implementation which enables access re- 
quests to be determined to be authorized (or not) by theorem-proving on the 
resulting theory. 

Whilst the expressive power of normal clause logic is important for enabling 
a wide range of security requirements to be specified, in further work we want to 
investigate sublanguages and special purpose implementations which might en- 
able realistic security theories to be expressed, but which may be more efficient 
to compute with. In future work, we also intend to investigate the specification 
and implementation of large-scale TRBAC models with a commercial organiza- 
tion, and how the work presented in this paper can be combined with our recent 
work on deductive database security [4]. 



1314 Steve Barker 



References 

1. Abiteboul, S., Hull, R., and Vianu, V., Foundations of Databases, Addison- Wesley, 
1995. 

2. Apt, K., Blair, H., and Walker, A., Towards a theory of declarative knowledge, 
in J. Minker (Ed.), Foundations of Deductive Databases and Logic Programming, 
Morgan-Kaufmann, 1988. 

3. Barker, S., Security policy specification in logic. International Conference on Arti- 
ficial Intelligence, 2000. 

4. Barker, S., Protecting deductive databases from unauthorized retrievals. To Appear. 

5. Bertino, E., Bettini, C., Ferrari, E., and Samarati, P., A temporal access control 
mechanism for database systems, IEEE Trans. on KDE, 8(1), 1996. 

6. Castano, S., Fugini, M., Martella, G., and Samarati, P., Database Security, Addison- 
Wesley, 1994. 

7. Chen, W., Swift, T., and Warren, D., Efficient top-down computation of queries 
under the well-founded semantics, JLP, 24, 1995. 

8. Clark, K., Negation as failure, in H. Gallaire and J. Minker (Eds), Logic and 
Databases, Plenum, 1978. 

9. Decker, H., and Celma, M., A slick procedure for integrity checking in deductive 
databases, ICLP, 1994. 

10. Eshghi, K., Abductive planning with the event calculus, ICLP, 1988. 

11. Griffiths, P. P., and Wade, B. W., An authorization mechanism for relational 
database systems, ACM TODS, 1(3), 1976. 

12. Jajodia, S., Samarati, P., Subrahmanian, V., and Bertino, E., A unified framework 
for enforcing multiple access control policies, in Proc. ACM SIGMOD International 
Conference on Management of Data, 1997. 

13. Kowalski, R., Database updates in the Event Calculus, JLP, 12, 1992. 

14. Kuhn, D. R., Mutual exclusion of roles as a means of implementing separation of 
duty in role-based access control systems, Proc. 2nd ACM Workshop on Role-Based 
Access, 1997. 

15. Kunen, K., Signed data dependencies in logic programs, JLP, 7, 1989. 

16. Lloyd, J., Foundations of Logic Programming, Springer, 1987. 

17. Sadri, F. and Kowalski, R., Variants of the event calculus, ICLP, 1995. 

18. Sadri, F. and Kowalski, R., A theorem-proving approach to database integrity 
in Foundations of Deductive Databases and Logic Programming, J. Minker (Ed.), 
Morgan-Kaufmann, 1988. 

19. Sandhu, R., Coyne, E., Feinstein, H., and Youman, C., Role-Based access control: 
a multi-dimensional view, Proc. 10th Annual Computer Security Applications Conf., 
1994. 

20. Sandhu, R., Coyne, E., Feinstein, H., and Youman, C., Role-Based access control 
models, IEEE Computer, 1996. 

21. Sagonas, K., Swift, T., Warren, D., Freire, J., Rao, P., The XSB System, Version 
2.0, Programmer's Manual, 1999. 

22. Shepherdson, J., Negation as failure, completion and stratification in D. Gabbay 
et al. (Eds), Handbook of Logic in AI and Logic Programming, Volume 5, Logic 
Programming, Oxford, 1997. 




A Deterministic Shift-Reduce Parser Generator 
for a Logic Programming Language 



Chuck Liang 

Department of Computer Science, Trinity College 
300 Summit St., Hartford, CT 06106-3100, USA 
chuck.liang@mail.trincoll.edu 



Abstract. This paper addresses efficient parsing in the context of log- 
ical inference for the purpose of using logic programming languages in 
compiler writing. A bottom-up, deterministic parsing mechanism is for- 
mulated for "bounded right context" grammars, a subclass of LR(k) 
grammars with characteristics amenable to declarative parser specifica- 
tion. A working parser generator for λProlog is described, although the 
basic parsing mechanism is applicable to logic programming in general. 



1 Introduction 



The overall aim of this paper is to use logic programming as a practical instru- 
ment for compiler writing and other activities concerning programming lan- 
guages and systems. Many declarative methods in logic programming (e.g., 
higher order abstract syntax) have been developed for the representation and 
analysis of programming language constructs. However, logic programming is 
still not as widely used as conventional languages in compiler writing. One rea- 
son for this has been the lack of general and efficient parsing schemes. Parsing 
in Prolog has traditionally focused on a range of issues broader than program- 
ming languages (e.g., natural language processing). In such a context, generality 
often takes precedence over determinism. The well-known definite clause gram- 
mars (DCG, [?]) have a wide range of application. In a system using depth-first 
proof search, however, DCGs represent a top-down, recursive-descent parsing 
mechanism that suffers from non-determinism and non-termination. Some of 
these problems are alleviated by alternative implementations and optimization 
techniques of logic programming. They alone, however, cannot replace all effi- 
cient parsing strategies, such as the use of lookahead symbols and precedence 
functions. Although DCGs have been used in compiler writing, extensive gram- 
mar specialization and other techniques are generally required (e.g. to deal with 
left-recursion and associativity) before syntax can be parsed deterministically. 

Bottom-up parsing in Prolog has also been studied. In fact, shift-reduce pars- 
ing of any context free grammar can be formulated by the following pair of rules 
(which are meant to be read bottom-up): 

     αt ◁ w                        αA ◁ w
   ---------- Shift     and      ---------- Reduce   (A → γ is a production)
     α ◁ tw                        αγ ◁ w



J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1315–…, 2000. 
© Springer-Verlag Berlin Heidelberg 2000 
The ◁ symbol separates the parse stack from the remaining input; α and w 
are schematic variables representing sequences of symbols.¹ These rules can be 
directly encoded as Horn Clauses with the bottom sides at the head of each 
clause. However, this "universal parser" will behave non-deterministically for all 
but the simplest grammars. Similar formulations of Earley's Algorithm also exist 
(see [?]). Even LR-style parsing in Prolog has some precedents (e.g., [?]). 

The aims of most such efforts, however, are again not specific to compiler con- 
struction (with the noted exception of [?]; see Section [?] for further discussion). 
As a consequence, these works are usually not concerned with the exact non- 
deterministic choice points of a grammar, namely reduce-reduce and shift-reduce 
conflicts. For example, in [?] non-determinism was intentionally preserved in 
order to process a larger class of logic programs. Unambiguous parser generation 
as required in compiler writing requires that non-deterministic choice points be 
identified and resolved. 

One obvious solution to providing a deterministic parser for logic program- 
ming would be to directly implement the LR parsing algorithms described in 
compiler texts using brute-force methods. Such an approach, however, would de- 
rive few advantages from the use of logic programming, and the resulting parser 
would bear little resemblance to its declarative grammar. Furthermore, this type 
of approach may not necessarily preserve all the advantages of LR parsing (e.g., 
"fast table lookup" may have no meaning). Declarative programming is better 
suited for implementing deductive systems, and would benefit from studies of 
parsing in this context. 

In this paper we reconsider a class of context free grammars that are closely 
related to LR grammars and are likewise capable of describing all determinis- 
tic context-free languages. These grammars exhibit characteristics that can be 
used to formulate a parsing strategy in the framework of logical inference. The 
inference rules for these parsers are specialized versions of the two basic “shift 
and reduce” rules above. However, they will be deterministic in the sense that at 
most one rule is applicable at any time, and linear in the sense that every rule has 
at most one recursive premise. They are also terminating. Efficient shift-reduce 
parsing is thus manifested as logic programming. 



2 Bounded Right Context and LR Grammars 

The type of grammar we consider suitable for formulating deterministic parsing 
as deduction is known as bounded right context (BRC) grammars, introduced 
by Floyd [?]. The principal characteristic of a BRC grammar is that the unique 
"handle" of a bottom-up, rightmost derivation step can be determined by looking 
ahead some k symbols to the right (the remaining input), and looking back 
some l symbols to the left (the stack). The better known LR(k) grammars also 
require lookaheads of k symbols to the right, but look back at the entire stack. 
Implementations of LR parsers rely on deterministic finite state machines to keep 
track of stack contents. All BRC grammars are also LR grammars and all LR 
grammars have BRC equivalents that recognize the same language (see [?]). 
The essential difference between BRC grammars and LR grammars that are not 
already BRC can be illustrated by the following LR(0) grammar: 

   S → aA | bB 
   A → (A) | x 
   B → (B) | x 

A "reduce-reduce" conflict would exist between A → x and B → x unless one 
keeps track of whether an 'a' or a 'b' was the first symbol read. This is the 
critical information maintained by the LR(0) state machine of this grammar. 
An equivalent BRC grammar, preserving the distinction between A and B, can 
be given as follows: 

   S → aA | bB 
   A → (A) | x 
   B → PB) | x 
   P → ( 

That is, by looking back one symbol to the left, one can now determine the same 
"state" information, which is now carried by the non-terminal symbol P. State 
machine generation for this grammar can be avoided. 

¹ The representation of parsers in the style of logical inference rules was introduced 
in [?]. 

Because BRC grammars are subsumed by the larger LR class, their devel- 
opment as a tool for parser specification was apparently halted. It is not our 
intention here to compete with other parsing algorithms, except we note that 
most implementations of LR parsing are also restricted to subclasses (SLR and 
LALR). Our reason for resurrecting the BRC subclass is that the trade-off they 
offer compared to general LR grammars is a positive one in the context of logic 
programming. Due to the lack of arrays, pointers and mutable variables, the 
computation of state information necessary for efficient LR parsing is precisely 
the kind of programming that many current declarative languages are not best 
suited for. Logic programming is better suited for the specification of deductive 
systems. The simplification afforded by BRC grammars can be used to formu- 
late deterministic parsing as such a system, one that can take advantage of the 
declarative syntax and unification capabilities of logic programming. 

An indication of the practical suitability of BRC grammars for use in compil- 
ing is that every LR grammar that appears in the most popular compiler texts 
(including [?] and [?]) is in fact also a BRC grammar. When required, the modi- 
fications needed to form BRC grammars from LR grammars are usually few and 
similar to that of the above example (a more practical example is given in Sec- 
tion 3.2). General algorithms for translating LR grammars into BRC equivalents 
also exist (see [?]). We shall also introduce a simplification of BRC grammars 
that also suffices for most parsing needs in Section [?]. 
3 Formal Definitions 

The following technical presentation assumes a basic familiarity with bottom-up 
parsing concepts such as provided in compiler texts (e.g. [?]). A more detailed 
introduction to the theory of deterministic languages and parsing can be found 
in [?]. We briefly state some basic definitions. 

A context-free grammar is a tuple (V, Σ, P, S), where V represents a finite set 
of grammar symbols and Σ ⊆ V a set of "terminal" symbols. P is a finite set of 
"productions" of the form A → γ where A ∈ N = V − Σ (the non-terminals) and 
γ ∈ V*. S ∈ N is the designated "start symbol." A rightmost derivation step is 
of the form αAw ⇒_r αβw where α ∈ V*, w ∈ Σ* and A → β ∈ P. Derivations 
in arbitrary numbers of steps are represented by ⇒_r* and ⇒_r+. If γ ⇒_r* ε, the 
empty sequence, then γ is said to be nullable. We also confine our discussion 
to reduced context-free grammars where for all A ∈ V, S ⇒_r* αAβ ⇒_r* w 
such that w ∈ Σ*. In other words, all grammar symbols are reachable from the 
start symbol and every symbol derives a sequence of terminal symbols. We also 
exclude grammars where A ⇒_r+ A is possible for any non-terminal A. Reduced 
grammars allowing such derivations are necessarily ambiguous. 

If S ⇒_r* γ then γ is a right sentential form of the grammar. If S ⇒_r* αAw 
and αAw ⇒_r αβw then any prefix of αβ is a viable prefix, and A → β is called 
the handle of αβw at position αβ. The handle identifies which production to 
apply in reverse (and where) in a bottom-up, rightmost derivation. 

Let last_l(γ) be the length-l suffix of γ (or γ itself if γ contains fewer than l symbols), 
and let first_k(γ) be defined in the usual way: the set of length-k prefixes of 
terminal sequences derivable from γ (or length k' < k sequences if γ derives 
a string of length k'). Formally, a context free grammar (V, Σ, P, S) is of type 
BRC(l, k) if the following condition holds (from [?]): 

1. S ⇒_r* αAw ⇒_r αβw, 

2. S ⇒_r* α₂A₂w₂ ⇒_r α₂β₂w₂ = σβu such that σβ is a prefix of α₂β₂, and 

3. first_k(w) = first_k(u) and last_l(α) = last_l(σ) 

implies 

A → β = A₂ → β₂ and α₂β₂ = σβ. 

If we restrict the preconditions of the definition so that α = σ (which would 
also make redundant the "lookback" condition last_l(α) = last_l(σ)), then this 
definition would be equivalent to that of LR(k) grammars ([?]). Thus it is 
easy to see why every BRC(l, k) grammar is immediately an LR(k) grammar. 
Furthermore, BRC grammars are capable of generating the same set of languages 
as LR grammars, namely all deterministic context-free languages ([?]). In 
particular, every LR(k) grammar has an equivalent BRC(1, k) grammar and 
every deterministic language has a BRC(1, 1) grammar. Our formulation below, 
however, is generalized to BRC(l, k) grammars. 
3.1 Valid Handles and Inference Rules 

The intended meaning of a shift-reduce parsing judgement of the form α ◁ w, 
seen in Section 1, is that α is a viable prefix of right sentential form αw of the 
grammar under consideration. α will be used to represent a sequence of grammar 
symbols and w a sequence of terminal grammar symbols. 

The symmetrical nature of BRC grammars suggests that we augment each 
grammar with an implicit production S' → $₀S$₁, where $₀ and $₁ are unique 
symbols representing "begin of file" and "end of file" respectively. The $₀ symbol 
ensures that lookback sequences are never empty. 

We define a contexted handle of a grammar to be a triple (β_l, A → γ, a_k) such 
that A → γ is a production, β_l is either l grammar symbols or l' < l symbols 
beginning with $₀, and a_k is either k terminal symbols or k' < k terminal 
symbols ending in $₁. Contexted handles (with fixed l and k) are "valid" if they 
satisfy the following: 

Definition 1. (Valid (l, k) Handles) 

Given a grammar (V, Σ, P, S) augmented with S' → $₀S$₁, 

1. ($₀, S → γ, $₁) is a valid handle for each production S → γ. 

2. if (β_l, A → σBγ, a_k) is a valid handle, β'_l = last_l(β_lσ), and a'_k ∈ first_k(γa_k), 
then (β'_l, B → ρ, a'_k) is a valid handle for each production B → ρ. 

We emphasize that unlike first_k, last_l need not be a set since the lookback may 
contain non-terminal as well as terminal symbols. 

Valid handles characterize the right sentential forms of a grammar up to a 
"bounded context," as formalized by the following lemma (it's implied here that 
α = ε if β_l begins with $₀, and analogously for w): 

Lemma 2. (β_l, A → γ, a_k) is a valid (l, k) handle of a grammar if and only if 
S' ⇒_r* αβ_lAa_kw for some α ∈ V* and w ∈ Σ*. 

Proof: by induction on the length of rightmost derivations and the definition of 
valid handles. □ 

The computation of valid handles is similar to the computation of the "fol- 
low" set described in compiler texts, except that the left and right contexts of 
non-terminal symbols are kept track of simultaneously. That is, we can compute 
the handles by starting with ($₀, S → γ, $₁) and following the above inductive def- 
inition until a closure is formed (the computation is also bounded by l, k and 
the number of productions and symbols in the grammar). We shall describe the 
formation of valid handles further in Section [?]. 
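The closure just described, as an added example in Python (this is not the paper's parser generator, which is written for λProlog): it computes the valid (l, 1) handles of a grammar from Definition 1, with first_1 and nullability obtained as fixpoints. The grammar encoding and helper names are this example's own, and the grammar it is run on is the four-production one with A → c and B → c that the examples below use.

```python
# Added example (not from Liang's paper): computing the valid (l, 1) handles
# of a grammar by the closure of Definition 1.  Grammar encoding, symbol
# names and helper names are this example's own choices.
BOS, EOS = "$0", "$1"   # the paper's $0 ("begin of file") and $1 ("end of file")


def nullable_symbols(prods):
    """Non-terminals that derive the empty sequence (fixpoint iteration)."""
    nullable = set()
    changed = True
    while changed:
        changed = False
        for lhs, rhs in prods:
            if lhs not in nullable and all(x in nullable for x in rhs):
                nullable.add(lhs)
                changed = True
    return nullable


def first1(seq, first, nullable):
    """first_1(seq): terminals that can begin a terminal string derived from seq."""
    out = set()
    for x in seq:
        out |= first.get(x, {x})    # a terminal (or $1) is its own first set
        if x not in nullable:
            break                   # later symbols cannot contribute
    return out


def first_sets(prods, nullable):
    """first_1 of every non-terminal, as a least fixpoint."""
    first = {lhs: set() for lhs, _ in prods}
    changed = True
    while changed:
        changed = False
        for lhs, rhs in prods:
            new = first1(rhs, first, nullable)
            if not new <= first[lhs]:
                first[lhs] |= new
                changed = True
    return first


def last_l(seq, l):
    """last_l: the length-l suffix (shorter if seq is shorter)."""
    return tuple(seq[-l:]) if l > 0 else ()


def valid_handles(prods, start, l=1):
    """Closure of Definition 1 with k = 1.  A handle is the triple
    (beta_l, (A, gamma), a_1): lookback tuple, production, lookahead."""
    nonterms = {lhs for lhs, _ in prods}
    nullable = nullable_symbols(prods)
    first = first_sets(prods, nullable)
    # Clause 1: ($0, S -> gamma, $1) for each start production.
    handles = {((BOS,), (start, rhs), EOS) for lhs, rhs in prods if lhs == start}
    worklist = list(handles)
    while worklist:
        beta, (_, gamma), a = worklist.pop()
        # Clause 2: for each A -> sigma B rest with B a non-terminal ...
        for i, B in enumerate(gamma):
            if B not in nonterms:
                continue
            sigma, rest = gamma[:i], gamma[i + 1:]
            beta2 = last_l(beta + sigma, l)                  # beta'_l = last_l(beta_l sigma)
            for a2 in first1(rest + (a,), first, nullable):  # a'_1 in first_1(rest a_1)
                for lhs, rho in prods:                       # ... every B -> rho is a handle
                    if lhs != B:
                        continue
                    h = (beta2, (B, rho), a2)
                    if h not in handles:
                        handles.add(h)
                        worklist.append(h)
    return handles


# Constructed example: the BRC(1,1) grammar with A -> c and B -> c.
BRC11 = [("S", ("a", "A", "d")), ("S", ("a", "B", "e")),
         ("S", ("b", "A", "e")), ("S", ("b", "B", "d")),
         ("A", ("c",)), ("B", ("c",))]


def reduce_handles(prods, start, l=1):
    """Handles for productions other than the start symbol's, sorted for display."""
    return sorted(h for h in valid_handles(prods, start, l) if h[1][0] != start)


if __name__ == "__main__":
    for beta, (A, gamma), a in reduce_handles(BRC11, "S"):
        print(f"({''.join(beta)}, {A} -> {''.join(gamma)}, {a})")
```

For BRC11 the closure yields the four start handles plus (a, A → c, d), (a, B → c, e), (b, A → c, e) and (b, B → c, d), which are exactly the lookback/lookahead pairs of the non-conflicting reduce rules shown in the examples below. The worklist is bounded because a handle is a triple drawn from finite sets, as the text notes.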

A grammar with a set of valid handles gives rise to a set of canonical inference 
rules as defined below. 
Definition 3. (Canonical Inference Rules) 

Given the valid (l, k) handles of a grammar: 

— The implicit production S' → $₀S$₁ yields two special rules: 

     $₀a ◁ a'_{k-1}w
   ------------------ Shift   (a a'_{k-1} ∈ first_k(S))          ---------- Accept
     $₀ ◁ a a'_{k-1}w                                            $₀S ◁ $₁

— For each valid handle (β_l, A → γ, a_k) there exists a rule 

     αβ_lA ◁ a_kw
   --------------- Reduce
     αβ_lγ ◁ a_kw

  There, α and w are schematic variables ranging over arbitrary sequences of 
  grammar symbols and terminal grammar symbols respectively. 

— For each valid handle (β_l, A → γ, a_k) where γ = G₁ ... G_n for G₁, ..., G_n ∈ 
  V and n ≥ 1, and for each i such that 1 ≤ i < n where G_{i+1} is not nullable, 
  there exists a rule² 

     αβ_lG₁ ... G_i a ◁ a'_{k-1}w
   ------------------------------ Shift   (a a'_{k-1} ∈ first_k(G_{i+1} ... G_n a_k))
     αβ_lG₁ ... G_i ◁ a a'_{k-1}w

  Here, if k = 0 (no lookahead) then the first_k side condition is omitted as 
  long as a ≠ $₁. If k = 1 (one lookahead) then, since G_{i+1} is non-nullable, 
  the side condition simplifies to a ∈ first(G_{i+1}). 



The first_k relation can be pre-computed so it is not necessarily a costly con- 
dition to verify (and if all shift rules are collapsed into one default rule in actual 
parser code, the first_k condition becomes unnecessary). 

Determinism of the canonical inference rules can be checked by pairwise 
unification of their bottom sides, which should share no common instance. For- 
mally, a reduce-reduce conflict between two distinct inference rules exists if they 
are of the forms 

     αβ_lA ◁ a_kw                         α'β'_lA' ◁ a_kw'
   --------------- Reduce      and      ------------------ Reduce
     αβ_lγ ◁ a_kw                         α'β'_lγ' ◁ a_kw'

such that αβ_lγ = α'β'_lγ' for some α and α'. This condition can be checked 
by unification where α and α' are free variables. For example, a reduce-reduce 
conflict exists between one rule having bottom side αaaA and another one having 
α'aA, since α' = αa is possible. 

Similarly, a shift-reduce conflict exists between any two rules of the forms 

     αβ_lA ◁ a a'_{k-1}w                      α'β'_lγ'a ◁ a'_{k-1}w'
   --------------------- Reduce     and     ------------------------ Shift
     αβ_lγ ◁ a a'_{k-1}w                      α'β'_lγ' ◁ a a'_{k-1}w'

if αβ_lγ = α'β'_lγ' for some α and α'. 

We say that a set of canonical inference rules is deterministic if there exist 
no shift-reduce or reduce-reduce conflicts. 

² It can be shown that G_{i+1} is nullable only if G_{i+1} ⇒_r* Bσ such that B → ε is a 
production and σ is nullable. But then the valid handles for B → ε will inherit the 
same lookback and lookahead symbols from G_{i+1}. Adding a shift rule at this point 
will thus result in a shift-reduce conflict with B → ε. 



3.2 Examples 

The correctness of this parsing scheme is addressed in Section 4, but first we give 
some examples of grammars and their encoding as bottom-up inference rules. 

The following simple grammar requires a single lookback symbol for deter- 
minism: 

   S' → $₀A$₁ 
   A → Aa | a 

This BRC(1, 0) (and thus LR(0)) grammar has the valid handles (the lookahead 
components are omitted): 

— ($₀, A → Aa) 

— ($₀, A → a) 

These in turn give rise to the following deterministic inference rules: 

     $₀A ◁ w              $₀A ◁ w              αt ◁ w             $₀t ◁ w
   ----------- Reduce   ---------- Reduce   --------- Shift   ---------- Shift   ---------- Accept
     $₀Aa ◁ w             $₀a ◁ w              α ◁ tw             $₀ ◁ tw          $₀A ◁ $₁

Without the lookback symbol $₀, there would exist a reduce-reduce conflict 
between the productions A → Aa and A → a. Note also that, since no lookaheads 
are needed, the shift rules need not consider which symbol is being shifted (as 
long as it's not $₁). 

The following grammar (with implicit production for S' omitted) requires 
both a lookback and a lookahead and is of type BRC(1, 1). The lack of either 
would lead to reduce-reduce conflicts between A → c and B → c and a non- 
deterministic parser: 

   S → aAd | aBe | bAe | bBd 
   A → c 
   B → c 

With both lookback and lookahead, non-conflicting reduce rules for the A and 
B productions are derived: 

     αaA ◁ dw          αaB ◁ ew          αbA ◁ ew          αbB ◁ dw
   -----------       -----------       -----------       -----------
     αac ◁ dw          αac ◁ ew          αbc ◁ ew          αbc ◁ dw



The final example shows where in the syntax of a programming language 
BRC grammars differ from general LR grammars. Consider a language with 
function definitions of the form function f(x) = ... and function calls of 
the form f(a). A possible source of conflict is that in the definition header x can 
only be an individual identifier, whereas in a function call a can be an arbitrary 
expression. A possible LR grammar for this syntax would be 

   F → function id(id) = E 
   E → id | E + T | (E) | ... 

Without the function keyword, a shift-reduce conflict would result when reading 
an identifier (id) inside parentheses. A BRC grammar would require the following 
modification: 

   F → G id) = E 
   G → function id( 
   E → id | E + T | (E) | ... 

The unique non-terminal symbol G allows inference rules to distinguish the 
appropriate context using a single lookback: 

     αGid) ◁ w                 α(E ◁ )w
   ------------ Shift        ----------- Reduce
     αGid ◁ )w                 α(id ◁ )w

This modification is essentially the same as for the example in Section 2, and 
all required modifications we have encountered are of this nature. Only two 
modifications of this type were required in defining a BRC grammar for an ex- 
perimental imperative language. Occasional grammar modifications, including 
such seemingly redundant productions, are sometimes also needed for the SLR 
and LALR simplifications of LR parsing. Users of any parser generator must be 
aware of the requirements of the underlying grammar formalism. 
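The examples above, rendered as an added Python program (not Liang's λProlog generator): the (1,1) handles of the second grammar drive a parser that applies a reduce rule when its bottom side matches the stack suffix and the lookahead, and otherwise applies the collapsed default shift rule; the reduce-reduce conflict test of Section 3.1 is then run on the same handles with the lookback removed. The handle table, the names, and the choice to check only reduce-reduce conflicts (a shift-reduce check needs first_k) are this example's assumptions.

```python
# Added example (not from Liang's paper): a deterministic shift-reduce parser
# driven by a table of valid (1,1) handles, plus the pairwise reduce-reduce
# conflict check of Section 3.1.  Names and the grammar encoding are this
# example's own; the handle table is the one the reduce rules above imply.
BOS, EOS = "$0", "$1"

# Valid (1,1) handles of the BRC(1,1) grammar above, written by hand.
# (lookback, (A, gamma), lookahead) stands for the reduce rule
#     alpha lookback A     <| lookahead w
#     -----------------------------------
#     alpha lookback gamma <| lookahead w
HANDLES_11 = [
    ((BOS,), ("S", ("a", "A", "d")), EOS), ((BOS,), ("S", ("a", "B", "e")), EOS),
    ((BOS,), ("S", ("b", "A", "e")), EOS), ((BOS,), ("S", ("b", "B", "d")), EOS),
    (("a",), ("A", ("c",)), "d"), (("a",), ("B", ("c",)), "e"),
    (("b",), ("A", ("c",)), "e"), (("b",), ("B", ("c",)), "d"),
]
# The same rules with the lookback dropped (l = 0): A -> c and B -> c can no
# longer be told apart when the lookahead is d (or e).
HANDLES_01 = [((), prod, a) for _, prod, a in HANDLES_11]


def bottom_side(handle):
    """beta_l gamma: the stack suffix on the rule's bottom side."""
    beta, (_, gamma), _ = handle
    return beta + gamma


def reduce_reduce_conflicts(handles):
    """Pairs of rules for distinct productions whose bottom sides unify: same
    lookahead, and one beta_l gamma a suffix of the other (alpha, alpha' free)."""
    found = []
    for i, h1 in enumerate(handles):
        for h2 in handles[i + 1:]:
            if h1[1] == h2[1] or h1[2] != h2[2]:
                continue
            b1, b2 = bottom_side(h1), bottom_side(h2)
            n = min(len(b1), len(b2))
            if b1[-n:] == b2[-n:]:
                found.append((h1, h2))
    return found


def is_deterministic(handles):
    return not reduce_reduce_conflicts(handles)


def reduce_applies(handle, stack, inp):
    """Does the rule's bottom side match the current stack and lookahead?"""
    beta, (_, gamma), a = handle
    bottom = beta + gamma
    return tuple(stack[-len(bottom):]) == bottom and inp[0] == a


def parse(handles, start, tokens):
    """Run the canonical rules forward: reduce when exactly one reduce rule
    matches, otherwise shift (the collapsed default shift rule); accept on
    $0 S <| $1.  Returns (accepted, trace of steps)."""
    stack, inp, trace = [BOS], list(tokens) + [EOS], []
    while True:
        if stack == [BOS, start] and inp == [EOS]:
            return True, trace
        matching = [h for h in handles if reduce_applies(h, stack, inp)]
        if len(matching) > 1:
            raise ValueError(f"reduce-reduce conflict at {stack} <| {inp}")
        if matching:
            _, (A, gamma), _ = matching[0]
            del stack[len(stack) - len(gamma):]
            stack.append(A)
            trace.append(f"reduce {A} -> {''.join(gamma)}")
        elif inp[0] != EOS:
            stack.append(inp.pop(0))
            trace.append(f"shift {stack[-1]}")
        else:
            return False, trace      # stuck: no rule applies


if __name__ == "__main__":
    print(is_deterministic(HANDLES_11), is_deterministic(HANDLES_01))
    print(parse(HANDLES_11, "S", "acd"))
```

On "acd" the parser shifts a and c, reduces c to A because the lookback a and lookahead d select the (a, A → c, d) rule, shifts d and reduces to S. With HANDLES_01 the same input reaches a state where both A → c and B → c match under lookahead d, which is precisely the conflict the text attributes to a missing lookback.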

4 Correctness 

The formal correctness of our deductive parsing mechanism consists of Lemma 
2 plus the following results. We use "deduction" to mean the application of a 
sequence of inference rules and "derivation" to mean rightmost derivations of 
grammar symbols. 

Lemma 4. If there is a deduction of α ◁ w from $₀S ◁ $₁ then α is a viable 
prefix and αw is a right sentential form of the grammar. 

Proof: by induction on the height of deductions, appealing to Lemma 2. □ 

Lemma 5. If S' ⇒_r* αAw, then there is a deduction from $₀S ◁ $₁ of αA ◁ w. 

Proof: by induction on the length of rightmost derivations, appealing to Lemma 
2. □ 




These "soundness and completeness" lemmas are better understood top- 
down, although they are meant to establish the correctness of a bottom-up 
parsing strategy, which is formalized by the following theorem: 

Theorem 6. A grammar is BRC(l, k) if and only if its canonical inference rules 
are deterministic. 
Proof: The forward direction is proved by contradiction. Using the previous
lemmas, it is seen that a reduce-reduce conflict entails the existence of two right
sentential forms that satisfy the preconditions of the definition of BRC grammars
but contradict the requirement that A → β = A2 → β2. Similarly, a shift-reduce
conflict contradicts the requirement that α2β2 = αβ: αβ will remain a proper
prefix of α2β2. For the reverse direction, it can be shown that if αβ is a proper
prefix of α2β2 then at some earlier point in the bottom-up inference of a ter-
minal sequence the same reduce rule was applicable, and by determinism will
entail a different sentential form from α2β2w.⁵ Once we know that α2β2 = αβ,
A → β = A2 → β2 follows directly from the absence of reduce-reduce conflicts. □

Termination of bottom-up deductions is complicated by the presence of ε-
productions (since they can expand the size of the stack). It can be shown that
termination for grammars without ε-productions does not require determinism
(because we assume that A ⇒+ A is not possible). However, without any look-
backs or lookaheads, any grammar with an ε-production has infinite deductions
in reverse. The general termination result is stated thus:

Theorem 7. There are no infinite deductions in reverse for the canonical in-
ference rules of a BRC(1, k) grammar.

Proof: It suffices to show that there cannot be an infinite sequence of reduce
steps between shifts. Since reduce rules derive from valid handles, if there is such
an infinite sequence then, using the lemmas above, it can be shown that there is also an
infinite sequence of reductions in reverse for some right sentential form. This
contradicts determinism and the earlier lemma. □



5 Handle Merging 

Two valid handles of the form (b, A → γ, a) and (b, A → γ, a') can be merged
to form one set of inference rules without introducing new conflicts, since either
lookahead will cause the same action. The merged handle would have the form
(b, A → γ, {a, a'}). Handles of the form (b', A → γ, a) and (b, A → γ, a) can
similarly be merged safely, into ({b, b'}, A → γ, a). Handles of the form
(b, A → γ, a) and (b', A → γ, a'), however, cannot in general be merged without
causing new conflicts (consider the second example of Section 3). In the
representation of valid handles we can therefore use sets for both the lookbacks
and lookaheads. Handle merging is an important feature of the implementation
because it significantly reduces the number of inference rules needed.

For example, consider the following BRC(1, 1) grammar:

    S' → $0 S $1
    S  → L = R | R
    L  → *R | id
    R  → L

There are sixteen valid handles of this grammar, but they can be safely merged
into the following eight handles:

- ({$0}, S → L = R, {$1}), ({$0}, S → R, {$1})
- ({$0, *}, L → *R, {=, $1}), ({=}, L → *R, {$1})
- ({$0, *}, L → id, {=, $1}), ({=}, L → id, {$1})
- ({$0, =}, R → L, {$1}), ({*}, R → L, {=, $1})

These merged handles give rise to inference rules with extra side conditions, such
as

        αbL < aw
    ----------------   (b ∈ {*, $0}, a ∈ {=, $1})
       αb*R < aw

Note that the union of all lookaheads of the valid handles of L → id and L → *R
is exactly the "follow" set of L, and similarly for S and R. We exploit this
characteristic in the next section.

⁵ This argument uses the fact that in reduced grammars all sentential forms derive
terminal sequences, and that grammars where A ⇒r+ A is possible are excluded.



5.1 Simple BRC 



For BRC(1, 1) grammars, the number of inference rules resulting from the
(merged) valid handles is comparable to the number of states in the finite au-
tomaton of an LR(1) parser.⁴ The previous section suggests a technique that is
analogous to "SLR" parsing in relation to LR(1) parsing: we allow valid handles
of the form (b, A → γ, a) and (b', A → γ, a') to be merged into ({b, b'}, A →
γ, {a, a'}). This ensures that the number of merged handles is always the
same as the number of productions of the grammar (minus the initial produc-
tion for S'). Conflicts introduced by this type of merging can still be detected and
resolved by other means (e.g., the user can be prompted to choose which action
should be given preference). We say that a grammar is a Simple BRC (SBRC)
grammar if the resulting set of inference rules derived from the "simply-merged"
handles remains deterministic. The following grammar is often used as a standard
example of bottom-up parsing:

    S' → $0 E $1
    E  → E + T | T
    T  → T * F | F
    F  → (E) | id

The fully merged valid handles of this grammar are:

- ({$0, (}, E → E + T, {$1, +, )}), ({$0, (}, E → T, {$1, +, )})
- ({$0, (, +}, T → T * F, {$1, +, *, )}), ({$0, (, +}, T → F, {$1, +, *, )})
- ({$0, (, +, *}, F → (E), {$1, +, *, )}), ({$0, (, +, *}, F → id, {$1, +, *, )})



⁴ Each rule roughly corresponds to an occurrence of a "kernel item" in a DFA state.
The inference rules derived from these handles remain deterministic. Note in
particular the absence of + among the lookbacks of the handles for E → T, and
the absence of * from the lookbacks for T → F. This ensures that E + T (or
T * F) on top of the stack would not be reduced erroneously to E + E (or T * T).
The lookaheads of each handle are exactly the follow set of the left-hand side
non-terminal symbol of the associated production. The lookbacks of each handle
correspond to a left-side analogue of follow (which we call the before set).
Thus an SBRC parser generator need only compute the first, follow, and before
relations in order to generate the merged handles from which inference rules can
be derived. Experiments have shown that this technique, combined with operator
precedence and associativity declarations and user-resolved shift-reduce conflicts,
suffices to yield a useful parser generator for many purposes.
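As an added illustration (this is not the paper's λProlog parser generator, and the function names, the grammar encoding and the restriction to grammars without ε-productions are assumptions of the example), the following Python code computes the follow and before relations by fixed-point iteration, builds the simply-merged handles of the expression grammar above, runs a conservative reduce-reduce check, and drives a deductive bottom-up parser from those handles. It is also run on the BRC(1, 1) grammar of Section 5: with simply-merged handles the reduce rule for R → L fires on the stack $0 L with lookahead =, where the full BRC(1, 1) handle ({$0, =}, R → L, {$1}) would not, so the parse of a valid sentence fails; that grammar is BRC(1, 1) but not SBRC, exactly as some grammars are LR(1) but not SLR.

```python
"""SBRC handle generation and deductive bottom-up parsing (added example, not the paper's code).
Assumption: the grammar has no epsilon-productions, so FIRST/FOLLOW/BEFORE need no nullable
analysis; a symbol is a non-terminal iff it appears on a left-hand side."""
from collections import defaultdict

BOFS, EOFS = "$0", "$1"                 # the paper's end markers; S' -> $0 S $1 is implicit

# Expression grammar of Section 5.1.
EXPR_GRAMMAR = [
    ("E", ("E", "+", "T")), ("E", ("T",)),
    ("T", ("T", "*", "F")), ("T", ("F",)),
    ("F", ("(", "E", ")")), ("F", ("id",)),
]
# BRC(1,1) grammar of Section 5; its simply-merged handles are NOT deterministic.
ASSIGN_GRAMMAR = [
    ("S", ("L", "=", "R")), ("S", ("R",)),
    ("L", ("*", "R")), ("L", ("id",)),
    ("R", ("L",)),
]


def follow_before(grammar, start):
    """FOLLOW(A) and its mirror image BEFORE(A): the symbols that can immediately
    follow / precede A in a right sentential form (FIRST and LAST are auxiliary)."""
    nts = {lhs for lhs, _ in grammar}
    first, last, follow, before = (defaultdict(set) for _ in range(4))
    follow[start].add(EOFS)
    before[start].add(BOFS)
    changed = True
    while changed:                                      # fixed-point iteration
        changed = False
        for lhs, rhs in grammar:
            for sym, table in ((rhs[0], first), (rhs[-1], last)):
                add = table[sym] if sym in nts else {sym}
                if not add <= table[lhs]:
                    table[lhs] |= add
                    changed = True
            for i, x in enumerate(rhs):
                if x not in nts:
                    continue
                right = rhs[i + 1] if i + 1 < len(rhs) else None
                left = rhs[i - 1] if i > 0 else None
                for nb, table, edge in ((right, follow, first), (left, before, last)):
                    if nb is None:                      # x ends/starts the rhs: inherit from lhs
                        add = table[lhs]
                    else:
                        add = edge[nb] if nb in nts else {nb}
                    if not add <= table[x]:
                        table[x] |= add
                        changed = True
    return follow, before


def sbrc_handles(grammar, start):
    """Simply-merged valid handles (BEFORE(A), A -> gamma, FOLLOW(A)), one per production."""
    follow, before = follow_before(grammar, start)
    return [(frozenset(before[a]), (a, g), frozenset(follow[a])) for a, g in grammar]


def reduce_reduce_conflicts(handles):
    """Pairs of distinct handles whose reduce rules could fire on the same stack top and
    lookahead.  Conservative: it checks lookbacks and lookaheads, not viable prefixes."""
    found = []
    for i, (b1, p1, a1) in enumerate(handles):
        for b2, p2, a2 in handles[i + 1:]:
            g1, g2 = p1[1], p2[1]
            n = min(len(g1), len(g2))
            if g1[-n:] != g2[-n:] or not (a1 & a2):
                continue
            if len(g1) == len(g2):
                clash = bool(b1 & b2)
            elif len(g1) < len(g2):                     # gamma2 ends in s gamma1: s is p1's lookback
                clash = g2[-n - 1] in b1
            else:
                clash = g1[-n - 1] in b2
            if clash:
                found.append((p1, p2))
    return found


def parse(grammar, start, tokens):
    """Deductive bottom-up parsing driven by the merged handles: reduce when exactly one
    handle matches (lookback, stack top, lookahead), otherwise shift.  Returns the sequence
    of reductions, i.e. a rightmost derivation in reverse; raises on conflicts or errors."""
    handles = sbrc_handles(grammar, start)
    stack, inp, trace = [BOFS], list(tokens) + [EOFS], []
    while not (stack == [BOFS, start] and inp == [EOFS]):   # the "accept" judgement
        la = inp[0]
        fires = [prod for lb, prod, ahead in handles
                 if la in ahead and len(stack) > len(prod[1])
                 and tuple(stack[-len(prod[1]):]) == prod[1]
                 and stack[-len(prod[1]) - 1] in lb]
        if len(fires) > 1:
            raise ValueError(f"reduce-reduce conflict {fires} at {stack} < {inp}")
        if fires:
            lhs, rhs = fires[0]
            del stack[-len(rhs):]
            stack.append(lhs)
            trace.append(fires[0])
        elif la == EOFS:
            raise ValueError(f"no rule applies at {stack} < {inp}")
        else:
            stack.append(inp.pop(0))                        # shift
    return trace


if __name__ == "__main__":
    for lb, (a, g), ahead in sbrc_handles(EXPR_GRAMMAR, "E"):
        print(sorted(lb), a, "->", " ".join(g), sorted(ahead))
    print(parse(EXPR_GRAMMAR, "E", "id + id * id".split()))
```

Running the main block prints the six merged handles of the page (before(E) = {$0, (}, before(T) = {$0, (, +}, before(F) = {$0, (, +, *}) and the eight reductions of id + id * id. The reduce-reduce check encodes the page's observation directly: E → E + T and E → T share the stack-top symbol T, but they only clash if + were a lookback of E → T, which it is not.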



6 A Parser Generator 

We now describe aspects of a working parser generator in a logic programming
language.⁵ Both the full BRC(1, 1) and the simple BRC methods have been
implemented. The SBRC method has sufficed for most examples we have tried
so far, and is currently being further developed. The programming language is
λProlog (Teyjus implementation [ref]). The choice of this language has to do
with the semantic actions of a parser (they can generate higher-order abstract
syntax) and not with any aspect of our parsing mechanism in particular. λProlog
properly embeds Horn Clause Prolog. Notationally, application in λProlog is
written in curried form: (f a b) instead of f(a,b).

The input to the parser generator is itself a λProlog file (module) where a
grammar is declared by a clause such as the following:

    cfg % attributed context free grammar for online calculator
    [
      rule ((ae R)  ==> [iconst R2])               (R is R2),
      rule ((ae R3) ==> [lparen, (ae R1), rparen])  (R3 is R1),
      rule ((ae R4) ==> [(ae A4), plust,   (ae B4)]) (R4 is (A4 + B4)),
      rule ((ae R5) ==> [(ae A5), minust,  (ae B5)]) (R5 is (A5 - B5)),
      rule ((ae R6) ==> [(ae A6), timest,  (ae B6)]) (R6 is (A6 * B6)),
      rule ((ae R7) ==> [(ae A7), dividet, (ae B7)]) (R7 is (A7 div B7)),
      rule ((ae R8) ==> [(ae A8), expt,    (ae B8)]) (power A8 A8 B8 R8)
    ].

The implicit production for S' is internal. The symbols ae, iconst, minust,
plust, lparen, etc., are grammar symbols. A grammar symbol can be a func-
tion symbol with distinct variables, representing semantic attributes, as its ar-
guments. Each production is represented by a rule term with the infix symbol
==> separating the non-terminal from a list of right hand side symbols. The

⁵ The full implementation, which also includes a semi-universal lexical analyzer, plus
several larger examples and additional notes are available from the homepage at
ifCD : / /www^ .rrincoii . eau/ cxiane/Darsereen\/ or by contacting the author.
last component of a rule term is a semantic action in the form of a λProlog
goal (which takes the place of C code in Yacc). Unlike Yacc-style generators, a
separate parser is not needed for the grammar specification.

It is required that no attribute variable in a list of productions appears more
than once, except in the semantic action goals. Also, only variables can appear
as attribute arguments in a production. Without such restrictions, the grammar
may become context sensitive (DCGs have the same problem).

Valid handles are generated by forming a closure of triples following the
inductive definition as described in the foregoing. The "first" relation needed
for lookaheads is pre-computed and written to the parser file as atomic clauses
(for efficient lookup). The detection of reduce-reduce and shift-reduce conflicts
proceeds directly from the valid handles (except that we consider each "member" of the
lookbacks and lookaheads of a merged handle by virtue of Prolog's backtracking,
using negation-as-failure).

The generated representation of parsing judgements are four-place predicates
of the form parse Stack Input Result Rule_Type where Stack and Input are
lists, and Rule_Type is a string that is either "shift", "reduce", "accept",
"special", or "error". Result is instantiated by the "accept" rule to the
start symbol of the grammar along with its attribute (usually the abstract syn-
tax tree). For example, a merged handle such as ({b}, p → qr, {a1, a2}) can be
represented by the clauses

    parse [q,b|Stack] [r|Input] Result "shift" :-
        parse [r,q,b|Stack] Input Result Nextrule.
    parse [r,q,b|Stack] [A|Input] Result "reduce" :-
        member A [a1,a2], (semantic_action),
        parse [p,b|Stack] [A|Input] Result Nextrule.

Semantic action goals are added to reduce rules in the obvious way. 



6.1 Operator Precedence and Associativity 

The grammar shown in the cfg clause, used in an implementation of an "online
calculator", however, is ambiguous as defined and the parser generator outputs
the message⁶

    Computing Valid Handles...
    No reduce-reduce conflicts.
    **Shift-Reduce conflict with ae _63 ==> ae _85 :: plust :: ae _87 :: nil exists
    when top of stack is of form ae _683 :: plust :: ae _694 :: bofs :: _68306
    and lookahead symbol is plust
    Do you want to (s)hift or (r)educe (default is shift):

⁶ Symbols such as _85 are internally generated logic variables. :: is alternative
notation for the list constructor |. bofs is $0.
As with Yacc-style generators, shift-reduce conflicts caused by ambiguity con-
cerning operator precedence and associativity can be resolved by supplementary
declarations. This feature is easily incorporated into our parser generator by
clauses illustrated by the following examples:

    binaryop plust  (ae X) (ae Y) "left" 3.
    binaryop timest (ae X) (ae Y) "left" 2.

These clauses declare which grammar symbols are to be regarded as operators
(on certain kinds of expressions) as well as their associativity and precedence
level. Ambiguity caused by these operators is then resolved by "special"
clauses at the beginning of the file. This feature requires the use of ! in the
parser (otherwise non-determinism due to backtracking will become possible).
For example, binary operator associativity is resolved by the following clause,
which redirects a goal to a shift or reduce rule:

    parse [Ea,Op,Eb|Alpha] [Op|Beta] Result "special" :-
        binaryop Op Ea Eb Assoc Prec, !,
        ((Assoc = "left",
          parse [Ea,Op,Eb|Alpha] [Op|Beta] Result "reduce");
         (Assoc = "right",
          parse [Ea,Op,Eb|Alpha] [Op|Beta] Result "shift")).

Unary and implicit operators are handled similarly. A default "error" clause is
also placed at the end of the file to report failure.

The parser displays messages for remaining conflicts as illustrated above. 
Reduce-reduce conflicts result in failure. Remaining shift-reduce conflicts are 
resolved by user input, producing "special" clauses that redirect goals matching 
the form of the conflicts to "shift" or "reduce" rules. 

Another simplification (currently unimplemented) is to collapse all shift rules 
into a simple default rule, which is used only if no reduce rule is applicable. This 
simplification however, means that a shift is always possible and errors will not be 
reported until the end of the file has been reached. This problem can be largely 
solved if the default shift rule is aware of the maximum number of terminal 
symbols on the right-hand side of any grammar production (which limits the 
number of symbols that can be shifted before a reduce rule must be applied) . 

7 Related Work 

In Section 1 we have already discussed the relationship between our approach
and some other works on parsing in logic programming. A close precedent to
the type of work presented here, however, is that of Cohen and Hickey [ref],
who described strategies for parsing in Prolog with similar goals. They showed
how to compute grammar properties such as "first" and "follow" succinctly,
and gave enough details for building LL(1) parsers in Prolog. A formulation
of deterministic bottom-up parsing was proposed based on "weak-precedence
grammars." However, this formulation is incomplete: an extra condition that
excludes productions with right-hand sides ending in the same symbol must be
enforced, otherwise non-determinism of the reduce-reduce type may persist.⁷
This extra condition, however, further restricts the type of grammars that can
be used with their technique. Nevertheless, the ultimate aim of this paper is
very much in the same spirit as [ref].

8 Conclusion 

When faced with the need for a generic parsing tool appropriate for use in com- 
piler writing, the logic programmer can consider several alternatives. DCGs are 
general, but non-deterministic. Using an existing parser generator in an alien 
language is another alternative. It is technically possible to extract the parse 
table from code generated by Yacc and use it in a Prolog parser. However, it is 
difficult to see how such a process can be automated, especially when declarative 
semantic attributes must be attached to grammar symbols. A forced implemen- 
tation of established LR parsing algorithms is also possible, and would at least 
allow semantic actions to be defined in the native language. If such a tool al- 
ready exists for the declarative language in question, then it may seem needless 
to examine another grammar formalism. However, when faced with the task of
developing a parser generator from scratch, it is valid to address the fact that
certain aspects of general LR parsing render its formulation as declarative, log-
ical clauses highly awkward. Aspects of LR parsing that give it its efficiency also
may not translate into anything meaningful in a logic programming context. Per-
haps future logic programming languages, such as those based on linear logic,
can give declarative formulations of the kind of computation required by general
LR parsing. But the past also deserves some consideration. The almost-forgotten
class of BRC grammars was never considered in the light of logic programming.
BRC grammars, and our SBRC grammars, offer simplifications of LR parsing
that are conducive to logic programming, just as LALR and SLR grammars are
appropriate simplifications for conventional languages.

Our parser generator has been used in the implementation of an experimental
imperative language (with static scoping, functions and types). A parser for most
of λProlog itself was also generated. An experimental interpreter for core SML in
λProlog is currently being developed. Additionally, it has been used for purposes
other than compiling as part of an interactive theorem prover for translating the
syntax of various "object-logics" into λProlog host syntax.⁸

This paper has intentionally not addressed the detailed representation of 
semantic attributes and actions. We have completely separated the basic parsing 
mechanism so that it can be incorporated into a variety of declarative settings. 
However, it was the desire to reason with a new class of abstract syntax, namely 

⁷ Consider the grammar {S → aB | cA, A → ab, B → b} in relation to the
formulation of weak-precedence parsing in [ref].

⁸ Please see the accompanying homepage for more details on these applications:
ifCD : / /www^ .rrincorr . eau/ cxiane/Darsereen/ .
higher order abstract syntax, that truly motivated this work. It is hoped that
the availability of this parsing tool will facilitate the exploration of a host of
possible applications of declarative programming in general, and of higher order
logic programming in particular.

For future work on the parser generator we plan to improve its performance 
and usability, especially in the form of additional "error" clauses for error cor- 
rection. 
Abstract. Logic programming rules are provided to capture the rules
governing formal poetry in Spanish. The resulting logic program scans
verses in Spanish to provide their metric analysis. The program uses
DCG grammars to model the division of each word into syllables, and
additional predicates are employed to define metric phenomena such as
synaloepha, syllable count of a verse, rhyme of a word... The system
is tested over a set of Spanish Golden Age sonnets and shown to give
reasonable results, providing a very useful pedagogical application for
teaching Spanish poetry.



1 Introduction 

Logic programming has provided many tools for natural language processing 
(see ^Q). It has been applied with success in various fields like generation, 
understanding, parsing, and semantic representation. The present paper extends 
the application of logic programming to natural language processing beyond 
everyday language. Logic programming rules are provided to capture the rules 
governing formal poetry in Spanish. The resulting logic program scans verses in 
Spanish to provide their metric analysis. As such it constitutes a useful tool for 
literary study of Spanish poetry, or as a pedagogical tool for teaching students 
how Spanish poetry is analysed. The system is tested over a set of Spanish 
Golden Age sonnets and shown to produce good results. 

The system has immediate application as a pedagogical tool to help in the
process of teaching Spanish poetry and metrics at school and university level.
As well as scanning a set of verses metrically, the system allows easy location
of places where the poet has used poetic licences such as hiatus, dieresis and
syneresis, thereby providing a good tool for stylistic analysis of texts.

2 Description of the Problem 

Formal poetry in Spanish is governed by a set of rules that determine a valid 
verse form and a valid strophic form. A given poem can be analysed by means 
of these rules in order to establish what strophic form is being used. Another 
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set of rules is applied to analyse (or scan) a given verse to count its metrical 
syllables. This paper presents a logic programming application that carries out 
this analysis. The program uses DCG grammars to model the division of each 
word into syllables, and additional predicates are employed to define metric 
phenomena such as synaloepha, syllable count of a verse, rhyme of a word... 

2.1 Parsing the Syllables in a Word 

As a starting point the process of scanning a verse requires a preliminary decom- 
position of the verse into syllables. These syllables, as understood by the layman 
with no notions of formal analysis of poetry, do not match metric syllables, but 
they constitute the starting point of the analysis. The Spanish language presents 
advantages over other languages in this respect in the sense that one can work 
out the division of a word into syllables algorithmically from the way it is writ-
ten. The process of parsing the list of letters corresponding to a word in order
to generate a list of syllables applies a set of orthographic rules governing the
way letters are grouped together into syllables (see [ref]). These rules have to be
taken into account when parsing automatically. The next step in the process of 
scanning a verse is to take into account metric considerations that transform this 
initial list of syllables into metric syllables, and to generate a count of metric 
syllables in the verse. These processes depend on the position of the stressed 
syllables of each word. 

2.2 Locating Stressed Syllables 

The accents that need to be counted are not those that are usually represented
by a slanted dash over a vowel. Every word has its own prosodic accent, and
this is placed over the sílaba tónica, the one that carries the stress when it is
pronounced. Spanish does have a set of rules that allow automatic location of
the stressed syllable of a word from its written form (see [ref]). This is important
because it allows analysis with no need for a lexical entry for each word in the
verse.

According to the distance from the stressed syllable to the end of the word, 
words are classified into three different types: 

— palabras agudas, or oxytone words, those in which the stressed syllable is the
last syllable of the word

— palabras llanas, or paroxytone words, those in which the stressed syllable is
the one before the last syllable of the word

— palabras esdrújulas, or proparoxytone words, those in which the stressed
syllable lies two syllables from the end of the word



2.3 Metric Syllable Count 

In working out the count of metric syllables of a verse the concept of syllable 
involved differs slightly from its everyday equivalents. A metric syllable does not 
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always match the corresponding morphological syllable. When a word ends in a 
vowel and the following word starts with a vowel, the last syllable of the first 
word and the first syllable of the following word constitute a single syllable. This 
is known as synaloepha (see Q, or for an overview in English), and it is one 
of the problems that we are facing. 

For instance, the following list of syllables for a verse

    bas - te - te - a - mor - lo - que - ha - por - mi - pa - sa - do      (13 syllables)

turns into the list of metric syllables:

    bas - te - te_a - mor - lo - que_ha - por - mi - pa - sa - do          (11 syllables)

because it shows two instances of synaloepha (marked with an underscore).

Another phenomenon that affects the syllable count is given by the position
of the accent of the last word of a verse (see [ref], or [ref] for an overview in English).
If the last word is a palabra llana (stress one syllable from the end) the verse is
considered to have as many metric syllables as it has morphological syllables.

    to - dos - sen - ti - dos - hu - ma - nos          8 metric syllables

If the last word is a palabra aguda (stress right at the end) the verse is
considered to have one more metric syllable than it has morphological syllables.

    A - sí, con - tal - en - ten - der                 7 + 1 = 8 metric syllables

If the last word is a palabra esdrújula (stress two syllables from the end) the
verse is considered to have one metric syllable less than it has morphological
syllables.

    A - mor, tus - fuer - zas - rí - gi - das          8 - 1 = 7 metric syllables



2.4 Distribution of Stressed Syllables 

The considerations presented so far describe how a division of a verse into metric 
syllables and the corresponding metric syllable count is obtained. Formal analysis 
of poetry also studies the position of stressed syllables over a verse. For the verse 
to sound pleasing, the prosodic accents must be distributed according to precise 
patterns. This distribution of prosodic patterns provides the quality of being 
pleasant to the ear. 

For instance, for an eleven syllable long verse to sound pleasing, it needs some 
of the stressed syllables of its words to fall on certain specific positions. It is not 
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necessary for the stressed syllables of every word in the verse to be in specific 
positions. It is enough for certain strategic syllabic positions within the verse to 
have a stressed syllable. There are four accepted combinations that produce the 
required prosodic effect (see ^^3). 

1) Stressed syllables fall on positions 1, 6 and 10. The verse is then referred to as an
endecasílabo enfático. In the following examples, one such verse is first given in
its original form, followed by a divided version in which words have been split up
into syllables and syllables from adjoining words are linked together whenever
synaloepha has occurred. Syllabic positions are numbered in the line below, and
the stressed syllables at the key positions can be read off from the numbering.

    bas- te- te_a- mor lo que_ha por mi pa- sa- do
    1    2   3     4   5  6      7   8  9   10  11

2) Stressed syllables fall on positions 2, 6 and 10. The verse is then referred to
as an endecasílabo heroico. For instance "en verdes hojas vi que se tornaban":

    en- ver- des ho- jas vi que se tor- na- ban
    1   2    3   4   5   6  7   8  9    10  11

3) Stressed syllables fall on positions 3, 6 and 10. The verse is then referred to as
an endecasílabo melódico. For instance "a la entrada de un valle, en un desierto":

    a la_en- tra- da de_un va- lle_en un de- sier- to
    1 2      3    4  5     6   7      8  9   10    11

4) Stressed syllables fall on positions 4, 6 or 8, and 10. The verse is then
referred to as an endecasílabo sáfico. For instance, the verse "que con lloralla cresca
cada día":

    que con llo- ra- lla cres- ca ca- da dí- a
    1   2   3    4   5   6     7  8   9  10  11

Once a verse has been scanned, and the stressed syllables have been located 
for every word in the verse, analysis of the positions of stressed syllables is a 
simple matter. 



2.5 Extracting Word Rhyme 

In order to identify the strophic form of a given poem it is important to identify
the rhyme of each verse. In Spanish (see [ref]) the last stressed vowel of the verse and
all the following letters (both vowels and consonants) are the same in verses that
rhyme. The rules described in the previous sections also allow determination of
the set of letters at the end of the word that constitute its rhyme.
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2.6 Related Work 

Work along similar lines has been carried out for Italian Renaissance poetry
[ref], French [ref], Middle Indo-Aryan [ref], and Old English [ref]. In particular, [ref]
discusses the need for metrically scanned electronic versions of classical texts,
and discusses the severe limitations of automatic procedures for marking accents
and counting syllables in the case of Italian. As a conclusion of this discussion,
an interactive program is suggested as the best means of scanning the text
metrically. Similar difficulties are met in [ref] while dealing with French text.
French requires prior specific transcription of the written text into phonemes
before the metrical analysis can be carried out. The study of Middle Indo-Aryan
Prakrit in [ref] presents an additional problem due to the fact that a special
character set is required for the language, so the text must first be transcribed
into Roman script. The work carried out on Old English in [ref] concentrates on
analysis of phonological patterning, with particular emphasis on alliteration.

Spanish does not present as many difficulties as Italian or French, because the 
phonetics of a word can be unambiguously obtained from its written form. This 
includes word accents, since the language provides special means of representing 
accents graphically. However, Spanish presents the additional difficulty of allow- 
ing a number of poetic licenses concerning metrical scansion. This implies that 
scansion of Spanish verse cannot be decided unambiguously without resorting to 
the context. A verse scanned as 12 syllables may be re-interpreted as 11 syllables 
long if it appears in the context of a poem built solely of 1 1 syllable long verses, 
provided that the right conditions for poetic licence to occur are met. 

Existing work on analysis of Spanish poetical texts, such as applies 
computational techniques to six main streams of research: sentential analysis, 
word length analysis, running words analysis, word frequency analysis, use of 
words analysis, and cluster analysis. At present we are not aware of any work 
that concentrates specifically on the metrical analysis of Spanish verse. 

3 The Logic Programming Implementation 

The analyser presented in this paper is implemented in SWI Prolog (see [ref]).
In order to carry out the whole set of analyses required to decide whether a
given text is a correct poem, verses must be treated as lists of words, words
must be treated as lists of characters (later as lists of syllables) and syllables
as lists of characters. Prolog provides very useful mechanisms to process such
a representation. In this program, Definite Clause Grammars (DCG) (see [ref])
have been used to encode the different stages of analysis. A detailed description
of the implementation of each step is given below.

The predicate that carries out the analysis of a single verse is implemented as 
a predicate analysis. The predicate analysis obtains the following information 
from a verse represented as a list of words: number of syllables after applying all 
the rules, list of syllables in the verse, list of positions of stressed syllables, and 
rhyme of the verse. 
For instance, for the following call:

    ?- analysis(['Cerrar', podra_, mis, ojos, la, postrera], N, Ls, La, Ri).

the system would return the following results:

    N  = 11
    Ls = ['Ce', rrar, po, dra_, mis, o, jos, la, pos, tre, ra]
    La = [2, 4, 5, 6, 8, 10]
    Ri = era

These items are obtained in two stages. To carry out the task in hand, the 
system needs to know the following information about each word in the verse: 
number of syllables, list of syllables in the word, position of stressed syllable of 
the word, and rhyme of the word. 

The first step during analysis is to check whether such information is available 
in the system vocabulary (a database of facts) for all the words in the verse. If 
data are missing for a given word of the verse, they are worked out from the 
word using the rules as described below. The system adds this information to 
the database of vocabulary facts available for metric analysis. 

The second step starts when all data are available. The verse is analysed 
recursively, using the data worked out for each word, and applying the metric 
rules to scan the verse properly. Two types of analysis are possible: finding 
the list of syllables of a word (and therefore the metric syllable count for the 
verse), or finding the list of positions of stressed syllables (which determines the 
correctness of the verse). 

The division of the general process into two different stages gives the system
exceptional flexibility when confronted with new texts. On the one hand, any
unfamiliar word appearing in the text can be analysed to obtain the required
data. On the other hand, the system may resort to previously stored analyses
to avoid recomputation of the data for a specific word. This may have a dual
effect on the efficiency of the system, transferring the load from computation
time to memory requirements. An additional advantage lies in the fact that
there are many exceptions to the general rules implemented in the system. The
rules capture the general pattern of word formation of the Spanish language,
but many words borrowed from other languages, now fully accepted, do not
conform to these rules. The proposed structure allows the relevant
data for problematic words to be loaded into the system prior to its use, thereby
avoiding errors during the analysis due to exceptions to the rules appearing in
a text.

The rest of this section provides brief descriptions of the different processes 
involved in the analysis. 

3.1 Syllabic Analysis of a Word: Word Syllable Parser 

The Word Syllable Parser module takes as an input the list of characters of the 
word to be analysed. The complete operation is carried out in three stages of 
parsing. 
Parsing Character Type. The first parse classifies each character (or group 
of two characters) into one of 14 different categories according to its ability to 
combine with other characters to form basic sound groups (double consonants, 
consonants that can group with other consonants, high, low or middle vowels). 
Information about vowel classification plays an important role in sorting out 
syllable boundaries in diphthongs (see for details). For instance, an r following 
an r is grouped into a single rr 'double consonant' group. This grouping 
is carried out by a DCG of 4 basic rules and 63 rules describing terminals. This 
proliferation of rules for terminals is due to the fact that both upper and lower 
case characters must be taken into account, as well as combinations of these in cases 
of double consonants. Only the simplest examples of the grammar are presented 
here. There are many variations and many exceptions to each rule (u after q acts 
as a single consonant, ns at the end of a syllable cannot be separated, double 
consonants ch, rr, ll and pr need separate rules...). 

Terminal elements of the grammar are defined as facts of the form: 



vowel(va([a])) --> [a].                 /* a */
vowel(vm([e])) --> [e].                 /* e */
vowel(vc([i])) --> [i].                 /* i */
vowel(vu([u])) --> [u].                 /* u */
consonant(n([n])) --> [n].
consonant(cp([p])) --> [p].             /* p */
consonant(cl([l])) --> [l].             /* l */
consonant(c([v])) --> [v].
double_consonant(cd([c,h])) --> [c,h].  /* ch */
double_consonant(cd([r,r])) --> [r,r].  /* rr */



Vowels are classified into high (i, u), middle (e, o) or low (a). This information is 
required to work out the behaviour of diphthongs (see |). Groups of different 
vowels are grouped together into a single syllable (a diphthong) when certain 
circumstances are met. These circumstances are specified in terms of whether the 
group of vowels is made up of different combinations of vowels from one group 
or another, and whether the corresponding vowels are stressed or not. The rules 
for the grouping of vowels into diphthongs require this information at a later 
stage, so the distinction is noted during this stage of the analysis. 

The vowel u requires special treatment because it also acts as auxiliary to 
the consonants g and q. 

Consonants are classified according to their ability to form different letter 
groups either with other consonants (groups ns, *r, *l...) or with specific vowels 
(groups qu, gu...). Letters with different combination properties are identified as 
members of the specific group and marked as such at this stage. In each case, a 
functor is generated that identifies the type of letter considered, and contains the 
letter itself (in list format if it is a complex letter such as a double consonant) 
as an argument. 
The rules of the grammar simply parse the input assigning categories to each 
group of letters: 

parse_letters([]) --> [].
parse_letters([X|Rest]) --> double_consonant(X), parse_letters(Rest).
parse_letters([X|Rest]) --> consonant(X), parse_letters(Rest).
parse_letters([X|Rest]) --> vowel(X), parse_letters(Rest).



Parsing Character Groups. The second parse operates over the output of 
the first and joins together basic sound groups that make up either a consonantal 
group or a vowel group. For instance, pr, gl, ns, group together as consonants; 
and vowels are grouped into diphthongs or triphthongs according to the rules. 
This DCG has 60 rules. The basic rule for this level of analysis (identifying 
groups of consonants and groups of vowels) is defined as: 

group_letters([]) --> [].
group_letters([X|Rest]) --> group(X), group_letters(Rest).

The rest of the rules take the form: 

group(cons(X)) --> [cd(X)].
group(cons(X)) --> [c(X)].

group(gv(X)) --> [va(X)].

group(gv([A,B])) --> [vc([A]), vm([B])].

Certain cases require a step of look-ahead in order to make the right decision. 
For instance, the rules for g, u combinations before i and e (in which cases the 
u is silent); or cases where a certain combination of vowels forming a diphthong 
is broken by the graphic accent on one of the vowels. For instance, the combination of a low 
vowel and a stressed high vowel, such as ...aí..., does not form a diphthong and 
should be parsed into two syllables, whereas the combination of a stressed low 
vowel and a high vowel, such as ...ái..., does, and should be parsed into the same 
syllable. 

group(cons([G,U]), [gr([G]), vu([U]), vm([e])|X], [vm([e])|X]).
group(cons([G,U]), [gr([G]), vu([U]), vc([i])|X], [vc([i])|X]).

% diphthong
group(gv([A,T,B])) --> [va([A]), ac([T]), vu([B])].

% no diphthong (requires lookahead)
group(gv(A), [va(A), vc(B), ac(T)|X], [vc(B), ac(T)|X]).

^ The tilde is represented in the system as an ac(T) functor. 
The examples presented here are only a selection of particular instances of 
the type of rule discussed in each case. 



Parsing Syllables. The third parse takes as input the list of consonant and 
vowel groups and tacks together those that form valid syllables. This DCG has 
14 rules. The basic structure of this grammar is: 

find_syllables --> syllable, find_syllables.
find_syllables --> [], !.

syllable --> initial_consonant, vowel_group, final_consonant.
syllable --> initial_consonant, vowel_group.
syllable --> vowel_group, final_consonant.
syllable --> vowel_group.

These rules include an additional argument which returns the list of the 
syllables found for the word, each one converted into a Prolog atom. 
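The three parsing stages above, as an added example in Prolog (not the paper's code): a cut-down Word Syllable Parser that runs the character-type, grouping and syllable DCGs in sequence. It assumes lower-case a-z input, marks a written accent with a '+' after its vowel (standing in for the paper's ac(T) functor), and covers only a handful of consonant clusters and diphthong rules.

```prolog
% Added example, not the paper's code: a simplified Word Syllable Parser.
% Assumptions: lower-case a-z input, an accent written as '+' after its
% vowel ('podra+' stands for "podrá"), a short cluster list and simplified
% diphthong rules; the paper's grammar covers many more cases.
:- use_module(library(lists)).

%% Stage 1: character types (va low, vm middle, vc/vu high, c consonant,
%% cd double consonant, ac accent mark)
vowel(va([a])) --> [a].
vowel(vm([e])) --> [e].
vowel(vm([o])) --> [o].
vowel(vc([i])) --> [i].
vowel(vu([u])) --> [u].
consonant(c([C])) --> [C],
    { memberchk(C, [b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,y,z]) }.
double_consonant(cd([c,h])) --> [c,h].
double_consonant(cd([l,l])) --> [l,l].
double_consonant(cd([r,r])) --> [r,r].
accent(ac(['+'])) --> ['+'].

parse_letters([]) --> [].
parse_letters([X|Rest]) --> double_consonant(X), parse_letters(Rest).
parse_letters([X|Rest]) --> consonant(X), parse_letters(Rest).
parse_letters([X|Rest]) --> vowel(X), parse_letters(Rest).
parse_letters([X|Rest]) --> accent(X), parse_letters(Rest).

%% Stage 2: consonant groups (cons) and vowel groups (gv)
group_letters([]) --> [].
group_letters([X|Rest]) --> group(X), group_letters(Rest).

letter(V, L) :- V =.. [F, [L]], memberchk(F, [va, vm, vc, vu]).
high(vc(_)).
high(vu(_)).
cluster(C, L) :-
    memberchk(C-L, [b-l,b-r,c-l,c-r,d-r,f-l,f-r,g-l,g-r,p-l,p-r,t-r]).

% an accent on the high vowel breaks the diphthong (a-í): this needs
% look-ahead, so the clause is written in expanded DCG form and leaves
% the high vowel and its accent in the input
group(gv([A]), [V1, V2, ac(T)|X], [V2, ac(T)|X]) :-
    letter(V1, A), \+ high(V1), high(V2).
group(gv([A,B,T])) --> [V1, V2, ac([T])],                        % ió
    { letter(V1, A), letter(V2, B), high(V1), \+ high(V2) }.
group(gv([A,T,B])) --> [V1, ac([T]), V2],                        % ái
    { letter(V1, A), letter(V2, B), A \== B, high(V2) }.
group(gv([A,T])) --> [V, ac([T])], { letter(V, A) }.             % á
group(gv([A,B])) --> [V1, V2],                                   % ai, ue
    { letter(V1, A), letter(V2, B), A \== B, ( high(V1) ; high(V2) ) }.
group(gv([A])) --> [V], { letter(V, A) }.
group(cons([A,B])) --> [c([A]), c([B])], { cluster(A, B) }.      % pr, gl
group(cons(X)) --> [cd(X)].
group(cons(X)) --> [c(X)].

%% Stage 3: syllables, each returned as an atom
find_syllables([]) --> [].
find_syllables([S|Ss]) --> syllable(S), find_syllables(Ss).

syllable(S) --> initial_consonant(I), vowel_group(V), final_consonant(F),
    { syllable_atom([I, V, F], S) }.
syllable(S) --> initial_consonant(I), vowel_group(V),
    { syllable_atom([I, V], S) }.
syllable(S) --> vowel_group(V), final_consonant(F),
    { syllable_atom([V, F], S) }.
syllable(S) --> vowel_group(V), { syllable_atom([V], S) }.

initial_consonant(C) --> [cons(C)].
vowel_group(V) --> [gv(V)].
% a consonant group closes a syllable only when another consonant group
% follows (pos-tre) or the word ends (rrar); a lone consonant before a
% vowel opens the next syllable instead (o-jos).  Expanded form again,
% because the decision needs one element of look-ahead.
final_consonant(C, [cons(C), cons(N)|Rest], [cons(N)|Rest]).
final_consonant(C, [cons(C)], []).

syllable_atom(Parts, Atom) :- append(Parts, Chars), atom_chars(Atom, Chars).

% word_syllables(+Word, -Syllables): run the three stages in sequence and
% keep the first complete parse
word_syllables(Word, Syllables) :-
    atom_chars(Word, Chars),
    phrase(parse_letters(Types), Chars),
    phrase(group_letters(Groups), Types),
    phrase(find_syllables(Syllables), Groups), !.

% ?- word_syllables(cerrar, S).        ?- word_syllables('podra+', S).
% ?- word_syllables(postrera, S).      ?- word_syllables('rai+z', S).
```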



Locating the Stressed Syllable of a Word. Simple Prolog predicates carry 
out the task of locating the stressed syllable of a given word, taking as input 
the list of syllables. The representation in use includes a notation symbol for 
the tilde, used in Spanish orthography to help locate stressed syllables using a 
few simple rules. These rules are taught to every primary school student (and 
forgotten regrettably fast!). For a detailed reference, see |j]. 



Extracting the Rhyme of a Word. The rhyme of a word is given by the 
fragment of the word that lies beyond the last stressed vowel of the word. The 
rhyme of each word is obtained by a predicate obtain_rhyme that operates over 
the list of syllables for that word. Taking into account the location of the stress 
in the word, it truncates the stressed syllable to obtain its tail (from the stressed 
vowel to the end) and appends to it all the remaining syllables up to the end 
of the word. The procedure is made up of three rules. Each rule deals with one 
possible stress pattern for the word. Every rule works by locating the last stressed 
syllable, applying the predicate end_of_syllable (which returns the portion of 
the syllable which lies beyond the last stressed vowel), and joining it together with 
any remaining syllables between the stressed syllable and the end of the word. 

The information about the rhyme of a word is also included in the fact stored 
for it in memory. Therefore, during the metric analysis of a verse, identifying 
the rhyme of a word involves just querying the vocabulary database. 



Managing the Vocabulary Database. The system operates with a vocabulary 
database that is declared in the form of Prolog facts. When the system 
reads a word, whether during selection of rhymes or during the writing of a 
draft, it consults the vocabulary database. If the word is not found, the required 
procedures are invoked to obtain the necessary information. 



A Logic Programming Application for the Analysis of Spanish Verse 1339 



This information is stored as facts of the form: 

known_word(1, ar, [ce,rrar], no, no, cerrar).

where: the first argument 1 shows the position of the stressed syllable from the 
end of the word, ar is the rhyme of the word, [ce,rrar] is the list of syllables of 
the word, the first no indicates whether the word starts with a vowel, the second 
no indicates whether the word ends with a vowel, and the final argument cerrar 
is the word itself, to be used as key when retrieving the rest of the information. 
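Stress location, rhyme extraction and the known_word fact format described above, as an added Prolog example (not the paper's predicates): given a word and its syllable list it applies the schoolbook stress rules, extracts the rhyme and packs everything into a known_word/6 term, yielding for cerrar the fact shown above. The '+' accent marker and the single generic rhyme rule (instead of the paper's three) are assumptions.

```prolog
% Added example, not the paper's code.  Assumptions: syllables are atoms
% over a-z, and a written accent is marked by '+' after its vowel
% (constructed convention: 'dra+' stands for the syllable "drá").
:- use_module(library(lists)).

vowel_char(C) :- memberchk(C, [a, e, i, o, u]).
high_char(C)  :- memberchk(C, [i, u]).
has_tilde(Syllable) :- atom_chars(Syllable, Cs), memberchk('+', Cs).

% stress_position(+Syllables, -Pos): Pos counts from the end (1 = last
% syllable), as in the first argument of known_word/6.  The schoolbook
% rules: an accent mark decides; otherwise a word ending in a vowel, n or
% s is paroxytone (Pos = 2) and any other word is oxytone (Pos = 1).
% Monosyllables are taken as stressed.
stress_position(Syllables, Pos) :-
    length(Syllables, N),
    (   nth1(I, Syllables, S), has_tilde(S)
    ->  Pos is N - I + 1
    ;   N =:= 1
    ->  Pos = 1
    ;   last(Syllables, Last), atom_chars(Last, Cs), last(Cs, C),
        ( vowel_char(C) ; C == n ; C == s )
    ->  Pos = 2
    ;   Pos = 1
    ).

% end_of_syllable(+Syllable, -Tail): characters from the stressed vowel to
% the end of the syllable; in a rising diphthong such as "ia" the second
% vowel is the stressed one, so the leading high vowel is skipped.
end_of_syllable(Syllable, Tail) :-
    atom_chars(Syllable, Chars),
    append(_, [V|Rest], Chars), vowel_char(V), !,
    (   high_char(V), Rest = [W|_], vowel_char(W)
    ->  Tail = Rest
    ;   Tail = [V|Rest]
    ).

% obtain_rhyme(+Syllables, -Rhyme): tail of the stressed syllable followed
% by every syllable after it (one generic rule rather than one per stress
% pattern)
obtain_rhyme(Syllables, Rhyme) :-
    stress_position(Syllables, Pos),
    length(Syllables, N),
    I is N - Pos + 1,
    nth1(I, Syllables, Stressed),
    end_of_syllable(Stressed, Tail),
    length(Prefix, I), append(Prefix, After, Syllables),
    maplist(atom_chars, After, AfterChars),
    append([Tail|AfterChars], RhymeChars),
    atom_chars(Rhyme, RhymeChars).

% analyse_word(+Word, +Syllables, -Fact): build the vocabulary fact
% known_word(StressFromEnd, Rhyme, Syllables, StartsVowel, EndsVowel, Word)
analyse_word(Word, Syllables, known_word(Pos, Rhyme, Syllables, Starts, Ends, Word)) :-
    stress_position(Syllables, Pos),
    obtain_rhyme(Syllables, Rhyme),
    Syllables = [First|_], atom_chars(First, [C0|_]),
    ( vowel_char(C0) -> Starts = yes ; Starts = no ),
    last(Syllables, LastSyl), atom_chars(LastSyl, LastChars),
    delete(LastChars, '+', Plain), last(Plain, Cn),     % ignore the accent mark
    ( vowel_char(Cn) -> Ends = yes ; Ends = no ).

% ?- analyse_word(cerrar, [ce, rrar], F).
% ?- analyse_word('podra+', [po, 'dra+'], F).
% ?- analyse_word(postrera, [pos, tre, ra], F).
```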

If a given word in the text could not be found in the database, 
the results of the analysis are declared in memory in the same format as existing 
items in the database. At the end of a session, the system allows the updated 
database to be saved. This makes the results for all new words that have 
already been parsed available in database form for later analyses. 

This method allows the option of starting the system with an empty vocabulary 
database each time (thereby optimising memory use), or of building the vocabulary 
database incrementally by loading a previous version before the analysis 
of each new text. This second option implies growing memory requirements for 
subsequent executions, but improves the computational efficiency of the analysis. 
It has the additional advantage of progressively building a vocabulary database 
of metrically analysed Spanish words. 

3.2 Metric Analysis of a Verse: The Metric Syllable Counter 

The metric syllable counter is defined as a set of Prolog predicates that operate 
recursively over the list of words in a verse. All the information about the division 
into syllables and the location of the stressed syllable obtained for a given word 
during the previous two stages is declared in memory as Prolog facts. In this way, 
while processing each word in the verse the syllable counter has access to the 
list of syllables of the word and the position of the stressed syllable. From this 
information it can also easily determine whether a word starts or ends with a 
vowel. 



Counting the Metric Syllables in a Verse. The predicate word_analysis 
works out the scansion of the verse and returns a list of metric syllables 
corresponding to that verse, as well as the number of syllables found in the 
verse. 

A simple predicate synaloepha implements the decision rule for synaloepha, 
and appends two contiguous syllables whenever necessary. This is done by means 
of two auxiliary predicates (start_vowel and end_vowel) that identify whether 
a word starts or ends with a vowel. When processing a word, the final syllable 
of the previous word is carried over, together with a variable indicating whether 
it ended in a vowel or not. The last syllable of the previous word is treated as if 
it were part of the word. Depending on that variable, one or the other rule of the 
procedure is used. If synaloepha takes place, the rule that requires the previous 
word to end in a vowel simply acts as an interface, calling the other version with 
the corresponding alterations of the list of parameters: the number of syllables 
found so far is reduced by one, and the last syllable of the previous word and 
the first syllable of the present one are fused into a single syllable. Since this 
operation is carried out recursively, two syllables appended in this way may yet 
be appended to a third one if the conditions are right. This is quite common 
when one-vowel articles such as a occur between words that finish and start with 
vowels. This method requires special attention to be paid to border situations. 
For the first call (at the beginning of a verse) an additional ghost syllable must 
be added. This ghost syllable must be eliminated from the final list of syllables 
at the end. In the same way, for the last call (which would give the empty list as 
a result) the last syllable of the previous word must be returned as sole member 
of the list of syllables found, to ensure that it is not lost. 

The predicate reevaluate takes into account the effect on the count of metric 
syllables of the verse (as opposed to prosodic ones) of the position of the stressed 
syllable of the last word. It has three different versions, one for each possible 
pattern of stress placement. They all carry out basic arithmetic operations over 
the resulting number of syllables: subtract one if the last word is proparoxytone, 
leave as it is for a paroxytone word, add one for an oxytone word. 

A similar predicate, accent_analysis, operating over the same list of words 
for the verse and using the information facts in memory for each word, translates 
the list of words into a list of stressed syllable positions. This process is parallel to 
the one carried out when creating the list of syllables, with a numerical counter 
taking the part of the syllables. 



Using Results to Validate a Verse. Over the results of the analysis, a 
diagnostic of the correctness of the verse can be obtained by pattern matching 
with a set of valid patterns declared in memory. The predicate conclusions 
takes the obtained results and works out whether the verse under analysis is 
valid as an endecasílabo. If it is, the type of endecasílabo is identified by checking 
the positions of the stressed syllables. 

In the example above, the verse: 

Cerrar podrá mis ojos la postrera 

is an endecasílabo heroico, because it is eleven syllables long (N = 11) and its 
list of positions of stressed syllables (La = [2,4,5,6,8,10]) contains the key 
positions 2, 6, 10. 
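The syllable counter with synaloepha, reevaluate, accent_analysis and conclusions described in this section, as an added Prolog example (not the paper's code) run over the verse just quoted; it reproduces the count N = 11 and the stress positions [2,4,5,6,8,10]. The known_word facts are constructed by hand, the '+' accent marker is an assumption, and every word, articles included, counts as stressed, as in the text's list of positions.

```prolog
% Added example, not the paper's code.  Vocabulary facts in the format
% described above, constructed by hand for the words of the example verse
% plus the fragment "mi alma" (constructed) to show synaloepha at work.
:- use_module(library(lists)).

% known_word(StressFromEnd, Rhyme, Syllables, StartsVowel, EndsVowel, Word)
known_word(1, ar,   [ce, rrar],     no,  no,  cerrar).
known_word(1, 'a+', [po, 'dra+'],   no,  yes, 'podra+').
known_word(1, is,   [mis],          no,  no,  mis).
known_word(2, ojos, [o, jos],       yes, no,  ojos).
known_word(1, a,    [la],           no,  yes, la).
known_word(2, era,  [pos, tre, ra], no,  yes, postrera).
known_word(1, i,    [mi],           no,  yes, mi).        % constructed
known_word(2, alma, [al, ma],       yes, yes, alma).      % constructed

% word_analysis(+Words, -Syllables, -N): metric syllables of the verse and
% their number, fusing the last syllable of a word ending in a vowel with
% the first syllable of a following word starting with one (synaloepha).
% A ghost syllable seeds the recursion and is dropped from the result.
word_analysis(Words, Syllables, N) :-
    scan(Words, ghost, no, 0, [ghost|Syllables], N).

% scan(+Words, +Carried, +CarriedEndsInVowel, +Count, -Syllables, -N)
% Carried is the last syllable of the previous word, not yet emitted
% because it may still fuse with the next word (recursively, so a fused
% syllable can fuse again).
scan([], Carried, _, Count, [Carried], Count).
scan([W|Ws], Carried, yes, Count, Syllables, N) :-          % synaloepha
    known_word(_, _, [First|Rest], yes, EndsV, W), !,
    atom_concat(Carried, First, Fused),
    Count1 is Count - 1,
    advance([Fused|Rest], Ws, EndsV, Count1, Syllables, N).
scan([W|Ws], Carried, _, Count, [Carried|Syllables], N) :-  % no synaloepha
    known_word(_, _, Sylls, _, EndsV, W),
    advance(Sylls, Ws, EndsV, Count, Syllables, N).

% emit every syllable of the current word except the last, which is carried
advance(Sylls, Ws, EndsV, Count, Syllables, N) :-
    length(Sylls, K), Count1 is Count + K,
    append(Emitted, [Last], Sylls),
    append(Emitted, Tail, Syllables),
    scan(Ws, Last, EndsV, Count1, Tail, N).

% reevaluate(+Words, +N0, -N): metric count from the prosodic one, by the
% stress of the last word (proparoxytone -1, paroxytone 0, oxytone +1)
reevaluate(Words, N0, N) :-
    last(Words, W), known_word(Stress, _, _, _, _, W),
    ( Stress =:= 3 -> N is N0 - 1 ; Stress =:= 2 -> N = N0 ; N is N0 + 1 ).

% accent_analysis(+Words, -Positions): verse positions of the stressed
% syllables, with a numerical counter taking the place of the syllables
accent_analysis(Words, Positions) :- accents(Words, no, 0, Positions).

accents([], _, _, []).
accents([W|Ws], PrevEndsV, Count, [P|Ps]) :-
    known_word(Stress, _, Sylls, StartsV, EndsV, W),
    length(Sylls, K),
    (   PrevEndsV == yes, StartsV == yes
    ->  Count1 is Count + K - 1                 % two syllables fused
    ;   Count1 is Count + K
    ),
    P is Count1 - Stress + 1,
    accents(Ws, EndsV, Count1, Ps).

% valid patterns declared in memory: key stressed positions per type (only
% heroico is discussed in the text; the others are the standard varieties)
pattern(heroico,  [2, 6, 10]).
pattern(melodico, [3, 6, 10]).
pattern(safico,   [4, 8, 10]).
pattern(enfatico, [1, 6, 10]).

% conclusions(+Words, -N, -La, -Type): eleven metric syllables and a
% matching stress pattern make the verse a valid endecasilabo of that type
conclusions(Words, N, La, Type) :-
    word_analysis(Words, _, N0),
    reevaluate(Words, N0, N),
    accent_analysis(Words, La),
    (   N =:= 11, pattern(Type, Key), forall(member(K, Key), memberchk(K, La))
    ->  true
    ;   Type = invalid
    ).

% ?- conclusions([cerrar, 'podra+', mis, ojos, la, postrera], N, La, Type).
% ?- word_analysis([mi, alma], S, N).     % constructed synaloepha fragment
```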



4 Evaluation of the System 

The system has been evaluated over a set of classical poems. The number of 
incorrect analyses is worked out as a percentage. Specific sources of error are 
identified and their contribution to the general error is discussed. In each case, 
possible solutions are discussed. 
4.1 The Choice of Test Data 

The system has been tested over a set of 64 classic Spanish Golden Age sonnets 
(taken from |). These sonnets were fed to the system in separate files containing 
the sonnets by different authors. The system output a file with the syllable count, 
list of syllables, list of stressed positions, and rhyme for each of the given verses. 
Sonnets were chosen as benchmark poems because they have a very rigid formal 
structure. Every verse in a Spanish sonnet must be 11 syllables long according 
to the rules. Over the resulting files, verses that had been assigned by the system 
a syllable length other than 11 were hand checked for errors. 

4.2 The Results 

The results obtained are presented in table 1. 



Table 1. Raw Results 

Author      Sonnets   Verses   Errors   % Error 
Quevedo        21        294       31     89.5 
Lope           16        224       17     92.4 
Góngora        11        154       19     87.7 
Garcilaso       8        112       21     81.3 
Boscán          3         42        2     95.2 
Aldana          5         70       11     84.3 
Totals         64        896      101     88.7 



4.3 The Problem of Poetic License 

A poet is allowed a number of poetic licences to make the verses fit into the 
metric structure. These poetic licences are known as syneresis, dieresis, and 
hiatus (see details). Of these, dieresis allows a diphthong to be broken 
(adding one syllable to a given word), syneresis allows an illegal diphthong to 
be created (subtracting a syllable from a word), and hiatus allows synaloepha to 
be broken (adding a syllable to a given verse). Resolving issues of poetic license 
presents special problems because the main idea behind the concept is to allow 
the same verse to be parsed as having a certain length in one specific context 
and as having a different one in another. This is achieved by overlooking or 
enforcing two different metric rules: the rules for synaloepha and the rules for 
diphthong formation. Two syllables that might constitute synaloepha (or two 
vowels making a diphthong) and be parsed as one under normal conditions can 
exceptionally be broken up if the poet needs an extra syllable in his verse at that 
stage, resulting in hiatus (or dieresis). Alternatively, syllables (or vowels) that 
would be parsed as separate may be parsed as a unit if the poet wants one syllable 
less, resulting in hiatus (or syneresis). The fact that correct solutions are context 
dependent means that they cannot be implemented for isolated verses, but only 
when verses are scanned as part of a whole poem, in which case the metric rules 
for the poem impose specific lengths on verses. In a wider setting, these poetic 
licenses can easily be handled by rephrasing synaloepha and diphthong rules as 
defeasible inferences (or simply allowing the implicit backtracking in Prolog to 
find the alternative solution). 

The system as it stands allows easy location of poetic licenses, which gives 
added-value when analysing poetry. The results for poetic licenses obtained for 
the test data are presented in table 2. The number of poetic licenses taken in 
each set of poems is listed for each kind. The percentage of error when problems 
of poetic license are discounted is also shown. A great improvement in system 
efficiency is appreciated. 



Table 2. Poetic Licenses 

Author      Verses   Hiatus   Dieresis   Syneresis   Total   Real % error 
Quevedo       294       5         1          1         7       97.6 
Lope          224       6         2          1         9       96.0 
Góngora       154       3         4          4        11       92.9 
Garcilaso     112      10         2          2        14       87.5 
Boscán         42       0         0          0         0      100 
Aldana         70       2         3          1         6       91.4 
Totals        896      26        12          9        47       94.8 



4.4 Detected Errors and Planned Improvements 

The most important source of real errors is the conjunction y, which can act 
both as a vowel and as a consonant. This creates problems when determining 
whether synaloepha is possible or not between words. The rules for synaloepha 
must be redesigned to account for these variations. 

The remaining errors can be attributed to exceptions in diphthong formation 
rules. Although there are generally accepted rules governing diphthong formation, 
certain cases constitute exceptions (for historical or etymological reasons). 
Foreign words that have been accepted into Spanish also constitute exceptions 
to the syllabic rules. The fact that the system keeps a database of facts for the 
words in its vocabulary allows exceptions to the rules to be declared directly 
into the database. In this way, known exceptions can be included from the start, 
thereby improving the accuracy of the system. 

Table 3 shows final results for the system once problems of poetic licence and 
problems related to the conjunction are excluded. 



Table 3. Final Results 

Author      Sonnets   Verses   Y Errors   % Error 
Quevedo        21        294        20      98.6 
Lope           16        224         7      99.6 
Góngora        11        154         8     100 
Garcilaso       8        112         6      99.1 
Boscán          3         42         2     100 
Aldana          5         70         5     100 
Totals         64        896        48      99.3 



5 Conclusions and Further Work 

Several conclusions can be drawn from the above observations. On one hand, the 
logic programming tools used to implement the system have demonstrated their 
power and flexibility in coping with a complex problem of symbolic processing. 
On the other hand, the system shows potential both in the fields of literary 
analysis of large texts, and in the field of teaching. 

5.1 Advantages of Logic Programming for the Task 

The problem tackled in this paper presented a complex structure of several 
layers of analysis (at character level, at character group level, at syllable level, 
at the level of words in a verse), each implemented as a DCG. Solutions with 
fewer layers are possible, and some have been tested during the development of 
the system, but were rejected because of the excessive amount of backtracking 
required whenever information from bottom layers affects the decision process 
in top layers. 

The declarative nature of logic programming, and the modular design of 
the program (with general rules set distinctly apart from specific data for a 
given word in the vocabulary database) allows very easy encoding of exceptions. 
It also allows the system to act both as a parsing tool and as a vocabulary 
database generator. None of these advantages would have been available in an 
imperative implementation of the system, even though such an implementation 
would possibly carry out the parsing problem more efficiently if all the different 
cases were coded. The modularity of the program allows easy modification and 
might allow reuse of some parts of the code for languages with similar phonetic 
structure. 
5.2 The System as a Practical Tool 

The system is shown to give very good results over a basic sample. Although 
a considerably bigger sample would be required for a proper validation of the 
system, the fact that different authors (and therefore different vocabulary and 
different use of poetic licence) are involved improves the significance of the result. 

It is also important to note that although the system is based on linguistic 
rules for contemporary Spanish, the results are good even when applied to the 
work of Sixteenth Century poets - which speakers of modern Spanish sometimes 
find obscure. This shows that the system is not dependent on the specific 
database of vocabulary facts that it starts with, and it can reasonably be expected 
to cope with new words however alien to contemporary speakers (as long 
as they conform to the rules). 

The system may be put to practical use as an autonomous analysis tool (as a 
first approximation to block analysis of texts), or as a pedagogical tool in teaching 
environments. As extensions of this line of work, a complete system for the 
analysis of poems, including a diagnostic of strophic form, is under development 
at present. Additional issues such as modelling the described forms of poetic 
license during the analysis are being considered. 
Abstract. We describe lpdoc, a tool which generates documentation 
manuals automatically from one or more logic program source files, written 
in Ciao, ISO-Prolog, and other (C)LP languages. It is particularly 
useful for documenting library modules, for which it automatically generates 
a rich description of the module interface. However, it can also be 
used quite successfully to document full applications. A fundamental advantage 
of using lpdoc is that it helps maintain a true correspondence 
between the program and its documentation, and also identify precisely 
to what version of the program a given printed manual corresponds. 
The quality of the documentation generated can be greatly enhanced by 
including within the program text assertions (declarations with types, 
modes, etc. ...) for the predicates in the program, and machine-readable 
comments. One of the main novelties of lpdoc is that these assertions and 
comments are written using the Ciao system assertion language, which is 
also the language of communication between the compiler and the user 
and between the components of the compiler. This allows a significant 
synergy among specification, debugging, documentation, optimization, 
etc. A simple compatibility library allows conventional (C)LP systems 
to ignore these assertions and comments and treat normally programs 
documented in this way. The documentation can be generated interactively 
from emacs or from the command line, in many formats including 
texinfo, dvi, ps, pdf, info, ascii, html/css, Unix nroff/man, Windows 
help, etc., and can include bibliographic citations and images. lpdoc can 
also generate “man” pages (Unix man page format), nicely formatted 
plain ASCII “readme” files, installation scripts useful when the manuals 
are included in software distributions, brief descriptions in html/css or 
info formats suitable for inclusion in on-line indices of manuals, and 
even complete WWW and info sites containing on-line catalogs of documents 
and software distributions. The lpdoc manual, all other Ciao 
system manuals, and parts of this paper are generated by lpdoc. 



1 Introduction 

lpdoc is an automatic program documentation generator for (C)LP systems. Its 
main functionality is to generate a reference manual automatically from one or 
more source files of (constraint) logic programming systems. It has been developed 
as part of the Ciao Prolog | program development environment, but it 
can also be used to document source files of almost any other (ISO-)Prolog-like 
Q (C)LP system. lpdoc is particularly useful for documenting library modules, 

J. Lloyd et al. (Eds.): CL 2000, LNAI 1861, pp. 1345^^^2000. 

© Springer-Verlag Berlin Heidelberg 2000 
Fig. 1. Overall operation 
for which it automatically generates a rich description of the module interface. 
However, it can also be used quite successfully to document full applications. 

The operation of lpdoc is illustrated in Figure 1. lpdoc combines the information 
from a number of user and system files (as specified in a user-provided 
configuration file, SETTINGS in Figure 1) and produces manuals in a number 
of formats (texinfo, dvi, ps, pdf, info, html/css, ascii, Windows help, etc.) 
which can include bibliographic citations and images (if the target supports 
them). In addition to full manuals, lpdoc can also generate nicely formatted 
plain ASCII “readme” files, man pages (Unix manual page format), as well as 
brief descriptions in html or emacs info formats suitable for inclusion in an on-line 
master index of applications. Using these index entries, lpdoc can create 
and maintain fully automatically WWW and info sites containing pointers to 
the on-line versions of the documents it produces. Similarly, it can be used to 
generate software distribution sites. lpdoc also generates installation scripts for 
the manuals it produces, which simplify the process of creating a distribution of 
the corresponding software package. Finally, it is also possible to start a number 
of viewers directly from lpdoc in order to quickly browse the manuals produced. 
The documentation can be generated interactively from emacs or from the command 
line in a documentation directory containing configuration files. 

The quality of the documentation generated can be greatly enhanced by 
including within the program text assertions (declarations with types, modes, 
and other properties) for the predicates in the program, and machine-readable 
comments (in the “literate programming” style ^^|). The assertions and comments 
included in the source file need to be written using the Ciao assertion 
language. This is one of the main novelties of lpdoc. The fact that 
this assertion language also serves as the communication vehicle between the 
compiler and the user and between the components of the compiler allows a 
significant synergy among specification, debugging, analysis, optimization, and, 
thanks to lpdoc, program documentation. As we will see, lpdoc understands natively 
this language and can thus provide accurate information and relate both 
the formal and the textual aspects of properties with the assertions in which 
they occur. 

In order to make the discussion self-contained, an example of source code and 
the output produced by lpdoc is included at the end of the paper. However, since 
it is difficult to show significant output from the system in the space available, the 

^ It is also possible to use files written in GNU texinfo format as part of the lpdoc input 
(useful when gradually converting a manual from this popular format to lpdoc). 
reader is invited to look at actual manuals generated by lpdoc for reference while 
reading the paper. In particular, the lpdoc manual Q and all other Ciao system 
manuals are generated by lpdoc. The Ciao manuals and other lpdoc-generated 
manuals can be found on-line at http://www.clip.dia.fi.upm.es/Software, 
http://www.clip.dia.fi.upm.es/Software/Ciao and 
HID : / /WWW. ciiD. aia.ii .uDm. es/soiiware/tseiE (registration as a Beta 
tester is needed for access to the latter). In fact, all these WWW sites are 
automatically generated and maintained by lpdoc as well. 

2 Generating a Manual 

We now describe, from the user’s point of view, the process of generating a 
manual (semi-)automatically from a set of source files, installing them in a public 
area, and accessing them on line. 

Documentation can be generated fully automatically from within emacs (e.g., 
from the Ciao emacs-based program development environment) or calling lpdoc 
from the command line. The process starts (automatically in the former case 
or by hand in the latter) by creating a directory (e.g., doc) in which the documentation 
will be built. This directory is usually placed in the top directory of 
the distribution of the application or library to be documented and will contain 
the (automatically generated) manuals as well as scripts for installation of such 
manuals during the installation of the software package. Typically, almost all 
files in this directory will be automatically generated by lpdoc, which also takes 
care of cleaning up this directory of intermediate files before distribution of the 
software, leaving only the manuals in the selected formats. The configuration 
file of Figure 1, normally named SETTINGS, also resides in this directory. This 
file is written in Prolog syntax, possibly using Ciao syntactic enhancements (in 
particular, the functional notation is often useful in this context). 

A manual can be generated either from a single source file or from a set 
of source files. In the latter case, one of these files should be chosen to be the 
main file, and the others will be the component files. The main file is the one 
that will provide the title, author, date, summary, etc. to the entire document. 
In principle, any set of source files can be documented, even if they contain no 
assertions or comments. However, the presence of these will greatly improve the 
documentation (see Section H). 

The name of the main file is specified in the SETTINGS file by defining a fact of 
a predicate main. Facts of a (possibly empty) predicate components define the 
component files which will generate the different chapters of the manual. Facts of 
a predicate filepaths are used to define all the directories where the previously 
mentioned files can be found. Similarly, facts of the predicate systempaths are 
used to list all the system directories where system files used by the files being 
documented can be found. This is needed because on startup lpdoc has no 
default search paths for files defined, not even those defined by default in the 
Prolog system under which it was compiled (typically Ciao). This has the important 
consequence that it allows documenting Prolog systems other than that 
under which lpdoc was compiled. The effect of putting a path in systempaths 
instead of in filepaths is that the modules and files in those paths are documented 
as system modules (this is useful when documenting an application to 
distinguish its parts from those which are in the system libraries). 

These are the only settings which are strictly needed in order to generate a manual. However, many aspects of the generated manuals can be controlled through additional configuration parameters. For example, it is possible to control what is included in the different files and how: whether to include bug information or not, comments associated with version changes and/or with patches, author info, detailed explanation of predicate argument modes, starting page number, etc. It is also possible to define the set of formats (dvi, ps, pdf, ascii, html, info, manl, ...) in which the documentation should be generated by default (however, a manual in any of the supported formats can be generated on demand by typing “lpdoc format”). In particular, selecting htmlindex and/or infoindex requests the generation of (parts of) a master index to be placed in an installation directory and which provide pointers to the documents generated.

A predicate indices determines a list of indices to be included at the end of the document. These can include indices for defined predicates, modules, properties, types, concepts, files, etc. The contents of these indices are afterwards used for several purposes in on-line documents. In particular, lpdoc includes an emacs library for automatically locating any part of the manual related to the symbol (predicate, flag, property, type, etc.) under the cursor (“help for symbol under cursor”) and also performing automatic completion of partially typed names of predicates, types, etc. This is very useful when typing the name of a library predicate: it is possible to complete the name and also locate in one step the corresponding page in the on-line manual generated by lpdoc.

It is possible to define a predicate bibfile containing paths of .bib files, i.e., files containing bibliographic entries in BibTeX format. If citations are used in the text (using the @cite command) these will be the files in which the citations will be searched for. All the references in all component files will appear together in a References appendix at the end of the manual (the -norefs option prevents generation of the ‘References’ appendix). It is also possible to select different levels of verbosity during processing, from pretty silent (more or less only a couple of messages per file) to quite verbose, reporting the files visited and the predicates being documented on the fly. The latter is obviously quite useful for debugging.

Once the manual has been generated in the desired formats, lpdoc can also install them in a different area, specified by a predicate docdir in the SETTINGS file. As mentioned before, lpdoc can generate directly brief descriptions in html or emacs info formats suitable for inclusion in an on-line index of applications. In particular, if the htmlindex and/or infoindex options are selected, then lpdoc will create the installation directory, place the documentation in the desired formats in this directory, and produce and place in the same directory suitable index.html and/or dir files. These files will contain some basic info on the manual (extracted from the summary and title, respectively) and include pointers to the relevant documents which have been installed. The appearance of the actual indices created (e.g., index.html) can be controlled via templates and style sheets, specified in the configuration file. Several manuals, coming from different doc directories, can be installed in the same docdir directory. In this case, the descriptions of and pointers to the different manuals will be automatically combined (appearing in alphabetic order) in the index.html and/or dir indices, and a contents area will appear at the beginning of the html index page. In the same way, facilities are provided for de-installation of manuals from the docdir area.
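As an added illustration (not part of the paper), a complete SETTINGS file that ties the predicates just described together. The predicate names main, components, filepaths, systempaths, indices, bibfile and docdir are the ones the text gives; the directory and file names, and the use of a single list-valued indices fact, are assumptions of this example.

```prolog
%% SETTINGS: lpdoc configuration for a small library manual (added example;
%% the file and directory names below are made up for illustration).

%% The main file provides title, authors, summary, etc. of the whole manual.
main('mylib.pl').

%% Each component file generates one chapter, in the order listed here.
%% Leaving this predicate with no facts produces a flat, chapterless manual.
components('sort.pl').
components('complex.pl').

%% Directories searched for the main and component files and the
%% application modules they use.
filepaths('/home/me/mylib/src').
filepaths('/home/me/mylib/lib').

%% Directories searched for system modules. lpdoc has no default search
%% path, so the library directories of the Prolog system being documented
%% must be listed here. Modules found in these paths are documented as
%% system modules, which keeps them apart from the application's own code.
systempaths('/usr/local/lib/ciao/lib').
systempaths('/usr/local/lib/ciao/library').

%% Indices appended at the end of the manual (assumed to be given as one
%% list; the index names are illustrative).
indices([concept, pred, prop, regtype, module]).

%% BibTeX files searched for entries referenced with @cite.
bibfile('/home/me/mylib/doc/mylib.bib').

%% Installation area for the generated manuals and the index.html / dir
%% master index files.
docdir('/home/me/public_html/docs').
```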



3 Enhancing the Documentation Being Generated 



lpdoc will generate quite useful information from standard program files: e.g., exported predicates with their arity, characteristics of these predicates (dynamic, multifile, ...), other modules used, required libraries, and, if available, types and other properties, etc. However, the quality of the documentation generated can be greatly enhanced by including assertions and machine-readable comments within the program text.

Assertions are declarations which are included in the source and provide information regarding certain characteristics of the program. Typical assertions include type declarations, modes, general properties (such as does not fail), etc. For our purposes, we can consider standard compiler directives (such as dynamic/1, op/3, meta_predicate/1, ...) also as assertions. When documenting a module, lpdoc will use the assertions associated with the module interface to construct a textual description of this interface. In principle, only the exported predicates are documented, although any predicate can be included in the documentation by explicitly requesting it (by using a particular comment/2 declaration, see below). Judicious use of these assertions allows at the same time documenting the program code, documenting the external use of the module, and greatly improving the debugging process. The latter is possible because the assertions provide the compiler with information on the intended meaning or behavior of the program (i.e., the specification) which can be checked at compile-time (by a preprocessor/static analyzer) and/or at run-time (via checks inserted by the same preprocessor).

Machine-readable comments are also declarations included in the source program but which contain additional information intended to be read by humans (this is where the connection with the literate programming style of Knuth is closest). These declarations are ignored by the compiler in the same way as classical comments. Thus, they can be used to document the program source in place of (or in combination with) the normal comments typically inserted in the code by programmers. However, because they are more structured and they are machine-readable, they can also be used to improve the automatic generation of printed or on-line documentation. Typical such comments include module title, author(s), bugs, changelog, etc. Judicious use of these comments allows enhancing at the same time the documentation of the program text and the manuals generated.

As mentioned before, lpdoc requires these assertions and comments to be written using the Ciao system assertion language. Comments have the general form:

:- comment(CommentType, CommentData).

where generally the first argument states the type of comment and the second one the comment itself, written in a particular markup language which is very similar to texinfo and LaTeX (see Section 7). Examples of comments are:

:- comment(title, "Complex numbers library").
:- comment(summary, "Provides an ADT for complex numbers.").
:- comment(ctimes(X,Y,Z), "@var{Z} is @var{Y} times @var{X}.").

An example of an assertion is: 

:- pred qsort(X,Y) : list(X) => sorted(Y)
   # "@var{Y} is a sorted permutation of @var{X}.".

which states that in the calls to predicate qsort/2 the first argument should be a 
list and, upon exit, the second argument should be sorted. There is also a textual 
assertion comment, written using the same markup language as in comment/2. 
The properties list/1 and sorted/1 used in the assertion might be declared as 
such with the following assertions (we are also including the actual definitions 
for illustration purposes): 

:- prop sorted(X) # "@var{X} is sorted.".
sorted([]).
sorted([_]).
sorted([X,Y|R]) :- X < Y, sorted([Y|R]).

:- regtype list(X) # "@var{X} is a list.".
list([]).
list([_|T]) :- list(T).

(list is actually a particular case of property: a regular type). Space limitations 
unfortunately do not allow a description of the assertion language. See the ap- 
pendices for more examples and for details. 

4 Overall Structure of the Generated Documents 

If the manual is generated from a single main file (i.e., components is empty), 
then the document generated will be a flat document containing no chapters. If 
the manual is generated from a main file and one or more components, then the 
main file will be used to generate the cover and introduction, while each of the 
component files will generate a separate chapter. The contents of each chapter 
will reflect the contents of the corresponding component source file. 

Footnote: A simple compatibility library can be used so that programs documented using assertions and comments can be loaded by traditional (constraint) logic programming systems which lack native support for them. Using this library, such assertions and comments are simply ignored by the compiler.

Footnote: For brevity, doc(...,...) can also be used.
If a .pl file does not define the predicates main/0 or main/1, it is assumed to be a library and information on the interface (e.g., the predicates exported by the file, the name of the module and usage if it is a module, etc., i.e., the API) is produced by default. If, on the contrary, the file defines the predicates main/0 or main/1, it is assumed to be an application and no description of the interface is generated. Instead, usage information is produced. Any combination of libraries and/or main files of applications can be used arbitrarily as components or main files of an lpdoc manual (see the lpdoc manual for interesting combinations). A :- comment(filetype, FileType). declaration (where FileType names the kind of file) can be used to override these rules.

In any case, a cover is generated with the title, authors, summary, version, 
etc. of the whole manual, which are those of the main file. Then comes the table of 
contents, whose level of detail can also be controlled via options. This is followed 
by the sections or chapters corresponding to the file or files being documented. 
Finally, the manual ends with the selected indices, list of references, etc. 

5 Structure of Chapters 

The structure of the individual chapters depends also on whether they are applications or libraries. In the case of libraries, the structure is as below. Note that inclusion of many of the following items can be turned on or off and can be configured in several ways through options. Examples of a source file and the chapter generated for it (under a particular set of options) are listed in the appendices (the source in Appendix A, and the generated chapter in the appendix that follows it) for illustration while reading the following items.

— Chapter title, from a title comment, such as the line:

:- comment(title, "The classical quick-sort").

in the example. If the file is the main file, the title text (a documentation string) will also be used in the cover page and also as the description of the manual in on-line indices. If no such comment exists, then a suitable one is generated from the module or file name. Also, a subtitle comment is allowed.

— Authors, which are obtained from author comments, such as:

:- comment(author, "Alan Robinson").

There can be more than one of these declarations per module (normally, one per author). These are followed by copyright info (from copyright comments) and version info (from changelog comments). If the file is part of a bigger package, then both the file version (i.e., when last changed) and the overall system versions are documented.

— Chapter introduction, taken from a summary comment or from a module comment, if no summary is available (see also the example).

— A usage and interface section, which is typically generated without any need for comment declarations, and includes:

• Module usage info, stating whether it is a module, a user file, a package, etc., and how it is to be loaded. These automatically generated loading instructions can be replaced by more specific ones by means of a usage comment.
• List of exported predicates. These are classified by kind: normal predicates, multifile predicates, regular types, properties, declarations, etc.

• The list of other modules used. These are separated into User, System and, optionally, Engine libraries (this division is controlled by the paths in SETTINGS). It is possible to optionally prevent the information on System and/or Engine libraries used from being included in the manual. Note that this information is useful because it allows the user of a library to see which other libraries it will load, and thus the impact that it will have on the size of the executable.

— A section with overall information on the library, taken from the module comment, if available (and if this comment was not already used before).

— A section documenting new declarations defined (Ciao-specific).

— A section documenting the predicates (including regular types and proper- 
ties) exported by the library (e.g., qsort/2, list/1, and sorted/1 in the 
example). In principle, all exported predicates are documented. However, it 
is possible to prevent documentation on a predicate from appearing in the 
manual by using a hide comment (useful, e.g., for low-level predicates which 
are exported but are not meant to be used directly). 

— A section documenting the multifile predicates defined by the library. 

— Possibly a section documenting some internal predicates (or regular types or 
properties) defined by the library. In principle internal (local) predicates are 
not documented, but documentation of an internal predicate can be forced 
by using a doinclude comment. This is the case for partition/4 in the 
example. This is useful for example when generating “internals” manuals or 
implementation chapters for inclusion in larger documents. 

— Optionally, a section with known bugs, i.e., those present in bug comments 
(see the example). 

— Optionally, a section with a list of changes, those present in version comments (see the example). It is possible to list only comments associated with major version changes and leave out minor changes (“patches”). This allows writing version comments which are internal, i.e., not meant to appear in the manual. Code is provided for maintaining version numbers automatically with emacs, or they can also be maintained with other tools such as standard version control systems.

— Reexported predicates, i.e., predicates which are exported by a module m1 but defined in another module m2 which is used by m1, are normally not documented in the original module, but instead a simple reference is included to the module in which they are defined. This is useful if the documentation for the referred module is included in the same document. Otherwise, using a comment/2 declaration with doinclude in the first argument and the predicate descriptor in the second forces the documentation to be included in the referring module. This is often useful when documenting a library made of several components: typically there is a principal module, which is the one which users will do a use_module/1 of, and which exports or reexports all the predicates which define the library’s user interface. It is then often best to include in the manual this main file only, with the appropriate doinclude comments.

Footnote: In Ciao, engine libraries contain builtins that are always present in any executable, independently of whether they are imported or not from the program.

If the chapter is documenting an application, then no module interface informa- 
tion is included in the documentation, but it still contains title, authors, version, 
summary, usage information, body, bugs, changelog, etc. 
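As an added illustration (not the paper's example), a library module that uses the comment kinds listed above so that each of the chapter items has a source in the code: title, subtitle, authors, copyright, changelog, introduction, usage, a hidden export, a forced internal predicate and a known bug. The predicate and property names, and the argument shapes of the version and copyright comments, are assumptions of this example.

```prolog
%% stack.pl: a small library written to exercise the lpdoc comment kinds
%% (added example; the argument shape of version/2 is assumed).
:- module(stack, [push/3, pop/3, empty/1, stack/1, raw_list/2],
          [assertions, regtypes, isomodes]).

%% Chapter title and subtitle.
:- comment(title, "A simple stack library").
:- comment(subtitle, "List-based stacks with checked interfaces").

%% One author comment per author, followed by copyright and changelog info.
:- comment(author, "Alan Robinson").
:- comment(author, "Alain Colmerauer").
:- comment(copyright, "Copyright (C) 2000 The Authors.").
:- comment(version(1*0+0, 2000/07/24), "First public version.").
:- comment(version(1*0+1, 2000/07/26), "Cosmetic fixes (a patch).").

%% The summary becomes the chapter introduction; the module comment then
%% feeds the section with overall information on the library.
:- comment(summary, "Provides an abstract data type for stacks.").
:- comment(module, "A stack is represented as a list whose head is the
   top element. The operations never modify their input stacks.").

%% Replaces the automatically generated loading instructions.
:- comment(usage, "@tt{:- use_module(library(stack)).}").

%% A known bug, reported in the optional bugs section.
:- comment(bug, "pop/3 fails silently on the empty stack instead of raising
   an error.").

%% A regular type with a textual comment: the comment, not the clauses,
%% is what appears wherever stack/1 is used in other assertions.
:- regtype stack(S) # "@var{S} is a stack, represented as a list.".
stack([]).
stack([_|T]) :- stack(T).

%% General comment plus one pred assertion (one conceptual usage).
:- comment(push(E, S0, S), "Pushes @var{E} onto @var{S0}, giving @var{S}.").
:- pred push(+E, +S0, -S) : stack(S0) => stack(S)
   # "The normal use.".
push(E, S, [E|S]).

:- comment(pop(E, S0, S), "Pops the top element @var{E} off @var{S0}.").
:- pred pop(-E, +S0, -S) : stack(S0) => stack(S).
pop(E, [E|S], S).

:- pred empty(+S) : stack(S) # "@var{S} is the empty stack.".
empty([]).

%% Exported for other modules of the package but kept out of the manual.
:- comment(hide, raw_list/2).
raw_list(S, S).

%% Not exported, yet forced into the manual, e.g. for an internals chapter.
:- comment(doinclude, size/2).
:- pred size(+S, -N) : stack(S) => int(N)
   # "@var{N} is the number of elements in @var{S}.".
size([], 0).
size([_|T], N) :- size(T, N0), N is N0 + 1.
```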



6 Documentation on Predicates, Properties, etc. 

We now describe how individual predicates, declarations, properties, etc. are 
documented. This is done in essentially the same way, independently of whether 
they appear in the export list or they are internal predicates. The documentation 
is obviously more detailed if more information is available on the predicate in 
the form of assertions and comments. 

If the program does not contain any declarations for the predicate, a line is 
output documenting that this is a predicate of the given name and arity and 
a simple comment is included saying that there is no further documentation 
available. Note that this means for example that the predicate will appear in the 
index, and also that its name will be available for command completion within 
emacs. 

If the predicate is declared to be a property or regular type, then this fact is 
included in the documentation. If there is no textual comment available for it, 
then its actual definition is included in the documentation (see list/1 in the 
example). Otherwise, the comment is used (as with sorted/1 in the example). 

If an overall comment (a comment/2 declaration) is available for a predicate, 
it is used as a general explanation (see the general comment for qsort/2 in the 
example). If any assertions are present, they are documented in mostly textual 
form. In particular, if pred declarations are present, each of them is considered 
a possible conceptual usage (i.e., a particular way in which the predicate is 
intended to be used) and is documented as such (e.g., the two pred declarations 
for qsort/2 in the example). Also, if a comment appears in the pred declaration, 
it is associated with the usage (as opposed to the general comment above). 

The syntactic sugar which can be used with the assertions (e.g., property macros) can be either kept as is or expanded when documentation is generated. In the example, having chosen the corresponding option, the modes (which are “property macros” in the Ciao assertion language) used in partition/4 have been spelled out in the documentation. Note that the parametric type list/2 used (e.g., in list(X,num)) is assumed to be imported by default.

A point of particular interest is that if a textual comment is available in the definition of a property or regular type (such as for sorted in the example) then this text is used when the property itself is used elsewhere in an assertion. An example is the use of sorted in the two usages for qsort/2. This also occurs if the property is imported from another module: the comment is read from that module (actually, from the module’s .asr interface file).

7 Documentation Strings 

As shown in previous examples, the character strings which can be used in machine readable comments (comment/2 declarations) and assertions can include certain formatting commands (“markup”). The syntax of all the formatting commands is: @command (followed by either a space or {}), or @command{body} where command is the command name and body is the (possibly empty) command body. Also, a command may have several bodies, as in: @command{body1}{body2}.

In order to make it possible to produce documentation in a wide variety of formats, the command set is kept small. The names of the commands are intended to be reminiscent of the commands used in the LaTeX text formatting system, except that @ is used instead of “\”. Note that “\” would need to be escaped in ISO-Prolog strings, which would make the source less readable. Given that space restrictions do not allow a full description of the command set, we provide a general description by categories.

There are a number of indexing commands which are used to mark certain words or sentences in the text as concepts, names of predicates, libraries, files, etc. and which then get indexed and cross-referenced in hypertext formats. There are also referencing commands which are used to introduce bibliographic citations and references to sections, urls, email addresses, etc. A set of formatting commands are provided which allow typesetting certain words or sentences in special fonts/faces, building itemized lists, introducing sections, including verbatim examples, cartouches, etc. There are also special commands for generating accented and special characters. A number of inclusion commands (@include, @includedef, ...) allow inserting code or strings of text as part of the documentation. The latter may reside in external files or in the file being documented. The former must be part of the module being documented. There are also commands for inserting and scaling images.



8 Other Issues 



Separating the documentation from the source file: Sometimes one would not like to include long introductory comments in the module itself but would rather have them in a different file. This can be done quite simply by using the @include command mentioned above. For example, the following declaration:

:- comment(module, "@include{Intro.lpdoc}").

will include the contents of the file Intro.lpdoc as the module description.

Footnote: This occurs in the example with list/2, which is in the lists library.

Footnote: @ is familiar to texinfo users and, in any case, many ideas in LaTeX were taken from scribe, where the escape character was indeed @.

Alternatively, sometimes one may want to generate the documentation from a completely different file. Assuming that the original module is m1.pl, this can be done by calling the module containing the documentation m1_doc.pl. This m1_doc.pl file is the one that will be included in the lpdoc SETTINGS file, instead of m1.pl. lpdoc recognizes and treats such _doc files specially so that the name without the _doc part is used in the different parts of the documentation, in the same way as if the documentation were placed in file m1.

Generating auxiliary files (e.g., READMEs): Using lpdoc it is often possible to use a common source for documentation text which should appear in several places. For example, assume a file INSTALL.lpdoc contains text (with lpdoc formatting commands) describing an application. This text can be included in a section of the main file documentation as follows:

:- comment(module, "@section{Installation instructions}
                    @include{INSTALL.lpdoc}").

At the same time, this text can be used to generate a nicely formatted INSTALL file in ASCII, which can perhaps be included in the top level of the application’s source directory. To this end, an INSTALL.pl file is constructed as follows:

:- include(library([assertions])).
:- comment(title, "Installation instructions").
:- comment(module, "@include{INSTALL.lpdoc}").
main.   %% forces the file to be documented as an application

Then, the ASCII INSTALL file will be generated by simply running lpdoc ascii in a directory with a SETTINGS file where MAIN is set to INSTALL.pl (these steps can be performed automatically in the interactive environment).

9 System Architecture and Implementation 

Space limitations only allow us to sketch the architecture and implementation of the system. lpdoc is implemented in (Ciao-)Prolog and compiled into a standalone Ciao executable. Executable size is around 300K for the dynamic version and 2.7Mbytes for the fully static version (including WAM engine). The executable is generated from around 11K lines of application-specific code (including comments/documentation) and 12K lines from the Ciao system libraries, plus some 1K additional lines of miscellaneous code (html/css, TeX and BibTeX styles, emacs lisp, etc.). The first version of the system was completed between 1996 and 1997 with successive improved versions appearing after that.

Footnote: Details can be found in the comments within the source files of the system, which, when printed out using lpdoc, constitute the system’s internals manual.

Since the source used by lpdoc is not just simple comments but the actual code of the modules (e.g., the assertions, the module declarations, exports, imports, dynamic declarations, syntax extensions, mode definitions, etc., and even the source code), lpdoc requires a full reader. This is especially true for the full Ciao system source language, which is designed to be very extensible. Also, the reader (and the overall system) must be adaptable to different operator definitions and sets of built-ins so that different flavors of Prolog and other (C)LP languages can be supported. Finally, because the design objective was to be able to document very large systems in an efficient way, processing of the source files, including module interface information, declarations, comments, assertions, etc. needs to be highly incremental.

At the level of source file processing, the objectives are achieved in a relatively straightforward way thanks to the Ciao assertion processing library (see the figure), itself an instance of the c_itf low-level generic modular processing library. For each documented file, and transitively for other files used by the one being documented, the library reads all the information, normalizes the assertions, and saves them in .asr and .itf cache files. This process is only repeated on an as-needed basis when a source file is modified. The syntax extensions and builtins “seen” during the processing of a file can be controlled by setting the lpdoc load paths (systempaths and filepaths, see above) so that files containing the appropriate syntax extension definitions and the documentation for the builtins are “seen” by lpdoc.

Once it has read the information for a file and its auxiliary files, lpdoc uses a number of documentation generation rules (also written in Prolog and part of which are defined in a configuration file) to implement the documentation actions outlined in previous sections. Documentation is in general first generated in an internal format (basically, the language of Section 7), and then converted by a number of backends in Prolog and/or auxiliary (publicly available) applications (TeX, dvi2ps, etc.) into manuals in the different formats, index entries, installation scripts, etc. It is quite easy to add new backends. The generation of the documentation files is also partly incremental, in that a documentation cache file (currently in GNU texinfo format) is kept for each Prolog file being documented and which only changes as needed by any changes in the source files. Thus, a form of “separate documentation” (in the same sense as “separate compilation”) is achieved. Early versions used makefiles for dependency tracking in this process, while more recent versions do the job in Prolog using the Ciao make library, which has greatly increased portability. Unfortunately some of the auxiliary tools currently used by lpdoc are difficult to make incremental, although this is not a real problem in practice. For example, the Ciao reference manual is generated from approx. 180 source Prolog files and a corresponding number of cache texinfo files, producing 50K lines of texinfo code and 550 busy A4 pages. Regenerating the dvi file after changing a single file (e.g., the lists library) takes only 10% of the time needed to generate the whole manual from scratch.

Footnote: See “The GNU Texinfo Documentation System” manual for more info on this format, widely used in the GNU project and on Linux and other Unix systems.

One of the most complicated issues has been to generate consistent documen- 
tation and support as many common features as possible across many different 
formats. For example, supporting citations using BiBTeX files was tricky be- 
cause few of the underlying formats were capable of this (the solution was to 
bridge the missing capabilities in Prolog). 

10 Related Work 

We are not aware of other automatic documentation systems that have all the capabilities of lpdoc. There are some systems which allow interspersing TeX and Prolog in a source file in the style of Knuth’s original formulation of literate programming. While these systems are quite useful, we believe that lpdoc goes beyond them in that a significant part of the documentation is generated essentially automatically by modules of the compiler, and that the assertion language used is shared with other program development tools, which makes them quite useful beyond just documentation. ICON and Perl have some (limited) facilities for merging documentation and programs. Perhaps the closest tool to lpdoc is the javadoc documentation system for Java (the development of lpdoc and javadoc started about the same time and independently). Like lpdoc, javadoc uses information which is typically read and/or derived by the compiler (types, class structure, etc.), allows including textual comments with (HTML) markup, and can be extended via doclets. javadoc seems to have concentrated on producing good HTML output, while lpdoc aims to produce consistent documentation across a large number of different formats. Because of the tight integration with the language, javadoc cannot be used well for Prolog programs (in the same way as lpdoc would certainly not be as effective as javadoc for Java programs). Also, we feel that the markup language and, especially, the assertion language and the way properties can be used in documentation, are richer in lpdoc. Also, lpdoc is not limited to documenting APIs, i.e., it can also include source code in the generated documents, create indices, maintain web and info sites, etc.

11 Conclusions 

Since the first “production” versions of the lpdoc system became available, we have applied it in a number of scenarios. We have used it to document all the components of the Ciao Prolog development environment, libraries for SICStus and CHIP, standalone Prolog applications, and even applications not written in Prolog. It has certainly proven very useful for documenting library modules. However, we have also found it quite useful for generating “internals” and also user manuals of applications and project reports. Because the system can not only generate manuals in many formats, but also maintain documentation and software distribution sites, we have found ourselves using it for documenting and building such sites for a number of applications which, as mentioned above, were not even written in Prolog.

Footnote: See ftp://ftp.dante.de/tex-archive/macros/latex/contrib/other/gene/pl.tar.gz for a good example.

We have found that, with a bit of practice, one can write assertions and comments that at the same time document the program code, document the external use of the library, and greatly improve the debugging and maintenance cycles. One of the fundamental practical advantages observed when using lpdoc to document programs is that it is much easier to maintain a true correspondence between the program and its documentation, and to identify precisely to what version of the program a given printed manual corresponds. Furthermore, another fundamental advantage comes from the fact that the assertions are designed to be checkable in part, either statically or dynamically, so that the documentation also achieves a certain degree of certification. While in the Ciao system writing assertions is optional (in contrast to, e.g., Mercury), the fact that they will generate a good part of the manual encourages programmers to write them, and this in turn helps developing programs faster, because more errors are detected early on.

lpdoc is publicly available. The system is currently undergoing further development in several directions, such as, for example, reducing the need for auxiliary applications (so that it is portable to more platforms) or improving the emacs-based interactive environment. As mentioned previously, with a simple compatibility library it is relatively easy to make traditional (constraint) logic programming systems (in which new declarations can be defined) accept programs adorned with Ciao-style assertions and comments, so that they are ignored during compilation but lpdoc (and the Ciao preprocessor) can be used on them. As mentioned above, we have done this for SICStus and CHIP. It should not be too difficult to modify the front end for other type/assertion languages, such as those used in Mercury and HAL (this is under study at least in the case of HAL), or even non LP-based languages (which would, however, need a specific front-end).

Acknowledgements: The design of the lpdoc system has benefitted from 
suggestions made by CLIP group members and users of Ciao Prolog which are too 
many to mention here (acknowledgements are given in the reference manual and 
source files). This document has benefitted from detailed comments from Daniel 
Cabeza, Per Cederberg, and the anonymous referees. The author would also like 
to thank the PC for deciding to accept this paper, despite its perhaps somewhat 
atypical nature. The development of lpdoc has been funded in part by CICYT 
project EDIPIA (TIC99-1151). 
A An Example: Source 

:- module(sort, [qsort/2, list/1, sorted/1], [assertions, regtypes, isomodes]). 
:- use_module(library(lists), [append/3]). 
:- comment(title, "The classical quick-sort"). 
:- comment(module, "This library provides a naive implementation of 
   quick-sort and some associated types and properties."). 

:- comment(qsort(X,Y), "@var{Y} is a sorted permutation of @var{X}."). 
:- pred qsort(X,Y) : list(X) => sorted(Y) 
   # "This is the normal use.". 
:- pred qsort(X,Y) : (list(X), sorted(Y)) 
   # "Checking that @var{Y} is a sorted permutation of @var{X}.". 

qsort([],[]). 
qsort([X|L],R) :- 
    partition(L,X,L1,L2), qsort(L2,R2), qsort(L1,R1), append(R1,[X|R2],R). 

:- pred partition(+list(num),+num,-list(num),-list(num)). 
:- comment(doinclude, partition/4). 

partition([],_B,[],[]). 
partition([E|R],C,[E|Left1],Right) :- 
    E < C, !, partition(R,C,Left1,Right). 
partition([E|R],C,Left,[E|Right1]) :- 
    E >= C, !, partition(R,C,Left,Right1). 

:- prop sorted(X) # "@var{X} is sorted.". 
sorted([]). 
sorted([_]). 
sorted([X,Y|R]) :- X < Y, sorted([Y|R]). 

:- regtype list/1. 
list([]). 
list([_|T]) :- list(T). 

:- comment(bug, "Code uses @pred{append/3}, which is inefficient."). 

:- comment(version_maintenance, on). 
:- comment(version(0*1+1, 1999/10/11, 03:19*00+'CEST'), 
   "Already made the first change... (Manuel Hermenegildo)"). 
:- comment(version(0*1+0, 1999/10/11, 03:18*29+'CEST'), 
   "File created. (Manuel Hermenegildo)"). 



B The Classical Quick-Sort 

Version: 0.1#1 (1999/10/11, 3:19:0 CEST) 

This library provides a naive implementation of quick-sort and some associated 
types and properties. 

B.1 Usage and Interface (sort) 

— Library Usage: 

:- use_module(library(sort)). 

— Exports: 

• Predicates: 
qsort/2. 

• Properties: 
sorted/1. 

• Regular Types: 
list/1. 

— Other Modules Used: 

• System Library Modules: 
lists. 



B.2 Documentation on Exports (sort) 

qsort/2: PREDICATE 

qsort(X,Y): Y is a sorted permutation of X. 

Usage 1: qsort(X,Y) 

— Description: This is the normal use. 

— Should hold at call time: list(X). 

— Should hold upon exit: Y is sorted (sorted/1). 

Usage 2: qsort(X,Y) 

— Description: Checking that Y is a sorted permutation of X. 

— Should hold at call time: list(X) (list/1), Y is sorted (sorted/1). 

list/1: REGTYPE 

A regular type, defined as follows: 
list([]). 
list([_|T]) :- 
    list(T). 

sorted/1: PROPERTY 

Usage: sorted(X) 

— Description: X is sorted. 



B.3 Documentation on Internals (sort) 

partition/4: PREDICATE 

Usage: 

— Should hold at call time: Arg1 is a list of nums (list/2), Arg2 is a number (list/2), 
Arg3 is a free variable (var/1), Arg4 is a free variable (var/1). 

— Should hold upon exit: Arg3 is a list of nums (list/2), Arg4 is a list of nums 
(list/2). 

B.4 Known Bugs and Planned Improvements (sort) 

— Code uses append/3, which is inefficient. 

B.5 Version/ Change Log (sort) 

— Version 0.1#1 (1999/10/11, 3:19:0 CEST) 

Already made the first change... (Manuel Hermenegildo) 

— Version 0.1 (1999/10/11, 3:18:29 CEST) 

File created. (Manuel Hermenegildo) 
Abstract. While medical information systems have become common in 
the United States, commercial systems that automate or assist in the 
process of medical diagnosis remain uncommon. This is not surprising, 
since automating diagnosis requires considerable sophistication both in 
the understanding of medical epidemiology and in knowledge representation 
techniques. This paper is an interdisciplinary study of how recent 
results in logic programming and non-monotonic reasoning can aid in 
psychiatric diagnosis. We argue that to logically represent psychiatric 
diagnosis as codified in the Diagnostic and Statistical Manual of Mental 
Disorders, 4th edition requires abduction over programs that include 
both explicit and non-stratified default negation, as well as dynamic 
rules that express preferences between conclusions. We show how such 
programs can be translated into abductive frameworks over normal logic 
programs and implemented using recently introduced logic programming 
techniques. Finally, we note how such programs are used in a commercial 
product, Diagnostica. 



1 Introduction 

Medical information systems have become an active area of software development 
in the United States, with a market of over 10 billion dollars per year. Typically, 
these systems have as their goals either to cut the costs of medical treatment or 
to ensure that treatments are performed in a standard, well-documented manner. 
Traditional medical information systems may have considerable complexity 
and most often address problems such as billing or shift-scheduling; problems 
related to workflow management such as monitoring of treatment plans; or image 
processing. However, commercial systems that partially automate the process of 
medical diagnosis are uncommon, partly because the process of medical reasoning 
is difficult to automate. The purpose of the Diagnostica system developed 
by Medicine Rules, Inc. is twofold. As a research system, it explores how psychiatric 
assessment can be represented by extensions of classical logic and serves 
as a focus of an interdisciplinary collaboration between computer scientists and 
research psychiatrists. Just as importantly, as a commercially available product, 
Diagnostica seeks to aid psychiatrists, psychologists and psychiatric social 
workers in diagnosing patients in an efficient and systematic manner. 

Accurate diagnoses can be difficult to make, even for a trained psychiatrist. 
For instance, a confused, elderly patient could suffer either from Alzheimer’s 
Dementia or a Major Depressive Disorder (sometimes colloquially called 
pseudo-dementia). In the latter case, the patient may be treatable with medication; in 
the former case the patient may not be. Similarly, it may be difficult to determine 
whether a child has Attention Deficit Disorder (treated by medication) or 
an Adjustment Disorder (treated by therapy or by changing the child’s environment). 
Diagnostic procedures concerning such disorders have been codified by 
the American Psychiatric Association in the fourth edition of its reference book 
Diagnostic and Statistical Manual of Mental Disorders, or DSM-IV, which is 
widely used in the United States. These procedures specify various criteria that 
a patient must satisfy in order to meet a diagnosis for a mental disorder. As an 
example, the criteria for Asperger’s Disorder, a Childhood Pervasive Development 
Disorder, are shown in Figure 1. As terminology, we use the term criterion to 
refer both to the conditions comprising a rule (e.g. criteria 1-5 in Figure 1) and to 
the “symptoms” that the patient exhibits, e.g. criteria 1.a-1.d in Figure 1, which 
are sometimes called base criteria. 

Criterion 1 reflects the polythetic nature of psychiatric diagnoses, in which 
there need be no essential characteristic or criterion of a diagnosis. Instead, 
multiple prototypes with varying features are used to group together a wide range of 
disparate phenomena into a diagnosis. At the same time there may be a significant 
amount of symptom overlap between different diagnoses. For instance, the 
failure to develop peer relationships can, under different circumstances, indicate 
schizophrenia, autism, and many other disorders. The issues of multiple prototypes 
and symptom overlaps lead to occasional difficulty and even ambiguity 
in distinguishing between the 618 DSM-IV diagnoses, as in the cases mentioned 
above. Because of these complications, while most American psychiatrists use 
DSM-IV, few use it to its full advantage. Studies have shown that clinical 
psychiatrists err in using DSM-IV by not considering all possible diagnoses, while 
research psychiatrists err by not excluding diagnoses quickly enough. 

As indicated by Figure 1, DSM-IV diagnostic rules have a clear formulation 
that lends itself to coding as a logic program: thus a patient meets criteria for 
a diagnosis if the body of the diagnosis, expressed as a logical rule, is satisfied. 
However, the logical formulation and implementation of DSM-IV is not always 
straightforward, and includes the need to exclude certain diagnoses in order to 
prove other diagnoses, the need to represent incomplete knowledge, and the need 
for hypothetical reasoning during diagnosis. This paper explores how recently 
introduced techniques in logic programming and non-monotonic reasoning can 
be used to represent aspects of diagnosis as codified in DSM-IV. Specifically: 
— We show that modeling DSM-IV requires non-stratified negation in order to 
handle ambiguities in its formulation; we argue that both default and explicit 
negation are required to codify DSM-IV, as is a provision for hypothetical 
reasoning. 

— We show how practical diagnosis using DSM-IV can be based on interpreting 
non-stratified negation in DSM-IV through the well-founded semantics 
augmented by a novel form of preference logic whose semantics we define. 

— We describe how the Diagnostica system is based on a partial implementation 
of these techniques, and discuss an important use of abduction to construct 
differentials for diagnoses. 

1. Qualitative impairment in social interaction, as manifested by at least two of the 
following: 

(a) marked impairment in the use of multiple nonverbal behaviors such as eye-to-eye 
gaze, facial expression, body postures, and gestures to regulate social interaction; 

(b) failure to develop peer relationships appropriate to developmental level; 

(c) a lack of spontaneous seeking to share enjoyment, interest, or achievements with 
other people (e.g. by a lack of showing, bringing, or pointing out objects of interest 
to other people); 

(d) lack of social or emotional reciprocity. 

2. Restricted repetitive and stereotyped patterns of behavior, interests, and activities, as 
manifested by at least one of the following: 

(a) encompassing preoccupations with one or more stereotyped and restricted patterns 
of interest that is abnormal either in intensity or focus; 

(b) apparently inflexible adherence to specific nonfunctional routines or rituals; 

(c) stereotyped and repetitive motor mannerisms (e.g., hand or finger flapping or 
twisting, or complex whole-body movements); 

(d) persistent preoccupation with parts of objects. 

3. The disturbance causes clinically significant impairment in social, occupational, or other 
important areas of functioning. 

4. There is no significant clinical delay in cognitive development or in the development 
of age-appropriate self-help skills, adaptive behavior (other than in social interaction) 
and curiosity about the environment in childhood. 

5. Criteria are not met for another Pervasive Development Disorder or Schizophrenia. 

Fig. 1. A Diagnostic Criterion for Asperger’s Disorder 

Section 2 discusses the knowledge representation problems of DSM-IV in 
detail. Section 3 shows how these problems can be addressed in an abductive 
framework that includes logical preferences; while Section 4 provides a 3-valued 
semantics for these logical preferences and compares it to other semantics in 
the literature. For readability by non-specialists, nearly all discussion of the 
semantics of our Preference Logic Programs is confined to Section 4. However, 
we employ standard logic programming terminology throughout. 
2 The Nature of Knowledge in DSM-IV 

From the perspective of knowledge representation, several factors distinguish the 
process of psychiatric assessment. 

Exclusion Criteria. In making a diagnosis, a psychiatrist may need to ensure 
that certain criteria are fulfilled, while others are excluded. One example of 
an exclusion criterion is criterion 5 for Asperger’s disorder (Figure 1), which 
specifies that criteria must not be met for Schizophrenia or for any other Pervasive 
Development Disorder (a class that includes Autism, Retts, Childhood 
Disintegrative Disorder, Asperger’s, and Pervasive Development Disorder Not 
Otherwise Specified). Exclusion criteria occur frequently in DSM-IV diagnosis, 
with some variability in the phrasing of the negative conditions. Other exclusion 
criteria may state that “criteria are not better accounted for” by another diagnosis 
or class of diagnoses (e.g. in Major Depressive Disorder a criterion requires that 
symptoms be not better accounted for by Schizophrenia), or that a patient has 
“not ever” experienced a syndrome (e.g. in Major Depressive Disorder a criterion 
requires verification that a patient has not ever had a manic episode). 

Usually exclusion criteria indicate a priority for how diagnoses are to be made 
and so the DSM-IV rules are generally stratified through exclusion criteria. For 
instance, most diagnoses in the class of Mood Disorders require the exclusion 
of Substance Abuse or Bereavement. In other cases, diagnoses may be non- 
stratified through exclusion criteria. In the case of dissimilar diagnoses, the non- 
stratification may be considered an error in DSM-IV; however in several cases 
the lack of stratification reflects a lack of consensus about how to differentiate 
the diagnoses. We consider each of the non-stratified classes in turn. 

Two diagnoses, Adjustment Disorder and Alzheimer’s Dementia, illustrate the 
first class, which may constitute “errors” in DSM-IV. Both may be considered 
to be “default” diagnoses, that are to be made only if no other diagnoses are 
reasonable; exclusion rules for these diagnoses are very broad and can be cyclic. For 
instance, within the criteria of Cognitive Disorders, a diagnosis of Alzheimer’s 
Dementia should be made only if no other cognitive disorder is more likely for 
the patient; accordingly, the exclusion rule for Alzheimer’s Dementia states 

— The disturbance is not better accounted for by another Axis I disorder (e.g. 
Major Depression, or Schizophrenia).^ 

Adjustment Disorder, which can also be considered as a default diagnosis, has 
a similarly broad exclusion. Interpreting DSM-IV rules strictly logically, it is 
possible to have a set of positive criteria that are met such that a patient 
has Adjustment Disorder if his symptoms are not better met by Alzheimer’s 
Dementia and that a patient has Alzheimer’s Dementia if his symptoms are not 
better met by Adjustment Disorder. However, this sort of loop through exclusion 
criteria is not expected to occur in practice, as it is not likely that a given patient 
would meet positive criteria for both diagnoses at the same time. 

^ An Axis I disorder is any mental disorder that is not a personality disorder or mental 
retardation. 



To understand the second class of mutually exclusive diagnoses, consider 
again the exclusion criterion (5) of Asperger’s Disorder. Other Pervasive Development 
Disorders, such as Autism or Childhood Development Disorder, contain 
similar exclusion rules, so that choosing among the three disorders may be 
indeterminate according to a logical interpretation of the DSM-IV rules. In the case 
of the Pervasive Development Disorders, the lack of stratification reflects not 
only the practical clinical problem of distinguishing Asperger’s Disorder from, 
say, Autism, but also the fact that researchers continue to debate the validity of 
Asperger’s Disorder as a distinct diagnosis altogether. The diagnoses 
of Asperger’s Disorder and Autism are not a unique example of this type of 
non-stratification. The diagnoses Adjustment Disorder with Disturbance of Emotions 
and Conduct, Adjustment Disorder, and Attention Deficit/Hyperactivity Disorder 
are also linked through exclusion criteria and can be difficult to differentiate, 
as can several other sets of diagnoses. 



Thus, while most diagnoses are stratified via exclusion rules, many are not. 
In many cases, the lack of stratification is accounted for by the informality of 
the DSM-IV rules, as with Alzheimer’s Dementia and Adjustment Disorder. In 
these cases the DSM-IV rules should arguably be tightened to avoid inadvertent 
mistakes caused by exclusion rules that are too broad. However, in other cases, 
such as Asperger’s Disorder and Autism, the lack of stratification has a deeper 
nature and reflects the similarity of the disorders themselves. 



Incomplete Knowledge: If there are no indications that a patient has an uncom- 
mon symptom or case history, certain criteria may be ruled out by default. For 
instance, the diagnosis of Dissociative Fugue disorder depends on determining 
that the patient has no medical condition that could also account for the ob- 
served symptoms, a determination that may be difficult, if not impossible, to 
make with absolute certainty. Similarly, many diagnoses depend on a history of 
the patient that may be impossible to obtain, or may be unreliable from patients 
or their significant others (e.g. criterion 4 for Asperger’s Disorder). For instance, 

— A 5-year old child in foster care speaks normally. The physician has no way 
of obtaining a reliable case history, so that the physician concludes by default 
that there is no evidence of a significant delay in language acquisition. 

— A case history is taken from the child’s parents and it is explicitly determined 
that there was no significant delay in language acquisition. 

In the first case, the diagnosis may need to be made on less than perfect in- 
formation, and there is a need to distinguish information that is assumed false 
because there is no evidence to support it from information that is explicitly 
known to be false. 
Hypothetical Reasoning: Diagnoses sometimes rely on hypothetical reasoning by 
the physician, particularly with regard to time. An instance of this is Adjustment 
Disorder, which has the criterion 

— Once the stressor (or its consequences) has terminated, the symptoms do not 
persist for more than an additional 6 months. 

Taken literally, this criterion implies that a physician cannot diagnose a patient 
as undergoing Adjustment Disorder, while the patient is undergoing it. Simi- 
larly, hypothetical reasoning about the expected duration of symptoms may be 
used to differentiate between the diagnoses of Schizophrenia or Schizophreniform 
Disorder. 

Temporal Reasoning: DSM-IV often requires sophisticated temporal reasoning 
to represent the duration and occurrence of various symptoms. Indeed, certain 
closely related diagnoses may be distinguished primarily through the duration 
of the symptoms. Examples are the diagnoses Brief Psychotic Disorder, in 
which delusional symptoms last less than one month, Schizophreniform Disorder 
(symptoms last at least one month but less than six), and Schizophrenia 
(in which symptoms have lasted more than six months). Furthermore, temporal 
reasoning also may be used to determine whether a patient is diagnosed with 
single or multiple disorders. For instance, if a patient is both depressed and anxious, 
he will be diagnosed for an anxiety-related disorder only if the symptoms 
of an anxiety disorder preceded those of the depression; otherwise the anxiety 
is taken to be a symptom of a depression disorder. 

3 Representing DSM-IV as a Logic Program 

From the discussion above, it is apparent that modeling DSM-IV as a logic 
program requires the use of non-traditional techniques. The first three of the 
factors mentioned above: DSM-IV Exclusion Criteria, Incomplete Information, 
and Hypothetical Reasoning have been formalized and partially implemented. 
However, a determination has not yet been made of the best way to model time 
in DSM-IV among the many techniques in the literature. 



3.1 Exclusion Criteria 

In order to explain our approach to handling exclusion criteria, we first discuss 
the actions that should be taken when diagnoses are linked through mutual exclusion 
rules. First, there are certain diagnoses that are not considered to be 
similar, but that logically may have loops through exclusion criteria: for instance 
Alzheimer’s Dementia and Adjustment Disorder. Positive criteria should 
not be satisfied for both of these disorders for any patient at a given time; if 
this happens, it should be considered an error condition. Second, certain diagnoses 
are known to be similar but mutually exclusive. In the case of Asperger’s 
and Autism, only one of the diagnoses should be made true: that is, the 
epidemiological theory underlying DSM-IV states that a patient cannot have both 
Asperger’s and Autism. At the same time, if positive criteria are met for both 
diagnoses, the action to take is ambiguous. Some clinicians would prefer Asperger’s 
under the principle that if the diagnosis isn’t clearly Autism the lesser 
diagnosis of Asperger’s should be made. Other clinicians, who don’t believe that 
there is an Asperger’s disorder separate from Autism, would prefer the 
diagnosis of Autism. Third, in cases such as Pervasive Development Disorders 
and Schizophrenia, which are also linked through exclusion rules, the relationship 
as specified in DSM-IV is complicated. If a patient has a Pervasive Development 
Disorder, the additional diagnosis of Schizophrenia is also made if the patient 
has had prominent delusions or hallucinations for over a month. In other words, 
Schizophrenia and Pervasive Development Disorders are usually mutually exclusive, 
but both diagnoses are warranted in certain cases. 

Our approach to representing these different kinds of exclusions is based 
on modeling the exclusions using default negation augmented by abnormality 
conditions and preference rules. The resulting program is then evaluated under 
the (extended) well-founded semantics. The three-valued well-founded semantics 
will assign the truth value undefined in the cases where all non-exclusion 
criteria are met for diagnoses that are mutually exclusive in DSM-IV. In this 
way, non-preference rules represent DSM-IV in an informationally sound way. 
As will be seen below, a physician can go beyond the information in DSM-IV by 
creating preference rules to override undefined truth values. 

The portion of the diagnostic rule for Asperger’s disorder relevant to exclusion 
criteria is 

aspergers :- 
    exclude(aspergers, retts), 
    exclude(aspergers, autism), 
    exclude(aspergers, childhood_disintegrative_disorder), 
    exclude(aspergers, pervasive_development_disorder_nos), 
    exclude(aspergers, schizophrenia). 

where default negation (not/1) is used to define exclude/2: 

exclude(Diag1, Diag2) :- 
    abnormal_situation(Diag1, Diag2). 
exclude(Diag1, Diag2) :- 
    not Diag2. 

In the case of Schizophrenia and Pervasive Development disorders, the definition of 
an abnormal situation allows both diagnoses to be true by allowing the exclusion 
criterion to be satisfied by a means other than negation. At the same time, a 
set of mutually exclusive diagnoses will be undefined under the well-founded 
semantics if the positive criteria are met for each diagnosis in the set and if no 
abnormality conditions are defined. Such a situation is useful for representing 
cycles through exclusion criteria such as the one that occurs with Alzheimer’s 
Dementia and Adjustment Disorder, as the truth value undefined can explicitly 
represent an error that is taken to occur when positive criteria are simultaneously 
met for both diagnoses. 

Both exclusion criteria and abnormality rules model conditions that occur 
explicitly in DSM-IV. However, as discussed previously, there may be similar, 
mutually exclusive diagnoses, such as Asperger’s and Autism, for which it should 
not be an absolute error if positive criteria are simultaneously satisfied for both. 
In these cases, other criteria, unspecified in DSM-IV, may be brought to bear, 
and it is useful to allow the clinician to state the conditions under which she 
prefers one diagnosis to another. She would do so by a preference rule of the 
form: 

prefer(Diagnosis1, Diagnosis2) :- Body. 

A semantics of such preference rules, based on a transformation into normal 
programs that can be evaluated under the well-founded semantics, is discussed 
in Section 4. Here, we note that our framework for preference logic is quite 
general, in that it allows the truth value of preferences (i.e. atoms formed over 
the predicate prefer/2) to depend on the truth value of literals that depend on 
other preferences, allows preferences to be defined about other preferences, and 
assigns cyclic preferences the truth value undefined. 

Example 1. The following programs illustrate, at a highly abstract level, the 
actions of Preference Logic Programs on some of the psychiatric diagnoses 
discussed so far. Let P1 contain the rules: 

aspergers :- not autism. 
autism :- not aspergers. 
major_depression_disorder. 
alzheimers. 

P1 abstracts DSM-IV diagnosis rules, discussed previously, for Asperger’s Disorder 
and Autism, which are related through exclusion rules, and for Major Depression 
Disorder and Alzheimer’s, which are not related through exclusion rules. 
Suppose a psychiatric practice did not believe in the validity of the Asperger’s 
diagnosis and preferred to diagnose patients with Autism. Suppose further that 
they believed that DSM-IV diagnostic criteria for Major Depressive Disorder 
and Alzheimer’s were too coarse, and wanted to flag an error in the case when a 
diagnosis might be ambiguous.^ In this case the practice could add the following 
preference rules: 

prefer(autism, aspergers). 
prefer(major_depression_disorder, alzheimers). 
prefer(alzheimers, major_depression_disorder). 

In this case, P1 together with the preference rules has autism true, aspergers 
false, and both major_depression_disorder and alzheimers undefined. 

^ The psychiatric literature, in fact, offers support for this view. 
Next suppose that a particular psychiatrist in a practice wishes to diagnose 
patients to have Major Depression Disorder rather than Alzheimer’s in all cases 
where non-exclusion criteria for both are met (perhaps because he is part of 
a study about the efficacy of an experimental medication for depression). The 
psychiatrist would add the preference rule: 

prefer(prefer(major_depression_disorder, alzheimers), 
       prefer(alzheimers, major_depression_disorder)). 

We summarize our treatment of exclusion rules in DSM-IV. Representation 
of DSM-IV knowledge is kept in the diagnosis rules themselves, including the 
exclude/2 and abnormal_situation/2 predicates. Preference rules allow the 
user to adjust how exclusion rules are interpreted using knowledge not con- 
tained in DSM-IV and, as mentioned above, both cyclic preferences and prefer- 
ences about preferences may make sense in certain situations. Indeed preference 
rules could be used in place of the predicate abnormal_situation/2; the pred- 
icate abnormal_situation/2 was introduced in order to maintain a distinction 
between DSM-IV knowledge and that represented by the user. 
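The three-valued behaviour described in this subsection can be checked on small ground programs. The following Python program is an added example (not code from the paper or from Diagnostica): it computes the well-founded model of a ground normal program by the alternating fixpoint and applies it to Example 1's program P1 and to the exclude/2 and abnormal_situation/2 encoding above. The diagnosis atoms, the positive_criteria/1 atoms and the two-way abnormality facts for the Schizophrenia case are constructed assumptions; preference rules are not modelled here.

```python
# Added example (not from the paper or Diagnostica): alternating-fixpoint
# computation of the well-founded model of a ground normal logic program,
# applied to DSM-IV-style exclusion rules encoded with exclude/2 and
# abnormal_situation/2. All atoms below are constructed sample data.
from typing import Dict, FrozenSet, List, Tuple

# A rule is (head, positive body atoms, default-negated body atoms).
Rule = Tuple[str, List[str], List[str]]


def gamma(rules: List[Rule], assumed: FrozenSet[str]) -> FrozenSet[str]:
    """Least model of the program when 'not a' is read as 'a not in assumed'."""
    derived: set = set()
    changed = True
    while changed:
        changed = False
        for head, pos, neg in rules:
            if head in derived:
                continue
            if all(p in derived for p in pos) and all(n not in assumed for n in neg):
                derived.add(head)
                changed = True
    return frozenset(derived)


def well_founded_model(rules: List[Rule]) -> Dict[str, str]:
    """Truth value 'true' | 'false' | 'undefined' of every atom in the program."""
    true_atoms: FrozenSet[str] = frozenset()
    while True:
        possible = gamma(rules, true_atoms)   # over-estimate of what may hold
        nxt = gamma(rules, possible)          # under-estimate: surely true
        if nxt == true_atoms:
            break
        true_atoms = nxt
    atoms = {r[0] for r in rules} | {a for r in rules for a in r[1] + r[2]}
    return {a: "true" if a in true_atoms else "undefined" if a in possible else "false"
            for a in sorted(atoms)}


def fact(atom: str) -> Rule:
    return (atom, [], [])


def diagnosis_rules(diag: str, excluded: List[str]) -> List[Rule]:
    """Ground instance of the encoding in the text for one diagnosis:
         diag :- positive_criteria(diag), exclude(diag, D2), ...   (one per D2)
         exclude(diag, D2) :- abnormal_situation(diag, D2).
         exclude(diag, D2) :- not D2.
    positive_criteria/1 (an assumed atom) stands for the non-exclusion criteria."""
    rules: List[Rule] = [(diag, [f"positive_criteria({diag})"] +
                          [f"exclude({diag},{d2})" for d2 in excluded], [])]
    for d2 in excluded:
        ex = f"exclude({diag},{d2})"
        rules.append((ex, [f"abnormal_situation({diag},{d2})"], []))
        rules.append((ex, [], [d2]))
    return rules


# Program P1 of Example 1, without preference rules.
P1: List[Rule] = [
    ("aspergers", [], ["autism"]),
    ("autism", [], ["aspergers"]),
    fact("major_depression_disorder"),
    fact("alzheimers"),
]

# (a) Positive criteria met for both Asperger's and Autism and no abnormality
#     condition: the mutual exclusion leaves both diagnoses undefined.
ASPERGERS_VS_AUTISM: List[Rule] = (
    diagnosis_rules("aspergers", ["autism"]) + diagnosis_rules("autism", ["aspergers"])
    + [fact("positive_criteria(aspergers)"), fact("positive_criteria(autism)")])

# (b) Pervasive Development Disorder and Schizophrenia: an abnormality condition
#     (delusions for over a month) satisfies the exclusion without negation, so
#     both diagnoses are true. Stating the abnormality in both directions is an
#     assumption of this example, not something the text specifies.
PDD_AND_SCHIZOPHRENIA: List[Rule] = (
    diagnosis_rules("pdd", ["schizophrenia"]) + diagnosis_rules("schizophrenia", ["pdd"])
    + [fact("positive_criteria(pdd)"), fact("positive_criteria(schizophrenia)"),
       fact("delusions_over_one_month"),
       ("abnormal_situation(pdd,schizophrenia)", ["delusions_over_one_month"], []),
       ("abnormal_situation(schizophrenia,pdd)", ["delusions_over_one_month"], [])])

# (c) Only Autism's positive criteria are met: default negation decides cleanly.
ONLY_AUTISM: List[Rule] = (
    diagnosis_rules("aspergers", ["autism"]) + diagnosis_rules("autism", ["aspergers"])
    + [fact("positive_criteria(autism)")])

if __name__ == "__main__":
    for name, prog in [("P1", P1), ("aspergers vs autism", ASPERGERS_VS_AUTISM),
                       ("pdd and schizophrenia", PDD_AND_SCHIZOPHRENIA),
                       ("only autism", ONLY_AUTISM)]:
        model = well_founded_model(prog)
        # Show only the diagnosis atoms, not the auxiliary exclude/abnormal ones.
        print(name, {a: v for a, v in model.items() if "(" not in a})
```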

3.2 Incomplete Information 

It is well known from the knowledge representation literature that information that 
is assumed false because there is no evidence to support it can be represented 
by default negation, while information that is explicitly known to be false can 
be represented by explicit negation. The well-founded semantics with explicit 
negation provides a semantics for adding explicit negation to the well-founded 
semantics. This semantics can be evaluated using a linear transformation of rules 
with explicit negation into normal logic program rules. 

3.3 Speculative Information 

Speculative information, such as that needed to conclude an Adjustment Disorder, 
can be represented using abduction, which allows a form of hypothetical 
reasoning. Since preference rules can be transformed into normal program rules 
(Section 4) evaluated with the well-founded semantics (with explicit negation), 
no special semantics for abduction is needed beyond what is present in 
the literature, e.g. the three-valued abductive frameworks for extended logic 
programs. Because preference logic programs are translated into normal 
programs, preferences are treated no differently than any other predicate in a 
program. As a result, the truth value of preferences may depend on particular 
abductive scenarios, and abductive integrity rules may call preferences just as 
they may call goals with any other predicates. Furthermore, the definitions of 
Section 4 ensure that any abductive dependency of a preference is propagated to 
literals whose truth depends on these preferences. Evaluation of this framework, 
which requires abduction over the well-founded semantics, is discussed in Section 

Abduction plays a larger role in psychiatric diagnosis beyond what is needed 
to model hypothetical reasoning in DSM-IV, a topic to which we now turn. 

Abduction and Differential Diagnoses. As has been discussed above, clinicians 
often need to distinguish between closely related diagnoses. Often this is done 
through exclusion rules, but other times there are wording differences between 
positive criteria for similar diagnoses that can be used as a differential between 
the diagnoses. Indeed, understanding differentials for related diagnoses is 
a fundamental element of clinical training; and applying these differentials is a 
fundamental element of clinical practice. Providing dynamic differentials for 
diagnoses can easily be done through abduction. The idea is that, if the differential 
is required between diagnosis D1 and diagnosis D2, then D1 should be abduced in 
the presence of the integrity constraint ⊥ :- D2, which produces the conditions 
for failing D2. The abductive context will then provide the differential for the 
diagnoses. 

In order for abduction to be practical for constructing differentials, several conditions must hold. First, the differential should be as specific as possible, which requires abducibles to be specific and to have an easily understood relationship with one another. In particular, abducibles should be drawn from atomic propositions that represent the symptom state of a patient, and restricted to those atoms of the symptom state that are not known to be true or explicitly false. The most obvious representation of a symptom state makes use of DSM-IV base criteria. Alternatively, the symptom state may consist of elements of other assessment methodologies, such as the World Health Organization's Schedules for Clinical Assessment in Neuropsychiatry, which are mapped into DSM-IV base criteria. Adding structure to the representation of symptom states benefits the abduction routines: for example, if two elements are known to be inconsistent, perhaps because they are antonyms, the inconsistency constraints can be used to restrict abductive solutions.

At the same time, the number of abductive solutions generated should not overwhelm the user. For instance, if criteria 1.a to 1.d and 2.a to 2.d of Asperger's Disorder in Figure [?] were set as abducibles, then there may be as many as 24 different minimal abductive solutions to the goal ?- aspergers. To reduce the number of solutions, the abduction routines make use of special presentation routines. For instance, when abducing through a criterion in which at least n of a list of base criteria must be true, and for which k of the base criteria are true and l are explicitly false in the symptom state, the abductive solutions are grouped so that the user is presented with a statement of the form "at least (n − k) of a revised list (i.e. excluding the explicitly false base criteria) must be present". When abducing base criteria through exclusion rules, a large number of abductive solutions may similarly be derived. Thus, abduction is not allowed within exclusion rules: rather, the exclusion rule itself is returned to the user, after ensuring that the excluded rule is not enforced by the symptom state and the presently abduced abducibles.
4 Three-Valued Preference Logic Programs

We now define the Preference Logic Programs upon which the representation of DSM-IV is based.



Definition 1. A Preference Logic Program (PLP) [P, Pref] is a set of extended rules P and Pref where the set Pref of preference rules (or preferences) has the form

    prefer(Term1, Term2) :- Body.

Arguments of prefer/2 are restricted to be objective literals of [P, Pref] and are called preference atoms.

Assume that [P, Pref] does not contain the predicate symbols overridden/1, pnot/2 or trans_prefer/2. The extended embedding of [P, Pref], [P, Pref]_norm, is the smallest program containing

1. The rules r' defined as follows. An objective literal A is potentially overridden (resp. potentially preferred) if there is a preference rule prefer(A1, A2) :- Body and A unifies with A2 with mgu θ (resp. A unifies with A1 with mgu θ). Let r be a rule H :- A1, ..., An, not B1, ..., not Bm in P.

   (a) If H is potentially overridden, then r' = H :- A1, ..., An, B'1, ..., B'm, not overridden(H).

   (b) Otherwise, r' = H :- A1, ..., An, B'1, ..., B'm.

   In either case, for 0 < i ≤ m, B'i = pnot(H, Bi) if Bi is potentially preferred, and B'i = not Bi otherwise.

2. The rules

    overridden(A1) :- prefer(A2, A1), A2.
    overridden(A1) :- prefer(A2, A1), overridden(A2).

    pnot(A1, A2) :- trans_prefer(A1, A2).
    pnot(A1, A2) :- not A2.

    trans_prefer(A1, A2) :- prefer(A1, A2).
    trans_prefer(A1, A2) :- trans_prefer(A1, A3), prefer(A3, A2).

Because the extended embedding is based on potentially overridden and potentially preferred atoms, if the set of preference rules in a PLP [P, Pref] is empty, the normal embedding will have no effect on P beyond adding the rules in clause 2. Definition 1 allows preferences to be dynamic in the sense that their truth value may depend on the truth value of other parts of the program, including other preferences. In addition, preferences can be declared on preferences themselves.

Since [P, Pref]_norm is an extended program, it can be evaluated under any semantics for extended programs. For the purposes of this paper, we restrict our attention to the well-founded semantics with explicit negation. It is immediate from Definition 1 that an objective literal that depends on cyclic preferences (i.e. an objective literal A such that prefer(A, A) is true) will either be false or undefined in the extended well-founded model of [P, Pref], WFM([P, Pref]).
4.1 Relation to Other Preference Formalisms

The semantics above extends the possible worlds semantics for PLPs as described in [?], which is concerned with what may be termed static PLPs.®

Definition 2. Let [P, Pref] be a definite PLP, that is, a PLP in which P and Pref are restricted to be definite programs. We say that a ground atom A1 depends on a ground atom A2 if there is a path from A1 to A2 in the dependency graph of P. A derived atom in [P, Pref] is one that depends on a preference atom. A base atom is an atom that is neither a preference atom nor a derived atom. Preferences in [P, Pref] are static if all atoms in the bodies of rules in Pref are base atoms.

For a static PLP [P, Pref], the semantics of Pref is taken as its minimal model, together with that of the base atoms of P. Based on these observations, we can compute preferences, as it were, apart from P and define a relation <pref between atoms such that A1 <pref A2 if A2 is transitively preferred to A1 (using the relation prefer/2 in the minimal model of Pref). We say that <pref is well-behaved if it is a strict partial order, and well-founded in the sense that there is no infinite chain of atoms A1 <pref A2 <pref ... .

The possible worlds semantics of preference logic programs is based on strongly optimal worlds.

Definition 3. Let [P, Pref] be a definite PLP whose preferences are static. A set W of derived and preference atoms over P is reduced if there is no A1, A2 ∈ W such that A1 <pref A2. If W is also a subset of the minimal model of P, then it is called a world. A world W1 is reflexively preferred to a world W2 (denoted W2 ≤sp W1) if for each preference atom A2 ∈ W2 there is a preference atom A1 ∈ W1 such that A2 = A1 or A2 <pref A1. A world W is strongly optimal if for any other world W', W ≤sp W' ⇒ W' ⊆ W.

The operator T_P denotes the standard inference operator for definite programs. A world W is supported if W ⊆ T_P(W). A program [P, Pref] has the optimal subproblem property if every strongly optimal world for [P, Pref] is supported.



Example 2. Consider the PLP P2:

    prefer(p(a), p(d)).   prefer(p(b), p(d)).
    p(a) :- p(d).   p(b).   p(d).

There are five worlds for P2: {p(a), p(b)}, {p(a)}, {p(b)}, {p(d)} and ∅. The world {p(a), p(b)} is strongly optimal. However, T_P({p(a), p(b)}) = {p(b), p(d)}, so that P2 does not have the optimal subproblem property.
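Definition 3 and Example 2 worked mechanically, as an added example that is not the paper's code: it enumerates the worlds of a static, definite, ground PLP, finds the strongly optimal ones and applies the T_P check for the optimal subproblem property. The encoding of P2 as Python tuples (atoms as strings, rules as head plus positive body, preferences as facts) is an assumption of this example.

```python
# Added example (not the paper's code): Definition 3 computed for a static, definite,
# ground PLP. Atoms are strings, a rule is (head, positive body); P2 is Example 2, hand-transcribed.
from itertools import combinations

P2 = [("p(a)", ["p(d)"]), ("p(b)", []), ("p(d)", [])]  # p(a):-p(d). p(b). p(d).
PREF2 = [("p(a)", "p(d)"), ("p(b)", "p(d)")]            # prefer(p(a),p(d)). prefer(p(b),p(d)).

def t_p(rules, atoms):
    """One application of the standard inference operator T_P of a definite program."""
    return {h for h, body in rules if all(b in atoms for b in body)}

def minimal_model(rules):
    m = set()
    while (n := t_p(rules, m)) != m:  # least fixpoint of T_P
        m = n
    return m

def transitively_preferred(pref):
    """Pairs (lo, hi) with lo <pref hi, i.e. hi is transitively preferred to lo."""
    lt = {(a2, a1) for a1, a2 in pref}
    while new := {(lo, h2) for lo, h1 in lt for g, h2 in lt if h1 == g} - lt:
        lt |= new
    return lt

def pref_atoms(pref): return {a for pair in pref for a in pair}

def worlds(rules, pref):
    """Reduced sets of preference and derived atoms drawn from the minimal model of P."""
    pa, lt, derived = pref_atoms(pref), transitively_preferred(pref), set()
    while new := {h for h, body in rules if any(b in pa or b in derived for b in body)} - derived:
        derived |= new  # heads that (transitively) depend on a preference atom
    cands = sorted((pa | derived) & minimal_model(rules))
    subsets = (frozenset(c) for k in range(len(cands) + 1) for c in combinations(cands, k))
    return {w for w in subsets if not any(lo in w and hi in w for lo, hi in lt)}

def sp_leq(w2, w1, pref, lt):
    """W2 <=sp W1: each preference atom of W2 is equalled or bettered by one in W1."""
    return all(a2 in w1 or any((a2, a1) in lt for a1 in w1) for a2 in w2 if a2 in pref_atoms(pref))

def strongly_optimal(rules, pref):
    """Worlds W such that, for every other world W', W <=sp W' implies W' is a subset of W."""
    ws, lt = worlds(rules, pref), transitively_preferred(pref)
    return {w for w in ws if all(o == w or not sp_leq(w, o, pref, lt) or o <= w for o in ws)}

def supported(rules, w):
    """W is supported iff W is a subset of T_P(W) (needed of every strongly optimal world)."""
    return w <= t_p(rules, w)

if __name__ == "__main__":
    (w,) = strongly_optimal(P2, PREF2)  # Example 2: the unique strongly optimal world
    print(len(worlds(P2, PREF2)), "worlds; optimal:", sorted(w), "supported:", supported(P2, w))
```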



® In [?], both P and Pref may be locally stratified: for simplicity of presentation, we restrict P and Pref to definite programs while comparing to the semantics of [?].
Theorem 1. Let [P, Pref] be a simple PLP, and [P, Pref]_norm be the normal embedding of P. Then

1. There is a unique strongly optimal world W for [P, Pref];

2. WFM([P, Pref]_norm) is two-valued;

3. A is true in WFM([P, Pref]_norm) iff A ∈ W.

While a full comparison with other preference frameworks is beyond the scope of this paper, we note a few comparisons in passing. The atom-based approach to preferences presented above is distinct from those of [?], all of which define preferences on rules rather than on atoms. Finally, [?] present an atom-based approach to preferences, in which statically defined relations among atoms are used to represent priorities in generalized extended disjunctive programs.



4.2 Abductive Frameworks for Preference Logic Programs

Definition 1 indicates how a preference logic program can be translated into an extended program. The resulting abductive framework for the translated program [P, Pref]_norm has the form

    ⟨[P, Pref]_norm, A, I⟩

in which A is a set of abducibles and I a set of integrity rules. This framework, in which P and I are extended programs that may include non-stratified negation, can then be directly evaluated by the Abdual method (see [?] for details of Abdual and of the frameworks it evaluates). If A is empty, Abdual reduces to an evaluation of a query under the well-founded semantics with explicit negation and has polynomial data complexity. Using the terminology of [?], this result can easily be extended to preference logic programs:

Proposition 1. Let [P, Pref] be a PLP whose ground instantiation is finite, and [P, Pref]_norm be its normal embedding (Definition 1). Then Abdual evaluation of a query to the abductive framework ⟨[P, Pref]_norm, ∅, I⟩ has a complexity that is polynomial in the size of those rules in P ∪ Pref ∪ I whose body is empty.

Proof. Straightforward from Theorem 3.3 of [?] and Definition 1, which ensures that the size of [P, Pref]_norm is polynomial in the size of P ∪ Pref.



* The proof of this theorem can be found in the paper Preference Logic Grammars: Semantics, Implementation, and Application to Data Standardization, available at http://www.cs.sunysb.edu/~tswift

® In addition, calls to exclude/2 must also be unfolded in order for the extended embedding to work properly on the psychiatric rules and preferences described in Section [?].




Psychiatric Diagnosis from the Viewpoint of Computational Logic 1375 



5 Discussion

Investigation into the logical representation of DSM-IV was sparked by the desire to automate DSM-IV in a commercial system, Diagnostica, a beta version of which is available (see http://medicinerules.com). Full implementation of Diagnostica, using the techniques of Section [?] and using XSB (cf. http://xsb.sourceforge.net), is not yet complete. The current user interface for Diagnostica thus uses abduction in a simple, but clinically relevant, way. True differentials for diagnoses are not yet available to the user, nor are screens for adding or manipulating preferences. The inclusion of these features is planned for future versions.

Non-stratified programs are sometimes considered to be of little use for practical problems. However, translation of DSM-IV diagnostic rules into logical rules shows that sets of closely related diagnoses form non-stratified recursive components, so that non-stratified negation is semantically meaningful. Indeed, it is difficult to see how DSM-IV could be adequately coded without non-stratified negation. The well-founded semantics is used as a basis of our semantics for DSM-IV rather than, say, stable models for several reasons. It is convenient to use the undefined truth value to represent error conditions for diagnoses such as Alzheimer's Dementia and Adjustment Disorder. At the same time, multiple diagnoses can be obtained by the predicate abnormal_situation/2 in cases where this information is explicit in DSM-IV. The addition of preference rules under the well-founded semantics allows a user-based resolution of non-stratified loops while retaining a polynomial complexity of evaluation when abduction is not required. On the other hand, the addition of abduction to well-founded preference logic programs allows representation of hypotheses used in diagnoses as well as a means of constructing differentials for diagnoses.

The need to implement these aspects of DSM-IV in Diagnostica has helped spur the development of the Abdual evaluation method [?] as well as the Preference Logic presented here. At the same time, development of these formalisms has been necessary in order to understand how to implement abduction and preferences in Diagnostica. Experience gained as Diagnostica becomes fielded will be invaluable in testing the practical usefulness of this framework.